Organisations today face security threats of every kind, from ransomware and phishing to attacks on supply chains and compromise by insiders with malicious intent. Not everything is as straightforward as it seems, however. For example, while many assume that attacks typically emanate from Russia or the Far East, the hostile traffic observed in our research originated far more often from infrastructure in the United States than from either. (Source geography describes where the traffic came from, not necessarily where the attacker sits; attackers routinely operate through compromised or rented hosts in other countries.) This runs against a common perception and suggests that, although many businesses believe they have the full picture of the cyber threats they face, their assumptions are often wrong.
This lack of awareness can prove dangerous: underestimating the scale of the threats, or where they may come from, leaves doors open that cyber criminals will walk through. Some of the most prevalent hostile activity during the past year related to web-application attacks. In the NTT Security 2019 Global Threat Intelligence Report, application-specific and web-application attacks together accounted for over 32 percent of all hostile traffic, making them the top category of hostile activity. The applications in question range from something as simple as a message board or guest book on a website to something as complex as a web-based word processor or spreadsheet.
To lift the lid on some of the most misunderstood issues, let’s take a closer look at the threats, at the motives and malicious actors behind them, at the impact they can have on a business, and finally at what businesses can do to defend themselves.
Web-Based Attacks Explained
Heavily used by threat actors, web-based attacks are those that target vulnerabilities in web applications and in the specific applications exposed through them. Successful exploitation often gives an attacker access to enormous amounts of back-end data, such as supporting databases and systems. Because these attacks target an organisation’s internet-facing applications, they are commonly associated with large, widely publicised data breaches.
Successful exploitation, and the subsequent access to or manipulation of data, can prove catastrophic to an organisation’s finances or reputation, if only because of the sheer volume of data that could be exposed. While attackers tend to exploit older vulnerabilities, the threat from unpatched newer vulnerabilities cannot be ignored, especially in heavily used technologies or in products that are frequently misconfigured, such as content management systems. Such attacks are regularly integrated into automated tools, so it is not uncommon for the volume of these attacks to be very high.
Active Actors and Groups
A large variety of threat actors take advantage of web-application and application-specific attacks. Advanced attackers and nation-state actors develop and weaponise exploits for new vulnerabilities, including vulnerabilities discovered by those same actors. Exploits that prove reliable, mature and high quality are then packaged into exploit toolkits, which are sold to any hostile actor willing to pay for them. Once included in a toolkit, these attacks can be performed with little or no skill. Consequently, attacks that previously might have affected a single target, sector or geographic area can spread rapidly around the globe.
During the course of our own research we observed threat actors ranging from state-sponsored groups to cybercriminals leveraging various application vulnerabilities against multiple sectors. It is worth noting that sophisticated actors can exploit new vulnerabilities quickly, which further emphasises the need to patch critical vulnerabilities as fast as possible.
The Motives Behind Attacks
The goal of a web-application or application-specific attack is driven by the motivation of the actor behind it, and these motivations typically fall into three categories:
- Access: attackers who want to infiltrate the targeted organisation further, or to use its systems as a springboard for attacks against other victims.
- Influence: attackers who use system access to interfere with the target’s operations, typically for hacktivism or extortion.
- Profit: typically the primary motive behind web-application and application-specific attacks. Most often, actors attempt to steal sensitive information such as trade secrets, personal data or financial data.
Application-specific and web-application attacks most often rely on an unpatched vulnerability or a misconfigured system in the targeted environment. The true effectiveness of these attacks stems from two facts:
- New exploits can be very effective if they are developed before patches or detection signatures are released. While patches for many new vulnerabilities are released reasonably quickly, some are not, and even where a patch exists, a weaponised exploit remains effective against every system that has not yet applied it.
- These attacks are regularly automated and conducted using a wide variety of tools, which enables a broader number of attackers to use them. Tools can be used to scan for vulnerable applications, verify the existence of the vulnerability, and attempt to exploit the vulnerability, all with minimal interaction by the attacker.
Often these attacks form one component of a multi-vector attack that also includes social engineering, phishing, stolen credentials and other techniques working alongside the web-based attack. While these non-technical techniques are not themselves part of the web-application or application-specific attack, their use can increase the effectiveness of the more technical attack, for example by supplying valid credentials or an internal foothold from which to reach an application that is not exposed to the internet.
The Risk to Business
Vulnerabilities in the most widely used technologies are typically the main targets of web-application and application-specific attacks. The reality is that any organisation with a web presence is exposed to these attacks, and the larger the web presence, the larger the attack surface. Successful exploitation of these vulnerabilities can lead to system compromise, giving the attacker remote access to the application, its data and the underlying system.
Successful attacks have resulted in significant data breaches. Depending on the breach and the aims of the attacker, these attacks can be either easily detected or quite stealthy. Some breaches may last for an extended period, for example where the attacker is trying to maintain long-term persistence for data theft. Others, such as ransomware and political website defacement campaigns, are detected almost immediately. The 2017 WannaCry ransomware attack provides one of the clearest examples of what can happen when patches are not applied. Although WannaCry spread through a Windows SMB vulnerability rather than a web application, the lesson is the same: a patch for the vulnerability it exploited had been available for about two months, yet many organisations, notably parts of the UK’s National Health Service, had not applied it, and the result was some 200,000 affected computers in at least 100 countries. The attack itself was reported to have cost the NHS £20m, while the subsequent clean-up, including upgrades to its systems, amounted to a further £72m.
Strengthening Your Defence
While no organisation’s security infrastructure can ever be guaranteed to be 100 percent secure, there are a number of steps that can be taken to put you in a position of strength against web-based attacks.
- Prioritise patching and ensure operating system and application patching processes are comprehensive and reliable. The focus should be based on an organisation’s exposure, most critical systems, and highest risk vulnerabilities.
- Segment the network environment. Segmentation can restrict unauthorised movement across an organisation’s environment. If attackers can breach back-end servers, they may be able to access other portions of the network, doing further damage, and possibly gaining a foothold across multiple systems.
- Enforce secure coding. Ensure secure coding techniques (for example parameterised database queries, strict input validation and output encoding) are taught and enforced for all internally developed applications. For third-party applications and tools, use reputable vendors and prioritise those with a verifiable secure development practice.
- Implement application gateway firewalls. Use web application firewalls and application gateways to help protect key internal and external applications. Treat them as a compensating control that buys time and adds visibility, not as a substitute for patching or fixing the underlying code.
- Perform regular vulnerability scanning. Organisations should evaluate their environment regularly, track all discovered vulnerabilities, and prioritise and patch them aggressively. Scan results should be reviewed for trends in the types of vulnerabilities observed, and internal processes and controls adapted to reduce future exposure.
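The secure-coding recommendation above is easiest to appreciate with a concrete case. The following is an added example, not code from the original article or from NTT Security; it uses SQL injection as an illustrative class of web-application vulnerability (the article itself names no specific class), with a constructed in-memory SQLite database and plaintext passwords purely to keep the demonstration short. It places a login check built by string concatenation beside the parameterised version and shows that the same attacker-supplied input bypasses one and not the other.

```python
import sqlite3


def make_db():
    """Build a constructed sample database. Plaintext passwords are a
    simplification for the demo only; real applications store hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "battery staple", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is spliced into the SQL text, so quotes and
    keywords in the input become part of the query's grammar."""
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Hardened: the query text is fixed and the driver passes the values as
    bound parameters, so the input is only ever compared as data."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo():
    """Run both implementations against a legitimate login and two classic
    injection payloads; returns the results so they can be inspected."""
    conn = make_db()
    results = {}

    # Legitimate credentials: both implementations return alice's row.
    results["legit_vulnerable"] = login_vulnerable(conn, "alice", "correct horse")
    results["legit_safe"] = login_safe(conn, "alice", "correct horse")

    # Tautology payload in the password field. In the vulnerable query the
    # WHERE clause becomes  username = 'alice' AND password = '' OR '1'='1'
    # and the OR matches every row.
    tautology = "' OR '1'='1"
    results["tautology_vulnerable"] = login_vulnerable(conn, "alice", tautology)
    results["tautology_safe"] = login_safe(conn, "alice", tautology)

    # Comment payload in the username field: the trailing -- comments out the
    # password check entirely, so the password is never examined.
    comment = "alice' --"
    results["comment_vulnerable"] = login_vulnerable(conn, comment, "wrong")
    results["comment_safe"] = login_safe(conn, comment, "wrong")
    return results


if __name__ == "__main__":
    for name, row in demo().items():
        print("%-20s -> %s" % (name, row))
```

Both payloads log in as the admin user against the concatenated query and return no row against the parameterised one; no input filtering was needed to achieve that, because the fix changes how the query is constructed rather than trying to recognise hostile input. That is why parameterisation belongs in the secure-coding baseline while a web application firewall, which does try to recognise hostile input, is only a compensating control.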
There is no denying that web-based attacks are among the most heavily used techniques of today’s cyber criminals, and that these once opportunistic attacks are now far more organised in nature and widespread in impact. They can have devastating consequences for an organisation’s network that go far beyond the initial compromise, which is why organisations must prepare for the inevitable. A robust and effective security strategy puts an organisation in the best position to decide how to deal with these threats.