Opportunistic Data Breaches and Virtual Patching


It is Monday morning, and as you slide into your desk chair, preparing for your first teleconference of the day, you get the worst news known to Information Security and IT teams everywhere—your company has been the victim of a data breach on your website. Your team immediately springs into action to set up an incident response bridge to contain and eradicate the breach. 

Once the incident response moves through the recovery phase, the next step is to record lessons learned so that a future breach using the same technique can be prevented. One of the considerations is the motivations and capabilities of the attackers. To non-IT folks, this might seem tangential to the incident response, but as most security professionals know, understanding attackers is key to understanding how best to prevent future data breaches.

Targeted data breaches.

Targeted attacks are considered one of the largest threats facing any organization. They can cost billions of dollars and do significant damage to a company’s revenue, profitability, and reputation. These attacks are so damaging precisely because they are not opportunistic “smash-and-grab” operations conducted for immediate gain.

Instead, truly targeted data breach campaigns are carefully researched, involving months or years of reconnaissance. They use a wide variety of techniques and vulnerabilities and are usually conducted to steal some form of closely held data, whether payment or credit card data, customer/patient data, or intellectual property.  

Examples of targeted data breaches include a successful credential-stuffing attack on social media network accounts in 2020, in which the credentials used were attributed to a well-researched spear phishing campaign, and a data breach at a hotel chain in which attackers used employees’ credentials to access 5.2 million hotel guest records.

As a sign of the times, a teleconference provider became a victim of a data breach in 2020, with over half a million user credentials offered for sale, including those of financial institutions, banks, and colleges. 

These targeted data breach attacks are the result of a carefully and patiently coordinated plan. The methods might include spear phishing campaigns, social engineering, malware, web and application programming interface (API) vulnerability exploitation, or any combination of methodologies. Even though these hacks make the news and do huge damage, they are not common because of the effort required to perform targeted attacks. 

Opportunistic data breaches.

While every cyberattack feels targeted and deliberate during an incident response, the fact is that most successful data breaches are opportunistic rather than intentional and researched. Cybercriminals are not willing to spend the level of money or time required to break into an organization unless they can guarantee success and a large payoff in a data breach. Most cybercriminals would prefer to find an easier target to attack that requires less effort. 

Cybercriminals readily have tools and automation to perform continuous bot-driven reconnaissance. These vulnerability-scanning bots perform site discovery and probing to gather information about web and API apps and their underlying infrastructure, which can later be used to launch a more focused attack.  

Reconnaissance with a vulnerability scanning bot is like an old hacking method called war-driving that was popular back when wireless networking was new and immature. Attackers would drive around looking for insecure Wi-Fi access points that could be connected to and used to attack devices on the network. Running a vulnerability scanning bot is even easier—it can be operated without being physically near the target. 

Bots are used to scan a site or API and fingerprint attributes such as the server operating system, the web server daemon, the presence of typical administration utilities such as phpMyAdmin or tools in /cgi-bin, and the specific version of the Content Management System (CMS) and its plugins. That information can then be mapped to known vulnerabilities, such as those listed in the Common Vulnerabilities and Exposures (CVE) database. CVE identifiers can then, in turn, be mapped to exploit tools and code that the cybercriminal can use to cause a data breach.
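As an added example (not code from the original post), here is the defender's side of that reconnaissance: a Python script that parses web-server access log lines and flags clients that hit fingerprint paths such as /phpmyadmin, /cgi-bin or CMS plugin readmes, or that mostly receive 404s while discovering the site blind. The log lines, IP addresses, path list and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format (Apache/nginx style). The sample lines below are
# constructed for this example; the IPs are documentation ranges.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Paths a discovery bot typically requests to fingerprint admin utilities,
# /cgi-bin tooling and CMS plugins. Constructed list; extend for your stack.
PROBE_PATTERNS = [re.compile(p, re.I) for p in (
    r'/phpmyadmin', r'/pma/', r'/cgi-bin/', r'/wp-login\.php', r'/xmlrpc\.php',
    r'/wp-content/plugins/[^/]+/readme\.txt', r'/\.env$', r'/administrator/',
)]

SAMPLE_LOG = """\
203.0.113.7 - - [05/Sep/2024:09:01:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "python-requests/2.31"
203.0.113.7 - - [05/Sep/2024:09:01:11 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 404 162 "-" "python-requests/2.31"
203.0.113.7 - - [05/Sep/2024:09:01:12 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "python-requests/2.31"
203.0.113.7 - - [05/Sep/2024:09:01:13 +0000] "GET /wp-content/plugins/example-cart/readme.txt HTTP/1.1" 404 162 "-" "python-requests/2.31"
198.51.100.20 - - [05/Sep/2024:09:02:00 +0000] "GET /products/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [05/Sep/2024:09:02:05 +0000] "GET /cart HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def score_clients(text, probe_threshold=3, notfound_ratio=0.5, min_requests=5):
    """Per client IP: request count, 404 count, probe-path hits, and a flag.
    A client is flagged when it hits enough fingerprint paths, or when most
    of a reasonable number of its requests miss (a sign of blind discovery)."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "probes": 0})
    for rec in parse_log(text):
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["not_found"] += int(rec["status"] == "404")
        s["probes"] += int(any(p.search(rec["path"]) for p in PROBE_PATTERNS))
    for s in stats.values():
        miss_ratio = s["not_found"] / s["requests"]
        s["flagged"] = (s["probes"] >= probe_threshold
                        or (s["requests"] >= min_requests and miss_ratio >= notfound_ratio))
    return dict(stats)
```

Run `score_clients(SAMPLE_LOG)` to see the first client flagged after four fingerprint probes while the ordinary shopper is not; the same function can be pointed at a real log file's contents.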

Given the growing complexity of today’s applications and the difficulty of patching them, this is a highly effective reconnaissance technique as part of a data breach campaign. As apps have evolved from monolithic, linear services to microservices, which can be hosted in many logical locations such as cloud providers, serverless environments, containers, or sidecars, their attack surfaces have grown. 

The CVE database is sponsored by the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA). The information gathered in CVEs is designed to function as a metaresource to aggregate and share data on vulnerabilities.  Each CVE entry has an ID number, a description, a public reference, a list of vulnerable software versions, and links to exploit or assessment tools. However, the number of vulnerabilities listed in CVE has rapidly grown. Over 21,000 vulnerabilities were announced in the first half of 2024 alone, and the backlog of unanalyzed CVE submissions has also been growing.  

Because the CVE entries and any publicly available exploit code are accessible to anyone, attackers can use their scanning bots to probe for unpatched vulnerabilities and then use automation to exploit them. While this poses some risk, the CVE website’s Frequently Asked Questions notes that the vulnerabilities it publishes are already public.

Cascading data breaches. 

Another type of attack can be thought of as a cascade or pivot inside an industry. In the 2020s, many companies have been forced to jump into the digital world to maintain revenue and employee productivity because of lockdowns and travel restrictions. Many companies, particularly those in the mid-market, have had to create or grow their e-commerce capabilities quickly and have done so by using open source or off-the-shelf CMS, shopping cart, or collaboration software to reduce development and deployment time. It is common to find that as one company uses a tool successfully, it is adopted by its competitors, resulting in all the companies in that industry using the same software.  

While this approach has many positives, such as saving time and money while increasing competitiveness, this monoculture also has downsides. Cascading data breach campaigns often start opportunistically when a particular vulnerability is discovered by an attacker’s vulnerability scanning bot during reconnaissance. After further analysis of the vulnerability, the attacker realizes that it also exists in other organizations within the same vertical industry as the target company. Astute attackers also recognize that they can use the “Google dorking” technique to find organizations that use the same software. For example, a Google search for "by shopify" intitle:"Your Shopping Cart" inurl:/cart can be used to find eCommerce websites built on the Shopify platform. These searches can be fed to a vulnerability scanning bot to accelerate the time to discover vulnerable websites.

Keeping up with vulnerability patching is an arduous and growing task for large enterprises and can overwhelm smaller companies. For the opportunistic attacker, finding a lucrative industry segment that is a monoculture with unpatched vulnerabilities can be a data breach bonanza.

Virtual patching reduces data breach opportunities.

Most attacks are opportunistic in one way or another. As web and API infrastructure becomes increasingly complex with the advent of cloud service providers, microservices, containerization, serverless, and API-first strategies, keeping track of assets is a huge issue.  

How, then, can companies keep themselves safe but also competitive? 

As any incident response team knows, you can only protect assets you know about. One of the first things any organization should do is build and maintain a web asset inventory, including the versions of all the software inside it, in what information security teams call a “Software Bill of Materials” (SBOM). Organizations can also emulate attackers by running a web and API vulnerability scanning bot for beneficial purposes. A variety of scanners are available from service providers, such as Vercara’s UltraAPI Discover (for APIs).
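An added example, not Vercara’s code and not a description of how UltraAPI Discover works: a Python sketch of the inventory-to-advisory matching step, checking a constructed SBOM of CMS components against a constructed advisory list (placeholder IDs, not real CVE numbers) and separately reporting components whose version was never recorded. It assumes dotted numeric version strings.

```python
import json

def parse_version(v):
    """'5.8.1' -> (5, 8, 1); a suffix such as '2.3.0-beta' is ignored."""
    return tuple(int(part) for part in v.split("-", 1)[0].split("."))

def in_range(version, introduced, fixed):
    """Affected if introduced <= version < fixed; fixed=None means no fix yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

# Constructed CycloneDX-style inventory of a web stack; names/versions are made up.
SBOM = json.loads("""{
  "components": [
    {"name": "example-cms", "version": "5.8.1"},
    {"name": "example-cart", "version": "2.3.0"},
    {"name": "example-gallery", "version": "1.4.7"},
    {"name": "legacy-widget", "version": null}
  ]
}""")

# Constructed advisory feed; the IDs are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "example-cart",
     "introduced": "2.0.0", "fixed": "2.3.2", "class": "SQL injection"},
    {"id": "ADV-PLACEHOLDER-2", "component": "example-gallery",
     "introduced": "1.0.0", "fixed": "1.4.0", "class": "path traversal"},
    {"id": "ADV-PLACEHOLDER-3", "component": "example-cms",
     "introduced": "6.0.0", "fixed": None, "class": "cross-site scripting"},
]

def match_inventory(sbom, advisories):
    """Return (affected, unknown). affected: (component, version, advisory id,
    fixed version) tuples; unknown: components whose version was never recorded,
    which the inventory cannot clear and which need hands-on follow-up."""
    by_component = {}
    for adv in advisories:
        by_component.setdefault(adv["component"], []).append(adv)
    affected, unknown = [], []
    for comp in sbom["components"]:
        if comp["version"] is None:
            unknown.append(comp["name"])
            continue
        for adv in by_component.get(comp["name"], []):
            if in_range(comp["version"], adv["introduced"], adv["fixed"]):
                affected.append((comp["name"], comp["version"], adv["id"], adv["fixed"]))
    return affected, unknown
```

Components with an unknown version are exactly the gap an attacker’s scanner may fingerprint before you do, so treat them as findings rather than as clean.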

Once you know your software versions and their vulnerabilities, one way to protect against exploits is to use a modern, API-capable Web Application Firewall (WAF) and API Bot Manager. These solutions can add a virtual patch in front of the application to prevent a vulnerability from being discovered by vulnerability scanning bots or exploited by the attacker running them.

Blocking categories of attacks.

As much as we have talked about the tactical use of virtual patching to block exploits against the specific versions of your applications, a WAF can also block whole classes of exploits, such as SQL injection, very easily. When a CVE is announced for a SQL injection vulnerability in your version of a web application, and you have SQL injection countermeasures enabled sitewide, you are already protected from that specific CVE. In this manner, a well-tuned WAF can protect you from non-public or recently disclosed vulnerabilities before you have time to analyze them and react.
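To make the two layers concrete, here is an added example (not the code of any WAF product) in Python: a request inspector with a virtual patch for one hypothetical endpoint and parameter, plus a sitewide SQL injection class rule, showing that the class rule also catches the endpoint’s exploit pattern when the virtual patch is absent. The endpoint path, parameter name and rule IDs are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Rule 1: a virtual patch for one endpoint/parameter of a hypothetical vulnerable
# plugin release (path, parameter and ID are made up). It narrows the input to
# what the application legitimately accepts, so an exploit never reaches the code.
VIRTUAL_PATCHES = [
    {"id": "VP-example-cart-2.3.0", "path": "/cart/export",
     "param": "order_id", "allow": re.compile(r"^\d{1,10}$")},
]

# Rule 2: a class-level signature for SQL injection probes, checked on every
# parameter of every request. Kept deliberately narrow: a bare quote alone is
# not a trigger, or names like O'Brien would be blocked.
SQLI_CLASS = re.compile(
    r"\b(?:or|and)\b\s+\S+\s*=\s*\S+"      # tautology such as 1 OR 1=1
    r"|\bunion\b\s+(?:all\s+)?select\b"     # union-based extraction
    r"|--\s*$|/\*|;\s*drop\b",              # trailing comment / stacked statement
    re.I,
)

def inspect_request(url, patches=VIRTUAL_PATCHES):
    """Decide for a GET URL: ("block", rule_id) or ("allow", None).
    Virtual patches are evaluated first, then the generic class rule."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for vp in patches:
        if parts.path == vp["path"]:
            for value in params.get(vp["param"], []):
                if not vp["allow"].match(value):
                    return "block", vp["id"]
    for values in params.values():
        for value in values:
            if SQLI_CLASS.search(value):
                return "block", "SQLI-CLASS"
    return "allow", None
```

Class signatures need tuning against real traffic to keep false positives down, and a virtual patch is a compensating control that buys time until the application itself is patched.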

Protection as a service. 

As we noted earlier, attackers are opportunistic. They are defined by their ability to scan for and exploit web application and API vulnerabilities. If they discover exploitable code in one company’s application, a logical next move is to see whether others in the same industry have adopted the same software. In this case, the sooner you deploy a virtual patch, the sooner attackers look elsewhere.

Want to know more? Contact us to learn how virtual patching and incident response can protect your business from data breaches.

Published On: September 5, 2024
Last Updated: November 20, 2024