HEAT: Examining the next-class of browser-based attacks.
Dave Bittner: Hello, everyone, and welcome to CyberWire-X, a series of specials where we highlight important security topics affecting organizations worldwide. I'm Dave Bittner. Today's episode is titled Turning Up the Heat: Highly Evasive Adaptive Threats. The global pandemic has prompted an unprecedented shift in enterprise IT and security over the last two years. Remote and hybrid workforces and the accelerated shift to the cloud mean that business users are spending about 75% of their workday in the browser, and attackers have adapted their tactics, techniques and procedures to take advantage of the expanded attack surface this new normal provides. In this edition of CyberWire-X, we'll take a closer look at browser-based threats and vulnerabilities and explore the notion of highly evasive adaptive threats, which our show's sponsor, Menlo Security, refers to as HEAT.
Dave Bittner: A program note - each CyberWire-X special features two segments. In the first part of the show, we'll hear from industry experts on the topic at hand, and in the second part, we'll hear from our show sponsor for their point of view. And speaking of sponsors, here's a word from our sponsor, Menlo Security.
Dave Bittner: To start things off, I speak with Daniel Prince, professor of cybersecurity at Lancaster University. Later in the show, I'm joined by Nick Edwards from Menlo Security for his perspective on highly evasive adaptive threats and what he and his colleagues at Menlo Security believe can be done to stop them.
Daniel Prince: It's really interesting, from a security perspective, looking at the way that the landscape's really changing. So it wasn't that long ago that we were really talking about bring your own device, and that was the big security threat. But with, you know, the pandemic accelerating the move to online, cloud-based services, it's - you know, it's - for me, it's really about the bring your own browser kind of the threat. We've lost - you know, we're not even worried about - we've lost control of the actual device completely, and now it's the applications on the devices that we use on a day-to-day basis that are providing that portal onto the work platforms that we use and we need to survive in our daily lives. And so what's interesting there is that something that was an application is now the essential part for us to be able to do our work, and it was never designed for that.
Daniel Prince: And it's - we've got a history of this all the way through. From when we, you know, first started out, we had a - you know, an open internet, and then we put firewalls in, and then everybody kind of said, well, firewalls are a pain, so let's just put everything over the open ports on the firewall. So everything became kind of based on web communications traffic, and then we moved away from having static devices to mobile devices, like laptops and tablets and phones, and everybody then starts to bring those into the office, so we lost control of that. And now we've - again, you know, we've lost control of those - the actual physical devices, and now we're just looking at these portals onto our work applications. So it's a really interesting trend. In some ways, we're concentrating the risk more and more into smaller and smaller areas, and this is part of the latest trend focusing the risk of security threats into a web browser.
Dave Bittner: It strikes me that it's almost as if the browser is an operating system unto itself, where, you know, so much is coming through it. So much is dependent on the ever-increasing capabilities of the browsers. And, of course, with that comes vulnerabilities.
Daniel Prince: Yeah. Fundamentally, it comes down to this idea that the browser is an information retrieval tool. I mean, that's what it was designed for, fundamentally. So we're - you know, we're taking, you know, a flathead screwdriver and trying to use it for a - you know, a star or Phillips screw or a Pozidriv screw.
Dave Bittner: (Laughter) Right.
Daniel Prince: So we've got this - we've got the wrong tool, in some ways, for this. And that - you inherently then get this issue that, if you've got the wrong tool, you're going to get security problems 'cause people have designed it for a completely different purpose. And another example of this that I kind of use when I'm teaching is around GPS. I mean, GPS is a global positioning system. And to do that, it has a very accurate timing capability. And so when these systems started to appear in ships or wherever else they were deployed, people went, oh, this is great. We've got an accurate timing capability, so let's use that for other purposes. But if you then start to corrupt that timing signal, then you can start to corrupt other signals. And it's the same kind of issue here. We've got a system - web browser - that's being used for a purpose that it was never intended. And as you say, the purpose is to kind of act as the interface to an operating system, and that comes with inherent problems, and then you layer on top of that that it is around the users using it. You know, it's not a system-to-system issue. It's a user interface issue. You get all of those additional problems of user security problems - the user security issues that come along with that.
