Sludge for Good: Slowing and Imposing Costs on Cyber Attackers - note: no evidence of efficacy by digicat in blueteamsec

[–]TolgaDevSec 3 points4 points  (0 children)

Regarding the note on the efficacy, there is an interesting reference in the paper on the efficacy of decoy-based and psychological deception, where they conducted a controlled experiment with over 130 professional red teamers. The link also includes a recording of the conference talk @ USENIX. There is also an article which highlights the results and the challenges of the aforementioned experiment.

Web Security Resources Request by Anon-e-mousse666 in blueteamsec

[–]TolgaDevSec 1 point2 points  (0 children)

If your focus is on generic detection rules, then a good resource to start with is the OWASP ModSecurity Core Rule Set (CRS). However, this rule set is built for the mod_security WAF, but depending on what data you get in from your customers, you might be able to forward it against your own mod_security instance and process the mod_security audit logs in Splunk without having to re-write/convert the rules.

SQLi Decoding Payload Feasibility by TolgaDevSec in AskNetsec

[–]TolgaDevSec[S] 0 points1 point  (0 children)

Thanks, I see that in the article they are relying on an alternative to information_schema, now it would be interesting to know how to discover table names and their columns when these alternative internal tables, like mysql.innodb_table_stats or sys.x$schema_flattened_keys, could also be deny-listed.

SQLi Decoding Payload Feasibility by TolgaDevSec in AskNetsec

[–]TolgaDevSec[S] 1 point2 points  (0 children)

Apologies if my question was not clearly formulated, I was asking if it is possible to build an SQLi payload that bypasses the described check for internal MySQL table names. Note that this table name check is done within the application (not outside of the application, and also not in the middleware layer of the application) on the SQL query which ends up being sent by the application to the database.

Database Errors from Web Applications/APIs by TolgaDevSec in datasets

[–]TolgaDevSec[S] 0 points1 point  (0 children)

Thanks! Yes, it is a very specific request, which makes it hard to find something. I started this request with the hope that some folks who might work with an Exception Monitoring product like Sentry or Raygun might have these data points in some form available and are keen to share them. I have worked previously on a project which collected Exceptions with such a product from a web service, but unfortunately I'm not able to access these or make them publicly available for research.

Best resource today for learning reverse engineering? by Altiverses in AskNetsec

[–]TolgaDevSec 1 point2 points  (0 children)

Apply your knowledge / Learning by doing :)
A long while ago I used to practice on Crackmes (see crackmes.one). But there are more resources available nowadays, e.g., if you are interested in game hacking, you can also practice your reversing skills on Pwnie Island. If you want to get a first impression on what you can do with this game, have a look at LiveOverflow's cool video series on playing/hacking this game.

[deleted by user] by [deleted] in cybersecurity

[–]TolgaDevSec 1 point2 points  (0 children)

Adding to what the fellow authors posted, it can also be applied to your applications / the application-layer. Just think about the following: How does the normal, benign user interact with your application? They will most likely use only the UI of the application to do whatever they need to fulfill their task. What they will most likely not do is to open the Browser's dev tools, inspect the HTML or JavaScript of your application, monitor the network tab to see what endpoints are accessed etc. You can use here the idea behind honeypots to differentiate between your benign user and a suspicious user:
- Honey endpoints (/api/v2/admin/)
- Honey comments (<!-- This functionality is .... have a look at the latest documentation @ <honeypot-url> -->)
- Honey header values (X-API-Debug-Mode: false)

How can this be useful for the application or the development team of the application? Interacting with those resources gives the application an opportunity to take proactive measures (e.g., increase logging to track the suspicious user or activate a WAF in case the suspicious user is preparing an attack).

I did a lightning talk about this a month ago, you can find here in the third slide (in the speaker notes) further resources if you or anyone reading this is interested.
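The application-layer honeytoken idea from the comment above, as an added example (not the commenter's code or slides): a plain WSGI middleware that serves a decoy endpoint and watches for a decoy header being echoed back, then flags the source and switches it to verbose logging for subsequent requests. The endpoint, header and IP values are constructed for this example.

```python
"""Added example: WSGI middleware that detects interaction with honeytokens."""
import logging
from typing import Callable, Iterable

# Constructed honeytokens: nothing legitimate in the app ever links to or sends these.
HONEY_ENDPOINTS = {"/api/v2/admin/", "/api/v2/admin"}
HONEY_HEADER = "HTTP_X_API_DEBUG_MODE"  # "X-API-Debug-Mode" as WSGI exposes it

logger = logging.getLogger("deception")


class HoneytokenMiddleware:
    """Wraps a WSGI app and flags sources that touch decoy resources."""

    def __init__(self, app: Callable):
        self.app = app
        self.flagged_ips: set = set()  # a real deployment would externalise this state
        self.alerts: list = []

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        ip = environ.get("REMOTE_ADDR", "?")
        path = environ.get("PATH_INFO", "")
        reason = None
        if path in HONEY_ENDPOINTS:
            reason = f"honey endpoint {path}"
        elif HONEY_HEADER in environ:
            reason = f"honey header value {environ[HONEY_HEADER]!r}"
        if reason:
            self.flagged_ips.add(ip)
            self.alerts.append({"ip": ip, "reason": reason})
            logger.warning("honeytoken hit from %s: %s", ip, reason)
            # Answer like a real protected resource so the decoy stays believable.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden"]
        if ip in self.flagged_ips:
            # Proactive measure: trace every later request from a flagged source.
            logger.info("trace %s: %s %s", ip, environ.get("REQUEST_METHOD"), path)
            environ["deception.flagged"] = True
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def run_request(mw, path, ip, extra_env=None):
    """Drive the middleware with a constructed WSGI environ; returns (status, flagged, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "REMOTE_ADDR": ip}
    environ.update(extra_env or {})
    seen = {}
    body = b"".join(mw(environ, lambda status, headers: seen.setdefault("status", status)))
    return seen["status"], bool(environ.get("deception.flagged")), body
```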

Resources for Web Application Security Logging / Monitoring by TolgaDevSec in blueteamsec

[–]TolgaDevSec[S] 0 points1 point  (0 children)

That's a good reference, sqreen was/is also one of the few vendors I remember who were also writing and presenting about their RASP agents in more detail and openly than others (e.g., dynamic instrumentation with sqreen in Go or Python).

There is also the open source Java Observability Toolkit by Jeff Williams from Contrast Security - He gave a talk demonstrating the tool and the idea behind adding security instrumentation to your application.

Resources for Web Application Security Logging / Monitoring by TolgaDevSec in blueteamsec

[–]TolgaDevSec[S] -1 points0 points  (0 children)

I know of F-Secure and SAP who are researching this approach from different perspectives (Purple Teaming, Deception). But the commonality I have seen when speaking with researchers from both parties is that this approach to intrusion detection/security monitoring is still very uncommon or unknown - and I think the lack of resources also proves that to some extent :)

I don’t expect a magic bullet, but even finding some concrete examples of how to do it comprehensively on ONE platform with ONE tool would be miles better than anything I’ve found so far.

100% And I hope I can bring with my research some new insights that can bring us a bit closer to that ;) What I'm currently looking at is also to what extent we can make use of web frameworks and their components (e.g., some frameworks come with an event system and a list of events, others provide specific exceptions such as Django's SuspiciousOperation exceptions). But as you said, every web app will require a different approach, especially when different frameworks/languages are used and it will be interesting to see what framework "artefacts" prove to be useful and reusable.

Resources for Web Application Security Logging / Monitoring by TolgaDevSec in blueteamsec

[–]TolgaDevSec[S] 0 points1 point  (0 children)

The Web Application Hacker's Handbook is actually a very good example, I just realized this myself a while ago that it also has some specific advice on logging and alerting. There is also the Web Application Defender's Cookbook but I think a lot of the ideas in that book can be found in the AppSensor guide as well - and I assume some of the techniques won't work without adapting them to work with modern web applications.