Combat Attacks Where They Most Often Start: Applications

Originally published by TrueFort.

Written by Mike Powers, TrueFort.

The application environment is one of the most targeted among cyber criminals and has reached a point where organizations can no longer pose the question of “if” there will be an attack on, but “when” there is an attack. The attack surface is constantly expanding, and the means of attack are evolving and becoming more sophisticated every day. Whether it is a socially engineered phishing attack, telemarketing scam, or compromised source code, attackers have proven their creativity when it comes to entering secure networks.

Why attack applications?

Applications are a part of every organization, whether it is customer-facing mobile banking application, online shopping, or an application only for employees. They all leverage server workloads that communicate with other applications using different workloads and accessing different databases. To add to the complexity, often there is third party software embedded within the applications and open source applications running in the same environment as crown jewel applications. These software supply chain components help every organization reduce the cost of development and speed the entire development process, but the convenience brings sizable risk.

For example, a banking application that eases transactions by directly integrating with an online shopping platform might have to use a third-party library to transmit payment card and personal data from the bank to the online shopping platform. That same third-party library is used for all customers of the shopping platform who have many different banks. All it takes is for an attacker to compromise that one integrated application and they can compromise all these banks’ applications. Often, that single third-party library is an unnoticed and unmonitored area of each organization.

Vulnerabilities exist, secrets exist

Most security teams do their best to educate their employees to be aware of phishing scams and have implemented identity management and multi-factor authentication, but vulnerabilities still exist. What happens when an attacker gains access using authorized credentials obtained through secrets-in-code? A Secret is a digital authentication credential (API, Token, etc) that is used in applications, services, and infrastructure. This can act like a password to authenticate a specific user or system to perform any number of functions. The difference is that passwords are meant to be protected, but a secret is meant to be distributed. Engineering and Dev teams are constantly modifying code and will sometimes keep access keys accessible to easily make changes, usually in the form of a hard-coded secret in source code. Since code is meant to be copied, distributed, or cloned, it presents an often unknown vulnerability via exposed Secrets. In 2021, GitGuardian detected more than 6 million leaked secrets on the open forum site GitHub. It is not uncommon for developers to publish code on GitHub, but sometimes it is overlooked that the code contains hardcoded secrets. GitGuardian reported that a large share of those published secrets gave access to sensitive corporate resources through applications.

Neutralizing the supply chain risk

Many organizations have made Zero Trust a priority, but Zero Trust alone may not be enough if an attacker is disguised as an authorized user. If an attacker gains access to a secure network through a compromised application using authentication tokens obtained through a leaked secret, they could potentially move through completely undetected. By the time their presence is known, they will more than likely have already compromised sensitive data.

Until now, it was a very time-consuming and manual process for teams to catalog what applications were using which servers, and it was easy to miss the out of line behaviors of authorized users.

Through behavior profiling and real-time visibility into application behavior, micro-segmentation of those applications and workloads is finally possible; malicious activity can be detected early on and organizations can prevent lateral movement across their network, thus minimizing the blast radius around supply chain software you don’t control.

Make sure you’re prepared before software in your applications are hit

Vulnerabilities exist, attacks are going to happen, and organizations who do not have full visibility into their application space are putting themselves at risk. Organizations need a solution that provides real-time visibility and micro-segmentation that is easy to use, cost-effective, and designed to reduce the risk of supply chain attacks.