NEWS:
Menlo Security announces strategic partnership with Google
The browser has emerged as the most widely used enterprise application today. That’s good news for users who need to access corporate data and business tools from anywhere with a reliable Internet connection. But threat actors have taken notice as well, and, as a result, the popularity of the browser has made it the world’s most common attack vector – accounting for more than 80% of attacks in 2022. Unfortunately, limited capabilities of legacy cybersecurity tools prevent organizations from gaining the visibility into user behavior in the browser – valuable context and threat intelligence that would allow them to stop these attacks from gaining an initial foothold into the network.
How is this lack of visibility impacting the cybersecurity posture of today’s organizations? Let’s find out.
The browser is the unquestioned gateway to enterprise tools and information. Distributed users working from the office, a branch location, home or on the road can log in from anywhere to access web applications and Software as a Service (SaaS) platforms. This empowers a hybrid workforce, distributed supply chains and decentralized partner networks and ensures that work gets done in today’s digital world. According to Forrester, enterprise employees spend 75% of their device time in the web browser.
The shift of work to the browser has attracted unwanted attention. Threat actors, always looking for the easiest way into the network, are targeting the browser more than ever before. According to the Verizon 2022 Data Breach Investigation Report (DBIR), web applications and email – which are primarily accessed via web browsers – constitute the primary attack vectors in security breaches, accounting for over 80% of such incidents.
Unfortunately, too many of these attacks are successful. The decentralized nature of browsers means that they are rarely subject to the same enterprise security tools as other business vectors such as email and a private network. This creates a disconnect between users (who tend to assume that anything they’re able to access from a corporate-owned and managed device is safe) and IT teams (who really have no visibility or control into browser behavior). Coupled with the increasing business use of the browser, this security gap makes the browser an ideal attack vector.
As a result, threat actors are using Highly Evasive Adaptive Threats (HEAT) to get around traditional tools that rely on a detect and respond approach to cybersecurity. These solutions simply look for abnormal behavior on the end point or on the network – using carefully crafted policies to alert IT teams of anything that doesn’t seem right. Unfortunately, detection is too late. The threat has likely already taken hold and is moving through your network in search of more valuable targets. It’s only a matter of time before your business systems are compromised or data is exfiltrated. Either way, it’s not a good outlook. This lack of real-time protection leaves organizations open to dangerous credential theft, ransomware, phishing and drive-by attacks.
Traditional cybersecurity solutions were designed for a different world when applications lived in the data center, most users logged in from behind a corporate firewall and security teams just had to monitor a few access points connecting the data center to the Internet. With so little data flowing outside the organization, it was fairly easy to identify entities that were acting suspicious.
Digital and cloud transformation, coupled with hybrid workforces, have changed enterprise architecture. It’s now decentralized, spread across the Internet, hosted on cloud service provider infrastructure and accessed through unsecured WiFi networks. IT teams have virtually no visibility into these connections and have to rely on out-dated monitoring tools that weren’t built for this level of traffic. As a result, cybersecurity teams are overwhelmed by event data that generates thousands of false alerts that obscure the events that they should be focusing on.
Evasive web threats –such as HEAT attacks–use this lack of visibility to their advantage, hiding in plain sight by masking their behavior as legitimate traffic. This makes it difficult to identify and mitigate potential risks coming from the browser and prevents organizations from protecting users in real time. They can’t prevent users from entering their credentials into a false web form. They can’t block phishing sites that seem legitimate or prevent users from visiting a webpage that has recently been compromised. This leads to a lack of evasive threat intelligence as well–blocking safe but unknown sites while allowing access to newly compromised URLs.
Here are five ways that a lack of visibility into the browser exposes organizations to HEAT attacks:
Browsers, like any software, can contain vulnerabilities that can be exploited by attackers. Using browsers with unpatched security flaws, outdated extensions or plugins can give threat actors an entry point to inject malicious code into web pages or track browsing activity for malicious purposes. Attackers can target these vulnerabilities to gain unauthorized access to systems, steal sensitive information or install malware. Better browser visibility prevents the exploitation of such vulnerabilities. This includes the prevention of zero day exploits from impacting the underlying operating system or compromising sensitive data on the user’s device.
Many browsers automatically download files from the Internet when prompted – even by an unauthorized entity. Drive-by downloads, such as HTML smuggling, are becoming an increasingly popular evasive technique used by threat actors in which malicious code is automatically executed on a user's system when they visit a compromised or malicious website. Browsers can inadvertently execute this code, leading to the installation of malware without the user's knowledge or consent. This can lead to data breaches, system compromises or the installation of backdoors that enable further attacks. Increased browser visibility helps identify and block malicious downloads and malware that uses obfuscated Javascript to execute potentially malicious code. Detecting these threats before the point of click and executing them in an isolated environment prevents this initial foothold.
Browsers are commonly used to access email and other online services, making them a prime target for phishing attacks. While the emails, instant messages and other communications are not harmful themselves, they can include links that direct users to malicious websites. Attackers may send deceptive emails or create fraudulent websites that mimic legitimate ones, tricking employees into entering their credentials or providing sensitive information. These attacks can compromise user accounts, lead to data breaches or facilitate targeted attacks against the organization. Having better browser visibility allows organizations to identify fake web page components such as brand logos, phony domains or other previously invisible browser signals.
Cross-site scripting (XSS) attacks work by injecting malicious scripts into legitimate websites, which are then executed by users' browsers – ultimately leading to data theft, session hijacking or malware downloads. Browsers are also vulnerable to code injection attacks where attackers inject and execute malicious code within web applications that compromise the organization's systems or databases. Increased browser visibility allows cybersecurity teams to monitor and isolate browser activity across all websites (good or bad) to ensure content and page requests are safe and do not leave traces on the user’s device.
Browsers can inadvertently expose sensitive information through various means. For example, if a browser has weak privacy settings, it may disclose browsing habits, login credentials or other sensitive data to unauthorized entities such as ChatGPT. This information can then be used for targeted attacks or to gather intelligence for future exploitation. Increased browser visibility helps cybersecurity teams identify and understand how users are interacting with websites so they can prevent the accidental upload of sensitive data to websites using DLP policies. It can also prevent sensitive code or login credentials from being copy and pasted from websites and provide increased browser forensics.
A lack of browser visibility is putting organizations at great risk from today’s HEAT attacks. Legacy detect and respond solutions were built for a different world and aren’t suited to monitoring browser behavior or identifying the highly evasive techniques used by today’s threat actors. Better browser visibility through preventative security solutions such as isolation can provide this much needed context into specific browser behavior and give cybersecurity teams the tools to stop threats from making the initial breach on the end point. In an upcoming blog, we’ll go into more detail about how isolation and other preventative cybersecurity technologies can enable browser visibility and help you stop today’s HEAT attacks in their tracks.
Learn how Browser Security provides visibility and comprehensive protection inside the browser.
