[Owasp-leaders] Web Threat Intelligence

Colin Watson colin.watson at owasp.org
Fri Jun 12 18:09:09 UTC 2015


I can't add to the helpful information already given by others, or
directly answer your question, but hope the following inputs may be of

1. Regarding threat intelligence sharing, ENISA recently produced two
useful documents:

   Detect, SHARE, Protect - Solutions for Improving Threat Data
Exchange among CERTs

   Standards and tools for exchange and processing of actionable information

2. Additionally I have been working on a new OWASP project that
attempts to name and provide resources for automated threats to web
applications, that are not solely about exploiting implementation
bugs. CAPEC/CWE/WASC are useful but not sufficient. The output of my
earlier research is summarised in a diagram:


But the draft project briefing is here:


and the project wiki page here:


Those don't help you with the "how" of sharing, but perhaps might help
with naming. I am hoping to publish a fuller document within a month.



On 12 June 2015 at 18:38, Patrick Laverty <patrick.laverty at owasp.org> wrote:
> Thanks Dre, good stuff.
> It'll be interesting to see what more people have to say. I guess what I'm
> looking for is a good way to share information and intelligence. I work for
> a company that gets at least as much web data every day as anyone else, and
> many people want the data, but when we talk about sharing, what they have to
> offer is malware and phishing. I'm interested in the latest web attacks,
> threats and specific actors. I want to hear what the Tunisian Cyber Army is
> up to, I want to hear what the Yemen group is doing, I want to know more
> about Anon Australia vs. Anon Indonesia, I want to talk more about the
> latest #Op and new communication channels other than the wide open IRC
> channels. None of that seems to be stuff that many people know about or are
> willing to join a group to discuss. That's what I'm looking to find.
> Something like FS-ISAC or NCCIC but more focused on web layer attacks,
> actors and strategies.
> Thanks!
> Patrick
> On Fri, Jun 12, 2015 at 12:33 PM, Andre Gironda <andreg at gmail.com> wrote:
>> On Fri, Jun 12, 2015 at 8:10 AM, Timo Goosen <timo.goosen at owasp.org>
>> wrote:
>>> Interesting question.
>>> I'm also always interested in finding out new stuff like this. Twitter
>>> and reddit is pretty good place for this. Sometimes IRC can be a good place
>>> for this too.
>> Monitor pastebin and twitter for app attack key words and phrases. For
>> drilling down into more detail, I personally use Topsy, google.com/?tbm=blg,
>> and sometimes yandex or other appropriate source. See the books, "Open
>> Source Intelligence Techniques: Resources for Searching and Analyzing Online
>> Information, Fourth edition", "Hacking Web Intelligence", and "Introduction
>> to Social Media Investigation" (and perhaps her other book, "Analyzing the
>> Social Web") for greater depth.
>> There are forums such as leakforums that discuss some threat-actor
>> techniques and provide tools, but those who network there (i.e., threats)
>> tend to move around so you will have to learn how to follow them. Again, I
>> agree that Reddit, Twitter, PasteBin, and IRC are some of the better
>> sources.
>> As far as commercial offerings go, Packet Ninjas is the closest to
>> offering app-happy intelligence based on conversations and what I've seen of
>> their SocialNet entity package for Maltego (N.B., they also offer a
>> commercial transform). I've also received shared IoCs from FS-ISAC that did
>> become relevant to app attacks after additional analysis.
>> The primary threat intelligence commercial players, such as iSECPartners,
>> Crowdstrike, and FireEye (N.B., one could easily add others to this list, or
>> even argue about the relevancy of these, but I will shy away from naming too
>> many names) don't quite seem to understand web app attacks (although FireEye
>> and others do some good work with mobile apps). Especially difficult for
>> them are Web Services technologies and similar Enterprise Software and app
>> developer technologies.
>> For example, almost all of the recent media-busting breaches have had a
>> webapp compromised as a link, or even several links, of the kill chain. For
>> the Target data breach, Aorato Labs was able to piece together many facts,
>> mostly from KrebsOnSecurity, about the technical specifics of that breach as
>> they relate to webapps and connected elements. However, I haven't seen many
>> of these other players chip in. Crowdstrike postulated that the Sony
>> Pictures breach was SQLi-related but it turned out to be AppleID-related
>> instead.
>> To compound the threat intelligence problem, there is also a threat
>> hunting problem with appsec assets. Responders and investigators are not
>> equipped skill-wise or tool-wise to handle incidents at these layers. I can
>> count on one hand the number of outspoken industry experts on app-layer
>> incidents, i.e., Kevvie Fowler, Cory Scott, Romain Gaucher, David
>> Litchfield, and Micah Hoffman.
>> For SIEM, too, app-layer events and alerts just haven't been picked up by
>> vendor radar yet. Ran into two old posts (one I wrote) from 6 years ago --
>> http://holisticinfosec.blogspot.com/2009/09/using-ossec-to-monitor-modsecurity-and.html
>> --
>> http://www.tssci-security.com/archives/2009/02/23/web-application-security-incident-handling/
>> -- and nothing else since then.
>> To Patrick -- What would you like to see in terms of a better
>> understanding of app-layer threat intelligence? What are we doing very
>> poorly and what really needs to be improved?
>> dre
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

More information about the OWASP-Leaders mailing list