Advanced Hacking Groups are Targeting Applications, and With Good Reason

Attackers are constantly trying to gain access to private resources. Today, more than ever, the focus for attacks is the Application, and this is no random act. The organizational shift to agile, cloud-based environments, along with the adoption of microservices and API-first architecture, makes for a complex application stack with many dependencies. This is compounded by the fact that applications are automatically built and run by Continuous Integration and Continuous Delivery pipelines, and auto-scaling capabilities.

This shift is great for agile application development, providing the organization with immeasurable value. However, it adds to the application stack and pipeline chaos, creating an enormous challenge for modern application security teams. Agility makes management of the application security posture much harder for security teams, as they struggle to keep up with the ever-growing gap. 

Advanced attackers and hacking groups are also taking notice.

A prime example is one of the biggest and most elaborate hacks of recent years — the SolarWinds’ Orion attack, attributed to highly advanced state actors. A unique and fascinating aspect of this attack was the manner in which the attackers used the application’s own CI pipeline to introduce their manipulated malicious application, and used SolarWinds’ updates distribution system to spread the malicious signed application automatically to unsuspecting SolarWinds clients.

“It’s one of the most effective cyber-espionage campaigns of all time,” said Alex Stamos, Director of the Internet Observatory at Stanford University and the former Head of Security at Facebook in an interview with NPR. “In doing so, they demonstrated not just technical acumen, but the way they did this demonstrated that they understand how tech companies operate, how software companies operate.”

What is alarming to application security teams is that such an attack, compromising the application stack or CI/CD pipelines, would be very hard to mitigate by modern organizations. Application development has become increasingly agile and dynamic, creating a constantly growing blind spot for security teams. These blind spots may be tracked by reporting systems that are too disruptive for application security teams to maintain, thereby becoming rapidly unmanageable.

“This was an intelligence collection operation meant to steal information, and it’s not the last time that’s going to happen, This is going to happen every day.

…And I think there’s a lot that we all need to do to work together to stop this from happening.“ Warned Adam Meyers of CrowdStrike, who led the forensics investigation of the SolarWinds attack.

Another relevant attack vector which was recently published was dubbed dependency confusion. This vulnerability allows an attacker that knows (or guesses) the name of an internal private dependency package to run arbitrary code as part of a local developer environment, CI build scripts, or in production environments. The vast and growing use of dependencies in modern applications creates an attack vector that can potentially affect almost every modern R&D organization. 

How did we get here?

The “dependency confusion” attack is also a great proof of concept for just how much modern application security teams struggle to assess their security posture, and how dramatically a specific vulnerability can affect it. Application security teams found it difficult to list their organization’s existing private dependencies. Teams that were able to comprise such a list struggled to determine which internal package was recently built, which package was being used by which service, which package was developed by which developer, etc. This chaos made it hard for security teams to assess the organization’s application security posture, leaving the application wide open for breaches and malfunctions.

Unlike attacks targeting data or user’s privileges, these two examples  compromised the application stack — its source code, developers’ privileges, or the application CI/CD and production environments. Attacks targeting applications are gaining growing popularity and are increasingly more lucrative for malicious actors…

In the not-so-distant past, the majority of application information security relied mostly on infrastructure hardening, followed by policy monitoring and investigations of any violation. In such a mindset, organizational security posture could be managed as long as the organization maintained a secured network policy, separating the well-defined internal private resources from external public resources (e.g. via a network firewall policy), and kept the server’s infrastructure up-to-date, patched, and properly configured.

The application security part of the process was confined to the development lifecycle mostly by threat modeling, penetration testing, and developer training.

These were never easy tasks, but the growing maturity of infrastructure security products provided a reasonable balance between maintaining organizational security posture while enabling infrastructure growth. While the infrastructure asset management security tools have matured into the age of posture management platforms, in the application security realm this shift is just beginning, as more and more organizations adopt agile security postures that do not hold application development back and allow ongoing management of the organization’s application security posture.

What's next for application security?

The current goal for application security experts of all levels is clear: eliminate chaos. This is significantly easier said than done — the application stack is as complex as can be with multiple distinct efforts and various security reports and sources: compliance, bot detection, application PII handling, penetration tests, threat-modeling, code review, SCA, SAST, DAST, developers training, security policies, bug bounty programs, and more.

Application security teams are constantly trying to “close” the AppSec gap but are at a loss as to what their priorities should be in order to gain the most value. To efficiently prioritize, they must assess their application security posture, define KPIs across the board, and have the ability to view organizational trends over time. 

AppSec agility, enabled by maturation and adaptation of posture management processes, is critical for all organizations. The application security posture management mindset will undoubtedly be at the heart of cybersecurity as an industry in the coming years. Without the required changes in AppSec management the chaos will only grow, leaving organizations critically vulnerable to highly sophisticated attacks. The approaches used in existing security products will not suffice in the long run, and must be adapted in order to adequately map, manage and resolve the gaps.

Application security teams struggling to maintain their current gapped security posture, now have a unique chance of gaining ownership of the application security posture in their organization. Organizations are putting more effort into application security, but only if AppSec will be quick to adopt the posture management approach can they be sure they are moving in the right direction.

‍

About the author

Omer Yaron is the Head of Research at Enso Security, the first Application Security Posture Management (ASPM) tool used daily by AppSec teams to enforce, manage and scale a robust AppSec program, all without interfering with development.