
Why traditional SWGs don’t protect against HEAT attacks

Why some Secure Web Gateways won’t protect against Highly Evasive Adaptive Threats (HEAT)


Cybersecurity is often described as a game of cat and mouse. Or chess. Or warfare. Or some other strategy-heavy activity that plays out across a series of moves and countermoves. Regardless of the metaphor, it’s clear that security professionals are engaged in a constantly shifting contest with threat actors. A new threat emerges. A solution is found and implemented. A new vulnerability comes to light. It gets closed. On and on it goes, ad nauseam.

Until it doesn’t. New, highly sophisticated attacks are growing increasingly successful at breaching enterprise networks — putting threat actors ahead in the arms race against security teams. Digital transformation, modern applications, cloud migration, and the new distributed workforce are pushing work outside the data center to the Internet, where it is more vulnerable to malicious activity. These expanding threat surfaces are increasingly being exploited by threat actors — giving them that initial access to the network from which they can spread to other, more enticing targets.

What’s contributing to this gap in the arms race? Secure Web Gateways (SWGs), organizations’ primary tool for combating web-based threats, are not up to the task of countering the increasingly sophisticated tactics of today’s threat actors.

Read on to find out why traditional SWGs are failing and what security teams should do instead to protect their organization from today’s web-based threats.

What is a SWG?

According to Gartner, Secure Web Gateway (SWG) solutions protect web-surfing PCs from infection and enforce company policies. They work by filtering malware from user-initiated Internet traffic and enforcing corporate and regulatory policy compliance. These gateways must, at a minimum, include URL filtering, malicious-code detection and filtering, and application controls for popular web-based applications.

Why are SWGs important?

Given that 90 percent of today’s breaches stem from the web and email, SWGs are an increasingly critical component of an enterprise security strategy. They are the main line of defense against web-based malware, drive-by attacks, credential theft, and the most common and disruptive type of attack, ransomware. More than 70 percent of organizations were hit by ransomware attacks in 2021, according to the 2022 CyberEdge Cyberthreat Defense Report — a staggering increase from 55 percent in 2018. These attacks shut down businesses, disrupt public infrastructure, and cost organizations billions of dollars in ransom payments at a time when the world continues to struggle to recover from the global pandemic, increasingly volatile geopolitical tensions, and other disruptions ranging from supply chain crises to rising inflation. The fact that SWGs are ill-equipped to stop these attacks is a major drain on enterprise resources. The Cyberthreat Defense Report also found that two-thirds of organizations that pay a ransom end up having their data exposed on the Internet anyway. The only way to reduce this risk is to stop the initial breach from occurring.

Why are traditional SWGs ill-suited to prevent that initial breach?

Traditional SWGs were designed more than a decade ago for a world that doesn’t exist anymore. Ten years ago — heck, five years ago — most work was conducted in the data center, but as applications and data have been decentralized and moved to the cloud, traditional SWGs have been unable to keep up. As a result, malicious actors have used this decentralization to their advantage and evolved their tactics. They are now extremely successful at evading detection on the edge of the network, which enables them to breach end devices through vulnerabilities in the browser. From there, all they have to do is wait patiently and slowly probe the environment until the time is right to deliver their payload.

How do threat actors specifically evade SWG detection techniques?

These attacks are called Highly Evasive Adaptive Threats (HEAT): threat actors use highly evasive techniques to bypass traditional web security measures and leverage web browser features so they can deliver malware or compromise credentials. If successful, HEAT attacks render all browser-based security defenses helpless. These include sandboxes, file inspections, network and HTTP-level inspections, malicious link analysis, offline domain analysis, and indicator of compromise (IOC) feeds.

Specific techniques include HTML smuggling, sending malicious links through unprotected channels (such as text messaging, social media, professional web networks, collaboration software, SMS, shared documents, shared folders, and SaaS platforms), hiding malicious content inside web page source code, and using benign websites to deliver sophisticated malware. Essentially hiding in plain sight, these HEAT attacks are able to trick traditional SWGs into assuming they are legitimate traffic.
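As an added illustration (not code from the original post or from Menlo Security), here is a small heuristic a defender might run over fetched page source to flag the HTML smuggling pattern named above, in which a file is assembled inside the browser from an encoded string rather than fetched as a separate download that a gateway could inspect. The indicator names, scoring threshold and sample pages are all constructed for this example.

```python
"""Heuristic scanner for HTML-smuggling indicators in fetched page source (added example)."""
import base64
import re

# Strings that tend to co-occur when a page assembles a file client-side from an
# embedded encoded blob instead of fetching it, so the gateway never sees a file transfer.
INDICATORS = {
    "decodes_base64": re.compile(r"\batob\s*\("),
    "builds_blob": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "forced_download": re.compile(r"\.download\s*=|msSaveOrOpenBlob"),
    # a long base64-looking literal is the embedded payload itself
    "large_b64_literal": re.compile(r"[\"'][A-Za-z0-9+/]{200,}={0,2}[\"']"),
}

def scan_html(html: str) -> dict:
    """Return which indicators fired and a verdict. Only flag when both the decode
    step and the blob-construction step are present plus at least one more signal,
    so a page that merely calls atob() for something unrelated is not flagged."""
    hits = {name: rx.search(html) is not None for name, rx in INDICATORS.items()}
    score = sum(hits.values())
    suspicious = hits["decodes_base64"] and hits["builds_blob"] and score >= 3
    return {"hits": hits, "score": score, "verdict": "suspicious" if suspicious else "clean"}

# Constructed samples. The embedded "payload" is harmless text; only the pattern matters.
PAYLOAD_B64 = base64.b64encode(b"constructed harmless sample text " * 8).decode()
SMUGGLING_SAMPLE = f"""<html><body><script>
var raw = atob("{PAYLOAD_B64}");
var blob = new Blob([raw], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "report.txt";
</script></body></html>"""

BENIGN_SAMPLE = """<html><body>
<h1>Quarterly report</h1>
<a href="/files/report.pdf">Download the PDF</a>
<script>document.title = "Report";</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_html(page))
```

A scanner like this only catches the unobfuscated form of the technique; attackers who split or encode the indicator strings will evade it, which is the page's argument for isolating content by default instead of relying on detection.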

So, what is the solution? What can I do to protect my organization from HEAT attacks?

Not all is lost. While traditional SWGs operate on a block-or-allow decision tree based on known threats, a new breed of cloud-native SWG solutions extends protection to unknown threats. These cloud-native SWG solutions leverage isolation technology — which assumes that all content is malicious — to eliminate the requirement to make an allow-or-block decision. All content, malicious or not, is isolated in a remote browser in the cloud.

With no access to the end device, any malware is effectively neutered, whether it’s been detected or not. It’s simply unable to make that initial breach or deliver its intended payload. And, since most content comes from the Internet or through email, routing traffic through a cloud-native control point allows organizations to apply the appropriate policies to all traffic and all users without impacting performance or the user experience.

Will any cloud-native SWG solution using isolation technology be able to protect my organization?

Well, no. Not all SWGs are created equal. Many solutions still rely on a detect-and-respond approach and only isolate content by rule — for example, by isolating risky or unknown sites. They may fail to block malicious content delivered from a website with an established reputation that was recently compromised, or they may fail to find malicious code obfuscated in a web page’s source code. At that point, the threat has likely already delivered its payload to the endpoint and started to move laterally across the organization. These are the exact exceptions and rules that threat actors have become experts at exploiting.

To be truly effective against threat actors’ evasion techniques, anti-phishing and advanced isolation technology needs to be at the center of your SWG — meaning that all content and all websites are treated as malicious and isolated by default. This Zero Trust approach to security stops both known and unknown threats from entering your organization and infecting your endpoints.
