SBN

Web-based threats your organization needs to prepare for

The modern business faces a bevy of threats every day, and knowing which ones are likely to reach your network makes all the difference. Recent reports suggest that web-based attacks are the most common and make victims of unsuspecting employees who are likely to click on a malicious link or download a dangerous attachment.

 

Unfortunately, these threats are becoming increasingly successful as hackers adopt more sophisticated methods. Couple that with knowledge workers spending 75 percent of their workday in web browsers or virtual meetings, and it’s clear that today’s real offices are no longer separated by walls, but by mere tabs in a browser that must be secured.

 

The 2021 CyberEdge Cyberthreat Report found that more than 85 percent of organizations have been compromised by at least one successful attack (an increase from 80 percent in 2020). Even more startling, nearly 40 percent of organizations have been compromised by six or more attacks, a significant increase from 35 percent in 2020. Data from the recently released Verizon Data Breach Investigations Report (DBIR) backs up these findings, pointing to web applications as the top attack vector for breaches, accounting for 90 percent of the observed attacks.

 

Of these attacks, security teams need to know what web-based threats are on the rise, the risk they post to the business, and what to do to protect their organizations.

 

Advanced phishing

Phishing attacks, most often used to steal credentials and other sensitive information that would give way to future compromises, are incredibly common and increasing in frequency. According to Verizon’s DBIR, phishing can be attributed to 36 percent of breaches in 2020, up from 25 percent in 2019.

 

While many hackers leverage a pray-and-spray technique in an effort to reach as many companies and individuals as possible indiscriminately, new credential phishing tool kits are much more concerning. Tool kits such as evilginx2 and modlishka, open-source tool kits originally developed for red team testing, are now available to anyone with some tech savviness and minimal resources.

 

These phishing attacks compromise users by getting them to divulge sensitive information, such as passwords, on what seem to be legitimate websites. These new tool kits are sophisticated enough that they’re even able to bypass two-factor authentication (2FA) if configured correctly. This kind of attack won’t go away anytime soon—it’s a global problem that’s affecting every industry.

 

Credential stuffing and account takeovers

Account takeovers are also on the rise as a result of the success of the aforementioned phishing attacks. These attacks often aim to harvest credentials, and a number of high-profile data breaches have already leaked billions of passwords, making it easier to hit organizations with brute-force attacks and access even more sensitive data.

 

The Verizon DBIR found that 23 percent of organizations monitored in their SIEM data had security events related to credential stuffing and brute-force attacks, totalling in the millions. We also found that account takeover and credential stuffing attacks were the top concern for security professionals.

 

Zero-day browser exploits

Unlike phishing attacks, browser-based attacks are much more focused on the types of organizations they’re targeting. While these attacks aren’t as frequent, they’re still on the rise.

 

Zero-day browser exploits, by definition, exploit vulnerabilities that have no patch or available security fix, rendering organizations helpless. One of the biggest attack vectors exploited is Google Chrome, largely because it’s the most prevalent browser on the market.

 

Scamware/Scareware

Scamware, also known as scareware, is another browser-based attack that many enterprises fall victim to. These are pop-up browser-based attacks that fabricate some kind of support or urgent message, trying to get an individual to click on a pop-up and download or install some kind of malicious code or malware. Ironically, these attacks may even tell the victim they’re infected with malware to elevate the sense of urgency. While the attack method is somewhat crude, it’s hard to detect by anti-virus software because the attack and its payload are conducted within the browser.

 

Surprisingly, employees do fall for this kind of attack, which speaks to a larger issue of security awareness, or rather, lack thereof. The CyberEdge Cyberthreat Report found that, for the second year in a row, the number one barrier to IT security’s success is low security awareness among employees.

 

JavaScript skimmers

These attacks target third-party payment processors that most websites use to process customer payments. Hackers are consistently looking for vulnerabilities within these payment processors and know that web administrators may not always have the most updated versions, so attackers target websites with outdated, vulnerable versions. We’ve found that Magento, used quite widely among sites, is one of the more commonly exploited payment processors.

 

The most dangerous aspect of this attack is that it’s difficult to detect because the compromise is designed to steal credit card and other important financial information from site visitors who make purchases on compromised websites. Hackers steal this information and may not use them for months or even years down the line, so it’s difficult for an organization to know that they’ve been compromised.

 

Browser-constructed malicious payloads

This is one of the more sophisticated and dangerous attacks we’ve come across. This attack requires a lot of user interaction, but because the payload is constructed on the browser, it bypasses the traditional network security stack that looks at network traffic, identifies the malicious payload, and runs it in the sandbox to protect the user.

 

Instead, a user visits a website, clicks on a malicious link, and is prompted to download the payload. The payload then executes on the browser itself before reaching its desired endpoint. This is a new kind of attack we’re keeping an eye on, specifically because it does such a good job at evading detection.

 

Thwarting web-based attacks

According to the 2021 Verizon DBIR, web-based attacks lead to credential theft 80 percent of the time, which can lead to compromises in the future because threat actors can get into important accounts and exfiltrate sensitive data. The report also shows that 96 percent of compromised mail server instances were cloud based. This highlights the need for cloud security in addition to traditional solutions that will protect the organization.

 

To address these risks and improve their cybersecurity defenses, organizations are investing in technology that includes data loss prevention (DLP), cloud-based secure web gateways (SWGs), and remote browser isolation, according to the findings in the 2021 CyberEdge Cyberthreat Report.

 

Looking to the cloud for security

In just one year, the CyberEdge Cyberthreat Report found that the share of security applications and services delivered via the cloud increased by 5 percent, pointing to the cost and resource benefits they offer modern enterprises. Given that the office of today is most often the Internet browser, securing Internet traffic via cloud-based SWGs powered by isolation technology provides security teams with the visibility and protection they need to secure modern work. By completely isolating any threats from the endpoint, the organization is not at risk even if an employee were to end up on a risky website.

 

To protect the productivity of employees and realize the promise of digital transformation projects, a majority of security leaders are looking to implement a Secure Access Service Edge (SASE) architecture. This framework tightly integrates SD-WAN capabilities with network security functions. A cloud-based SWG is the security cornerstone of the SASE architecture, which is considered the go-to model for companies that are continuing their digital transformation. As organizations look to add security to flexible and scalable business operations, a SWG is an important component in the effort to protect the productivity of their distributed workforce.

 

By scaling cybersecurity according to your organization’s expected growth and expansion while deploying a Zero Trust methodology that treats everything as a risk, you’re taking a much more preventive approach to ending the cat-and-mouse game that always benefits threat actors.

 

To learn more about new threats, concerns, and risks facing cybersecurity and IT departments and how they’re responding to them via investments and strategy, download the 2021 CyberEdge Cyberthreat Report.

*** This is a Security Bloggers Network syndicated blog from Menlo Security Blog authored by Marcos Colón. Read the original post at: https://www.menlosecurity.com/blog/web-based-threats-your-organization-needs-to-prepare-for