We have all heard riveting stories about how the Executive Assistant to the CEO received an email with an attachment bearing an enticing name like “Executive Bonuses.xlsx” or “Recruitment Plans.xlsx”. Clicking on the attachment unleashed a series of events that resulted in the crown jewels of the enterprise being compromised. While this truly happens (and may be how some Russians hacked the Democratic National Council recently), we took a moment to probe the question of whether an extra dollar spent protecting the endpoint has a better ROI than a dollar spent on application protection. The answer lies in the likelihood of success for a malicious actor using either method of attack. Let’s analyze it.
Cybercriminals are constantly baiting unsuspecting users, like you and me, who are quietly going about our daily lives, surfing the digital ocean and collaborating with others through email. Some of us get reeled in while others have developed a sixth sense or use digital certificates and will not easily become victims of such “phishing” expeditions.
If a “phished” target does become a victim, clicking on the dreaded attachment can exploit a vulnerability in an application such as Adobe Reader, MS Word or Excel. The exploit for the vulnerability establishes a connection to the cybercriminal’s command and control center and installs various tools from the cybercriminal’s war chest. Some of these malicious tools may allow the cybercriminal to “visit” the victim’s machine on demand, while other tools may collect the victim’s keystrokes, read documents or even crack passwords if they are stored only as hashes. What makes matters worse is that many users reuse the same password across the multiple websites they access regularly. This egregious behavior on the part of the victim opens up more doors for the cybercriminal.
Almost all endpoint cyber security vendors provide simple and effective recommendations on how to avoid becoming a victim of a phishing attack. As a result, it is very hard to compromise sophisticated users like IT staffers, who often hold passwords to the enterprise databases where the crown jewels of the enterprise may reside. Most such sophisticated users patch their computers regularly, so the vulnerable versions of Adobe Reader and the like may not even be available for exploitation. Furthermore, most sophisticated enterprises that deal with sensitive, high-value user information have started to require multi-factor authentication before they let privileged users in. Email providers like Google Mail use such means. Some enterprises, like banks, use multi-factor authentication to gate access not just for privileged users but for every user. Using stolen credentials to get access to privileged information is therefore getting increasingly difficult.
So is the cybercriminal taking a long shot with a phishing attack? Perhaps. We believe phishing attacks are typically conducted by less sophisticated cybercriminals, often referred to as “script kiddies”, who are hoping that the victim hasn’t patched their computer and is gullible enough to click on phishing links. If all the stars align, the script kiddie may in the end get sensitive information about the victim, one victim at a time.
Now let’s think about why a hacker would target an application directly, as opposed to going through a series of low-probability events cascading from an endpoint phishing infiltration. Here are four good reasons why we think more ambitious hackers would target an application:
- The pot at the end of the rainbow is loaded with more (and better) gold. The application offers a greater potential for obtaining sensitive information, such as credentials, about the large collection of users who congregate at those web sites.
- More unpatched surface. Unlike personal-use applications, which are started and stopped frequently, a farm of web servers is significantly harder to take offline for patching than a laptop is to patch and reboot. And because of the complexity of the web application, a patch to a third-party library may break the functionality of the web application itself.
- Higher chance of privilege escalation on key systems. Some web-facing applications run with root privileges; therefore a compromise of the web application may result in access to databases holding mission-critical information.
- The app generally leads directly to the data. Unlike an infiltrated endpoint, the app is a direct conduit to corporate data. An endpoint is only the first step of a kill chain that may still have to exploit an application, or escalate privileges on one, to reach the more valuable assets.
Ultimately, we believe hackers understand this trade-off, and it shapes the type of attacker drawn to each vector. While both vectors attract the proverbial script kiddies mounting dialing-for-dollars style campaigns, the application vector also adds a more sophisticated type of hacker to the equation.
In our view, the hackers targeting zero-day vulnerabilities in web-facing applications (at both the binary and interpreted code levels) are more sophisticated cybercriminals, given the order-of-magnitude higher technical complexity involved in the attack as well as the scarcity of information about zero-day vulnerabilities.
We conclude that while the odds of success through an application-initiated or an endpoint-initiated cyber kill chain are low either way, the crown jewels that can be stolen are far more valuable, and the odds of success higher, through an application-based attack than through an endpoint-initiated kill chain.
Application protection versus endpoint protection is clearly up for debate, and we welcome your views on this over time. Of course, we realize that organizations must protect against both vectors of attack, but our main consideration here was the value of an incremental dollar of investment, particularly considering that endpoint security makes up a much higher percentage of IT security budgets today than application security does.