Dave Bittner: I suppose there's two sides to it because we talk about the shift to cloud services and so many of the things that we do in business day to day have moved to the cloud or are provided as a service, and there are security advantages to that. But at the same time, you're pushing things out there. Everything's coming through this one funnel that is the browser, so it's sort of a situation where, you know, things giveth and things taketh away in a way.
Daniel Prince: Yeah, definitely. And you see a lot of organizations moving to this online environment, being able to provision once a good virtual machine that you know is securely set up, and if there are any issues, you can just roll it back to a known good state. And that comes with, you know, lots of really strong security outcomes. But as you say - and sort of going back to some of the previous points - it's concentrating the risk on this application, which was designed for a purpose that was never intended. And so you get all the potential security issues and, you know, data compartmentalization issues that we know how to fix in operating systems and in fact in other applications as well. But we've never really experienced in this way when using a web browser.
Daniel Prince: And so those interactions now of these security issues - the isolation, the compartmentalization, the types of things that we've seen implemented in operating systems - they've - you know, to protect us against malicious attacks. And now we're going to have to start thinking about how do we put those into a web browser? Because it is this really useful interface. And in some ways, it comes down to this classic operational capacity versus security. You can never have everything, and it's depending on how much money you want to put in. And it depends on how much resource overall you want to put in, depends on the security and the functionality that you have. And the reliance on these types of web browser kind of models is that you're hoping that whoever is providing the web browser is doing a good enough job to provide the security there.
Daniel Prince: But if you look at the plethora of web browsers that are out there, and if you talk to any web developer, you know, they will complain bitterly about trying to support multiple web browsers to get things that get their web pages to work. Now we want them to be windows onto operating systems and complex business processes. So there's a - you know, there's a real challenge there. And - but fortunately, I think, you know, one of the things that's going to really push the security forward is because we're going to start seeing a concentration of using web browsers for these types of services. Inevitably, that means that, you know, web browsers are going to have to improve because as soon as one browser gets better with security, the companies are going to mandate using that one for their company and then somebody else will leapfrog that. And so we'll get into this almost like commercial arms race of, you know, web browser - hopefully web browser security increases.
Dave Bittner: What about the threat actors themselves as they adjust and evolve and target those vulnerabilities and, in doing so, become more evasive themselves?
Daniel Prince: Threat actors will go where the easiest target is, generally. That's the general rule. I mean, they - you know, they're like anybody else. They don't want to make their lives difficult to achieve what they want to achieve. And so at the moment, the richness of the target of the web browser and because of the complexity of the services that you can access via the web browser is driving them to target it. And that's because that's where that goal is going to be achieved the easiest. And as I said, the underlying mechanism of the web browser was not designed for this purpose. And so there are lots of really interesting exploitations that you can go at. And it's almost like this is the low-hanging fruit. And it is of interest because of the way that the web browser is now being used to access, you know, the business processes or the interesting information that individuals have access to.
Dave Bittner: Do you suppose this is the shape of things to come that, you know, this trend toward everything flowing through the browser is - that's in our immediate future?
Daniel Prince: Yeah. I mean, even at our university, we've adopted this model for access to certain university systems. So commonly when I'm accessing student record systems, I will access - use a web interface to get onto a virtual machine that is built in a specific way that provides assurances around security. And so it's not just these critical services, but we're starting to see the adoption of this type of approach for broader services that perhaps you would typically in the past run locally just because it's easy for the user. Everything is in one place, and the process of making it easy for the user is really important for that functionality. And so there will be, you know, the next stage on from that, that this will force browsers and browser technology to develop and enhance. And you will see - I'm certain we'll see things like enhancements or accelerators for accessing these types of services. And then we'll see how the threat actors will take advantage of those enhancements. And what's interesting around the kind of the web browser interface for me is this idea that actually because it's just about information retrieval and, certainly, more recently, it's about that kind of separation out so that you can't get that cross-contamination between different websites and different information, it's still very much reliant on the underlying operating system and other applications to protect it, whether that's the network information, whether that's detecting malware. But when everything is sitting inside that browser or targeting a machine that might be remote from that browser and the browser is the way in, the portal onto that, the network tunnel onto that, then you're going to start to see these new types of attacks. And specifically, the protection mechanisms that we had or have are not configured or not set up to really be able to detect that. So it's a new way in. And so it's going to be really important to see how the underlying security mechanisms of, like, the operating systems and malware services and so on adapt to be able to pick up these kind of evasive attacks that are coming in via the web browser.
