The cyber security landscape is constantly changing, and with it, the types of attacks that organizations must protect themselves against. We often hear about 'modern attacks', which require a different defensive strategy than more traditional ones. Malware, phishing, and DDoS remain a threat, but modern attacks are becoming more widespread and harder to identify. In this blog, we'll look at how attackers have adapted their tactics, techniques, and procedures, and why signature-based detection methods are no longer enough to detect and prevent them.
Before we get too far into what a modern attack is, let’s discuss what it isn’t. Anything that cannot be feasibly detected by signature-based approaches most certainly does not fit under the category of the modern attack type. This includes attacks that can be commonly identified by legacy technology such as firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), or web application firewalls (WAF). Modern attacks are more sophisticated and difficult to detect. While a number of common legacy attack vectors and application-level attacks such as SQL injection, cross-site scripting (XSS), and Remote Code Execution (RCE) certainly still exist, these tend to be a single component of modern attacks, rather than the complete attack chain. These “one-shot” attacks are designed to directly exploit vulnerabilities in web applications, allowing attackers to gain access to sensitive data or execute malicious code. While these types of attacks do still occur, modern organizations tend to have less low hanging fruit and vulnerability surface area comprised of these basic vulnerabilities. More often, today’s organizations are better at implementing secure development practices, system patching, and vulnerability scanning in general. This means attackers have been forced to shift focus towards discovering and exploiting behavior based flaws in applications and APIs rather than simple vulnerabilities.
According to Gartner, 75% of organizations that run cloud-native applications in production still use web application firewalls (WAFs) or web application and API protection (WAAP) tools to protect their applications during runtime.
These more traditional application security tools like WAFs are designed to identify and block malicious requests, but they are not able to detect multi-stage, behavior-based attacks. Inspecting and blocking web traffic is necessary and useful in certain situations, however relying on this technique as the sole defense against modern attacks is a recipe for disaster.
Learn more about the advantages/disadvantages of WAFs, and how to expose their limitations in a recent blog: https://ghost.security/resources/blog/what-your-waf-isnt-telling-you
So, with that being said, what measures can organizations take to protect themselves from both modern and more traditional, moment-in-time-based vulnerabilities and attacks?
The shift to the cloud requires organizations to update their strategy for protecting applications. Instead of just inspecting web traffic, they should assess application-related events in the context of the entire application workload. For instance, if an attack exploits an application-level vulnerability to establish a remote shell connection, traffic inspection may not detect anything malicious in the request. However, by monitoring the broader context and the creation of the reverse shell instance, it may be possible to identify the malicious or suspicious behavior and either block it or generate an alert. To achieve this, organizations need to add a threat detection and protection component that can not only block unwanted traffic, but also monitor application workloads more closely for events that are outside the normal, expected baseline of behavior. By establishing a baseline of 'normal' activity between hosts or endpoints, organizations can quickly identify any anomalies and respond to new variants as they arise.
In a practical sense, starting with security solutions that automate inventory management of your applications and APIs is key. Without visibility into what has access to your organization, everything that happens downstream as far as monitoring and protection becomes ineffective. In other words, no matter how great your monitoring capabilities are - if you don’t know what you’re monitoring does it really matter?
Additionally, prioritize ease of deployment and management. Cloud-native applications mean rapid development and frequent changes. Finding a solution that keeps up with this dynamic environment automatically with little knowledge about the cloud infrastructure required by the user is going to save a lot of time and headaches in the future, not to mention be much more effective at identifying threats and misconfigurations, thus reducing risk. Proactive identification of application-related assets such as APIs is a paradigm shift from the wait and see approach that you see in WAFs which are designed to filter and monitor traffic based on a predefined ruleset.
With a constantly changing landscape and increasing number of endpoints to defend, organizations must be prepared to protect themselves against modern attacks. Solely relying on signature-based detection methods is no longer enough to detect these attacks and protect their applications and APIs. Take proactive steps to partner with a solution that automates discovery and inventory management, monitors traffic and application workloads for anomalies, and simplifies deployment, management, and scalability for the user.