The application layer is critical when building security infrastructures, says Rodney Joffe, SVP and Fellow, Neustar and Chairman of the Neustar International Security Council.
Today’s applications are more complex than early Internet pioneers could have predicted. While innovation in this space has been critical to the digital age, it has also left applications vulnerable to new and constantly evolving cyber threats.
As we entered into 2020, the Covid-19 pandemic forced the majority of office workers to work from home overnight. IT departments across the world were given very little time to respond, and their main focus was on enabling remote working and processes as fast as possible.
This rapid acceleration to become digital-first left many organisations vulnerable to cyber-attacks, with hackers using every technique at their disposal to take advantage of the situation. While large-scale DDoS attacks remain devastating and ubiquitous following successive lockdowns, threats to the application layer have become even more insidious in nature, given that they are increasingly difficult to detect.
Recent research from the Neustar International Security Council (NISC) revealed that almost 30pc of cybersecurity professionals find it difficult to alter their Web Application Firewall (WAF) policies to guard against the shifting application threat landscape. There are a number of reasons why this may be, including a lack of collaboration between application development and security teams, leaving many applications with vulnerabilities that cybercriminals waste no time in identifying and exploiting.
So, what can organisations do to strengthen their defences?
The path of least resistance
While attacks have heightened amid the pandemic, guarding application layer has been a challenge for security teams for years now. The containerised, microservices-orientated environment we now operate within differs dramatically to IT architectures of the past. Modern-day applications no longer require direct connections like legacy monolithic applications. Instead, they can exist in a variety of locations, from the data centre and to the cloud. This complexity enables a great deal of benefits, such as scalability, productivity and flexibility, but it has also led to an increased level of risk.
The application layer has also expanded to include APIs and content management systems (CMSs). Cybercriminals are, unsurprisingly, aware of this larger attack surface, targeting both the ‘front end’ of applications, the APIs, and the applications behind them.
When it comes to application attacks, it’s important to note that the majority of hackers are opportunists. More often than not, they chose the path of least resistance – the method that takes them the least amount of time, effort and risk to execute. As a result, cheap and simple tactics such as bot-driven reconnaissance are a popular option. This is where bots scan and probe for insight about web applications and underlying infrastructure, such as the APIs and CMSs. The goal here is to uncover information that can be paired with known, unpatched vulnerabilities. Cybercriminals can then use this to launch attacks on organisations using the applications in question.
A “vertical cascade” attack is another way hackers can exploit the application layer. This involves taking advantage of a vulnerability discovered during a recon. By analysing the vulnerability in further detail, a hacker can identify that it is unique to the same “industry vertical” as the original victim business. The shared customer requirements of organisations within the sector are often the tell-tale clue, given that most of these companies will use a plug-in, routine or mechanism created specifically for the industry. Over the last year, the “vertical cascade” technique has grown in uptake, which can be attributed to security gaps left by organisations that moved quickly to make their digital services more effective during the pandemic.
Targeted attacks against front-end systems are rarer as they are expensive and take a lot of time to execute, but if successful, they can lead to extremely damaging consequences for a brand. This attack type consists of cybercriminals spotting a vulnerability in an organisation’s web presence and exploiting it. The hackers involved are typically looking to steal sensitive data such as financial credentials, customer or patient information or intellectual property.
WAFs: a crucial part of the application security stack
Defending against the myriad of application threats that exist today requires having a thorough understanding of industry exploits, where all your assets reside, and what is being used to power your applications, including the APIs and CMSs.
Within organisations, an API-capable, cloud-based WAF is a core part of the application security stack – and a critical way to gain always-on awareness. This provides protection against common attacks – outlined in the OWASP Top Ten – across all locations of an organisation’s IT infrastructure. What’s more, a WAF allows businesses to “virtually patch” applications and implement an extra layer of protection to stop attacks from breaching their defences. Acting as a plaster, this provides a short-term fix until security teams come up with a longer-term solution. In addition, WAFs can be enhanced with third-party, 24/7 security resources, which can help address the challenge of keeping WAF security up-to-date.
Businesses should also build their awareness of industry vulnerabilities and breaches. Cybercriminals will jump on a piece of widely adopted exploitable code as soon as it’s been discovered, so it’s vital that a virtual patch is implemented as soon as possible.
As applications become more innovative and intricate, we can only expect threats to increase. Organisations should prioritise application security to make the most of these modern advances, while protecting all areas of their business.
