Security architects always tell their clients that a good security program requires layers of defense. Despite what some vendors may tell you, any single layer has the potential to fail. Multiple layers of security allow one system to catch an attack another may miss. In a hosted application environment those layers typically include firewalls, intrusion detection systems (IDS), and server security. But as the threat to web applications continues to evolve, more organizations are adding Web Application Firewalls (WAFs) to the layered security model.
Lessons from South Korea Ransomware
In June a South Korean web hosting company, Nayana, had more than 150 of their servers compromised by a Linux port of the Erebus ransomware. The ransomware locked out 3400 of Nayana’s clients and kept the company at least partially offline for a month. It also cost them more than $1 million in ransom to get all of their customer data restored.
It appears that Nayana was running a number of unpatched servers across their server farm, which contributed to the success of the attack. But the truth is, any organization that is hosting applications online could fall victim to attack.
The Rise of Watering Hole Attacks
As organizations continue to improve their internal security, attackers are becoming more creative at finding ways to gain access to target networks. One of these methods is the watering hole attack: the attacker compromises a website that she knows employees of a target organization visit, and then uses that website to launch attacks against those employees.
For example, if an attacker has not had any success gaining access to a targeted Non-Governmental Organization (NGO), but she knows that employees of that organization visit an industry-specific news site, she may try to compromise that site instead. Using known vulnerabilities in the Content Management System (CMS), SQL injection, or cross-site scripting techniques, she can gain access to the news website. Once she controls the website she can place a trojanized PDF or Microsoft Office document on it, or redirect traffic to an exploit kit she controls, and compromise visitors to the site. Meanwhile, the website owner remains completely unaware of what is happening.
Web Application Firewall (WAF)
These types of attacks are where the WAF shines and fills in gaps left by the IDS and firewall. A WAF is a dynamic firewall that sits between visitors to your web application and the servers that host it. The WAF intercepts all traffic to your web application, looks for malicious requests, and either alerts on them or blocks them outright, helping to keep your application, and your customers, safe.
A WAF differs from a traditional firewall in that it does more than block specific IP addresses or ports: it performs a deeper inspection of web traffic, looking for signs of a cross-site scripting attack or possible SQL injection. It is also customizable, allowing you to write rules specific to your application. For example, if your application is hosted on a platform that has a known vulnerability, but you have not had a chance to patch it yet, you can write a rule that looks for traffic attempting to exploit that vulnerability and blocks that traffic until you can get the vulnerable system patched.
A WAF also differs from a traditional IDS because it has more heuristic capabilities. The attack surface of an application is always changing, and attackers are always finding new ways to launch attacks against web applications. While the attack surface may change, there are certain things attackers have to do irrespective of the attack: they have to scan for the vulnerability, and they have to generate unusual traffic patterns in order to compromise the server. Unlike a traditional IDS, which requires patterns on which to match, the WAF can look for unusual traffic activity and automatically block that traffic. Anomalous traffic, such as a burst of activity from a suspicious IP address block or probing of non-public-facing pages, can be automatically blocked even if the traffic does not match a known “bad” pattern.
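The two preceding paragraphs describe three things a WAF does that a port-based firewall or a signature-only IDS does not: apply an application-specific rule (the "virtual patch" for a vulnerability you have not yet fixed), flag requests for pages that are not meant to be public, and block a burst of requests from one address block even when no single request matches a known-bad pattern. The following Python script is an added illustration of those three behaviours over a constructed access-log excerpt; it is not code from the article or from any WAF product it names. The `/legacy/upload.php` endpoint and its `file` parameter in the virtual-patch rule are hypothetical placeholders, the thresholds are arbitrary, and the client addresses come from the documentation ranges.

```python
"""Toy WAF request classifier: signature rules plus two anomaly heuristics.

Added illustration only. The virtual-patch rule targets an imaginary
/legacy/upload.php endpoint (placeholder name); thresholds and log lines are
constructed for the example."""
import re
from collections import Counter, defaultdict, deque
from ipaddress import ip_network
from urllib.parse import unquote

# --- Signature rules: the "write a rule specific to your application" case ---
# Hypothetical virtual patch: block path traversal in the "file" parameter of an
# endpoint we know is vulnerable but cannot patch yet.
VIRTUAL_PATCH = re.compile(r"^/legacy/upload\.php\?.*\bfile=[^&]*\.\./", re.I)
SQLI_HINT = re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I)
XSS_HINT = re.compile(r"<\s*script\b|javascript:", re.I)
SIGNATURES = [
    (VIRTUAL_PATCH, "virtual patch: exploit attempt against unpatched endpoint"),
    (SQLI_HINT, "sql injection pattern"),
    (XSS_HINT, "xss pattern"),
]

# Paths never linked from the public site. Ordinary visitors have no reason to
# request them, so one client touching several in a short window is probing.
NON_PUBLIC_PREFIXES = ("/admin", "/wp-admin", "/phpmyadmin", "/.git", "/.env")


class MiniWaf:
    """Stateful inspector: signatures first, then probing and burst heuristics."""

    def __init__(self, burst_limit=20, burst_window=10, probe_limit=3, probe_window=60):
        self.burst_limit, self.burst_window = burst_limit, burst_window
        self.probe_limit, self.probe_window = probe_limit, probe_window
        self.block_history = defaultdict(deque)  # /24 network -> recent timestamps
        self.probe_paths = defaultdict(dict)     # client ip -> {non-public path: ts}
        self.blocked = set()                     # blocked client ips and /24 networks

    def inspect(self, ts, client_ip, raw_path):
        path = unquote(raw_path)  # inspect the decoded form, as the app would see it
        net = str(ip_network(f"{client_ip}/24", strict=False))
        if client_ip in self.blocked or net in self.blocked:
            return "block", "previously blocked"

        # Count every request against its /24 block for the burst heuristic below.
        history = self.block_history[net]
        history.append(ts)
        while history and ts - history[0] > self.burst_window:
            history.popleft()

        # 1. Known-bad patterns are blocked outright; no history needed.
        for rule, reason in SIGNATURES:
            if rule.search(path):
                return "block", reason

        # 2. Probing: several distinct non-public paths from one client in a window.
        if path.startswith(NON_PUBLIC_PREFIXES):
            seen = self.probe_paths[client_ip]
            seen[path] = ts
            recent = [p for p, t in seen.items() if ts - t <= self.probe_window]
            if len(recent) >= self.probe_limit:
                self.blocked.add(client_ip)
                return "block", "probing of non-public paths"
            return "alert", "request for non-public path"

        # 3. Burst: too many requests from one address block, even though no
        #    individual request matched a bad pattern.
        if len(history) > self.burst_limit:
            self.blocked.add(net)
            return "block", "burst of requests from address block"
        return "allow", ""


# Constructed access-log excerpt: "<epoch seconds> <client ip> <request path>".
# Addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = """
100 203.0.113.10 /index.html
101 203.0.113.10 /news/article-1
102 198.51.100.7 /wp-admin/setup-config.php
103 198.51.100.7 /.git/config
104 198.51.100.7 /phpmyadmin/index.php
105 198.51.100.7 /index.html
106 203.0.113.11 /search?q=%27%20OR%201%3D1--
107 203.0.113.12 /legacy/upload.php?file=../../config.ini
108 203.0.113.13 /news/article-2
109 203.0.113.14 /search?q=%3Cscript%3Ealert(1)%3C/script%3E
""" + "\n".join(f"110 192.0.2.{i} /news/article-{i}" for i in range(1, 26))


def run_log(log_text, waf=None):
    """Feed each log line through the WAF; return (ip, path, verdict, reason) tuples."""
    waf = MiniWaf() if waf is None else waf
    results = []
    for line in log_text.strip().splitlines():
        ts, ip, path = line.split()
        verdict, reason = waf.inspect(int(ts), ip, path)
        results.append((ip, path, verdict, reason))
    return results


def run_sample():
    return run_log(SAMPLE_LOG)


def verdict_counts(results):
    return Counter(r[2] for r in results)


def block_reasons(results):
    return Counter(r[3] for r in results if r[2] == "block")


if __name__ == "__main__":
    res = run_sample()
    for ip, path, verdict, reason in res:
        if verdict != "allow":
            print(f"{verdict:5} {ip:15} {path}  [{reason}]")
    print(dict(verdict_counts(res)))
```

Running the script shows the three mechanisms side by side: the probing client is allowed two non-public requests (alerts) and blocked on the third, the SQL injection, script injection and virtual-patch requests are blocked on the first hit, and the 192.0.2.0/24 block is allowed twenty requests before the burst heuristic cuts it off, with everything afterwards rejected as previously blocked.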
This heuristic capability carries over to attacks that attempt to DDoS your application: not necessarily broad attacks against the website, but DDoS attacks specifically designed to deny access to your application. WAFs can monitor for DDoS patterns and block that traffic, even though it originates from a large number of geographically diverse hosts.
WAFs can be deployed in two configurations. Customers can choose an on-premise WAF, such as the Barracuda WAF. They can also deploy a cloud-based WAF, such as those offered by Sucuri, CloudFlare, StackPath and Imperva’s Incapsula.
If you are interested in learning more about how to protect your web application and help better protect your customers with a WAF please contact us.