Dave Bittner: That's Daniel Prince. He's senior lecturer in security and protection science at the School of Computing and Communications at Lancaster University.
Dave Bittner: Next up is my conversation with Nick Edwards. He's VP of product at Menlo Security, our show sponsors.
Nick Edwards: Browsers, as a technology, have been continuing to increase in terms of their horsepower, their technical capabilities, what they can do for users. And I think that's driven by, you know, a broad range of things, you know, not the least of which is the consumerization of, you know, what was historically kind of, you know, high-end enterprise IT functionality to make the web more useful and more kind of meaningful for both users and people who are kind of marketing or selling to users. So things like dynamic creation of content that is targeted to you based off of cookies or what kind of the, you know, vendor might be kind of aware of with your background and your profile, all these things make it so that the browser can give much more focused content. It can change that content depending upon what the geography is or what the user's trying to do, and make it more customized, you know, regardless of platform, whether you're coming in from a mobile device, whether you're coming in from a laptop, whether you're on a Windows machine or a Mac machine, whatever it might be. Just the browsers have become more powerful, and their kind of innovation curve is probably, you know, one of the fastest in the broader kind of IT industry. And given where the browsers are, that means that customers and, you know, users who are accessing enterprise technologies are able to capitalize on that to do their enterprise job.
Nick Edwards: You know, I think when you look back, let's just say, 20 something years ago, you know, in the early days of technology, so to speak, of the internet, you know, you would go to work, and everything that you would need to do for your job was kind of located on that physical machine that you were working on, you know, whether that is, you know, kind of the spreadsheets, the documentation files, you know, any kind of advanced applications. Typically, all that was happening on your desktop, your PC. And now, all of that stuff, you know, typically, is outside of, you know, your, quote, unquote, "desktop," meaning the data that you are accessing lives somewhere outside of, you know, your corporate, you know, boundary. The applications that you're using are not necessarily hosted internally. They're hosted kind of on a third-party SaaS platform, and your browser is rendering that functionality.
Nick Edwards: So I think it's kind of the marrying of the advancements of the browser from kind of an internet technology perspective and then allowing that to be leveraged for, you know, legitimate business use cases that really make kind of the browser such a central part of our jobs and our personal lives on a regular basis. I think the last time we looked at the data, users spent 75% of their time in the web browser on a daily basis, whether that's kind of web conferences, whether that's using, you know, file-sharing tools, whether that's, you know, operating kind of a web mail interface, whatever it may be. And, you know, historically, what we've seen is bad guys go where the people are, and they're going where the browser is.
Dave Bittner: Yeah. You know, I think of my own personal use, and I think it tracks exactly what you're describing here, how, you know, even things like day-to-day stuff like email, you know, where I used to have a dedicated email client on my machine, it's a lot easier to do it on the browser. And also, there's that convenience of being able to not have to lug a computer home. I can just log in from my home computer or on my phone or - you know, so there's lots of upside to this. But as you all are pointing out here, there are some security concerns as well.
Nick Edwards: And so it's really harder for these tools to keep pace with that and to be able to prevent the ultimate rendering and execution of code in the browser in a way that would not disrupt the user experience and create all of these problems from a usability point of view. And so I think that's one of the big trends that I think underlines what we're seeing from kind of this highly evasive adaptive threats is that, you know, the cybercriminals, you know, have had time to really unpack and to look for the weaknesses in existing security stack, and that, kind of married with the advanced functionality and capabilities of the browser, make it a really hard problem for kind of legacy approaches to solve.
