Think Tank: Application layer attack mitigation needs to start with risk analysis
What should organisations be doing to address application layer attacks and reduce the likelihood of a breach through this type of attack?
The exposure of the application layer to the outside world makes it a prime target for a cyber attack. The application layer, layer 7 of the Open Systems Interconnection (OSI) communications model, is where the user interacts with the application and where the application in turn calls whatever services and data it needs to complete that interaction.
Application layer attacks target the applications themselves rather than the network beneath them. Some exploit vulnerabilities in the application's code; others simply send requests that look like legitimate use, which makes it difficult for security products to tell human-originated traffic from botnet traffic, hijacked web browsers and compromised connected devices. The result can be a distributed denial of service (DDoS) attack that needs far less bandwidth than a volumetric flood, because each request forces the server to do real work, and that is difficult to detect and respond to because each request on its own looks normal.
Developing a mitigation strategy to address the sharp rise in application layer attacks should begin with the risk: which assets could be compromised, how likely is it that each of them will be compromised, and what would the impact of a compromise be? Only once those risks are understood can a proportionate mitigation strategy be developed.
Prevention is better than cure: software without security vulnerabilities is the best mitigation strategy of all. However, the rise of DevOps, with its rapid release cycles, has raised the inevitable question of whether the end product adequately addresses security. Building security into the DevOps pipeline, often referred to as DevSecOps, so that code is tested for weaknesses before it ships, is needed to prevent software vulnerabilities from the outset.
Of course, not all code will be vulnerability-free, and a flood of legitimate-looking requests exploits no code defect at all. Prevention therefore also requires an organisation to agree with its communication service provider how DDoS attacks will be handled. This is a partnership: the provider's network carries the attack traffic and may itself be a target, but it will expect you to have your own DDoS protection capabilities as well, particularly at the application layer, where the provider cannot know what legitimate use of your application looks like.
Maxine Holt, Ovum
Recognising that prevention will not always succeed, the next set of security controls needs to focus on detection. A web application firewall (WAF) inspects application traffic, filtering and blocking requests that match known attack patterns or exceed expected rates, and has become a vital part of a company's security infrastructure. The level of automation in these products is increasing, a welcome advance on what was previously a largely manual process of spotting DDoS attacks from alerts.
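To make the detection problem described above concrete, here is an added example (not from the article, and not any vendor's WAF logic) of the kind of rate-based check a WAF or log-analysis rule performs. It replays constructed access log lines in an assumed, simplified format (client address, epoch seconds, request line, status) through a sliding window and raises two kinds of alert: a single client exceeding a per-client request limit, and the site as a whole exceeding an aggregate limit even though no single client is noisy. The second check matters because a botnet where every bot stays under the per-client threshold is exactly the legitimate-looking traffic the text warns about. The window length, thresholds and sample addresses are assumptions chosen for the example.

```python
"""Toy sliding-window Layer 7 flood detector run over constructed access log lines.

Two signals are checked, because a per-client threshold alone misses a botnet
where every bot stays under the limit:
  1. one client exceeding PER_CLIENT_LIMIT requests in the window
  2. the site as a whole exceeding AGGREGATE_LIMIT requests in the window
"""
from collections import Counter, defaultdict, deque
import re

WINDOW_SECONDS = 10       # length of the sliding window (assumed)
PER_CLIENT_LIMIT = 20     # requests per window one client may send before alerting (assumed)
AGGREGATE_LIMIT = 60      # assumed normal ceiling for the whole site per window

# Constructed log format for this example (not a real server's default):
#   <client_ip> <epoch_seconds> "<METHOD> <path>" <status>
LOG_RE = re.compile(r'^(\S+) (\d+) "([A-Z]+) (\S+)" (\d{3})$')


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": int(ts), "method": method, "path": path, "status": int(status)}


class Layer7FloodDetector:
    def __init__(self, window=WINDOW_SECONDS, per_client_limit=PER_CLIENT_LIMIT,
                 aggregate_limit=AGGREGATE_LIMIT):
        self.window = window
        self.per_client_limit = per_client_limit
        self.aggregate_limit = aggregate_limit
        self.per_client = defaultdict(deque)  # ip -> timestamps still inside the window
        self.all_requests = deque()           # (ts, ip, path) still inside the window

    def _expire(self, now):
        """Drop requests older than the window; both deques are FIFO in the same order."""
        cutoff = now - self.window
        while self.all_requests and self.all_requests[0][0] <= cutoff:
            _, ip, _ = self.all_requests.popleft()
            self.per_client[ip].popleft()
            if not self.per_client[ip]:
                del self.per_client[ip]

    def observe(self, event):
        """Feed one parsed request (in timestamp order); return alerts raised by it."""
        now, ip, path = event["ts"], event["ip"], event["path"]
        self._expire(now)
        self.all_requests.append((now, ip, path))
        self.per_client[ip].append(now)

        alerts = []
        # Alert exactly once, on the request that crosses the threshold.
        if len(self.per_client[ip]) == self.per_client_limit + 1:
            alerts.append(("single_client_flood", ip))
        total = len(self.all_requests)
        if total == self.aggregate_limit + 1:
            top_path, top_count = Counter(p for _, _, p in self.all_requests).most_common(1)[0]
            alerts.append(("distributed_flood", {
                "clients": len(self.per_client),        # how many distinct sources
                "top_path": top_path,                   # the endpoint being hammered
                "top_path_share": round(top_count / total, 2),
            }))
        return alerts


def analyse(lines, **detector_kwargs):
    """Parse, order by timestamp and replay a batch of log lines; return all alerts."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    detector = Layer7FloodDetector(**detector_kwargs)
    alerts = []
    for event in events:
        alerts.extend(detector.observe(event))
    return alerts


def build_sample_log():
    """Constructed traffic: quiet baseline, one noisy client, then a low-and-slow botnet."""
    lines = []
    for i in range(10):                   # 5 clients, 2 requests each, spread over 10 s
        lines.append(f'198.51.100.{i % 5 + 1} {100 + i} "GET /" 200')
    for i in range(25):                   # one address, 25 requests in 3 s
        lines.append(f'203.0.113.7 {200 + i // 10} "GET /login" 200')
    for i in range(70):                   # 70 addresses, one request each, over 5 s
        lines.append(f'192.0.2.{i + 1} {300 + i // 14} "POST /search" 200')
    lines.append("garbage line that a real log might contain")
    return lines


if __name__ == "__main__":
    for alert in analyse(build_sample_log()):
        print(alert)
```

Run as a script it prints one single_client_flood alert for 203.0.113.7 and one distributed_flood alert naming /search as the hammered endpoint. Raising `aggregate_limit` so that only the per-client rule is active makes the second alert disappear, which is the point: a distributed Layer 7 flood is only visible when traffic is baselined for the site as a whole, and in practice that baseline has to be learned from normal traffic rather than hard-coded as it is here.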
However, if a Layer 7 attack does succeed, a dedicated incident response plan is required to define the resources, procedures and tools needed to deal with it. It is feasible that all corporate systems, including email and messaging, will be unavailable, so a separate out-of-band communications plan is necessary for those involved in the response to reach each other. And don't forget communications with the wider user community: employees, temporary workers, customers, partners and suppliers will all need some information about the unavailability of your organisation's systems.
The mitigation strategy to prevent, detect and respond to a Layer 7 attack must be dynamic, so that thresholds, rules and response playbooks keep pace with constantly evolving attack patterns. Don't implement and forget.