Protecting your data in 2020: How to identify web attacks
As we reflect on the past year, it’s clear how far we’ve come in improving cybersecurity efforts. That progress, however, has been met by persistent efforts from attackers to infiltrate organizations.
Cloud, web and mobile applications continue to be one of the top sources of successful breaches, according to the 2019 Verizon Data Breach Report (DBIR).
It can be overwhelming to navigate the sheer number of attacks and attack types targeting applications, APIs and microservices. However, most attempts can be narrowed down to three types:
● Credential stuffing
● API abuse
● Business logic attacks
It’s a challenging landscape, but getting ahead of these attacks requires visibility into the threats targeting your business applications. Security, development and DevOps teams need line of sight into what attackers are attempting against their systems so they have the feedback needed to build an effective defensive strategy and prioritize their very limited resources.
Let’s take a moment to take a deeper dive into the types of attacks mentioned above.
As organizations continue to migrate to the cloud or design and deploy cloud-native apps, the keys to business and user data are usually protected only by a simple username-and-password combination. It’s no wonder, then, that credential stuffing has become the most successful attack type over the last year. Attackers use these credentials to take over accounts, gain access to private Internet of Things (IoT) devices, and chain attacks by accessing account recovery email addresses.
Credential stuffing is the primary tactic behind account takeover attacks, and the signs of an attack have evolved: they are often more than simple brute-force password guessing or dictionary attacks.
Indicators of an attack typically include:
● Login attempts from geographically diverse areas that differ from users’ normal geographies
● An increasing number of failed login attempts across all users rather than just spikes in select users
● A rise in successful logins from suspicious IP addresses that have exhibited other attack behaviors
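The three indicators above can be computed directly from authentication logs. The following is an added example, not code from the original article: it scores a constructed batch of login events for fleet-wide failure spread, successes outside each user's usual country, and successes from a source that had already failed against many distinct accounts. The event format, the baseline geographies and the thresholds are assumptions made for illustration.

```python
"""Credential-stuffing indicators computed over a batch of login events.

This is an added example, not code from the original article. The event
format, the baseline geographies and the thresholds are constructed
assumptions; a real deployment would read these from IdP or WAF logs.
"""
from collections import defaultdict

# Constructed sample: (user, source_ip, country, success), in time order
LOGIN_EVENTS = [
    ("alice", "203.0.113.10", "US", True),
    ("alice", "203.0.113.10", "US", True),
    ("bob",   "203.0.113.11", "US", False),   # an ordinary mistyped password
    ("bob",   "203.0.113.11", "US", True),
    # one source walking a leaked credential list across many accounts
    ("carol", "198.51.100.5", "BR", False),
    ("dave",  "198.51.100.5", "BR", False),
    ("erin",  "198.51.100.5", "BR", False),
    ("frank", "198.51.100.5", "BR", False),
    ("grace", "198.51.100.5", "BR", False),
    ("heidi", "198.51.100.5", "BR", True),    # one reused password worked
    ("alice", "198.51.100.6", "RU", True),    # success far from alice's usual geography
]

# Constructed baseline: the country each user normally logs in from
BASELINE_COUNTRY = {"alice": "US", "bob": "US", "carol": "US", "heidi": "US"}


def failure_spread(events):
    """Fraction of distinct users that saw at least one failed login.

    Stuffing spreads failures thinly across many accounts, so this rises
    fleet-wide even when no single user shows a spike.
    """
    users = {user for user, _, _, _ in events}
    failed_users = {user for user, _, _, ok in events if not ok}
    return len(failed_users) / len(users) if users else 0.0


def geo_anomalies(events, baseline):
    """Successful logins from a country other than the user's baseline."""
    return [
        (user, ip, country)
        for user, ip, country, ok in events
        if ok and user in baseline and country != baseline[user]
    ]


def suspicious_ip_successes(events, min_failed_users=3):
    """Successes from IPs that earlier failed against many distinct users.

    Returns {ip: [users that logged in successfully from it]} for IPs whose
    failures had already touched at least `min_failed_users` accounts.
    """
    failed_users_by_ip = defaultdict(set)
    hits = defaultdict(list)
    for user, ip, _, ok in events:          # relies on time ordering
        if not ok:
            failed_users_by_ip[ip].add(user)
        elif len(failed_users_by_ip[ip]) >= min_failed_users:
            hits[ip].append(user)
    return dict(hits)


def assess(events=LOGIN_EVENTS, baseline=BASELINE_COUNTRY):
    """Combine the three indicators into one report for analysts to triage."""
    return {
        "failure_spread": failure_spread(events),
        "geo_anomalies": geo_anomalies(events, baseline),
        "suspicious_ip_successes": suspicious_ip_successes(events),
    }


if __name__ == "__main__":
    for name, value in assess().items():
        print(f"{name}: {value}")
```

On the constructed sample, three quarters of all users see a failure even though each individual account fails only once, two successes land outside the users' baseline countries, and the source that failed against five accounts is flagged the moment it succeeds against a sixth. The last check is the one that turns a noisy failure pattern into a concrete account-takeover candidate to investigate.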
With the explosion of mobile applications, there has been a corresponding increase in the number of APIs provided by all types of companies to power those apps. As applications are increasingly deployed to cloud infrastructure and maintained by development or DevOps groups operating autonomously, the number of APIs has grown considerably, which has exposed more of them to attack.
Attacks on APIs often abuse legitimate functionality, performing actions far more frequently than intended.
Common indicators of an attack on an API include:
● An unexpected burst in requests to specific APIs
● API requests that come from an untrusted device, unauthorized client, or suspicious geography
● API requests that attempt to brute force authorization identifiers or access data of other users
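As an added example (not code from the original article), the block below runs the three API indicators over a constructed access log: a per-endpoint burst detector using a sliding window, a check for clients that walk many distinct user identifiers and mostly get denied, and a comparison against the list of client identifiers the company actually issued. The log format, the known-client list and the thresholds are assumptions.

```python
"""API-abuse indicators computed from a short access log.

Added example, not code from the original article. The log format (epoch
seconds, client id, path, HTTP status), the known-client list and the
thresholds are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed access log: one request per line
ACCESS_LOG = """\
1577836800 app-ios-1 /v1/users/1001/orders 200
1577836805 app-ios-1 /v1/users/1001/orders 200
1577836810 app-android-7 /v1/users/2002/orders 200
1577836811 unknown-9 /v1/users/1001/orders 403
1577836812 unknown-9 /v1/users/1002/orders 403
1577836813 unknown-9 /v1/users/1003/orders 404
1577836814 unknown-9 /v1/users/1004/orders 403
1577836815 unknown-9 /v1/users/1005/orders 200
1577836816 unknown-9 /v1/users/1006/orders 403
1577836820 app-ios-1 /v1/catalog 200
"""

# Constructed list of client identifiers issued to the company's own apps
KNOWN_CLIENTS = {"app-ios-1", "app-android-7"}


def parse_log(text):
    """Turn raw lines into dicts; numeric path segments collapse to {id}."""
    events = []
    for line in text.splitlines():
        ts, client, path, status = line.split()
        events.append({
            "ts": int(ts),
            "client": client,
            "path": path,
            "endpoint": re.sub(r"/\d+(?=/|$)", "/{id}", path),
            "status": int(status),
        })
    return events


def peak_in_window(timestamps, window):
    """Largest number of events inside any `window`-second interval."""
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def burst_endpoints(events, window=60, threshold=5):
    """Endpoints whose peak request count per window exceeds `threshold`."""
    by_endpoint = defaultdict(list)
    for e in events:
        by_endpoint[e["endpoint"]].append(e["ts"])
    flagged = {}
    for ep, ts in by_endpoint.items():
        peak = peak_in_window(ts, window)
        if peak > threshold:
            flagged[ep] = peak
    return flagged


def id_enumeration(events, min_ids=5, min_error_ratio=0.5):
    """Clients touching many distinct user ids with mostly denied responses."""
    ids_by_client = defaultdict(set)
    errors = defaultdict(int)
    total = defaultdict(int)
    for e in events:
        for uid in re.findall(r"/users/(\d+)", e["path"]):
            ids_by_client[e["client"]].add(uid)
            total[e["client"]] += 1
            if e["status"] >= 400:
                errors[e["client"]] += 1
    flagged = {}
    for client, ids in ids_by_client.items():
        ratio = errors[client] / total[client]
        if len(ids) >= min_ids and ratio >= min_error_ratio:
            flagged[client] = (len(ids), ratio)
    return flagged


def untrusted_clients(events, known=KNOWN_CLIENTS):
    """Client identifiers not issued to any of the company's own apps."""
    return sorted({e["client"] for e in events} - known)


if __name__ == "__main__":
    evs = parse_log(ACCESS_LOG)
    print("bursts:", burst_endpoints(evs))
    print("enumeration:", id_enumeration(evs))
    print("untrusted:", untrusted_clients(evs))
```

Collapsing numeric path segments to `{id}` before counting is what lets the burst detector see nine hits on one endpoint rather than six unrelated URLs; the enumeration check then attributes those hits to a single client that is neither on the issued-client list nor authorized for the records it requested.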
Often, attackers skip classic injection-style attacks altogether and instead learn how an application or API works in order to abuse specific parts of its design to achieve their aims. These so-called “business logic” attacks use intentional functionality in unintended ways to steal information, gain access to accounts, or cause service disruption.
Because they use valid application and API features, business logic attacks can be difficult to detect. Companies need to track signals that could indicate someone is abusing an application and put controls in place that provide visibility into that abuse.
Such controls should focus on behaviors such as:
● A spike in usage of sensitive but rarely used functionality
● Out-of-order usage of sensitive functionality (e.g. performing step one, skipping steps two and three, and jumping straight to step four)
● Anomalous sources accessing sensitive functionality, regardless of volume (e.g. “low and slow” attacks)
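The three behaviors above map onto three small checks, shown here as an added example rather than code from the original article: a step-order validator for a multi-step flow, a spike detector for a rarely used sensitive function, and a never-seen-before source check that deliberately ignores volume. The checkout flow, the session traces, the usage baselines and the thresholds are constructed assumptions.

```python
"""Business-logic abuse signals: out-of-order steps, spikes in rarely used
sensitive functions, and never-before-seen sources touching them.

Added example, not code from the original article. The checkout flow, the
session traces, the usage baselines and the thresholds are constructed
assumptions for illustration.
"""
from statistics import mean

# Constructed multi-step flow; each step must follow every step before it
CHECKOUT_FLOW = ["cart", "shipping", "payment", "confirm"]

# Constructed session traces: ordered list of steps each session called
SESSIONS = {
    "s1": ["cart", "shipping", "payment", "confirm"],   # normal
    "s2": ["cart", "confirm"],                          # jumped straight to step four
    "s3": ["cart", "shipping"],                         # abandoned, not suspicious
    "s4": ["cart", "payment", "confirm"],               # skipped shipping
}

# Constructed daily call counts for a sensitive, rarely used function
BASELINE_DAILY = {"export_report": [1, 0, 2, 1, 1, 0, 2]}
TODAY_COUNT = {"export_report": 25}

# Constructed sources seen calling each function during the baseline period
BASELINE_SOURCES = {"export_report": {"10.0.0.5", "10.0.0.6"}}
# Constructed calls observed today: (source, function)
TODAY_CALLS = [
    ("10.0.0.5", "export_report"),
    ("10.0.0.5", "export_report"),
    ("192.0.2.44", "export_report"),   # a single call from an unfamiliar source
]


def out_of_order_sessions(sessions, flow=CHECKOUT_FLOW):
    """Sessions that reached a step before completing every earlier step.

    Returns {session: (offending step, [skipped steps])}; first offence wins.
    """
    flagged = {}
    for sid, steps in sessions.items():
        seen = set()
        for step in steps:
            skipped = [s for s in flow[: flow.index(step)] if s not in seen]
            if skipped:
                flagged[sid] = (step, skipped)
                break
            seen.add(step)
    return flagged


def usage_spikes(baseline=BASELINE_DAILY, today=TODAY_COUNT, factor=3, floor=5):
    """Functions whose count today is far above their historical daily peak.

    A function is flagged when today's count exceeds both `floor` and
    `factor` times its largest baseline day, so a jump from 2 to 3 calls
    is ignored while 2 to 25 is not.
    """
    return {
        fn: (count, max(baseline[fn]), mean(baseline[fn]))
        for fn, count in today.items()
        if count > max(floor, factor * max(baseline[fn]))
    }


def anomalous_sources(calls=TODAY_CALLS, known=BASELINE_SOURCES):
    """Sources calling a sensitive function that never called it before.

    Volume is deliberately ignored: one call from a new source is enough,
    which is what surfaces "low and slow" abuse.
    """
    return sorted({(src, fn) for src, fn in calls if src not in known.get(fn, set())})


if __name__ == "__main__":
    print("out of order:", out_of_order_sessions(SESSIONS))
    print("spikes:", usage_spikes())
    print("new sources:", anomalous_sources())
```

The order check only fires on steps reached without their predecessors, so an abandoned session is not an alert; the spike check compares against the baseline's worst day rather than its average, which keeps a genuinely rare function from alerting on normal variance; and the source check reports a single call, which a rate-based rule would never see.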
To build an effective defense strategy in the new year, organizations must have visibility into how their applications are being misused and attacked. Make sure your security, development and DevOps teams are equipped with the right application security tools and know the signs of application and API abuse: this will help your teams diagnose problems, prioritize limited resources and react quickly on actionable intelligence, ultimately protecting the business.