WEBVTT

00:00:00.000 --> 00:00:06.390 align:middle line:90%


00:00:06.390 --> 00:00:10.780 align:middle line:84%
Welcome to the Insufficient
Logging and Monitoring session.

00:00:10.780 --> 00:00:14.710 align:middle line:84%
In this first part, we will
focus on threat analysis.

00:00:14.710 --> 00:00:16.900 align:middle line:84%
We will first discuss
what insufficient logging

00:00:16.900 --> 00:00:19.300 align:middle line:84%
and monitoring is and
then how the system can

00:00:19.300 --> 00:00:22.210 align:middle line:84%
be harmed, the impact of
successful exploitation,

00:00:22.210 --> 00:00:24.250 align:middle line:84%
and give you some
insights to identify who

00:00:24.250 --> 00:00:26.320 align:middle line:90%
may want to harm your system.

00:00:26.320 --> 00:00:28.060 align:middle line:84%
Insufficient logging
and monitoring

00:00:28.060 --> 00:00:31.060 align:middle line:84%
is the bedrock of nearly
every major incident, allowing

00:00:31.060 --> 00:00:34.120 align:middle line:84%
attackers' activity
to pass unnoticed.

00:00:34.120 --> 00:00:36.850 align:middle line:84%
In 2016, identifying
a breach took

00:00:36.850 --> 00:00:39.850 align:middle line:84%
an average of 191
days, plenty of time

00:00:39.850 --> 00:00:42.400 align:middle line:90%
for damage to be inflicted.

00:00:42.400 --> 00:00:45.250 align:middle line:84%
And we are not doing
better: in 2019,

00:00:45.250 --> 00:00:48.940 align:middle line:84%
this number grew to 206 days,
plus seventy-three days

00:00:48.940 --> 00:00:51.010 align:middle line:90%
average to contain a breach.

00:00:51.010 --> 00:00:55.950 align:middle line:84%
We are talking about
279 days total.

00:00:55.950 --> 00:00:58.220 align:middle line:84%
You should consider that
any of the other OWASP

00:00:58.220 --> 00:01:00.900 align:middle line:84%
Top 10 risks and
associated vulnerabilities

00:01:00.900 --> 00:01:03.120 align:middle line:90%
may be used as attack vectors.

00:01:03.120 --> 00:01:05.430 align:middle line:84%
Attackers do not exploit
insufficient logging

00:01:05.430 --> 00:01:06.840 align:middle line:90%
and monitoring directly.

00:01:06.840 --> 00:01:08.550 align:middle line:84%
They go after other
vulnerabilities

00:01:08.550 --> 00:01:10.590 align:middle line:84%
an application may
have, and take advantage

00:01:10.590 --> 00:01:12.450 align:middle line:84%
of insufficient
logging and monitoring

00:01:12.450 --> 00:01:14.880 align:middle line:84%
to pass unnoticed and
make their attack last

00:01:14.880 --> 00:01:19.230 align:middle line:84%
longer until the organization
is capable of mitigating it.

00:01:19.230 --> 00:01:22.290 align:middle line:84%
Improper logging and monitoring
leads to longer incident

00:01:22.290 --> 00:01:24.390 align:middle line:84%
response times,
preventing organizations

00:01:24.390 --> 00:01:26.460 align:middle line:90%
from reacting in a timely fashion.

00:01:26.460 --> 00:01:28.860 align:middle line:84%
When the logs do not
include sufficient details

00:01:28.860 --> 00:01:31.320 align:middle line:84%
allowing the organization to
understand the extent of

00:01:31.320 --> 00:01:34.770 align:middle line:84%
attackers' activity, then there's
a loss of accountability.

00:01:34.770 --> 00:01:38.580 align:middle line:84%
The losses are obvious and they
have been reported in the news.

00:01:38.580 --> 00:01:41.280 align:middle line:84%
Behind the damage caused
by attackers' activity,

00:01:41.280 --> 00:01:43.800 align:middle line:84%
organizations may also
be subject to fines

00:01:43.800 --> 00:01:47.950 align:middle line:84%
according to applicable
law and regulations.

00:01:47.950 --> 00:01:51.040 align:middle line:84%
Malicious actors do not directly
exploit insufficient logging

00:01:51.040 --> 00:01:53.170 align:middle line:84%
and monitoring, but it
makes their activities

00:01:53.170 --> 00:01:56.650 align:middle line:84%
unnoticed or at least
harder to detect and track.

00:01:56.650 --> 00:01:59.110 align:middle line:84%
Anyone to whom your
system's data is valuable

00:01:59.110 --> 00:02:01.900 align:middle line:84%
may target your application
to get unauthorized access

00:02:01.900 --> 00:02:03.700 align:middle line:90%
or even control the system.

00:02:03.700 --> 00:02:06.430 align:middle line:84%
Reviewing the threat analysis
part of previous sessions

00:02:06.430 --> 00:02:09.880 align:middle line:84%
may help you identify who
may want to harm your system.

00:02:09.880 --> 00:02:11.650 align:middle line:84%
You should think
about it broadly.

00:02:11.650 --> 00:02:13.480 align:middle line:84%
Depending on your
system's nature,

00:02:13.480 --> 00:02:15.880 align:middle line:84%
foreign nations may
be a threat agent.

00:02:15.880 --> 00:02:18.730 align:middle line:84%
On the other hand, you have
non-target-specific threat

00:02:18.730 --> 00:02:22.420 align:middle line:84%
agents looking for ransom,
employees and contractors,

00:02:22.420 --> 00:02:25.720 align:middle line:84%
terrorists and activists,
and organized crime.

00:02:25.720 --> 00:02:28.130 align:middle line:84%
You'll find this table
in the OWASP Top 10.

00:02:28.130 --> 00:02:31.210 align:middle line:84%
Pause the video and take your
time to carefully read it.

00:02:31.210 --> 00:02:33.130 align:middle line:84%
In the next part,
we will demonstrate

00:02:33.130 --> 00:02:35.380 align:middle line:84%
how attackers take advantage
of insufficient logging

00:02:35.380 --> 00:02:37.330 align:middle line:84%
and monitoring,
while perpetrating

00:02:37.330 --> 00:02:41.500 align:middle line:84%
a credential stuffing attack
on our target application.

00:02:41.500 --> 00:02:42.000 align:middle line:90%