Dave Bittner: So you all are using this term, HEAT, which stands for highly evasive adaptive threats. Can we break that into those sort of two component pieces, as they sit in my mind, which is you have the evasive part, and then you have the adaptive part? What are you all tracking in terms of those two angles?
Nick Edwards: Sure. So the evasive part is really around its ability to go kind of evade the legacy security tools that are in customer environments. You know, it's like, you know, if a bank robber is going to go to rob a bank, they're going to really study the bank. They're going to analyze what tools they have. Where are the cameras? Where's the security guard, and what's the shifts? You know, where is the secret button that the teller is going to push? - all these sorts of things. And they use this same approach when it comes time to trying to, you know, deliver ransomware or other things. They'll really spend time trying to research, you know, who the victim might be and understand as much as possible about, you know, kind of their security profile and, you know, build capabilities that will evade these traditional tools of, you know, firewalls, sandboxes, proxies, secured gateways and so forth.
Nick Edwards: And then the adaptive aspect is really around its ability as a threat to, you know, adapt to the environment, to kind of, you know, leverage the capabilities that are, you know, existing and resident on that user's platform, device, whatever it may be, to have a higher success rate at being able to ultimately kind of land the payload, to deliver the drop of malware or ransomware or whatever it might be. And so that's where, you know, kind of we'll see oftentimes that some of these attacks will, you know, be kind of OS aware. They will be, you know, kind of technology capable aware of whatever the browser is doing, what kind of a browser it is, what version of it, so to speak. And all of these things ultimately will capitalize on this core ecosystem of the internet that we use on a regular basis. So it makes it really hard because you can't block, you know, all of the unknown websites in the world because you will just break the way the internet works. And, you know, end users will complain to their IT department - hey, I'm trying to go to my, you know, kid's soccer team's, you know, registration site, and I can't go to it. What's up, you know? So...
Dave Bittner: (Laughter) Right.
Nick Edwards: And the bad guys know this. So they'll do things like, you know, squat on URLs. They'll buy URLs. They'll just wait on them. They'll allow them to develop somewhat of a - kind of a benign profile in URL filtering platforms, and then they'll strike, you know? And they'll use that, knowing that, you know, the first couple of attacks it'll lever will bypass any of that coarse URL filtering and ultimately have some success with that - so kind of really being adaptive to the attack environment that they're operating in and the users that they're going after and whatever type of technology they may have in place, you know, from the endpoint, the browser, kind of further upstream in the network security stack.
Dave Bittner: So what are you and your colleagues there at Menlo Security advocating here? How can people best protect themselves against this sort of thing?
Nick Edwards: Well, so in general, I mean, I do think that, you know, the industry has done well with these prior notions of defense in depth, you know? Which means that, hey, look, you know, you don't want to rely on any single tool to keep you safe. So, you know, do the smart things, like, you know, multifactor authentication, you know? It doesn't stop malware completely, but it's a good component to the tool. Endpoint security, EDR, these sorts of things - again, you know, good tools to have, good hygiene. Being able to do anything from a threat intel perspective, you're going to want to be able to collect telemetry and analyze that stuff. So all those things are really relevant. But when you look at kind of the upstream set of devices that have historically provided security, you know, when you're talking about proxies and firewalls and so forth, there's a component of the defense in depth model that just doesn't deliver value to stop these types of attacks. And our perspective is that, you know, kind of a platform that is focused on the browser, focused on analyzing the content that's in the browser and delivering kind of clean data is what's needed. And that's one of the things that we've done really well in terms of our investments in technology and intellectual property is kind of usher for a new approach to this using browser isolation as a key functionality. And that's kind of our philosophy and our approach, and that's what we're able to deliver to customers today to keep them safe from these types of HEAT attacks.
Dave Bittner: What exactly do you mean when we're talking about isolation here? How do you define that?
