Why web apps are one of this year’s leading attack vectors



Cybercriminals’ ingenuity at bypassing the latest web application firewalls is turning internet apps into the fastest-growing attack vector this year. Public-facing web apps are now the most widely used attack vector to penetrate an organization’s perimeter. Attacks that start in web apps increased from 31.5% in 2020 to 53.6% in 2021, according to a recent report by Kaspersky’s Global Emergency Response Team. 

Protecting web apps is a moving target 

Identifying internet app intrusion attempts, attacks and breaches with automated threat detection is getting more challenging. Cybercriminals rely on stolen privileged-access credentials and use living-off-the-land (LOTL) techniques that rely on PowerShell, PsExec, Windows Management Instrumentation (WMI) and other common tools to avoid detection while launching attacks.

PsExec, Mimikatz and Cobalt Strike continued to be among the most popular attack tools in 2021. As a result, 71% of intrusion attempts are malware-free, making them more challenging to identify, much less stop. It takes a cybercriminal just one hour and 24 minutes to move laterally across a network once they’ve compromised an attack vector, according to CrowdStrike’s 2022 Falcon OverWatch Threat Hunting Report. 
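The LOTL tooling named above (PsExec, WMI, PowerShell) leaves characteristic parent/child process traces that a detection engineer can hunt for even when no malware binary is present. The following is an added example, not code from the article or from any of the vendors it cites: a small Python rule set run over constructed Windows process-creation events (fields modelled loosely on Sysmon Event ID 1 / Security 4688). The event data, rule names and severities are assumptions for illustration.

```python
"""Flag living-off-the-land lateral-movement patterns in process-creation events.

Added example, not from the article. The events below are constructed
(not real telemetry) and the rule names/severities are illustrative.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample events resembling Sysmon EID 1 fields.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"host": "srv02", "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Windows\\PSEXESVC.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "srv03", "user": "CORP\\svc-backup",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"host": "ws04", "user": "CORP\\bob", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"host": "ws05", "user": "CORP\\carol", "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\PSEXESVC.exe", "cmdline": "C:\\Windows\\PSEXESVC.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Parents that indicate remote execution: PsExec's service stub on the target,
# and the WMI provider host spawning a process on behalf of a remote caller.
REMOTE_EXEC_PARENTS = {"psexesvc.exe": "psexec", "wmiprvse.exe": "wmi"}
# PowerShell accepts abbreviated switches, so match -e, -ec, -enc and -encodedcommand.
ENCODED_PS = re.compile(r"(?i)\s-e(?:c|nc(?:odedcommand)?)?\s")
HIDDEN_OR_NOPROFILE = re.compile(r"(?i)\s-(?:nop|noprofile|w\s+hidden|windowstyle\s+hidden)\b")


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    severity: str


def evaluate_event(ev):
    """Return the list of findings (possibly empty) for one process-creation event."""
    image = ntpath.basename(ev["image"]).lower()
    parent = ntpath.basename(ev["parent"]).lower()
    cmd = ev["cmdline"]
    findings = []
    # PsExec installs and starts PSEXESVC on the target before running the command.
    if image == "psexesvc.exe":
        findings.append(Finding(ev["host"], ev["user"], "psexec_service_started", "medium"))
    # A shell whose parent is the PsExec service or WmiPrvSE is remote execution.
    if parent in REMOTE_EXEC_PARENTS and image in SHELLS:
        findings.append(Finding(ev["host"], ev["user"],
                                f"shell_spawned_via_{REMOTE_EXEC_PARENTS[parent]}", "high"))
    # Encoded command plus hidden window / no profile is a classic LOTL evasion combo.
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(cmd) \
            and HIDDEN_OR_NOPROFILE.search(cmd):
        findings.append(Finding(ev["host"], ev["user"], "encoded_hidden_powershell", "high"))
    return findings


def scan(events):
    """Run every rule over every event and collect the findings."""
    out = []
    for ev in events:
        out.extend(evaluate_event(ev))
    return out


def hosts_by_severity(findings, severity="high"):
    """Distinct hosts with at least one finding of the given severity, sorted."""
    return sorted({f.host for f in findings if f.severity == severity})


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.host:6} {f.user:22} {f.rule}")
```

Only the encoded-and-hidden combination is flagged; a plain `-File` invocation from Explorer (event four) produces nothing, which keeps the rule usable on hosts where administrators run scheduled scripts.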

API attacks are the fastest-growing attack strategy on web apps by a wide margin. There has been a 117% increase in API attack traffic over the last year, while overall API traffic grew 168%. Enterprises say stopping attacks by improving API security is their most urgent challenge, followed by identifying which APIs expose PII or sensitive data. In addition, cybercriminals look to APIs as a quick means to bypass web app security and gain access to networks, often staying there for months undetected.


“Web application is the number one vector and, not surprisingly, is connected to the high number of DoS attacks. This pairing, along with the use of stolen credentials (commonly targeting some form of a web application), is consistent with what we’ve seen for the past few years,” according to the 2022 Verizon Data Breach Report. 80% of all breaches start in web applications, which are breached through stolen access credentials, backdoor attacks, remote injection and desktop-sharing software hacks.

Every device’s identity is a new security perimeter

Web application firewalls (WAF) and reverse proxies aren’t slowing the pace of intrusion and breach attempts on managed and unmanaged devices. One reason is that WAFs aren’t designed to enforce least-privileged access, provide granular rights and policy controls or support microsegmenting a network. In addition, because of a large number of false positives, many organizations run their WAFs in “alert” mode rather than having them block attacks. At the same time, a recent survey indicated that at least half of application layer attacks bypassed WAFs.

Complicating matters further is the new distributed work environment that most organizations need to support. Users connect from diverse and changing IP addresses and a mix of managed and unmanaged devices. The use of BYODs and unmanaged devices is particularly problematic, as evidenced by Microsoft’s recent report that 71% of ransomware cases are initiated by unmanaged internet-facing devices.

In today’s gig economy, contractors have become vital to every organization’s workforce. They rely on unmanaged devices to get work done, creating third-party access risk. Even managed devices are a security threat, as they’re often over-configured with endpoint security agents. Absolute Software’s Endpoint Risk Report found that, on average, every endpoint has 11.7 agents installed, each creating potential software conflicts and degrading at a different rate. Absolute Software’s report also found that the majority of endpoints (52%) have three or more endpoint management clients installed, and 59% have at least one identity access management (IAM) client installed. Attempting to fortify unmanaged and managed devices by overloading them with agents isn’t working.

Unfortunately, WAFs stop less than 50% of application layer attacks and are known for generating false positive alerts. Security teams have been known to turn alerts off, given how many are false, leaving applications and the data they contain only partially secured. 
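The two WAF failure modes described above (running in “alert” mode because of false positives, and teams turning alerts off) are worth seeing side by side. The following is an added example, not code from the article or any WAF product: a minimal anomaly-scoring request filter in Python, in the spirit of rule sets that sum per-rule scores against a threshold. It shows that a detection-only mode lets a scoring request through, that block mode stops it, and that a scoped rule exclusion removes a known false positive without switching the engine or its alerts off. The rules, paths, requests and threshold are constructed for illustration.

```python
"""Anomaly-scoring request filter: detection-only vs blocking, plus scoped exclusions.

Added example, not from the article. Rules, requests and threshold are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    rule_id: int
    pattern: re.Pattern
    score: int
    description: str


# Constructed rules, loosely in the style of anomaly-scoring WAF rule sets.
RULES = [
    Rule(1001, re.compile(r"(?i)(union\s+select|or\s+1\s*=\s*1)"), 5, "SQL injection phrase"),
    Rule(1002, re.compile(r"(?i)<script\b"), 5, "HTML script tag"),
    Rule(1003, re.compile(r"\.\./"), 5, "Path traversal sequence"),
    Rule(1004, re.compile(r"(?i)\bselect\b"), 2, "SQL keyword (noisy on its own)"),
]
THRESHOLD = 5  # a request scoring at or above this is an alert (and a block in "On" mode)

# Constructed requests: one real injection attempt, one legitimate forum post that
# happens to contain SQL keywords (the false positive), one traversal attempt, one benign.
SAMPLE_REQUESTS = [
    ("/login", {"user": "alice", "pw": "x' OR 1=1 --"}),
    ("/forum/post", {"body": "How do I use UNION SELECT in MySQL?"}),
    ("/files", {"name": "../../etc/passwd"}),
    ("/search", {"q": "red sofa"}),
]


@dataclass
class Decision:
    path: str
    score: int
    matched: list
    blocked: bool


@dataclass
class Waf:
    mode: str = "DetectionOnly"                   # "DetectionOnly" alerts only; "On" blocks
    exclusions: dict = field(default_factory=dict)  # path -> set of rule ids to skip there
    alerts: list = field(default_factory=list)

    def inspect(self, path, params):
        """Score one request; record an alert at threshold; block only in "On" mode."""
        skipped = self.exclusions.get(path, set())
        score, matched = 0, []
        for rule in RULES:
            if rule.rule_id in skipped:
                continue
            # A rule counts at most once per request, whichever parameter it hits.
            if any(rule.pattern.search(value) for value in params.values()):
                score += rule.score
                matched.append(rule.rule_id)
        alert = score >= THRESHOLD
        if alert:
            self.alerts.append((path, score, matched))
        return Decision(path, score, matched, blocked=(alert and self.mode == "On"))


def run_scenario(mode, exclusions=None):
    """Inspect every sample request under the given mode and exclusions."""
    waf = Waf(mode=mode, exclusions=exclusions or {})
    return [waf.inspect(path, params) for path, params in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for label, mode, excl in [("detection-only", "DetectionOnly", None),
                              ("blocking", "On", None),
                              ("blocking + exclusion", "On", {"/forum/post": {1001}})]:
        print(f"== {label} ==")
        for d in run_scenario(mode, excl):
            print(f"{d.path:12} score={d.score:2} rules={d.matched} blocked={d.blocked}")
```

In detection-only mode every request is admitted, including the login injection and the traversal attempt, which is the exposure the article describes. In blocking mode the forum post is blocked too, because its legitimate text trips rule 1001. The fix that keeps protection intact is the scoped exclusion `{"/forum/post": {1001}}`: rule 1001 is skipped on that one path, the post now scores only 2 and passes, while `/login` and `/files` are still blocked and alerts elsewhere are untouched.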

A zero trust-based approach that tracks every device’s identity down to the browser session is needed as a suitable security perimeter for the web app age.

Running web apps more securely  

Firewalls try to secure, control and filter the traffic flowing between each device and the app it is attempting to access. Browser isolation takes a different approach: it runs web apps more securely by creating a gap between networks and apps on the one hand and malware on the other. Remote browser isolation (RBI) runs all sessions in a secured, isolated cloud environment, enforcing least-privilege application access at the browser session level. This alleviates the need to install and track endpoint agents/clients across managed and unmanaged devices and enables simple, secure BYOD access, allowing third-party contractors to work on their own devices.

Each application access session is configurable for the specific level of security needed. For example, cybersecurity teams are using application isolation to define user-level policies that control which application a given user can access and which data-sharing actions they’re permitted to take. Common controls include DLP scanning, malware scanning and limiting cut-and-paste functions, including clipboard use, file upload/download permissions, and permissions to enter data into text fields. Vendors who have adapted their RBI solutions to support application access security include Broadcom, Ericom and Zscaler. 

In addition to the access and data-sharing controls, the RBI approach also secures web apps’ exposed surfaces, protecting them from compromised devices and bad actors while ensuring legitimate users have full access. The air-gapping technique blocks the risk that hackers or infected machines pose when they attempt to probe web apps for vulnerabilities to exploit, because they have no visibility into page source code, developer tools or APIs.

Ericom ZTEdge’s approach to application isolation is called web application isolation (WAI), a unique approach to leveraging RBI to secure BYOD and unmanaged device access to public or private web and cloud applications. Image source: Ericom.

Ericom says that its customers find that WAI is also effective in masking applications’ attack surfaces, enabling organizations to gain greater protection against the OWASP Top 10 Web Application Security Risks.

Top 10 Web App Security Risks
Isolating web apps by relying on RBI to create secure, isolated air gaps between apps, systems and malware attempts can secure some of the OWASP Top 10 most critical security risks for web applications. Source: OWASP Top Ten.

Zero trust for secure browser sessions

Cybercriminals continue to discover new ways to bypass WAF and reverse proxies, successfully launching intrusions and breaches of web apps at a growing rate. Securing web apps is also becoming more challenging as the number of unmanaged devices continues to grow exponentially. Greater reliance on outside contractors, suppliers, sales and distribution networks is putting a strain on IT and security teams to secure the growing base of unmanaged devices. Additionally, installing agents on third-party systems is fraught with compatibility and scale challenges. 

With security teams stretched thin already, there needs to be a more efficient way to secure every device and browser, ideally using zero trust as the framework. Securing web apps by using RBI solves that challenge at the browser and session level — and removes the need for agents on every device. What’s noteworthy is that this framework enables users of unmanaged devices to work virtually without exposing corporate applications or data to intrusion attempts or threats. This is the way forward for a zero-trust strategy for simplified clientless security that protects corporate applications and their sensitive data. 

Originally appeared on: TheSpuzz
