Countering Web Application Attacks by Persistent Adversaries

Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Andrew Peterson of Fastly advises how to think moves ahead of persistent adversaries and consistently counter their web application attacks.

It is impossible to achieve complete application security. Business takes place at warp speed, with engineering teams constantly introducing new code to their web and mobile sites to provide new features and other services for their customers to stay competitive during these uncertain economic times. Adversaries, in turn, are agile and quickly adapt their attacks to fast-changing business conditions. The need for visibility into the behavior of your attackers to be able to respond appropriately to reduce risk has never been greater.

The Rise in Web Application Attacks

Web applications continue to be popular targets for today’s attackers. In fact, according to the Verizon 2022 DBIR, more than half of breaches involved the use of either remote access or web applications. Recently, Fastly observed an increase in the following attacks:

• Application-based DDoS attacks: Although not necessarily new, we have seen an increase in application-based Distributed Denial of Service (DDoS) attacks against websites. One reason for this rise, over network-based DDoS attacks, is because it is cheaper for the attackers – they don’t have to pay as much (compared to what they would pay for traffic from a DDoS or from a botnet provider) if they’re using the application to do the DDoS. These types of attacks target specific parts of your application that are “expensive” to fulfill and can have a very dramatic impact on service delivery for the website itself.
• Application-abuse attacks: We have also seen an increase in application-abuse attacks. These types of attacks are specific to an application. They occur when an intended use or volume of an application is abused by the attacker. For example, Facebook had a system set up for third parties to download user information. Abuse occurred when Cambridge Analytica downloaded measurably more information than they were allowed to do based on the agreed-upon terms of service.

Why WAFs get a Bad Rap

Traditional web application firewalls (WAFs) focus on exploits and attacks – looking for a hack payload, generic to any website, and blocking that attack. Typically, they can’t do much against DDoS because this type of attack is volumetric in nature. In fact, a traditional WAF might actually go offline during a volumetric-based attack. WAFs also lack the flexibility to protect against application-abuse attacks. Content delivery networks (CDNs), too, aren’t inherently effective against application-based DDoS attacks since they have historically focused on network-layer DDoS protection. Today’s defenders need better protection against these attacks as well as greater visibility to see what part of the application attackers are actually focusing their attacks on, which can be different by the day, hour or minute. Attackers are persistent. If you have a public-facing web app, there are always attackers who may be trying to penetrate an organization’s website from all different angles, all the time.

Enter a new generation of WAFs. With these tools, defenders have greater visibility into what attackers are doing now on websites. Since it can take potentially weeks, days, or hours for an attacker to discover an organization’s system and how to exploit a particular vulnerability, defenders – with enhanced visibility – have more time to discover and mitigate potential application-based attacks. This is different from other Layer-based attacks, where there is little time to react and respond if you can see where these attackers are focusing their attacks. In addition to providing greater visibility, next-generation WAFs can identify abuse tactics or misuse tactics that traditional WAFs can’t do. Typically, you would have to buy or create your own homegrown tool to be able to protect against attacks that are specific to your website itself and the functionality of your website.

Preparing for the Next Web Application Attack

As we know, tools alone are not enough to counter sophisticated, persistent attackers. Organizations must also invest in the right people and processes to measurably reduce their risk. For example, you should make sure your security teams are partnering with the engineering and operations teams to be able to utilize visibility into attacker behavior and counter it with their own actions to harden the app code base in the areas the attackers are focused on– before they’re able to exploit it. The upshot is you don’t have to have perfect code before it gets into live production systems. But it does mean these teams need to be tracking threats together and responding appropriately, much like the engineering and operations teams do already for any other outage-type scenario.