Sander Vinberg, Senior Threat Evangelist at F5 Labs, highlights the tactics organisations need to stay safe
Every year, F5 Labs publishes the Application Protection Report.
Our goal is to document the evolution of the threat landscape so that security practitioners can fine-tune their defences accordingly.
The report aims to clarify the relationship between target characteristics and attacker behaviour so that each organisation can focus on the threats that apply most to them.
Based on our research, these are the cybersecurity mitigation measures no organisation can afford to ignore. (Note – The analysis is primarily based on successful attacks, so the recommendations are more of a bare minimum than a complete, holistic security architecture).
1 Data backup
Data backups need to be part of every organisation’s strategy, and it is often difficult to assess the robustness of a backup program until it is tested. Many good backup programs employ several different modes, with longer-term backups air-gapped, stored on physical media off-site, or using other degrees of protection.
However, beginning in 2020, ransomware strategies evolved to exfiltrate data before triggering encryption, which reduces the power that even good backups have to control ransomware risk completely. Sure, with the right backups you can restore operations once your environment is cleaned up, but the data is gone, and you still have to deal with the attacker and ransom. A robust ransomware strategy needs to start with backup, but the preceding attacker behaviours, the methods of initial access, lateral movement, execution, persistence, and exfiltration need to be controlled as well.
This primarily takes the form of various forms of virtualisation, such as virtual machines, containers, and browser sandboxing. This type of control can help mitigate several exploit-based approaches observed in 2021, including Exploitation for Client Execution, Exploit Public-Facing Application, and Drive-by Compromise.
The most obvious form of exploit protection is the use of a web application firewall (WAF). Despite the declining prevalence of web exploits in the data, a WAF is still critical for operating a modern web application. It is also a requirement for PCI-DSS, which applies specifically to the credit card numbers so heavily targeted by formjacking attacks. There are also a growing number of behavioural approaches to exploit protection that appear promising.
Network segmentation is a particularly underrated control, given how ransomware approaches have changed the threat landscape since the pandemic began.
It can shut down a huge number of attack vectors, five of which were observed in the 2021 data: Exploit Public-Facing Application, Automated Exfiltration, Exfiltration Over Web Service, External Remote Services, and Exploitation of Remote Services.
Furthermore, it makes exfiltration and lateral movement particularly difficult.
Some cloud-native applications may have implemented the same control objectives using identity and access management, but for organisations with hybrid environments or legacy applications in the process of moving to the cloud, this is still an important approach.
While the creation of privileged accounts is straightforward, the deletion of them is often overlooked, so they should be audited regularly to ensure they are decommissioned when they are no longer necessary.
The log4shell campaign that unfolded in late December 2021 is a reminder of the importance of software maintenance, not merely the software organisations produce or use, but all of the subcomponents and libraries necessary to keep everything running.
Regular vulnerability scanning adds situational awareness and flexibility to a vulnerability management program. This should include a public-facing scan from the Internet and an internal scan to assess how an environment appears to attackers.
Code signing is another underused approach, in light of architectural trends that pull code from disparate sources at runtime. In particular, sub-resource integrity (SRI) headers can ensure that external scripts haven’t been modified when they are called at runtime. As applications increasingly rely on external scripts to pull in new features, SRI is a powerful tool to shut down vectors, including many of the initial access techniques seen in formjacking and Magecart attacks.
This is a broad-reaching control objective that can manifest in many ways, but all centring on controlling avenues for both unauthorised access and exfiltration, such as blocking specific file types, known malicious IP addresses, and external scripts. This approach can shut off a wide range of attack vectors, including malicious script injection, phishing, and malvertising.
Content security policies (CSPs) appear underused for such a powerful and free control for restricting web content. During a scan that F5 Labs ran in August 2021 for the 2021 TLS Telemetry Report, HTTP response headers for the Tranco top 1 million sites were also collected. Just over 6% of the top 1 million had a CSP header in the server response. The most frequent directive in those CSPs was upgrade-insecure-requests, which ensures that cross-site requests travel over HTTPS. Upgrade-insecure-requests showed up in 2.5% of sites, followed closely by frame-ancestors. Other elements that are more frequent vectors for injection of malicious scripts, such as script-src, img-src, and frame-src, are less common.
Intrusion prevention systems are no longer the leading-edge controls that they were a decade or more ago, but as lateral movement and deployment of malware appear to be on the rise, this kind of control is valuable as part of a defense-in-depth approach that also uses a WAF and other controls.
Every organisation of every type should have antimalware capabilities. However, because malware needs to be placed on a system to work, it is never the first step in an attack. Because of this, antimalware needs to be part of a more holistic strategy.
While the corresponding attack techniques were observed in only 12% of attack chains, disabling or removing features or programs would mitigate five observed techniques in the 2021 data: Command and Scripting Interpreter, Exfiltration Over Web Service, External Remote Services, Exploitation of Remote Services, and Cloud Instance Metadata API. The log4shell events in December 2021 are a reminder that zero trust and least privilege need to apply to systems as well as people as applications and environments grow in complexity.
The absence of configuration management or change management structures from on-premises days does not obviate the need for a corresponding structure in the cloud.
Guides and information for cloud configuration management are plentiful for all public clouds, and organisations running customer-facing applications in the cloud should treat these guides as doctrine.