In 2019, we presented a variety of threat intelligence to help defenders design and bolster their defenses. This included data-driven intelligence on web attacks, API security incidents, ransomware, TLS snooping, bot denial-of-service attacks, IoT device compromises, and all kinds of malware for both mobile and general-purpose clients. Within each of these threat intelligence reports and articles, we spelled out specific advice on how to defend yourself. Let's take a bird's-eye view of all these controls and see which defenses are the most commonly needed.
Web Application Security
Our biggest research story of the year was our 2019 Application Protection Series, which looked at an entire year of application-related breaches as well as a year of global web attack traffic. In that story, we noted that PHP vulnerabilities made up 81% of the attack traffic, much of it looking for open phpMyAdmin web interfaces. We once again found a large number of breaches stemming from Magecart formjacking web injections, especially at organizations accepting payment cards on the web. The top recommended controls for this are:
- Inventory your web assets
- Scan for vulnerabilities and double-check your inventory
- Apply critical patches
- Use a web application firewall
When attackers found the web defenses too formidable, they simply routed around them to attack the user login process. Year after year, F5 Labs has found that the largest threat to applications continues to be access control attacks such as credential stuffing and phishing. Many of the breaches in 2017, 2018, and 2019 were tied to attackers taking credentials and abusing email accounts. Our breach analysis showed that email was directly attributed as a factor in more than one out of five breach reports. Why? Email is a primary application that both stores a lot of confidential information and is quite useful for impersonation fraud. Our recommended controls are:
- Use strong authentication to limit unauthorized access
- Detect and block malicious bot activity (a common vector for brute force and credential stuffing attacks)
- Log and alert on suspicious activity
Lastly, we have threats to application programming interfaces, or APIs. APIs are designed for other application services, not for human interaction. Because of this, developers often assume the automated nature of API calls will act as a guardrail against dangerous actions, so APIs are often granted wide permissions to numerous data repositories and functions within the application that would never be granted to an end user. APIs are also common backends for IoT devices and mobile clients, both of which are increasing in usage. In addition, large platforms and complex applications, especially in the cloud, make extensive use of APIs to link up services and third parties. This growth means that APIs represent an expanding attack surface for all the common web attacks, especially injection and access control attacks. Our recommended controls for locking down APIs are:
- Scan for and inventory all of your APIs
- Use strong authentication to prevent unauthorized logins
- Narrow API authorization to just the necessary functions
- Log and alert on suspicious API activity
- Use API-aware firewalls to restrict attacks and malicious bot activity
Application Infrastructure Security
When it comes to application infrastructure, more and more of it resides in the cloud. We've published numerous articles about application security in cloud computing, including specific cloud threats like malicious and accidental leaks and unexpected outages. We have also talked extensively about security and architecture strategies for the cloud. From those, here are the key cloud controls to consider:
- Inventory cloud infrastructure to understand the attack surface
- Use strong authentication to limit unauthorized access
- Tighten authorization of all accounts by using the least privilege principle
- Monitor changes to cloud systems, especially comparing against expected configurations
- Log and alert on suspicious access and actions
- Develop and test incident response and recovery capability
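To make the "compare against expected configurations" control concrete, here is an added example (not F5 Labs code) that diffs an observed cloud snapshot against an approved baseline and raises exposure-widening drift as high severity. The resource names such as sg-web and bucket-logs, the rule shape, and both snapshots are constructed for illustration and are not tied to any provider's API; in practice OBSERVED would be populated from your inventory tooling.

```python
"""Configuration drift detection: diff an observed cloud snapshot against an
approved baseline and flag anything that widens exposure.

Added example, not F5 Labs code. Resource names, the rule shape, and both
snapshots below are constructed for illustration and are not tied to any
provider's API; populate OBSERVED from your own inventory tooling."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Rule:
    """One firewall/security-group ingress rule."""
    proto: str
    port: int
    cidr: str


@dataclass(frozen=True, order=True)
class Finding:
    resource: str
    kind: str      # rule_added, rule_removed, changed, missing, unmanaged
    detail: str
    severity: str  # "high" when exposure widened, otherwise "medium"


ANY = ("0.0.0.0/0", "::/0")

# Constructed baseline: what change control approved.
BASELINE = {
    "sg-web": {"ingress": {Rule("tcp", 443, "0.0.0.0/0"), Rule("tcp", 80, "0.0.0.0/0")}},
    "sg-db": {"ingress": {Rule("tcp", 5432, "10.0.1.0/24")}},
    "bucket-logs": {"public_read": False, "versioning": True},
    "root-account": {"mfa_enabled": True, "access_keys": 0},
}

# Constructed snapshot: what the environment actually looks like today.
OBSERVED = {
    "sg-web": {"ingress": {Rule("tcp", 443, "0.0.0.0/0"), Rule("tcp", 80, "0.0.0.0/0"),
                           Rule("tcp", 22, "0.0.0.0/0")}},
    "sg-db": {"ingress": {Rule("tcp", 5432, "0.0.0.0/0")}},
    "bucket-logs": {"public_read": True, "versioning": True},
    "root-account": {"mfa_enabled": True, "access_keys": 1},
    "sg-unknown": {"ingress": {Rule("tcp", 3389, "0.0.0.0/0")}},
}


def _widens(key, new_value):
    """Scalar changes that widen exposure: a bucket going public, MFA going off."""
    return (key == "public_read" and new_value is True) or \
           (key == "mfa_enabled" and new_value is False)


def detect_drift(baseline, observed):
    """Return sorted Findings for every difference between baseline and observed."""
    findings = []
    for name, expected in baseline.items():
        actual = observed.get(name)
        if actual is None:
            findings.append(Finding(name, "missing", "resource in baseline not found", "medium"))
            continue
        for key, exp_val in expected.items():
            if isinstance(exp_val, set):
                act_val = actual.get(key, set())
                for r in sorted(act_val - exp_val):
                    sev = "high" if r.cidr in ANY else "medium"
                    findings.append(Finding(name, "rule_added", f"{r.proto}/{r.port} from {r.cidr}", sev))
                for r in sorted(exp_val - act_val):
                    findings.append(Finding(name, "rule_removed", f"{r.proto}/{r.port} from {r.cidr}", "medium"))
            else:
                act_val = actual.get(key)
                if act_val != exp_val:
                    sev = "high" if _widens(key, act_val) else "medium"
                    findings.append(Finding(name, "changed", f"{key}: {exp_val!r} -> {act_val!r}", sev))
    # Anything present that change control never approved is unknown attack surface.
    for name in sorted(observed.keys() - baseline.keys()):
        findings.append(Finding(name, "unmanaged", "resource not in baseline", "high"))
    return sorted(findings)


if __name__ == "__main__":
    for f in detect_drift(BASELINE, OBSERVED):
        print(f"[{f.severity:6}] {f.resource}: {f.kind} {f.detail}")
```

Run against the constructed snapshot, the diff surfaces six findings, four of them high: SSH and the database port opened to the world, the log bucket made public, and a security group nobody approved. The root access key is reported at medium, but in a real environment you would likely want that one high as well; the point is that severity is decided by the direction of the change, not just by the fact that something changed.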
Another major contemporary threat to application infrastructure is ransomware, where a single breach of a privileged system or account can lead to cybercriminals seizing control of major critical data repositories. Vectors for ransomware entry and rapid internal contagion are often the same old problems we’ve noted before: unpatched vulnerabilities and weak access controls. Therefore, our recommended controls include:
- Use updated antivirus (AV) software
- Inspect encrypted traffic for hidden malware and phishing attempts
- Use strong authentication to limit unauthorized access
- Tighten authorization of all accounts using least privilege
- Scan your assets for vulnerabilities
- Apply critical patches
- Develop and test your incident response and recovery capability
An often-forgotten aspect of application infrastructure is transport layer encryption. This year we saw a nation state attempt to man-in-the-middle (MitM) some of its citizenry to snoop on their encrypted conversations. Many MitM attacks also take advantage of legacy protocols and semi-trustworthy certificates, so organizations should always be aware of what users actually need and lock down everything else. To ensure conversations and transactions remain private, we recommend:
- Security awareness training, especially regarding TLS/SSL browser warning messages
- Review settings and certificates on your key clients, such as browsers
DDoS Protection
Whether attackers are knocking down your critical applications with carefully crafted strikes or just blasting your site with a firehose of packets, denial of service against applications can shut down your business and frustrate your customers. For most network applications, DNS is still a single point of failure and thus a tempting target for attackers. Nearly every DDoS attack originates from botnets made up of thousands or millions of compromised devices. Attacks of this scale mean that organizations need to think beyond simplistic blocking techniques and look into more advanced bot blocking strategies to weather the continual ebb and flow of DDoS attacks. Key controls for DDoS include:
- Inventory and prioritize application services to understand attack surface and impacts
- Log and alert on service outages with sufficient detail to detect DDoS attacks
- Detect and block malicious bot activity
- Develop and test a DDoS incident response and service recovery capability
Client Security
To use an application, users need some kind of a client. Frequently, an application client is a web browser or a mobile device. In both cases, F5 Labs continues to see a plague of malware designed to insert itself into the conversation to steal credentials or commit fraud. A lot of malware targets ecommerce or banking customers using password sniffers or injection into login forms. Organizations using login forms can implement the following controls to reduce fraud from malware-infected customers:
- Detect and block malicious bot activity
- Use strong authentication to limit unauthorized access
- Scan your assets for vulnerabilities that could serve as attacker insertion points
- Log and alert on suspicious client access and actions
- Develop and test a fraud detection and response capability
For the client/user side, the danger isn’t just from credential theft and fraud but also from infection by cryptominers, DDoS thingbot rootkits, and other critical resource tampering parasites. For app clients, we recommend you:
- Use updated antivirus (AV) software
- Apply critical patches
- Inspect encrypted traffic for hidden malware and phishing attempts
- Do meaningful security awareness training to make it easy for users to report suspicious behavior
Controls in Detail
Let’s quickly go through all those controls, in order of those most commonly recommended.
Use Strong Authentication to Limit Unauthorized Access
Since access control attacks are prevalent and often the tip of the spear for most of the cyber-mayhem we’ve reported on, it makes sense that strong authentication be a pillar of security. Ideally, everyone would use multifactor authentication (MFA), especially for any system that connects to high-value services and data stores. However, we realize that MFA is not easy to implement, which is why we collected these MFA rollout tips from CISOs.
When MFA isn't feasible, strengthen the use of passwords. A good baseline can be found in the NIST Digital Identity Guidelines (SP 800-63B).1 Some of the key tips include checking passwords against a dictionary of commonly used and previously breached credentials, allowing long passwords, and eliminating password hint mechanisms. Since a lot of password attacks are credential stuffing or brute force, your authentication system should also have a mechanism to detect and throttle floods of login attempts.
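As an added example (not F5 Labs code, and not a description of any particular product), the following Python applies those NIST tips as a password acceptance check at enrollment or change time: a length floor and a generous ceiling, NFKC normalization so look-alike strings compare equal, a blocklist lookup, rejection of repetitive strings and of secrets containing context words such as the username, and deliberately no composition rules or hint mechanism. The blocklist is a constructed stand-in for a breached-password corpus.

```python
"""Password screening in the style of NIST SP 800-63B: reject short,
blocklisted, repetitive or context-derived memorized secrets instead of
enforcing character-class composition rules.

Added example, not F5 Labs code. BLOCKLIST is a constructed stand-in; a
real deployment loads a breached/common-password corpus (an offline dump
or a k-anonymity range lookup) and refreshes it regularly."""
import unicodedata

MIN_LENGTH = 8    # SP 800-63B minimum for user-chosen secrets
MAX_LENGTH = 64   # verifiers must accept at least 64 characters

# Constructed blocklist standing in for a breached/common-password corpus.
BLOCKLIST = {
    "password", "password1", "123456789", "qwertyuiop",
    "letmein123", "iloveyou1", "welcome1", "admin1234",
}


def normalize(secret):
    """NFKC-normalize as 800-63B recommends so visually identical strings
    compare equal; case is kept, since case is significant in the secret."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive(secret):
    """True for 'aaaaaaaa' or 'abababab' style secrets (a short unit repeated)."""
    n = len(secret)
    return any(secret == secret[:p] * (n // p)
               for p in range(1, n // 2 + 1) if n % p == 0)


def screen_password(secret, context_words=()):
    """Return the reasons a candidate secret is rejected; an empty list means
    accept. context_words are identifiers tied to the account (username,
    service name) that must not appear inside the secret."""
    s = normalize(secret)
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append("too short")
    if len(s) > MAX_LENGTH:
        reasons.append("too long")
    if s.lower() in BLOCKLIST:
        reasons.append("on blocklist")
    if is_repetitive(s):
        reasons.append("repetitive")
    for word in context_words:
        if word and word.lower() in s.lower():
            reasons.append(f"contains context word {word!r}")
    # Deliberately absent: uppercase/digit/symbol composition rules, periodic
    # forced rotation, and password hints, none of which 800-63B recommends.
    return reasons


if __name__ == "__main__":
    for candidate in ["password1", "abababab", "correct horse battery staple"]:
        verdict = screen_password(candidate, context_words=["alice"]) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note that a long passphrase with no digits or symbols sails through while "Password1" does not, which is exactly the trade the NIST guidance asks you to make: spend your rejections on secrets attackers actually try, not on ones that merely look weak to a regex.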
Practice Regular Monitoring and Logging
Monitoring and logging is all about knowing what is actually going on in your environment. Like most things in this list, it's one of those necessary chores that is simple but, at the same time, tedious. However, with a good logging and review regimen, it's possible to catch breach attempts in progress before real damage occurs. When reviewing logging capabilities, remember the goal is to be able to determine how an attacker got in and what they did. Logs are your lifeline when an incident occurs. Mike Simon of CI Security offers some practical advice on logging and analysis.
Take Inventory
An inventory should be an ingrained practice embedded in normal IT operations, not an annual fire-drill for the auditors. Knowing what you have, where it is, what it talks to, and how it is configured is a foundation for all risk decisions, both strategic and tactical. Keeping up with an accurate inventory is not a trivial task, given the complexity and ever-evolving nature of applications and their infrastructure. There are more and more automation tools available for tracking IT inventory, but be sure that they give you the complete picture. You don’t want to find out what the inventory system missed after an attacker has compromised it.
Strategize and Practice Incident Response
No affordable defense is going to keep all the attackers out forever. So, plan accordingly with a well-tested, detailed incident response plan. Incident response rests on the pillars of inventory and logging, so make sure those practices are well-honed as well. Each of the major threats outlined above should have response scenarios spelled out that include trigger definition (how do you know when such an incident occurred), activation plans (who and what jumps into action and when), intelligence collection (what logs and devices should be examined), containment (specific playbooks to activate additional controls), investigation (who analyzes what and when), reporting (for legal and executive conversations), and recovery (of both data and system rebuilds).
Apply Crucial Patches
Even keeping our phones and our home machines fully patched is already a chore, and these are controlled, singular systems, not thousands of machines spread across the globe. It’s unreasonable to assume that your average enterprise is going to patch everything without shutting down all useful work. But if you can’t patch everything, how do you prioritize? The highest priority is closing vulnerabilities with published, weaponized exploits, because even unskilled attackers will be pounding on your systems with these point-and-click attacks. Given that a lot of malware comes in via browsers and mail clients, those should also be kept up to date. For more ideas, F5’s CISO, Mary Gardner discusses how F5 prioritizes its patching.
Enforce Strict Authorization
We’ve talked about strong authentication, but there is also a need for strong authorization. This means taking a hard look at the permissions associated with any credential set. Basically, once someone is logged in, what can they do? This is where least privilege should be used, so that users can only do exactly what they need to do and not a single action more. It seems obvious to do this but, given the amount of work needed to define these specific actions and restrictions, users are often just granted full access to everything they could possibly require. When their accounts are compromised, this becomes a serious liability. It gets several orders of magnitude worse if that user is an administrator or a service account. A good middle ground is to implement role-based access and broadly lock down authorized actions based on general job duties such as administrator, developer, office staff, and remote user.
With their unrestrained access to all resources, system administrators are targeted by attackers. The number of administrators should be extremely limited, and, if possible, administrative usage should be partitioned to just the systems a given administrator is responsible for managing. The same goes for service accounts that run in the background.
Scan for Vulnerabilities
Vulnerability scanning is useful not only for gaining a “hacker’s eye view” of your systems but it is also a great way to double-check your inventory. The key is to do continuous vulnerability scans, preferably weekly, against both internal and external assets to ensure you find the holes before attackers do.
Detect and Block Malicious Bot Activity
Bot detection is a bit of an art and science, and it’s getting harder and harder to determine who is human and who is not. Many bots can be identified by previously observed unique patterns that have been encoded into signatures. However, newer and more sophisticated bots require more complex scrutiny such as looking for irregular behavior, illogical client configuration, and inhuman timing of actions. We’ve written a whole article on how to determine good bots from bad bots.
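As an added example that serves both the logging-and-alerting point above and the bot-detection discussion here (it is not F5 Labs code), the following Python runs the kind of analysis a log reviewer would automate over authentication records: per-source failure counts and distinct usernames separate credential stuffing from brute force, metronomic inter-request timing flags a machine, and a browser User-Agent arriving with no Accept-Language header is the sort of illogical client configuration mentioned above. The log format, every line, and the thresholds are constructed for illustration; parse_line() is the piece you would rewrite for your own auth log.

```python
"""Detect credential stuffing, brute force and bot-like clients from
authentication logs.

Added example, not F5 Labs code. The log format, every line in LOG_LINES
and the thresholds are constructed for illustration."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log lines: one stuffing source (203.0.113.7), one brute-force
# source (192.0.2.9) and one human (198.51.100.4). "al" is Accept-Language.
LOG_LINES = """\
2019-11-03T10:00:00Z src=203.0.113.7 user=amy result=FAIL ua="Mozilla/5.0 (Windows NT 10.0) Chrome/78.0" al=-
2019-11-03T10:00:01Z src=203.0.113.7 user=ben result=FAIL ua="Mozilla/5.0 (Windows NT 10.0) Chrome/78.0" al=-
2019-11-03T10:00:02Z src=203.0.113.7 user=cat result=FAIL ua="Mozilla/5.0 (Windows NT 10.0) Chrome/78.0" al=-
2019-11-03T10:00:03Z src=198.51.100.4 user=alice result=FAIL ua="Mozilla/5.0 (Macintosh) Safari/605" al=en-US
2019-11-03T10:00:03Z src=203.0.113.7 user=dan result=OK ua="Mozilla/5.0 (Windows NT 10.0) Chrome/78.0" al=-
2019-11-03T10:00:04Z src=203.0.113.7 user=eve result=FAIL ua="Mozilla/5.0 (Windows NT 10.0) Chrome/78.0" al=-
2019-11-03T10:00:05Z src=203.0.113.7 user=fay result=FAIL ua="Mozilla/5.0 (Windows NT 10.0) Chrome/78.0" al=-
2019-11-03T10:00:06Z src=203.0.113.7 user=gus result=FAIL ua="Mozilla/5.0 (Windows NT 10.0) Chrome/78.0" al=-
2019-11-03T10:00:07Z src=203.0.113.7 user=hal result=FAIL ua="Mozilla/5.0 (Windows NT 10.0) Chrome/78.0" al=-
2019-11-03T10:00:10Z src=192.0.2.9 user=bob result=FAIL ua="python-requests/2.22.0" al=-
2019-11-03T10:00:12Z src=192.0.2.9 user=bob result=FAIL ua="python-requests/2.22.0" al=-
2019-11-03T10:00:17Z src=192.0.2.9 user=bob result=FAIL ua="python-requests/2.22.0" al=-
2019-11-03T10:00:18Z src=192.0.2.9 user=bob result=FAIL ua="python-requests/2.22.0" al=-
2019-11-03T10:00:19Z src=198.51.100.4 user=alice result=OK ua="Mozilla/5.0 (Macintosh) Safari/605" al=en-US
2019-11-03T10:00:27Z src=192.0.2.9 user=bob result=FAIL ua="python-requests/2.22.0" al=-
2019-11-03T10:00:30Z src=192.0.2.9 user=bob result=FAIL ua="python-requests/2.22.0" al=-
""".splitlines()

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+) '
    r'ua="(?P<ua>[^"]*)" al=(?P<al>\S+)$')

FAIL_THRESHOLD = 5          # failures per source before we care
MIN_EVENTS_FOR_TIMING = 5   # need a few gaps before judging rhythm
TIMING_CV_LIMIT = 0.2       # coefficient of variation below this is machine-like


def parse_line(line):
    """Parse one constructed-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def timing_cv(events):
    """Coefficient of variation of inter-request gaps; 0.0 means metronomic."""
    ts = sorted(e["ts"] for e in events)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    return 0.0 if mean == 0 else statistics.pstdev(gaps) / mean


def analyze(lines):
    """Return {source: sorted list of indicators} for sources worth alerting on."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    verdicts = {}
    for src, events in by_src.items():
        indicators = set()
        fails = [e for e in events if e["result"] != "OK"]
        users = {e["user"] for e in events}
        if len(fails) >= FAIL_THRESHOLD:
            if len(users) >= FAIL_THRESHOLD:
                indicators.add("credential_stuffing")   # many users, few tries each
            elif len(users) == 1:
                indicators.add("brute_force")           # one user, many tries
        if len(events) >= MIN_EVENTS_FOR_TIMING and timing_cv(events) < TIMING_CV_LIMIT:
            indicators.add("machine_timing")
        # A real browser sends Accept-Language; a Mozilla/ UA without one is suspect.
        if any(e["ua"].startswith("Mozilla/") and e["al"] == "-" for e in events):
            indicators.add("inconsistent_client")
        if indicators:
            verdicts[src] = sorted(indicators)
    return verdicts


if __name__ == "__main__":
    for src, why in analyze(LOG_LINES).items():
        print(f"ALERT {src}: {', '.join(why)}")
```

On the constructed data the stuffing source trips three independent signals (many distinct users, one-second cadence, browser UA with no Accept-Language), the brute-force tool trips one, and the human who fat-fingered a password once is left alone. In production you would feed this the same logs your SIEM already keeps, window the analysis over minutes rather than the whole file, and treat the single OK inside a stuffing burst as the account that needs a forced reset.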
Conduct Security Awareness Training
Training users on basic security requirements is actually pretty easy, and most organizations do some form of it. What is missing is the effectiveness of that training. The F5 Labs 2018 Phishing and Fraud Report showed that training employees to recognize phishing attempts can reduce their click-through rate on malicious emails, links, and attachments from 33% to 13%. The key to effective training is to consider what decisions you want your users to make and what you can reasonably expect from them. Do they really need to know the difference between trojan horse malware and ransomware? Or would you rather they expend their mental energy on reporting suspicious links to IT instead? We discuss this in more detail in our Security Awareness Training Reimagined article.
Use Web Application Firewalls
Firewalls are a mainstay of cyber-defense, and it seems that web application firewalls (WAFs) are becoming so, as well. In our 2018 Application Protection Report, our survey of security professionals found that the primary application defense in use was web app firewalls (26% of respondents). The F5 2019 State of Application Security survey showed this number rising to 33%, so usage continues to climb. WAFs offer a level of application-layer visibility and control that can help mitigate a wide range of the web application threats mentioned above. Many WAFs also include the capability to inspect, validate, and throttle API requests.
Use SSL/TLS Inspection
More and more malware and phishing sites are being buried within encrypted SSL/TLS sessions, often using legitimate certificates. This traffic needs to be decrypted, inspected, and sanitized.
Use Antivirus Solutions
Antivirus is one of the oldest security controls and is still a powerful tool for detecting and stopping malware infections. It should be configured to update its signatures without intervention and to alert when it stops functioning.
Conclusion
As you can see, a small set of critical controls maps pretty closely to the 20 CIS Controls & Resources.2 It pays to focus on making sure your key controls are running smoothly. In our 2019 Application Protection Report, we saw how the specific threats vary by industry. However, in general these controls should cover a majority of the risks for a typical organization.