Attackers pair remote access malware with exploits in deliverable payloads.
Web Attack Vectors: Flash Is Fading, but Users Must Remain Vigilant
Adobe Flash has long been an attractive web attack vector for adversaries who want to exploit and compromise systems. However, as the amount of Adobe Flash content on the web continues to decline—and awareness about Flash vulnerabilities grows—it is becoming more difficult for cybercriminals to exploit users at the scale they once enjoyed.
Adobe itself is moving away from full development and support of the software platform and has encouraged developers to adopt newer standards such as HTML5.⁷ Providers of popular web browsers are also taking a strong position on Flash. For example, Google announced in 2016 that it will phase out full support for Adobe Flash on its Chrome browser.⁸ Firefox is continuing to support legacy Flash content, but it is blocking “certain Flash content that is not essential to the user experience.”⁹
Flash may be fading, but exploit kit developers are helping it endure as an attack vector. However, there are signs this may be changing. After three leading exploit kits—Angler, Nuclear, and Neutrino—abruptly disappeared from the threat landscape in 2016, our threat researchers observed a significant decline in Flash-related Internet traffic. (See “Disappearance of Major Exploit Kits Presents Opportunities for Smaller Players and New Entrants,” page 20.) The actors behind the Angler exploit kit heavily targeted Flash vulnerabilities to compromise users. The Nuclear exploit kit had a similar focus on Flash. And Neutrino relied on Flash files to deliver exploits.
Users must remain cautious and should uninstall Flash unless they need it for business reasons. If they must use it, they must stay current with updates. Using web browsers that feature automatic patching capabilities can help. As noted in “Web Attack Methods: ‘Short Tail’ Threats Help Adversaries Lay the Groundwork for Campaigns” on page 13, using secure browsers—and disabling or removing unnecessary browser plugins—will significantly reduce your exposure to web-based threats.
Java, PDF, and Silverlight
Both Java and PDF Internet traffic experienced notable declines in 2016. Silverlight traffic has already fallen to a level that is not worthwhile for threat researchers to track regularly.
Java, once the dominant web attack vector, has seen its security posture improve significantly in recent years. Oracle’s decision in early 2016 to eliminate its Java browser plugin has helped to make Java a less attractive web attack vector. PDF attacks are also increasingly rare. Because they are now uncommon, they stand out and can be easier to detect, which is one reason many adversaries use this approach less often.
However, as with Flash, cybercriminals still use Java, PDF, and Silverlight to exploit users. Individual users, enterprises, and security professionals must be aware of these potential roads to compromise. To reduce their risk of exposure to these threats, they must:
- Download patches
- Use up-to-date web technology
- Avoid web content that might present risk
Application Security: Managing OAuth Connection Risk Amid an App Explosion
When enterprises shift to the cloud, their security perimeter extends into the virtual realm. However, that security perimeter quickly dissipates with each connected third-party cloud application that employees introduce into the environment.
Workers want to improve their productivity and stay connected while on the job. But these shadow IT applications create a risk for enterprises. They touch the corporate infrastructure and can communicate freely with the corporate cloud and software-as-a-service (SaaS) platforms as soon as users grant access through OAuth (open authorization). These apps can have extensive—and, at times, excessive—access scopes. They must be managed carefully because they can view, delete, externalize, and store corporate data, and even act on behalf of users.
The cloud security provider CloudLock, now part of Cisco, has been tracking the growth of connected third-party cloud applications across a sample group of 900 organizations representing a range of industries. As Figure 4 shows, there were about 129,000 unique applications observed at the beginning of 2016. By the end of October, that number had grown to 222,000.
The number of applications has increased approximately 11 times since 2014. (See Figure 5.)
Classifying the Riskiest Applications
To help security teams understand which connected third-party cloud applications in their environment present the most risk to network security, CloudLock developed the Cloud Application Risk Index (CARI). The process involves several evaluations:
- Data-access requirements: Organizations answer the following questions, among others: What permissions are required to authorize the application? Does granting data access mean that the application has programmatic (API) access to corporate SaaS platforms through OAuth connections? Can the application (and by extension, the vendor) act on behalf of users and take actions with corporate data, such as viewing and deleting?
- Community trust rating: Peer-driven and crowd-sourced evaluations are used for this assessment.
- Application threat intelligence: This comprehensive background check by cybersecurity experts is based on an application’s various security attributes, such as security certifications, breach history, and analyst reviews.
Risk Scores and Examples
After categorizing third-party cloud applications using the CARI, CloudLock assigns a risk score for each app on a scale of 1 (lowest risk) to 5 (highest risk). An app that would score 1 on the scale might have, for example, minimal access scopes (it can see email only), a 100 percent community trust rating, and no breach history. An app that would score 5 on the scale might be one with full account access (it can see all emails, documents, navigation history, calendar, and more), an 8 percent trust rating (meaning only 8 percent of administrators trust it), and no security certification.
CloudLock used the CARI to categorize the 222,000 applications it had identified across the 900 organizations in its sample. Of those applications, 27 percent were deemed high risk, while the majority fell into the medium-risk category. (See Figure 6.) Half of those organizations had OAuth connections related to a popular gaming application that was released in the summer of 2016.
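To make the scoring concrete, here is an added example (not CloudLock's published CARI formula, which the report does not give) that combines the three evaluations above into a 1-to-5 score. The weights, the scope names, and the band cut-offs are assumptions chosen so that the two apps the report describes land at 1 and 5.

```python
# Assumed weighting for illustration only; the real CARI formula is not on this page.
# Hypothetical OAuth scope names standing in for "full account access".
FULL_ACCOUNT_SCOPES = {"mail.read", "drive.read", "calendar.read", "history.read"}


def scope_risk(scopes):
    """Data-access requirement, 0..1: share of the full-account scope set requested."""
    return len(set(scopes) & FULL_ACCOUNT_SCOPES) / len(FULL_ACCOUNT_SCOPES)


def cari_score(scopes, trust_pct, breach_count, certified):
    """Fold access scopes, community trust rating and threat-intel attributes
    (breach history, security certification) into a 1 (lowest) .. 5 (highest) score."""
    raw = (
        0.5 * scope_risk(scopes)                 # data-access requirements
        + 0.3 * (1 - trust_pct / 100)            # community trust (low trust = high risk)
        + 0.1 * min(breach_count, 2) / 2         # breach history, capped at two breaches
        + 0.1 * (0 if certified else 1)          # missing security certification
    )
    return min(5, 1 + int(raw * 5))


def risk_band(score):
    """Assumed mapping of scores onto the report's low/medium/high categories."""
    if score <= 2:
        return "low"
    return "medium" if score == 3 else "high"


if __name__ == "__main__":
    # The two apps the report sketches: email-only/100% trust/no breaches vs.
    # full account access/8% trust/no certification.
    print(cari_score({"mail.read"}, 100, 0, True))          # 1
    print(cari_score(FULL_ACCOUNT_SCOPES, 8, 0, False))     # 5
```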
Through our analysis, we have found that all organizations, regardless of their size, industry, or region, have a relatively even distribution of low-, medium-, and high-risk applications (Figures 7 and 8).
Cutting Through the Noise
To identify suspicious user and entity behavior in corporate SaaS platforms, including third-party cloud applications, security teams must sift through billions of user activities to define normal patterns of user behavior in their organization's environment. They must look for anomalies that fall outside those expected patterns. Then they need to correlate suspicious activities to determine what might be a true threat that requires investigation.
An example of suspicious activity is excessive login activity from several countries in a short period. Say that normal user behavior in a certain organization is for employees to log in to a specific application from no more than one or two countries per week. If one user starts logging in to that application from 68 countries over the course of one week, a security team will want to investigate that activity to confirm that it is legitimate.
According to our analysis, only 1 in 5000 user activities—0.02 percent—that are associated with connected third-party cloud applications is suspicious. The challenge for security teams, of course, is pinpointing that one instance.
Only with automation can security teams cut through the “noise” of security alerts and focus their resources on investigating true threats. The multistage process of identifying normal and potentially suspicious user activities that is described above—and illustrated in Figure 9—hinges on the use of automation, with algorithms applied at every stage.
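The baseline-then-anomaly stages described above, as an added example that is not code from the report or from CloudLock's product. The login events, the app name, and the median-plus-margin baseline are constructed assumptions; the check flags any user whose distinct login countries in one ISO week exceed what is normal for the population.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample login events (not real data): "timestamp,user,app,country".
# Two users log in from one or two countries; one logs in from five in a week.
SAMPLE_LOGINS = """\
2016-10-03T08:12:00,alice,crm-app,US
2016-10-04T09:01:00,alice,crm-app,US
2016-10-05T18:40:00,alice,crm-app,CA
2016-10-03T07:55:00,bob,crm-app,DE
2016-10-06T10:20:00,bob,crm-app,DE
2016-10-03T01:00:00,mallory,crm-app,US
2016-10-03T03:00:00,mallory,crm-app,BR
2016-10-04T02:30:00,mallory,crm-app,RU
2016-10-04T11:10:00,mallory,crm-app,NG
2016-10-05T14:00:00,mallory,crm-app,VN
"""


def countries_per_user_week(lines):
    """Stage 1 input: {(user, app, (iso_year, iso_week)): set(countries)}."""
    seen = defaultdict(set)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, app, country = line.split(",")
        week = datetime.fromisoformat(ts).isocalendar()[:2]
        seen[(user, app, week)].add(country)
    return seen


def baseline_threshold(per_week, margin=1):
    """Stage 1: 'normal' is the median distinct-country count plus a margin.
    The margin is an assumed tuning knob, not something the report specifies."""
    counts = [len(countries) for countries in per_week.values()]
    return median(counts) + margin


def find_country_anomalies(lines, margin=1):
    """Stage 2: return (user, app, week, country_count) groups above the baseline."""
    per_week = countries_per_user_week(lines)
    threshold = baseline_threshold(per_week, margin)
    return sorted(
        (user, app, week, len(countries))
        for (user, app, week), countries in per_week.items()
        if len(countries) > threshold
    )
```

In production the baseline would be computed over the organization's own history rather than a ten-line sample, and the flagged group would be correlated with other signals (stage 3) before anyone opens an investigation.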