Since the creation of email in the 1970s, the number of third-party applications and systems we rely on has only increased. Today, the average department depends on dozens of business applications, and the pace at which they are produced has kept up frantically. This has overwhelmingly left one component in the dust: security.
Cybersecurity is already lagging behind. Third-party solutions such as web application firewalls (WAFs) are no longer mere suggestions for keeping your organization up to date; a headless WAF is now a must.
Blow up the fastest pieces
Software development runs in cycles. Following an agile framework, teams work in one- or fifteen-day sprints. After each iteration, the product teams present a working app, gather feedback and readjust the goals before starting the next sprint. This process is very fast and focuses on bringing the minimum viable product (MVP) to market. It makes a lot of sense from an economic perspective: after all, only an operational app can make money. However, a major flaw in this development process is its habitual neglect of security. 3 out of 4 applications produced by software vendors do not meet the OWASP Top 10 standards, which means they fail to address the most common classes of vulnerability.
Most security flaws are first identified and only then corrected, in that order. Worse, the average time to patch is between 60 and 150 days.
Compare this to the dark-market software supply chain. Many pieces of malware run on a ransomware-as-a-service (RaaS) model: affiliates pay the original developers a fixed amount in order to use their malicious code. Often, this is a percentage of what affiliates earn from a successful ransom. The business model these cybercriminals rely on is inherently viral, as the same code can be replicated and weaponized against millions of potential victims. Even worse: once a RaaS operation earns a successful reputation, more and more affiliates sign up, looking for their own share of the pie.
Vulnerability research and exploitation naturally run ahead of patching, which is why vulnerability catalogs play a vital role in maintaining the health of the global security environment. Common vulnerabilities, once discovered in the wild or by researchers, are assigned a CVE code. Many of these are then cataloged in industry-specific lists. For example, CISA maintains an authoritative catalog of vulnerabilities, and federal and state agencies are required to comply with its patching requirements for the listed vulnerabilities.
The number of vulnerabilities within catalogs such as the U.S. National Vulnerability Database has skyrocketed in recent years. In 2021, 18,374 vulnerabilities in production code were discovered. Interestingly, however, there were fewer high-severity flaws than in 2020, indicating that attacks are becoming increasingly multifaceted and complex.
New breaches
Some of the 2021 vulnerabilities were relatively niche; others were massive. Microsoft Exchange is one of the largest mail servers available, used by hundreds of thousands of organizations around the world. Multiple vulnerabilities were found in this server throughout 2021, one of the worst of which was the ProxyShell attack.
ProxyShell and ProxyLogon refer to attack chains that focus on privilege escalation and authentication bypass. The HAFNIUM attack group made particular use of these vulnerabilities, targeting U.S.-based organizations in infectious disease research, charities, and higher education. Elsewhere, in the Middle East, researchers noted that this attack chain was often used to deploy ransomware.
It just gets worse
Although new vulnerabilities are discovered daily, many attacks in the wild continue to depend on old vulnerabilities.
Equifax’s massive data breach in 2017 was caused by a months-old weakness in Apache Struts. Apache Struts is an open source web application framework that in this case was used to handle form data. The vulnerability meant that an attacker could run remote code without logging in, without even uploading any form data.
The initial data breach resulted in the theft of employees’ login credentials. The attacking group then used these details to access Equifax’s credit control databases. From there, they leaked the private records of nearly 150 million Americans, 15 million British citizens and 19,000 Canadians.
As of this year, the data has not been put up for sale on the dark web: this is because the breach was an act of political espionage by a hacker group founded by the Chinese Communist Party’s People’s Liberation Army.
How to stay ahead
Given the gap between the discovery of an exploit and its use in a genuine attack, you would be forgiven for thinking that data breaches are just the cost of doing business. Many organizations already hold this philosophy, especially as they grow.
However, this type of thinking is a total failure for both your customers and your stakeholders. Ransomware criminals, in particular, work on the assumption that companies will pay them to go away. Simply ignoring the problem or, worse, postponing a solution directly encourages these criminals.
The answer lies in virtual patching. Sometimes called vulnerability shielding, virtual patches act as a temporary bandage that prevents a known or unknown vulnerability from being exploited. Solid virtual patches implement policy layers that identify, prevent, and intercept an attacker’s exploit before it reaches your critical systems.
A web application firewall (WAF) is a firewall that wraps an application. By monitoring the perimeter, the WAF compares every connection it sees against its own customizable blacklist and whitelist. A positive WAF model allows any connection apart from a select few, while a negative WAF model only allows specific connections. The latter option should be the default for non-public parts of the infrastructure, as it inherently prevents attackers from hijacking a host and controlling it through a third-party command-and-control server. A well-configured WAF frees up your time and resources for the critical security tasks that matter.
The second layer of the virtual patch should be your runtime application self-protection (RASP) solution. This sits within the application itself, directly monitoring its behavior. Once it detects behavior that is considered abnormal, it reports it and can terminate the activity. This prevents even new zero-day attacks, such as the Microsoft Exchange ProxyShell problem.
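The layering described above, as an added example that is not part of the original article: a toy WAF policy engine in which constructed virtual-patch rules run first, and a default-deny (allowlist) or default-allow (blocklist) connection model decides the rest. The rule patterns and addresses are constructed for illustration, not signatures for any real exploit.

```python
# Added example (not from the article): a minimal WAF-style policy engine
# that layers virtual-patch rules over an allowlist or blocklist model.
import re
from dataclasses import dataclass, field

@dataclass
class Request:
    method: str
    path: str
    src: str                      # client address, checked against the lists
    query: str = ""
    headers: dict = field(default_factory=dict)

# Virtual-patch rules: (name, predicate). A match blocks the request before it
# reaches the application. These patterns are constructed illustrations.
_TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
VPATCH_RULES = [
    ("path-traversal", lambda r: bool(_TRAVERSAL.search(r.path))),
    ("admin-requires-auth",
     lambda r: r.path.startswith("/admin") and "Authorization" not in r.headers),
    ("oversized-query", lambda r: len(r.query) > 512),
]

class WAF:
    def __init__(self, mode, allowlist=(), blocklist=()):
        assert mode in ("allowlist", "blocklist")
        self.mode = mode                     # allowlist = default deny
        self.allowlist = set(allowlist)
        self.blocklist = set(blocklist)

    def decide(self, req):
        """Return (verdict, reason) for one request."""
        # Layer 1: virtual patches apply regardless of the connection model.
        for name, matches in VPATCH_RULES:
            if matches(req):
                return ("block", f"vpatch:{name}")
        # Layer 2: connection model.
        if self.mode == "allowlist":
            if req.src in self.allowlist:
                return ("allow", "allowlisted")
            return ("block", "default-deny")
        if req.src in self.blocklist:
            return ("block", "blocklisted")
        return ("allow", "default-allow")

# Constructed deployments: default-deny for internal systems, default-allow
# for the public edge (addresses are documentation ranges, not real hosts).
internal = WAF("allowlist", allowlist={"10.0.0.5"})
public = WAF("blocklist", blocklist={"203.0.113.9"})
```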