Web-based attacks

Alarming spike in top hostile activity

Mark Thomas

VP, Cybersecurity ─ Dimension Data


For the past 18 years, Mark has worked in the cybersecurity field establishing pragmatic, business-aligned risk minimisation strategies and developing intelligence-led computer network defences. His broad knowledge and in-depth expertise are a result of working extensively in consulting, technical, and managed services with large enterprises across numerous industry sectors including finance, government, utilities, retail, and education.


Web-based attacks moving up the stack for profit


Attacks doubled in 2018 and now account for 32% of all hostile activity

Web-based attacks aren’t new and have been frequently observed for some years. However, we’ve seen an alarming spike in recent cyberattacks in this area. In fact, they doubled year-on-year (accounting for 32% of all attacks detected during 2018) and represented the top type of hostile activity. These findings were recently unveiled in Dimension Data’s Executive Guide to the NTT Security 2019 Global Threat Intelligence Report.


Figure 1: Global hostile activity

What are web-based attacks ─ and what’s behind this dramatic increase?

The role of information technologies is changing dramatically. It’s fast moving away from simply being a back-office process automation function to one that deploys applications ─ the primary way through which an enterprise conducts its business.

Web-based attacks target web-application and application-specific vulnerabilities in technologies frequently used by many businesses.

Any organisation that has a web presence is exposed to these attacks ─ and the larger their web presence, the greater the attack surface. Compounding the challenge is that today, more companies’ applications are being housed in the cloud. This not only exposes the organisation to new attack types but also means that a host of new user devices ─ which are designed to access those applications from anywhere in the world, at any time ─ are also now under the threat of compromise.


Added to this is the challenge of securing DevOps. Today, in response to increasing customer demands, business leaders are putting IT under pressure to publish applications faster. This is because they want to be first-to-market with innovative products and services to secure and enhance their competitive advantage.

Modern applications require more frequent code changes, as you deploy new functions. So, gone are the days when IT teams would develop an application over a 6─12-month period, knowing that they had sufficient time to build and test prototypes before delivering the finished product. Now, the timeframe may be compressed down to weeks, days, or even hours.

But, if security isn’t integrated into this process, organisations run the risk of exposing themselves to a new array of vulnerabilities that may have been introduced during the development lifecycle.

How do you strike a balance between speed-to-market and security due diligence?

This is where the concept of ‘DevSecOps’ comes in, i.e.: secure software ─ sooner.

Security teams need to be involved from the time the development of a new application begins, through to testing and run time. This requires the following:

  • ensuring you have the appropriate technologies integrated into the DevOps tool pipeline that allow you to analyse code as it’s being developed, and identify any vulnerabilities
  • confirming that configurations are secure
  • identifying any other software or dependencies that may impact the application
  • conducting security monitoring for auditing purposes and to allow you to identify any threats that may target the application
  • ensuring that web application security testing is embedded into each phase of the application development and production process, rather than being ‘bolted on’ at the end
  • using automation wherever possible

This way, you can identify and fix application vulnerabilities faster (and reduce or eliminate the cost to the business associated with remediating vulnerabilities or issuing patches that may need to be deployed at a later stage, after the application’s been published).


Cultural change

Successful DevSecOps involves everyone understanding that applications aren’t just about technology. It also calls for a cultural change and the need for:

  • efficient collaboration between the development and operations teams, and the security team
  • improved communication, consistency, and transparency
  • continuous improvement being built into the process

WhiteHat Security recently conducted research¹ on this topic. Their Report included some interesting findings regarding microservices-based architectures. As data and applications increasingly move to the cloud, it’s important to start considering microservices-based architectures. These allow applications to run seamlessly across on-premise and various cloud environments. However, WhiteHat Security discovered that if you migrate to this kind of architecture, the number of vulnerabilities per line of code actually increases. Their Report states: ‘Microservices are riddled with vulnerabilities … that said, they do have a higher remediation rate and shorter time to fix than monolithic apps.’

To me, this suggests that security isn’t yet fully part of the DevOps model – partly due to a lack of understanding and/or implementation of DevSecOps practices.

What’s the rationale and methodology associated with these attacks?

Web applications are the ‘gateway’ into other systems and parts of an organisation’s infrastructure. They’re usually connected to databases which store sensitive data or intellectual property. So, by compromising the web application, attackers can access these databases, if they’re not adequately secured, and exfiltrate large amounts of data.

The primary motivation behind web attacks is profit, i.e. by selling stolen data to other cybercriminals or criminal agencies.

But it’s also about access. By gaining access to other infrastructure (using the web application as a ‘gateway’), threat actors can infiltrate the wider organisation to conduct other types of malicious activity.

Finally, there’s influence – here, an attacker will look for opportunities to disrupt the business’ operations. This is often related to hacktivism (e.g. defacing a website) to promote a political agenda or movement for social change. In other cases, the attacker will blackmail the target in an attempt to extort funds.

Older vulnerabilities in the firing line

Interestingly, vulnerabilities in older software are targeted most frequently in web-based attacks. To cybercriminals, these represent the ‘low-hanging fruit’, as they’ve remained unpatched for some time. So, businesses need to examine their overall window of exposure and determine how long certain vulnerabilities have been in existence and how long it will take to remediate or patch them.

However, attackers are very much on the front foot in this respect, as they often incorporate web scanners and reconnaissance capabilities into their toolsets. These allow them to identify an organisation’s software and their version numbers … and then they’ll automate the exploitation of selected vulnerabilities. Some of these toolsets are available at no cost on open source forums and the dark web.


Why are web-based attacks so successful?

There are several reasons for the high success rate of web-based attacks. These include the fact that:

  • It’s possible to develop exploits quickly, before patches are released. While patches for many new vulnerabilities are released reasonably swiftly, others aren’t, and weaponised exploits for these vulnerabilities can be very effective.
  • Attacks are generally automated and conducted using a variety of tools, which enable more threat actors to use them.
  • There’s a relatively low amount of effort required by cybercriminals, as they can easily integrate reconnaissance scans into their toolkits. If these toolkits are sold over the dark web, there’s little skill required on the part of the buyer to capitalise on these features.

My top 5 recommendations for protecting your organisation

  1. Prioritise patching to minimise your attack surface. Focus on your core, business-critical and high-risk vulnerabilities, rather than simply ‘playing a numbers game’ by patching a large number of low-risk vulnerabilities. Measure and track your efforts by using key metrics, such as mean-time-to-fix and window-of-exposure.
  2. Segment your network environment to avoid the widespread propagation of attacks, but also to ensure that the appropriate end-point controls are in place (e.g. anti-virus end-point detection and response).
  3. Develop and enforce secure coding practices by educating developers about security risks and principles, and how to integrate security validation tools into their development pipelines, so they can rapidly remediate vulnerabilities during development, build, and run time.
  4. Deploy web application firewalls to prevent and detect threats to your business’ data and applications. Ensure logs are continuously monitored for malicious activities.
  5. Perform continuous application security testing to validate that the defences you have in place are adequate, and that no frequent code or infrastructure changes are causing vulnerabilities to be inadvertently introduced.
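
To make the metrics in recommendation 1 concrete, here is an added example (not from Dimension Data or the report) that computes mean-time-to-fix and window-of-exposure from a findings list and orders open findings by risk rather than by count. The findings, the reporting date, the 7.0 score threshold and the metric definitions used here are assumptions chosen for illustration.

```python
from datetime import date
from statistics import mean

# Constructed sample findings (not real data): id, CVSS-style score,
# business-critical asset?, date detected, date fixed (None = still open).
FINDINGS = [
    ("F-1", 9.8, True,  date(2019, 1, 10), date(2019, 1, 24)),
    ("F-2", 9.1, True,  date(2018, 6, 1),  None),
    ("F-3", 5.3, False, date(2019, 2, 1),  date(2019, 2, 11)),
    ("F-4", 3.1, False, date(2018, 3, 15), None),
    ("F-5", 7.5, False, date(2019, 3, 1),  date(2019, 3, 31)),
    ("F-6", 7.2, True,  date(2019, 3, 20), None),
]
AS_OF = date(2019, 4, 1)  # reporting date (assumed)

def band(score):
    """Assumed two-band split: scores of 7.0 and above count as high risk."""
    return "high" if score >= 7.0 else "low"

def mean_time_to_fix(findings):
    """Mean days from detection to fix per risk band, closed findings only."""
    days = {}
    for _fid, score, _crit, opened, fixed in findings:
        if fixed is not None:
            days.setdefault(band(score), []).append((fixed - opened).days)
    return {b: mean(v) for b, v in days.items()}

def window_of_exposure(findings, as_of):
    """Days each still-open finding has been exposed as of the reporting date."""
    return {fid: (as_of - opened).days
            for fid, _s, _c, opened, fixed in findings if fixed is None}

def patch_queue(findings, as_of):
    """Open findings by risk: critical assets first, then score, then age."""
    open_findings = [f for f in findings if f[4] is None]
    open_findings.sort(key=lambda f: (not f[2], -f[1], -(as_of - f[3]).days))
    return [f[0] for f in open_findings]

if __name__ == "__main__":
    print("MTTF (days):", mean_time_to_fix(FINDINGS))
    print("Exposure (days):", window_of_exposure(FINDINGS, AS_OF))
    print("Patch order:", patch_queue(FINDINGS, AS_OF))
```

In this sample the oldest open finding (F-4) is patched last because it is low-risk on a non-critical asset, while its exposure window still shows up in the tracking metric.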


All of the above encapsulate the features and the ultimate goal of DevSecOps. Success lies in integrating all your security toolsets into the application development pipeline, ensuring that security is part of the end-to-end process, and giving developers an understanding of security principles so that they can detect vulnerabilities early on and patch them rapidly, which will reduce the cost to the business.

1 WhiteHat Security 2018 Application Security Statistics Report, Volume 13: The Evolution of the Secure Software Lifecycle
