The Forrester Research Top Cybersecurity Threats In 2020 report was recently published, based on data obtained from nearly 4,000 respondents as part of an extensive survey performed between April 2019 and June 2019. It analyzes common attack patterns responsible for breaches last year, and how security professionals can protect against them. PerimeterX cybersecurity evangelist Deepak Patel joins us to discuss the Top Cyberthreats in 2020 as reported by independent research firm Forrester Research, and some of the best practices of how to protect and grow digital businesses in the midst of these threats. Listen to the full podcast episode here.
Let’s get into some background. Deepak, what are your biggest takeaways from this report?
Deepak: The key things to understand here are the explosion of web and mobile applications, as well as APIs that are used between applications. There's a total explosion in the usage of these, and recent events such as COVID-19 have also driven that increased adoption. Needless to say, attackers have also followed suit. Without going too deep into the actual takeaways from the report—because it's a great report to read—it really helps you as a digital business to assess risk and make the right decisions. Then you can see that the report talks in depth about the top five threats, and we delve into some of the threats that really matter in terms of the application security side of things.
One of the key findings in the report—which is not surprising to application security professionals—is that 3 of the top 5 threats are application security-related issues that caused data breaches. Another well-known industry report, the Verizon DBIR June 2020, also mentions, "Over 80% of breaches within hacking involve brute force or the use of lost or stolen credentials." This sounds a lot like account takeover attacks that we’ve previously discussed. How does brute force come into play here?
Deepak: Excellent question. So let's double click into the pure facts that you mentioned. There are two reports that you are talking about here. One is the Forrester report, where three of the top five threats are app security related. It goes deep into bots as well as API protection that you need to look at. Also, some new client-side threats are emerging. It also takes a look at what's happening in the industry, because you have to remember, the Forrester report is an extensive survey that was performed.
Looking at the Verizon Data Breach Investigations Report (DBIR), that is actually based on industry data regarding data breaches. If you look at what happened in 2019, there's a bit of a reality and there's a bit of disconnect as well. The reality there is that 80% of the breaches that involve application security or web applications were essentially brute force or the use of lost or stolen credentials. That's critical to remember, because what's happening now is that hackers are actually going after known credentials. They’re stealing your known admin passwords or even just executing plain account takeover attacks. An account takeover can happen at different levels. It could just be your privileged accounts that are being taken over or just your user accounts that are being taken over. Both privileged and user accounts being taken over individually result in big problems, but it's really a combination of the two.
Finally, the Forrester Report talks about exploiting vulnerabilities. The Verizon data breach report, on the other hand, talks about how vulnerabilities have not played a major role within the data breach incidents. Vulnerabilities do exist, and hackers are exploiting them, but not nearly to the same extent as they're exploiting stolen credentials. That's what this sheds light on. And information like this is what we expect security professionals to look into and figure out if that's what they need to protect against. Whether you're talking about data breaches, should you buy protection against brute force or the use of stolen credentials? Or more towards stopping or patching vulnerabilities? This is what you have to answer for your business’ use case.
Forrester Research also provides more details on recent breaches and how they have exploited unauthenticated API endpoints and poor access control. What can you tell us about these endpoints and how APIs can be protected?
Deepak: This is one of the key emerging areas where we see cyberattacks happening. And that's primarily because the growth in API attacks is driven by the simple fact that they are easier and more economical to mount, while also being harder to detect than legacy, browser-based, typical botnet attacks. What you need to figure out is, what are these APIs? Today when you write a mobile application, it relies on an API. What's happening today is APIs are getting exposed when used by a mobile app. And that same API is also used by your web application to provide rich content or rich user engagement.
These APIs are also used between businesses. Let's say you're using a payment provider. You're going to use the payment provider’s API. Let's say you're going to use inventory management or reviews—you're going to start using a lot of APIs very quickly. And before you know it, you have a lot of APIs. This is what the attackers are looking at, saying, "Hey, this website today has a lot of these API links. Let's see if I can go after the API part of it." A lot of times developers, being developers, are going to focus on innovation and less on security. This is where you'll find unauthenticated API endpoints or poor access control, because this developer was told to go and develop the feature, innovate and increase revenue. As a result, they were less worried about the security issues that come with that. Now, how do you protect these APIs? There’s no simple, straightforward answer, but you can see what happened with web application security.
To protect your APIs, there are a number of considerations to make. You have to consider both an API security gateway, as well as API protection from bots. This way, you’ll make sure that your APIs are not leaking out PII data and not being used to expose your business logic. If APIs are there for ease of use in terms of showing the pricing for your website, somebody could just be using that API call to figure out your pricing strategy. That's where you need to make sure that you have bot protection that's behavior-based, using machine learning, and using that behavior modeling to actually provide a constant, real-time feedback loop that can be updated to stop these bots in their tracks.
