Over recent years we have seen a huge increase in web-browser-based attacks, and according to an article published by Morphisec, companies spend almost 3.2 million dollars a year just to rectify these.
What makes these attacks lethal:
Various factors contribute to this:
- Most users are not aware of how to use the internet securely
- Browsers are present on a wide range of systems
- Increased use of APIs that run in the browser
- Lack of understanding of internet usage patterns per team (sales, programming, etc.)
- Browser support for multiple embedded technologies (ActiveX, Java applets, PDF, etc.)
- Wide range of attacks that use the web browser
- Browser extensions that behave as downloaders
What are the common attacks:
Drive-by downloads: The most common type of attack that uses the browser as a threat vector. There are 3 ways in which this is commonly done:
- A person visits a malicious website and, without their knowledge, a file is downloaded onto their system.
- The same attack is also accomplished when a user clicks on a link without understanding what the click might do.
- A user clicks on a phishing link received via email.
- As you can see, all the methods of accomplishing this attack rely on "social engineering" (where a human's tendency to make mistakes is exploited). MITRE ATT&CK technique: T1189.
Browser redirection: A user accesses a URL, but the browser automatically goes to another URL that the victim does not know about. This is a social-engineering-based attack where the user might receive a phishing mail. MITRE ATT&CK technique: T1185.
Bugs and vulnerabilities in browsers: Since web browsers are extremely complex software, many vulnerabilities have been found in them. Over the past several years we have seen a fair number of vulnerabilities; below is a snapshot from vuldb. MITRE ATT&CK technique: T1185.
Clickjacking attack: In this type of attack the victim clicks on a link thinking it will open a new page, download a song, etc.; however, it turns out that code is executed without the user's knowledge, and thus a threat gets downloaded without the user knowing it. MITRE ATT&CK technique: T1555.003.
Man-in-the-browser attack: In this attack, the attacker installs malware on the victim's machine which infects the web browser. From then on every activity performed by the victim is shared with the attacker (in simple terms, an infostealer). When the victim accesses sensitive data, the same is relayed to the attacker. MITRE ATT&CK technique: T1555.003.
Adware: Adware is a type of threat that can do either of 2 things:
- Get installed as a browser plugin
- Get installed as software on the system
However, its main aim is to collect information about the user's behaviour and serve them selective advertisements. As such, adware is not a major threat (many security vendors do not even consider it a serious threat); however, since many of these are not widely known, an attacker can use them to carry out any of the threats mentioned earlier (those are red-alert threats). MITRE ATT&CK techniques: T1176, T1189, T1217.
- Many times, even after the user closes the website they visited, these keep running until the browser is closed.
- Most of them create persistence.
How to mitigate these threats:
- Commonly used browsers like Chrome, Microsoft Edge, Internet Explorer and Firefox have a pop-up blocker. Ensure that it is turned on by default. This adds a check where the user has to explicitly allow pop-ups for a site.
- Enable GPO policies to restrict "automatic" functionality. For example, GPO templates for Chrome can be found at https://support.google.com/chrome/a/answer/187202?hl=en#zippy=%2Cwindows; using these, various Chrome features can be controlled.
- Restrict browser usage in the enterprise to Chrome or Edge so that better controls can be implemented.
- Tools like McAfee WebAdvisor can detect threats and provide suggestions while a website is being accessed, hence providing better security. The same can be accomplished with almost all endpoint security tools (commonly known as a Browser Intrusion Prevention System). https://www.mcafee.com/en-us/safe-browser/mcafee-webadvisor.html
- Harden proxy policies to ensure that only known-good websites can be accessed in the environment.
Log Sources to detect these threats:
Since web browsers are applications, not much is known about the security logs they store; however, the following tools can be used for indirect checks:
- Proxy logs: Since most proxies are tied into browsers via a PAC file, they are able to track almost all traffic. Attacks like clickjacking and browser redirection can be detected using the "Referer" URL.
- Firewall: Because proxies are expensive, most organizations use a proxy only for external purposes, while internal machines still send traffic through the firewall directly to the internet. A layer-7 firewall can detect almost all traffic (even better if SSL inspection is enabled). However, unlike a proxy, this needs a bit more work and analysis.
- EDR tool: Endpoint Detection and Response is a tool that can monitor all applications in the environment and raise alerts based on anomalies. An open-source EDR such as OpenEDR by Comodo or Wazuh can help.
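As an added example (not from the original article), here is the referer-based hunting the proxy-log item suggests, run over constructed proxy log lines; the log format, domain names, allowlist and rule names are all assumptions, and every hit is a lead for an analyst rather than a verdict.

```python
"""Referer-based hunting over proxy logs (added example, not from the article).
Each rule is a hunting lead, not a verdict: redirect_to_unknown (browser
redirection), executable_from_unknown (drive-by download) and
sensitive_site_framed_from_external (clickjacking via framing)."""
import re
from urllib.parse import urlsplit

# Constructed sample log (not real traffic). Assumed format:
# timestamp client_ip method url http_status referer ("-" when absent)
SAMPLE_LOG = """\
2024-01-09T10:00:01 10.0.0.5 GET https://intranet.example.com/portal 200 -
2024-01-09T10:00:07 10.0.0.5 GET https://news.example.org/article 200 https://intranet.example.com/portal
2024-01-09T10:00:08 10.0.0.5 GET https://cdn.example.org/ads.js 302 https://news.example.org/article
2024-01-09T10:00:09 10.0.0.5 GET http://track-xyz.example.net/land 302 https://cdn.example.org/ads.js
2024-01-09T10:00:10 10.0.0.5 GET http://dl-xyz.example.net/setup.exe 200 http://track-xyz.example.net/land
2024-01-09T10:01:00 10.0.0.7 GET https://intranet.example.com/hr/payroll 200 http://promo-abc.example.net/win
"""

# Assumed allowlist of domains the organisation expects to see, and the subset
# that should never be loaded from (framed by) an unknown external page.
ALLOWED_DOMAINS = {"intranet.example.com", "news.example.org", "cdn.example.org"}
SENSITIVE_DOMAINS = {"intranet.example.com"}
EXEC_RE = re.compile(r"\.(exe|msi|scr|hta)$", re.IGNORECASE)

def host(url: str) -> str:
    """Hostname of a URL, or '' for an empty/absent referer."""
    return urlsplit(url).hostname or ""

def parse(line: str) -> dict:
    ts, client, method, url, status, referer = line.split()
    return {"ts": ts, "client": client, "url": url,
            "status": int(status), "referer": "" if referer == "-" else referer}

def hunt(log_text: str) -> list:
    """Return (rule, client_ip, referer_host, destination_host) tuples."""
    findings = []
    for line in log_text.splitlines():
        e = parse(line)
        dst, ref = host(e["url"]), host(e["referer"])
        # 30x hop that leaves the referring domain for one we do not expect
        if 300 <= e["status"] < 400 and ref and ref != dst and dst not in ALLOWED_DOMAINS:
            findings.append(("redirect_to_unknown", e["client"], ref, dst))
        # executable pulled from a domain outside the allowlist
        if EXEC_RE.search(urlsplit(e["url"]).path) and dst not in ALLOWED_DOMAINS:
            findings.append(("executable_from_unknown", e["client"], ref, dst))
        # sensitive internal site requested with an unknown external Referer
        if dst in SENSITIVE_DOMAINS and ref and ref not in ALLOWED_DOMAINS:
            findings.append(("sensitive_site_framed_from_external", e["client"], ref, dst))
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print("%-36s client=%s referer=%s -> %s" % f)
```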
Source/Credits/Written By: https://www.linkedin.com/in/vasudev-c/