
Web Applications And The Expansion Of The Attack Surface

Hanna Mathai

By Archit Datta, Product Manager


With today’s digital transformation, many enterprises rely on web applications to support key business processes, improve performance, and support interactions with customers, partners and employees.

As enterprises move their web applications to the cloud, they become more exposed to increasingly sophisticated attacks. Adversaries are taking advantage of attack vectors that bypass traditional network and host-based security technologies to target web applications. Because of this, it is essential for organizations to have application layer security measures in place that protect web applications as well as the underlying servers and databases that support them.

In this section, while keeping the focus on web applications, we illustrate the technical examination of the extreme cyber loss events of the last 5 years, showing the frequency of attacks and the size of the monetary losses, and identifying the threat actors behind them.

1. Tactical Findings – Technical examination of web application threats

We have gathered and analyzed the 100 largest cyber loss events over the last 5 years, totaling $18 billion in reported losses and 10 billion compromised records. We have quantified the notable incidents, the threat actors involved as well as the TTPs. We have derived the following observations from a number of sources*:

Threat Incidents – Attack incidents pertaining to web applications
  • 58 of the 103 biggest incidents over the last 5 years (56%) tie back to some form of web application security issue. With an all-inclusive price tag of $7.6 billion and some change, this constitutes 42% of all financial losses recorded for these extreme events.
  • Notable mentions out of the OWASP Top 10:
    • Web Application Exploits like CVEs, XSS, SQL Injections – 30 of these mega loss events exploited published vulnerabilities (CVEs) affecting web applications, with Total Verifiable Losses at $5.7 billion.
    • Credential Stuffing – 2 incidents targeting the Web Application Credentials alone took advantage of weak or stolen passwords, thereby increasing the losses up to $6.5 billion.


Threat Actors – Adversaries targeting web applications and vulnerabilities
  • Almost one in five events are attributed to state-affiliated actors. Even more surprising, these state actors caused $4.3 billion in damages. L7 DDoS as well as volumetric attacks were low on the count but high on the monetary losses.
  • Cybercriminal gangs constitute the known proportion.


Threat Actions – TTPs adopted by threat actors
  • Based on the threat incidents and actors, we could see a rise in credential stuffing (T1110.004), public-facing application exploit (T1190), data encrypted for impact (T1486), automated exfiltration (T1020) and phishing (T1566).
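The credential stuffing technique (T1110.004) named above leaves a characteristic trace in web application authentication logs: one source address cycling through many different usernames with a high failure rate, as opposed to password guessing (T1110.001), which hammers a single account. The following detector is an added example written for this post and is not Help AG's or F5's code; the log line format, the five-minute window and the thresholds are assumptions chosen for the illustration, and the log lines are constructed sample data.

```python
"""Flag credential-stuffing and password-guessing patterns in web-app auth logs.

Added example, not code from the original post or from Help AG / F5.
The log format, window and thresholds below are assumptions for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example):
# <ISO 8601 UTC timestamp> src=<client ip> user=<username> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

WINDOW = timedelta(minutes=5)   # sliding window per source IP (assumption)
MIN_FAILS = 5                   # failures in the window before we classify (assumption)
MIN_DISTINCT_USERS = 4          # this many usernames from one IP -> stuffing (assumption)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "ok"}


def analyze(log_lines):
    """Return {ip: finding} for every source IP whose failures look like an attack.

    A finding carries the label ('credential_stuffing' for many distinct users,
    'password_guessing' for repeated attempts on few users), the failure count,
    the number of distinct usernames tried, and whether a successful login from
    the same IP followed the flagged window (the case a defender cares about most).
    """
    events = defaultdict(list)
    for line in log_lines:
        ev = parse_line(line)
        if ev:
            events[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        label, window_end, start = None, None, 0
        for i, ev in enumerate(fails):
            # Slide the window start forward until it covers at most WINDOW of time.
            while ev["ts"] - fails[start]["ts"] > WINDOW:
                start += 1
            window = fails[start:i + 1]
            if len(window) < MIN_FAILS:
                continue
            users = {e["user"] for e in window}
            candidate = ("credential_stuffing" if len(users) >= MIN_DISTINCT_USERS
                         else "password_guessing")
            # Stuffing is the stronger signal; never downgrade it to guessing.
            if candidate == "credential_stuffing" or label is None:
                label = candidate
            window_end = ev["ts"]
        if label is None:
            continue
        success_after = any(e["ok"] and e["ts"] >= window_end for e in evs)
        findings[ip] = {
            "label": label,
            "failures": len(fails),
            "distinct_users": len({e["user"] for e in fails}),
            "success_after": success_after,
        }
    return findings


# Constructed sample log: one stuffing run that ends in a successful login,
# one single-account guessing run, and one benign user who mistyped once.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=198.51.100.7 user=alice result=fail
2024-05-01T10:00:02Z src=198.51.100.7 user=bob result=fail
2024-05-01T10:00:02Z src=198.51.100.7 user=carol result=fail
2024-05-01T10:00:03Z src=198.51.100.7 user=dave result=fail
2024-05-01T10:00:04Z src=198.51.100.7 user=erin result=fail
2024-05-01T10:00:05Z src=198.51.100.7 user=frank result=fail
2024-05-01T10:00:06Z src=198.51.100.7 user=erin result=ok
2024-05-01T10:01:00Z src=203.0.113.9 user=admin result=fail
2024-05-01T10:01:10Z src=203.0.113.9 user=admin result=fail
2024-05-01T10:01:20Z src=203.0.113.9 user=admin result=fail
2024-05-01T10:01:30Z src=203.0.113.9 user=admin result=fail
2024-05-01T10:01:40Z src=203.0.113.9 user=admin result=fail
2024-05-01T10:02:00Z src=192.0.2.3 user=alice result=fail
2024-05-01T10:02:05Z src=192.0.2.3 user=alice result=ok
""".splitlines()

if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding)
```

The distinct-username threshold is what separates the two techniques: a WAF or SIEM rule that only counts failures per IP will catch password guessing but will also fire on shared NAT addresses, whereas a low, slow stuffing run spread across many accounts can stay under a pure failure-count rule and still be caught by the username spread. The `success_after` flag is the one worth alerting on first, since it marks a credential that was valid on the application.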


  • Top Threats Per Sector – If we look deeper into the recent F5 Labs Application Protection Report 2021, the retail sector was by far the most heavily targeted sector for data breaches, constituting more than 60% of the breaches in 2019 and just under 50% in 2018. In 2020 (figure 2), three sectors that had historically experienced a lot of breaches — finance and insurance, educational services, healthcare and social assistance — were hit harder than retail.
    Compared with 2018 and 2019, the clear pattern of web exploits against e-commerce and access attacks against everyone else became less pronounced in 2020, partly due to the explosion in ransomware.


  • Tactical Recommendations: Based on the aforementioned large data breaches and their verifiable losses, most organizations are well on their way to adopting an App-Centric Security Framework that keeps their applications at the heart of their digital transformation efforts. A scalable and high-performing Web Application Firewall with advanced features helps organizations:
    • Protect web and mobile apps from exploits, bots, theft, and app-layer DoS
    • Prevent malware from stealing data and credentials
    • Prevent Brute Force attacks that use stolen credentials
    • Eliminate time-consuming manual tuning for App-layer DoS protection


2. Strategic Findings and Challenges

Most organizations often struggle with the following challenges:

  • Increasingly complex application deployment architectures spanning on-premises, multi-cloud, or hybrid environments.
  • Rapid underlying changes in web server or app server technologies demanding heavier investment.
  • Continually evolving threats and vulnerabilities targeting the very applications and their underlying deployment infrastructure.

To manage these threats, you need round-the-clock protection delivered by a team with sophisticated skillsets and a holistic view to identify and filter out the risks.

Strategic Recommendations:

We at Help AG understand these challenges and realize that business velocity demands an agile security strategy. Help AG’s cloud delivered Managed AWAF service is a subscription-based offering with value-added benefits that include:

  • Point and Shoot – with simple DNS redirection and a few clicks, customers are ready with an advanced layer of application security.
  • Centralized and organized view of multiple applications and an evolving threat landscape with deep analysis and recommendations by our analysts.
  • Monthly subscription service eliminating the need for upfront investment in infrastructure.
  • Service package with an advanced underlying infrastructure that includes high performance Virtual Machines and cutting-edge traffic management.
  • High service availability at device as well as link level coupled with auto scalability.
  • Committed service availability SLAs, guaranteed at 99.95%.
  • Simple throughput-based service packages which are in line with customers’ bandwidth requirements. Help AG’s service subscription starts at as low as 10 Mbps.
  • Unhindered accessibility to specialized expertise with 24x7x365 geographic-focused support.

Concluding Remarks

  • From a technical perspective, we suggest that organizations adopt a highly advanced web application protection service that can guard them against zero days. They must plan to maintain their workloads during security outages by enabling themselves to enforce or block any type of threats to the applications and the hosting infrastructure.
  • Strategically, organizations should plan to have a high performance and scalable infrastructure with SLA backed committed outcomes. They must have either in-house resource capabilities or accessibility to a local Managed Service Provider who can offer them expertise on day-to-day operations or any sophisticated attack scenarios. A robust web application protection framework needs to be integrated by default and factored in all digital transformation projects, right from the first stage of project planning.

*References:
  • https://www.cyentia.com/wp-content/uploads/IRIS2020-Xtreme.pdf
  • https://www.f5.com/content/dam/f5-labs-v2/article/pdfs/The-State-of-the-State-of-Application-Exploits-in-Security-Incident-F5Labs-rev22JUL21.pdf
  • https://www.f5.com/labs/articles/threat-intelligence/2021-application-protection-report-of-ransom-and-redemption
  • https://www.f5.com/labs
