Security Think Tank: Counter application layer attacks with automation

Application layer attacks have been with us since the first internet-facing applications. However, a recent survey showed 89% of respondents admitted to an application attack in the past year. Historically, attackers have exploited coding vulnerabilities such as SQL injection and cross-site scripting due to poor practice and testing. 

There have been improvements in coding practices and application testing, but at the same time, the Owasp top 10 application vulnerabilities still include SQL injection at number one and cross-site scripting at number seven. It is not clear what is driving this, but it may be a combination of new DevOps development environments and an increase in the sophistication of the attacker. 

DevOps greatly speeds up the deployment of apps, some changing on a daily or even hourly basis, which may result in untended security vulnerabilities through a lack of time for proper security testing. 

We are also seeing more sophisticated attacks. The best response to these is a combination of improved design and coding to remove vulnerabilities in applications and websites, along with a layered approach to attack prevention and detection. 

This includes denial of service (DoS) attacks that target buffer overflow, or other vulnerabilities used to crash the application or deplete application resources. Such attacks appear to be increasing faster than brute force distributed denial of service (DDoS) attacks at the network layer.

There are a number of tools that can detect coding vulnerabilities and can be integrated into the development environment. These tools will need to be configured for the deployment environment and coding policies, and there may be some push back as they start picking up problems. However, people must realise that any delays are the result of poor coding, not because of the testing. 

Automated testing environments can also be used to create new rules and policies for a web application firewall (WAF) as the system evolves. This will then help to protect the applications and application programming interfaces (APIs) as they are added and detect and gather information on attacks as they occur.

A good WAF should be able to cover most of the Owasp top 10 vulnerabilities and also gather information that can be used to identify and track an attack. The other main defence is protection of third-party APIs through encryption and comprehensive access control to prevent session hijacking and ensure least privilege principle to minimise data exposure. High-value data should, of course, be protected by encryption.

Attacks are becoming more sophisticated and more difficult to detect once the defences are breached, as illustrated by the British Airways (BA) data breach in September 2018.

An analysis by RISKIQ reveals that this was specifically tailored to the BA website, with a domain being registered specifically for the attack and exfiltration designed to blend into the regular operation of the site and so is difficult to detect. 

However, on an e-commerce site with a large number of individual user transactions, it may have been possible to detect the appearance of a relatively large number of connections to a single site as something unusual. 

In such circumstances, user behaviour analytics (UBA), network traffic analytics or anomaly detection can fill a gap.

UBA is typically used for insider threat detection, or fraud prevention on e-commerce sites. Typically it would flag up abnormal activity away from typical customer, or user activity.

Monitoring source and destination of the network traffic flow either through an analytic use case to detect specific types of activity, or an anomaly detection system to detect unexpected events are probably the only way to detect such activity.

BA also identified third-party code as giving the attacker a foothold. This highlights importance of supply chain management and ensuring all code on the site is secure. 

Application layer attacks are clearly still with us, with the majority aimed at e-commerce, or denial of service. The difficulty in defending against them is exacerbated by the rapid updates to such sites made possible by DevOps, meaning the response must be comprehensive and automated to remove as many vulnerabilities as possible, defend against attacks and actively look for breaches.