Technology Sectors
The navigation layer of the Website: A 2012 target for cybercriminals
 |
|
Jesse McKenna |
Since the commercialization of the Internet, there has been an evolution with how cyber criminals are conducting malicious activities on Websites. They are finding more and more ways to steal information, commit fraud, game Website logic and impact business operations. Central to the explosion of cybercrime in recent years is the continued evolution of rich Internet applications and exposure of critical business operations to the Web.
As more business operations, both internal- and external-facing, move to Web-enabled platforms in 2012, the more opportunities criminals will have to find loopholes, mine for valuable data and exploit legitimate Website functionality.
A new attack vector in 2012
Cyber criminals are becoming more creative and automating their way of exploiting vulnerabilities and business logic flaws at the navigation layer -- which includes all behavior on a Website and may be referred to as a “clickstream.”
In 2012, I expect that the industry will begin to recognize a new class of attacks that directly target the navigation layer, which will automatically extend the reach of criminals to personal and mobile devices.
The navigation layer
Simply put, the navigation layer is how users of Web services access and interact with various resources and functionality of Websites. Purchasing a digital camera on an e-commerce site, balancing your checkbook, using online banking and interacting with project plans on a company Intranet are all examples of activities that take place in the navigation layer.
The reason this is such an attractive target for criminals is that the functionality that enables their criminal activities, in large part, has to be made available to legitimate users. As long as there are Websites, criminals will be looking for ways to take advantage of the data and functionality made available through those sites. Although certainly not an exhaustive list, a significant portion of online criminal activity can be seen in the categories of business logic abuse, data scraping and architecture probing.
Traditional security struggles to protect the navigation layer
The cybersecurity challenge facing businesses and organizations is that it is notoriously difficult to detect and defend against business logic abuse, data scraping, architecture probing and other types of attacks executed through the navigation layer.
Traditional approaches that leverage deep-authentication of users, transaction risk modeling, link analysis, event correlation, etc. are still critical to have in place, but are rendered largely ineffective when confronted with “low-and-slow” processes scraping site data or with attacks carried out by networks of hundreds of PCs infected with criminal-controlled malware. Moreover, criminals are continually changing their attack strategies and developing new methods of exploiting Website functionality. Keeping detection systems up-to-date with the latest attack vectors is incredibly challenging.
Defending against attacks in 2012
All of this may seem overwhelming, and rightfully so. However, there are a few aspects of this type of criminal activity that begin to level the playing field.
First, these attacks all take place through the navigation layer and Website owners control this layer. Although the functionality exploited by criminals typically is required for the use of legitimate users, businesses and organizations can have visibility into every aspect of the traffic going through the navigation layer. The ability to monitor this wealth of traffic is invaluable for detecting attacks coming through the Website and for performing forensic investigations of past events to better inform detection and mitigation decisions in the future.
The other area where businesses and organizations have an advantage is that criminals, in order to execute their attacks, have to behave differently than normal users of a Website. Normal users do not try to log in using tens, hundreds or thousands of different passwords. Nor do they crawl entire product catalogs on e-commerce sites or submit nonsensical chunks of data to Web applications in the hopes that it will break. By leveraging full visibility into the navigation layer, it is possible to perform behavioral analytics on every click on the Website and rapidly identify the outliers -- those Web sessions that are not behaving like everyone else using the Website.
As Web applications and Web-enabled devices continue to rapidly evolve, the attacks on the navigation layer will continue to keep pace -- using the latest functionality for something other than what it was intended for. But, by maintaining full visibility into the navigation layer and on every click occurring on the Website, these evolving threats can be detected and mitigated in near real-time, thus preventing the often dramatic impacts of attacks that have gone unnoticed until the damage has already been realized.
Jesse McKenna is a fraud analyst at Silver Tail Systems. He can be reached at:
