By Ilia Kolochenko, CEO – High-Tech Bridge
Initially started as an open community of security experts, DevSecOps has become a Gartner Top 10 technology for Information Security. One of the pillars of DevSecOps is 24/7 continuous monitoring of infrastructure, including all your applications and web services. However, some organizations still don’t see much added value for their application security strategy in continuous monitoring, and prefer to rely on opportunistic security testing, conducted quarterly or even annually. Although an ad-hoc approach is reasonable for some specific cases, continuous security monitoring is vital in today’s environment.
According to PwC’s Global State of Information Security® Survey 2017, only 51% of organizations actively monitor and analyze information security intelligence data, while a modest 47% have deployed SIEM systems for threat intelligence and analysis. Meanwhile, cybercriminals continue to outperform the cybersecurity industry, causing trillion-USD damages. Disastrous data breaches affecting the largest companies and governmental departments make media headlines almost every week. Attackers understand that they can maximize their illicit profits by applying well-thought-out organization and systems thinking to their criminal business.
The cybercrime industry is well organized: almost every hacking group has its own specialization, from exploit packs with 0day vulnerabilities to stolen databases with millions of financial or health records. Several groups perform continuous monitoring of the global web, using legitimate technologies and large cloud security providers, such as AWS. Have you ever wondered why over 50% of Internet traffic is generated by bots?
Cybercriminals certainly contribute to these numbers, crawling the Web 24/7. They gather information about websites and web applications, their versions and other security-related information. They can sell you a list of thousands of websites running outdated or vulnerable versions of WordPress for several dollars. As a result, we regularly see headlines when a major security flaw in a popular e-commerce engine is aggressively exploited in the wild just after the security patch is released.
You can buy virtually anything on the black market. For example: websites hosted in England, but not on “ac.uk” or “gov.uk” domains, running a vulnerable SEO plugin for Joomla, without a Web Application Firewall, and located on a web server with at least 30 other websites. Such data will cost you from a dozen to several hundred dollars, depending on the accuracy, date of verification and exclusivity. Some hacking groups are ready to pay more to be sure that the information will be sold only to them. Others prefer to quickly breach and backdoor as many applications as possible, and install legitimate security patches, precluding their competitors from getting in afterwards.
Once attackers have a portfolio of backdoored websites, they sell it to the next group in the criminal chain. Usually, another group will extract any valuable data from the websites (such as personal, health or financial data) and sell it separately. If they detect any celebrities or important people in the dump, they will first try to re-use their passwords and get into their emails and social networks. Afterwards, they will likely sell the emptied websites to their colleagues to place malware on the websites and gather bots for DDoS attacks. Worse, you can buy 0day vulnerabilities in many popular web CMSs and frameworks for less than $10,000, and compromise even up-to-date web applications.
Today, many SOC teams envy the rapidity and reactivity of professional Black Hats. Attackers are getting in before security guys even see a new event in their SIEM. While developers, sysadmins and Red/Blue security teams argue whose job description best reflects application security, cybercriminals already sell their crown jewels on the Dark Web.
In terms of ad-hoc and continuous security testing and integrity monitoring, even static web applications need to be located within your continuous monitoring perimeter. Web applications can be breached in dozens of different ways, including a subcontractor breach or FTP password re-use by your webmaster. Every security incident opens a door for the next one, mostly targeting web applications in a domino effect. A good example is the Polish financial regulator website, breached to host sophisticated malware for spear-phishing against local banks.
You need to start an application security strategy with a comprehensive inventory of your applications and web services. One forgotten subdomain can ruin all your efforts. Apps that do not require external access can be protected by a firewall, making them inaccessible from the Internet. If the number of application users is small, consider adding IP whitelisting or 2FA. The second step is to ensure that all your applications and services are permanently up to date and that a reliable patch and vulnerability management solution is in place. Also, a WAF for the most critical apps and services can be a good idea.
Once you minimize the scope of exposure and attack vectors, you should implement a solution, like ImmuniWeb Continuous, for 24/7 web application security testing and integrity monitoring. Otherwise, you invite cybercriminals to pay you a visit that may cost your company millions and cost you your career.