Nick Edwards: So I would say most basic in terms of a comparison would be - you know, if you're familiar with some of the kind of legacy approaches to security and, you know, in military environments or federal government environments, basically, you had, you know, computers that were never allowed to be on the internet, and they were never connected, and they were used for a lot of internal applications and internal communications, and then you had a set of computers that could be exposed to the internet, and those two kind of networks never touched, you know, so to speak. You couldn't go from one to the other. You had to literally, like, go to another device and log in and do whatever you needed to do. And that created this notion of kind of an air gap.
Nick Edwards: Well, isolation is kind of a similar vision of that but much more capable and much more, you know, kind of competent in terms of what it's able to do from a security perspective without disrupting the user's ability to do their job using the internet tools that exist. And isolation, what it does is, instead of you going to, you know, your favorite website, your sports site, your news site, you basically go through kind of Menlo's platform. Our isolation core says, hey, you know, Dave is trying to go to this website. Instead of that web content going directly to his computer, you know, we're going to render it on our computers, in our cloud. So we basically have, you know, this platform that will render the content. In a sense, it's kind of able to deliver a clean pipe, you know, to the end user's laptop, end user's machine, kind of using isolation as a technology to do that.
Dave Bittner: And what about from a user's point of view? How does this sort of thing affect the types of things they may want to do on a daily basis?
Nick Edwards: So I mean, that's - it's a really good question. I think, historically, in, you know, kind of various attempts to deliver, you know, remote desktops or kind of VDI infrastructure or whatever it may be, you know, usability hasn't been great, you know? And I think as the, you know, kind of web has improved and, you know, you can watch videos that are highly effective and, you know, really well-rendered in high fidelity, or if you're looking at things like gaming or this kind of stuff or maps or any of these things, historically, kind of these remote desktop kind of VDI environments have really struggled to deliver a good user experience. So when Menlo was founded several years ago, we realized that, hey, look, what's going in our favor? Well, bandwidth is only getting better. Cloud computing is only getting more powerful, and browsers are only getting more capable. So we were able to kind of dovetail and leverage those trends to kind of take a step back, reinvent kind of how this type of technology should be delivered to ultimately give a native user experience.
Nick Edwards: You know, we have millions of users on our platform around the world in a varying number of capacities, whether that's, you know, financial customers, military users, you know, entertainment, media, technology, et cetera. And in these cases, you know, when they're trying to do their job, if you can't deliver a quality experience to the users, then, you know, they're going to call the help desk. You know, we all know, like, when we've had problems with rendering, you know, you call IT - hey, what's going on? I can't do this, you know - and then that will quickly get escalated. And the only way you can scale is by taking the time to do it and build it right from the ground up and not kind of try to bolt it on to existing functionality. And that's what's kind of been our approach from day one is let's try to deliver the best user experience, whether they're coming from an iPad, you know, an Android device, Windows or Mac, whether they're coming from a Chrome browser or an Edge browser, whatever it may be, and make sure that we are transparent to the users. And I think, you know, historically, IT has had challenges with delivering effective security because it will come at the expense of friction of users. And I think kind of this type of approach is definitely in kind of the realm of, you know, being able to deliver high-end security, to give great security outcomes without compromising the user experience and their ability to do their day job.
Dave Bittner: Yeah, it strikes me as kind of, you know, being able to remotely detonate all the websites you visit, you know, off-site, right? So, you know, they always say, don't click the links. Don't click the link. Well, some people need to click the links to do the work that they do. And this is a way to have that happen on - you know, on someone else's property but still be able to do the things you need to do.
Nick Edwards: Yeah, exactly, exactly. I mean, it's very much one of the core pillars of the future world of technology, you know, in terms of safety and security is ultimately, like, you know, it's going to be really hard to trust the wide range of websites and applications that exist out there, you know? Even if they're good websites, the software developers may make mistakes and they may get compromised. That still happens, you know? So you can't always even trust, you know, the websites that have historically been known to be good. So you have to have an approach that will essentially, you know, assume that bad things can happen, you know, from websites. And if that's the case, then, well, how do you want to protect against it? Well, you probably want, you know, some technology approach that is analogous to this where instead of that content being delivered directly, it's kind of delivered by a, you know, vendor that can do it well and deliver secure content that doesn't, you know, disrupt the user's day-to-day, you know, existence in a professional or personal basis.
