Since email’s inception in the 1970s, the number of third-party apps and systems we rely on has only increased throughout the last decades. Nowadays, enterprise app sprawl has bloated to the average department relying on dozens of apps. The production of these apps has increased, too, frantically keeping pace. These have overwhelmingly left one component gasping in the dust: security.
Cybersecurity is already on the back foot. Third-party solutions such as Web Application Firewalls (WAF) are no longer mere suggestions to help keep your organization up to date; a headache-free WAF is now a necessity.
Exploits Outpace Patches
Software development runs in cycles. Following an agile framework, teams will work in week- or fortnight-long sprints. After each iteration, product teams deliver a working app, collecting feedback and re-aligning goals, before beginning the next sprint. This process is very rapid, and focuses on bringing the Minimum Viable Product (MVP) to the marketplace. Makes perfect sense from an economic perspective – after all, only an operating app can make money. However, one major flaw of this development process is in its habitual oversight of security. 3 out of 4 apps produced by software vendors do not meet OWASP Top 10 standards, meaning that they fall foul of the most common vulnerabilities.
The majority of security flaws are identified and then patched – in that order. Even worse, the average patching time is between 60 to 150 days.
Compare that with the dark market software supply chain. Many pieces of malware operate on a ransomware-as-a-service model; here, affiliates will pay the original developers a set amount, in order to utilize their malicious code. This is often a percentage of what the affiliates gain from a successful ransom. The business model that these cybercriminals rely on is inherently viral, as the same code can be replicated and weaponized against millions of potential victims. Even worse – once a RaaS gains a successful reputation, more and more affiliates join, seeking their own piece of the pie.
Finding and exploiting vulnerabilities naturally outpaces patching, which is why vulnerability catalogs play a vital role in maintaining the health of the overall security environment. Common vulnerabilities, once discovered in the wild or by researchers, are assigned a CVE code. Many of these are then cataloged in industry-specific lists. For example, CISA maintains an authoritative source of vulnerabilities. It is mandatory that federal and state bodies adhere to the patch requirements included.
The number of vulnerabilities within catalogs such as the US National Vulnerability Database has skyrocketed in the past few years; 2021 saw 18,374 vulnerabilities discovered in production code. Interestingly, however, there were fewer high severity bugs than in 2020, indicating that attacks are becoming increasingly multi-faceted and complex.
Some of 2021’s vulnerabilities were relatively niche; others were massive. Microsoft Exchange is one of the largest mail servers available, used by hundreds of thousands of organizations around the world. Multiple vulnerabilities were found in this server throughout 2021, one of the worst of which was the ProxyShell attack.
ProxyShell and ProxyLogin both refer to attack chains that focus on privilege escalation and authentication bypassing. Attack group HAFNIUM made particular use of this vulnerability, targeting US-based organizations across infectious disease research, charities, and higher education. Across the world in the Middle East, researchers noted that this attack chain was often utilized to implant ransomware.
It Just Gets Worse
While new vulnerabilities are discovered daily, many attacks in the wild continue to rely on old vulnerabilities.
Equifax’s massive data breach in 2017 was caused by a months-old weakness in the Apache struts function. Apache struts is an open-source web app framework that in this case was used for form data. The vulnerability meant that without logging in, without even uploading any form data at all, an attacker could perform remote code execution.
The initial data breach saw the login credentials of employees being stolen. The attacking group then used these details to gain access to Equifax’s credit monitoring databases. From there, they exfiltrated the private records of almost 150 million Americans, 15 million British citizens, and 19,000 Canadian citizens.
As of this year, the data has not been put up for sale on the dark web: this is because it was an act of political espionage by the CCP-founded hacking group People’s Liberation Army.
How to Keep Ahead
Given the distance between an exploit’s discovery and its use in a genuine attack, you’d be forgiven for thinking that data breaches are merely the cost of doing business. Many organizations already hold this philosophy, particularly as they grow.
However, this kind of thinking is a complete failure to both your customers and stakeholders. Ransomware criminals in particular operate off the assumption that businesses will pay them to go away. Simply ignoring the problem – or worse, procrastinating on a solution – directly encourages these criminals.
The answer lies in virtual patching. Sometimes called vulnerability shielding, virtual patches act as a temporary bandage to prevent a known or unknown vulnerability from being exploited. Solid virtual patching implements layers of policies that identify, prevent and intercept an exploit from making its way from the attacker to your critical systems.
A Web Application Firewall (WAF) is a firewall that encopasses an app. Monitoring the perimeters, the WAF will compare every connection it makes with its own customizable white- and black-list. A positive WAF model will allow any connection apart from a select few; whilst a negative WAF model only allows specific connections. This latter option should be default for non-public facing pieces of infrastructure, as it inherently prevents attackers from hijacking and gaining control via a third-party command and control server. A well configured WAF frees up your time and resources for the critical security tasks that matter.
The second layer of virtual patching should be your Runtime application self-protection (RASP) solution. This sits within the app itself, directly monitoring its behaviors. Once it spots any behavior deemed un-normal, it reports it and can terminate the activity. This allows for the prevention of even brand new, zero-day attacks, such as the Microsoft Exchange ProxyShell issue.