Third-party code and digital skimming attacks such as Magecart were discussed in the Forrester report as well: “Even if you regularly test your web components against code injection attacks, third-party components are outside your code control.” Can you describe these attacks in more detail?
Deepak: Absolutely. Before I get into Magecart attacks, let me introduce you to a concept called Shadow Code. This is similar to where, if you rewind back a couple of years, IT folks were talking about Shadow IT. This is where you had departments in organizations downloading or using applications without the authorization of IT. Shadow Code is similar—it’s when developers start including third-party code in their applications, sometimes without approval or any kind of safety validation. I touched upon this when discussing APIs because of the rate at which they are forced to innovate. But this is where they're increasing the attack surface. About 70% of website code today is third-party code. When you have this third-party code and third-party libraries and tools, it's essentially like inviting strangers into your house, creating security vulnerabilities.
If you look into a lot of these client-side attacks that go after Shadow Code over the last couple of years, you will have noticed British Airways, Macy's and a lot of other digital retailers were affected by this. The Forrester report actually goes into quite a bit of detail regarding that. At the end of the day, these are attacks that happen directly in the user’s browser, meaning it's your website code that's being modified without your permission, but you don't know it. You, as in the website operator, won't be able to detect that because you probably have website controls on the server side, but not on the client side of things. So think of this as like the age-old cross-site scripting that used to happen on the server side, but with a new twist that it's happening on the client side.
Another statement in the Top Cybersecurity Threats In 2020 report reads, “Web application firewalls may detect or block some bot attacks, but they won’t stop the influx of attempts—nor will they protect against other forms of fraud.” Why don’t WAFs do the job here, and what’s the solution?
Deepak: One important figure to remember, which I referred to previously, is that about 70% of your website code today is actually third-party code that doesn't even go through a web application firewall. That’s extremely important. The other thing about web application firewalls (WAFs) is that they were built to protect from protocol-level threats—“protocol” meaning there's a certain set of rules, the way the web traffic is supposed to work. There are HTTP GET and POST requests, and WAFs for businesses detect what we call protocol anomalies, or hackers trying to abuse the protocol. Here, the new emerging threats are not abusing your protocol, but actually abusing what we call business logic. They're coming in through the front door.
This is where a WAF fails. WAFs are kind of a requirement, but they can't really get to that point of dynamically analyzing real-time behavior, right? Today, you can't find WAFs in the market that can do it just because of what capabilities exist within a WAF. So they end up blocking legitimate traffic or allowing malicious traffic for these reasons. A lot of times WAFs tend to block or break application functionality, which leads to lost revenue. For this reason, a lot of people end up turning off these WAFs or they just keep it for compliance reasons. In today's world, where the likes of Facebook and Google have kind of created a fail-fast kind of mentality, applications are changing quite a bit. The WAF’s rule-based approach is not going to help protect against web application threats.
When choosing a solution to protect yourself, you should consider your application, the changes you need to make to your application, and probably include some kind of secure coding functionality to complement what a WAF is doing. You could avoid using a content management system and steer away from technologies that will lead to SQL injection attacks. Applications are, again, moving away from being susceptible to code injection attacks or such. And attackers today are not going after your protocol vulnerabilities—they're actually using stolen credentials or brute forcing them, which is where the WAF wouldn't help. These are the different data points for why WAFs don't end up being as effective: because of today’s changes in the threat landscape, as well as the changes in the way applications are coded and developed.
The Forrester report was put together to ease the challenge of prioritizing IT spend and combat bad bots so companies can stay focused on revenue growth. What would you say are some best practices for web app owners and developers to adopt to protect themselves?
Deepak: There's no shortage of threats to look at, but this is where I would say, if you're a digital business, you may be better off investing your time in learning about these advanced application security threats—especially for those that manage e-commerce businesses or digital versions of stores. The online store is the most important part of your business—it's the most important store today, to be honest.
These new threats are attacking your front door, and they're no longer attacking your infrastructure. This means that attackers are abusing the business logic of your websites, mobile applications and APIs. When you do think about how to protect against this, you need to look at how these attacks affect you, whether it's account takeover, whether it's web scraping or carding attacks or any of these attacks that are automation driven. Think about it and see how it maps to your business risk.
The best way I can advise here is to make security a business-level discussion. Talk about how these threats are affecting your business model or competitive edge. If you're a media company today, web scraping has to be considered an existential threat. If you're an e-commerce company, there are multiple automated threats: web scraping, account takeover, or attacks that break your gift cards. You need to evaluate what's happening there. If you have a million users, an account takeover attack can easily compromise up to 1% of your users. That means right away, thousands of users are impacted by that. On average in the US, it costs about $250 per user for website owners to remediate this—even though the website owner is not the source of this credential leak. It's a complex world that we live in today, but I’ll reiterate: reports like the one from Forrester are the ones that will help you figure out how to protect yourself based on your priorities as a digital business.
Download The Top Cybersecurity Threats in 2020 report by Forrester Research here.