Dave Bittner: What about the actual security of this sort of thing? If everything's being done remotely, how do I know that the folks who are handling that remote part of it don't have access to my own things that I want to keep secret?
Nick Edwards: Yeah. I mean, it's a great question. You know, I mean, obviously, the industry, you know, has had challenges in this area before with respect to who's watching the watchers, so to speak, you know?
Dave Bittner: Right. Right.
Nick Edwards: And I think, you know, a variety of factors come into play there. I mean, one is prospects should really understand and kind of interrogate their vendor's, you know, kind of longevity, who their customers are, what are the security demands of their customers and so forth. So, you know, as an example, Menlo Security - the Department of Defense is kind of standardized on our approach to, you know, kind of browser security, you know, with an initiative that allows kind of Menlo to be, you know, kind of the front line of security for, you know, this browser isolation across a variety of our different service member organizations. And I think that kind of is a very relevant third-party data point that organizations should kind of look for when they're talking to any vendors. OK, like, who are your most demanding customers, and kind of what's their experience been like?
Nick Edwards: And then I think on the other side of the spectrum is kind of understand the company's compliance, you know, engagement. You know, as a vendor, you know, it's always a lot of work, and sometimes it's not trivial work, to comply with things like FedRAMP or Common Criteria or, you know, any of the ISO standards and this kind of thing. But they serve a very valuable purpose, and it allows for, you know, the broader market and industry to have a baseline of expectations. And they can quickly filter out, you know who's able to kind of deliver on the security expectations from a process, procedure and technology point of view based off of these things. So I think kind of it's a combination of both of those things, and hopefully the industry has evolved its approach to trying to sell things and people are hopefully more transparent and operate with candor. And I think that the buyers have gotten smarter and able to kind of see through that and sift through that. So hopefully it'll deliver a better outcome for everyone.
Dave Bittner: What are your recommendations for someone who's intrigued by this, who wants to, you know, see if it's the right fit for them? What's - how does - how should they get started in terms of, you know, shopping around and seeing what works?
Nick Edwards: Yeah, so, you know, our overall, you know, perspective on this is obviously, you know, they should start with taking stock of, you know, what do I have in place, you know? Are there any big gaps in terms of technology that I - that I'm missing that my, you know, peers, who are kind of best in breed, best in class, sister, brother companies, have that I don't? And I think that's always a good starting point is taking stock of what capabilities we have.
Nick Edwards: And then thinking about the future and kind of, where is technology going? And using that as kind of to help guide their roadmap for what they're going to deploy. We are strong believers in this notion of technology - of isolation technology - to solve these problems. And, you know, typically, when we engage with customers, you know, we give them the ability to kind of basically test or probe their own environment's susceptibility to these HEAT attacks. We have some things we can run on customers in a consultative manner to say, OK, well, maybe you have some of the salt. OK, well, good. We'll just run these couple of tests and you can see kind of, you know, what level of security controls you have in place. And then you can also go a little bit further and get a better understanding of, you know, how much exposure you might already have in your network.
Nick Edwards: And that's all very important because one of the things we see in these HEAT is primarily kind of about some of the techniques, threats that people are doing to kind of bypass the security staff. But typically, these attacks are often used for, you know, kind of ransomware payloads and that sort of thing. So I think use the opportunity to, you know, investigate your ransomware defenses as a vehicle to hopefully upgrade and try different approaches. And, you know, I think it's Einstein who's credited with the quote of, you know, insanity is doing the same thing over and over again, thinking that you're going to get different results. And I think that should speak to security buyers from a way of, well, like, what we've been doing isn't quite working. What are the technologies that I haven't had that might be maturing in a way that can solve some of these problems? And I think a lot of times that will kind of point back to isolation of the technology.
Dave Bittner: Our thanks to Daniel Prince from Lancaster University and to Menlo Security's Nick Edwards for joining us. CyberWire-X is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity startups and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.