Johannesburg, 21 May 2021
The Web application firewall (WAF) has been a staple of enterprise cybersecurity for decades. Almost every business has a solution for filtering, monitoring and blocking traffic to its servers.
But the fact that WAF technology is popular does not mean it is also effective. That’s why major companies like Twitter, Nintendo and Zoom all suffered data breaches in 2020.
It’s almost certain that all of these companies – and every other major enterprise to suffer a catastrophic data breach – had some kind of application firewall solution in place. It’s equally certain that whatever that solution was, it wasn’t enough.
The truth is that firewall technology is becoming antiquated when compared to the sophisticated technologies that cyber criminals use to defraud their victims. It falls on executives and business leaders to recognise this and put better security systems in place.
WAF technology doesn’t work on compromised accounts
Even the most advanced perimeter firewall cannot identify and mitigate an account takeover attack. This is because these kinds of attacks end up using your own security infrastructure against you.
An account takeover attack is any kind of cyber attack that involves an unauthorised user gaining access to an account inside an organisation. This can range from compromising the CEO's e-mail account to phishing employee data or even guessing passwords to regular users’ accounts.
Firewalls can only detect attacks injected into isolated Web requests. While this is certainly useful for things like distributed denial of service (DDOS) attacks, it doesn’t work when the attacker is already inside your network.
How hackers get into networks
The most typical scenario is a hacker gaining illicit access to a network by phishing one of its users. Phishing is the practice of fraudulently impersonating reputable companies in order to lure people into revealing personal data – like their account names and passwords.
According to Verizon’s 2020 Data Breach Investigations Report, 22% of breaches involve phishing. Seventy-four percent of organisations in the United States experience a successful phishing attack.
Cyber attackers create extensive and sophisticated phishing campaigns that target end-users, employees or even executive stakeholders. This is a significant threat for large companies that might have thousands of individual accounts – it only takes one slip-up for the hacker to gain a foothold on the inside.
Ninety-six percent of phishing attacks occur by e-mail. The process of hijacking an employee’s e-mail account is incredibly simple now that cyber-criminals have access to phishing as a service vendors who can automate the process for them. It should come as no surprise that the dozens of scam e-mails you probably receive every day are not actually written manually.
Once hackers compromise an account, they slowly begin extending their reach throughout every level of the organisation. They look for opportunities to find and exfiltrate sensitive data – and the organisation’s firewall sees nothing more than a regular user account accessing data.
How to stop account takeovers and credential stuffing attacks
Security professionals around the world have been giving the same advice for years: Create unique passwords for every account. Use long passwords that are hard to guess. Enable multifactor authentication.
Users, employees and even high-level executives have routinely found themselves defrauded by cyber criminals due to bad password policy. Regardless of how strict your organisation is about passwords, it’s not always possible to ensure every single user responds proactively.
This is especially true when it comes to enterprises with a large attack surface. Inevitably, some customers will re-use passwords. Some employees will click on a malicious e-mail link. Some junior accountants will get an urgent message from the CEO saying they have to pay an (entirely fictitious) invoice right now.
These attacks happen when cyber criminals compromise privileged accounts. They can do this either by specifically targeting high-profile users, or by systematically working through your entire database of users.
The first approach is a typical example of an account takeover. The second is called a credential stuffing attack. In a credential stuffing attack, hackers use extensive databases of stolen credentials and try to match them with online logins. Anyone who has ever re-used a password is a prime target.
In order to prevent these kinds of attacks, organisations need to invest in data exfiltration protection. This technology differs from the Web application firewall approach because it assumes that hackers will enter your network. Once they do, it prevents them leaving. Your security team can then launch an effective investigation and find out exactly how they got there.
Technical analysis: How data exfiltration could have prevented the Nintendo credential stuffing attack
In April 2020, Japanese video game giant Nintendo confirmed that 160 000 user accounts were compromised by unknown perpetrators. The attack exposed user account credentials, passwords and credit card information to hackers.
In this case, the attackers used purpose-built account checker software to quickly run through an enormous database of leaked credentials. The application systematically input known usernames and passwords (from previous data breaches) into the Nintendo Switch store login. The application then exfiltrated eight points of data from the victim’s Nintendo account:
- Nintendo eShop balance;
- Gold Points balance (reward points for buying Nintendo Switch games);
- Credit card type;
- Credit card expiration date;
- PayPal subscription ID;
- Currency denomination;
- First six digits of credit card number; and
- Last four digits of credit card number.
The fact that an automated software application read this data out of Nintendo’s log files means that it had to operate in a way fundamentally different from how a regular user works. This is where data exfiltration protection could have potentially prevented hackers from gaining access to Nintendo users’ log information.
While an advanced firewall solution may be able to identify unusual behaviour on an account, it cannot prevent the exfiltration of account data from within the authorised account. Once a hacker inputs the right username and password combination, there is no way to protect that account other than through sophisticated data exfiltration services.
BlackFog is a cyber security vendor that specialises in data exfiltration for enterprises and small businesses. Find out how we can fill the gaps in your firewall-based perimeter security solution.
Share