As businesses improve security, cyber attackers find new weak points and online attacks evolve. Today’s web apps use numerous third-party scripts, which expand the security perimeter to include the browser and leave any business without a true end-to-end security solution in place vulnerable to attack.
For example, early denial-of-service (DoS) attacks were not as sophisticated as today’s botnet-powered DDoS attacks, which are far more advanced and targeted. The goal of a distributed denial-of-service (DDoS) attack is to prevent access to a particular online resource by overloading it. So, in the past, a hacker would take over a computer at an organization with a lot of bandwidth, such as a university, to overload a website hosted on a smaller network.
Today, hackers are more advanced and create botnets made up of thousands of internet-connected devices. Because the devices are spread out across hundreds of locations, botnet DDoS attacks are impossible to stop using traditional methods such as a firewall or IP blocking. Just one example of this is the Mirai botnet, which took down internet sites such as Twitter, Netflix, and CNN and disrupted internet access across the country of Liberia.
Below are three more examples of how the most common types of web application attacks have evolved.
Sophisticated bots impersonate human behavior
Nearly 40 percent of web traffic comes from bots, and approximately 1 in every 5 requests comes from bad bots scanning for passwords or exploitable software bugs. Bots used to be simple to spot: a large number of requests in a short period of time, or requests coming from an older browser, clearly signaled non-human activity.
But today’s attackers are getting more sophisticated as technology gets more advanced — they can now program bots to mimic human actions, such as mouse movement and multi-page navigation. Server-side protections fail to block these bad bots because of their seemingly human behavior.
Mobile applications and APIs create new battlefields
Application programming interfaces (APIs) are creating new battlefields, opening up many doors and creating more security holes that are prime for exploitation. In addition to helping to power native mobile applications, third-party APIs are one of the most common ways for developers to access fully functional third-party services that can then be leveraged to complement their own product or service.
Unfortunately, the APIs powering mobile applications and other service functionality have become a target for cybercriminals. API traffic doesn’t have natural browsing patterns, so it can be difficult to determine whether traffic is legitimate based on server monitoring alone. In addition, because APIs are often seen as the back-end to another application, organizations frequently omit the protections that should be applied to them, and as a result businesses end up leaving APIs open to attack.
After gaining access, attackers often plant seeds for multiple future attacks. For example, one in five businesses compromised by Magecart malware are back on the defensive within ten days. Here’s an example from bedding retailer MyPillow.com.
The first attack used a skimming script that loaded from mypiltow.com – using a “t” in place of the second “l” in the domain name. The hackers even obtained an SSL certificate for this domain to cloak their activity.
After the initial attack was discovered, the hackers changed tactics. The next attack utilized a domain called livechatinc.org, a slight variation of the valid live chat application used by MyPillow, livechatinc.com. The hackers proxied the standard script used by LiveChat and appended their skimming code below it.
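Both lookalike domains above can be caught on the defender's side by comparing every external script host on a page against an allowlist and flagging near-miss spellings. The following Python is an added example, not code from the post or from Instart; the allowlist, the sample HTML, the host names and the edit-distance threshold are constructed assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed allowlist of script hosts a site operator expects to see (not MyPillow's real config).
ALLOWED_HOSTS = {"www.mypillow.com", "cdn.livechatinc.com"}
# Constructed page: first-party scripts, the chat widget, and lookalike hosts modelled on the post.
SAMPLE_HTML = """
<script src="https://www.mypillow.com/js/app.js"></script>
<script src="/local/cart.js"></script>
<script src="https://mypiltow.com/js/skim.js"></script>
<script src="//livechatinc.org/widget.js"></script>
<script src="https://cdn.unrelated-analytics.example/a.js"></script>
"""

def levenshtein(a, b):  # edit distance: insertions, deletions, substitutions
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sld(host):  # second-level label, e.g. "livechatinc" for cdn.livechatinc.org (naive for multi-part TLDs)
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host

class ScriptSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser lowercases tag and attribute names
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

def audit_script_hosts(html, allowed=ALLOWED_HOSTS, max_dist=2):
    """Return (src, host, verdict, closest_allowed) for each external script host not on the allowlist."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        host = urlparse(src).netloc.lower()
        if not host or host in allowed:  # relative src is first-party; allowlisted host is expected
            continue
        closest = min(allowed, key=lambda h: levenshtein(sld(host), sld(h)))
        dist = levenshtein(sld(host), sld(closest))
        # near-miss label (one letter off, or same label under another TLD) = lookalike; else unapproved third party
        verdict = "lookalike" if dist <= max_dist else "unknown-third-party"
        findings.append((src, host, verdict, closest))
    return findings
```

Running the audit over a page as part of a build or synthetic-monitoring check surfaces a typosquatted or wrong-TLD script host before a customer ever loads it.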
Shield your business against cyberattacks with an end-to-end security platform
Any business with an online presence needs an end-to-end security platform that offers layered protection from the origin to the edge and then additional deep client-side capabilities that extend to the browser. The old perimeter-based protection solutions are no longer sufficient for keeping web apps safe.
With the explosion of modern browsers and devices, and the way attacks are evolving, it’s essential to secure applications beyond the edge in the browser — or businesses will find themselves falling victim to the attack types above. Today’s bot attacks, API exploitation, DDoS attacks, and Magecart web skimming attacks are leveraging the architecture of modern apps and using their insecure nature to attack outside the traditional security perimeter. Appliance and edge-focused security solutions are no longer enough — failure to evolve can lead to being compromised.
The Instart web application and API protection (WAAP) platform is the first cloud-based application security solution to deliver complete, best-in-class protection to easily adapt to emerging threats. Instart’s security products are powered by deep visibility, intelligence, and automation that secure the end-to-end delivery of web applications and APIs. By protecting the entire traffic path of your application, from origin to the browser, Instart enables you to secure your entire application infrastructure, keeping out threats and preventing data exfiltration.
Establish a secure perimeter where your web apps are being used — the browser — and prevent even the most sophisticated application cyber attacks.
*** This is a Security Bloggers Network syndicated blog from Instart blog RSS authored by Jon Wallace. Read the original post at: https://www.instart.com/blog/attackers-are-smarter-protect-yourself