Threat Analaysis

Welcome to Insufficient Logging and Monitoring session. In this first part, we will focus on threat analysis. We will first discuss what insufficient logging and monitoring is and then how the system can be harmed, the impact of successful exploitation, and give you some insights to identify who may want to harm your system. Insufficient logging and monitoring is the bedrock of nearly every major incident, allowing attackers’ activity to pass unnoticed. In 2016, identifying a breach took an average of 191 days, plenty of time for damage to be inflicted.

And we are not doing better: in 2019, this number grew to 206 days, plus seven to three days average to contain a breach. We are talking about 279 days total. You should consider that any of the other OWASP Top 10 risks and associated vulnerabilities may be used as attack vectors. Attackers do not exploit insufficient logging and monitoring directly. They go after other vulnerabilities an application may have, and take advantage of insufficient logging and monitoring to pass unnoticed and make their attack last longer until the organization is capable of mitigating it. Improper logging and monitoring leads to longer incident response times, preventing organizations to react in a timely fashion.

When the logs do not include sufficient details allowing the organization to understand attackers’ activity extent, then there’s a loss of accountability. The losses are obvious and they have been reported in the news. Behind the damage caused by attackers’ activity, organizations may also be subject to fines according to applicable law and regulations. Malicious actors do not exploit directly insufficient logging and monitoring, but it makes their activities unnoticed or at least harder to detect and track. Anyone to whom your system’s data is valuable, may target your application to get an unauthorized access or even controlling the system. Reviewing the threat analysis part of previous sessions may help you identifying who may want to harm your system. You should think about it broadly.

Depending on your system’s nature, foreign nations may be a threat agent. On the other hand, you have a non-target specific threat agents looking for ransom, employees and contractors, terrorists and activists, and organized crime. You’ll find this table in OWASP Top 10. Pause the video and take your time to carefully read it. In the next part, we will demonstrate how attackers take advantage of insufficient logging and monitoring, while perpetrating a credential stuffing attack on our target application.