Beyond the Web Application Firewall: A Proactive Defense

 
In the modern day, there are many tools at a developer’s and company’s disposal that aid in securing web applications, networks, devices, and data. Some of these tools include Web Application Firewalls (WAFs), Endpoint Detection and Response  (EDR) systems, Antivirus (AV) software, and possible Artificial Intelligence (AI) integrations for each of these tools.

However, just as a tractor is to a farmer, these tools are most effective when used to augment the abilities of a skilled operator and lose significant value when deployed alone with default configurations. Attackers can use methods such as padding oracles, encoding, and many other more advanced attacks to bypass all these “reliant” tools. As defensive tools have evolved, attackers have adapted and developed more sophisticated attacks to compromise organizations that rely solely on these tools for defense.

From a professional penetration tester’s perspective, these solutions are capable of mitigating or preventing many attacks that were performed during numerous engagements. However, some of the worst problems that are found are either when exploits or bypasses are performed on a WAF, for example, when the web application at its core was found to have multiple exploits.

Organizations that rely solely on these tools are often the most severely compromised when the tools are bypassed or defeated, and significant vulnerabilities are exploited in the underlying application. In one case, leveraging a WAF bypass to affect a SQL injection attack opened a major pain point for the penetration test.

According to a report by Qualys¹, less than one percent of vulnerabilities contributed to the highest risk and were routinely exploited in the wild in 2023. Some of the most targeted vulnerabilities were:

• CVE-2021-34473, CVE-2021-31207, CVE-2021-34523: These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers and enable remote code execution². They were exploited by several ransomware groups, such as LockBit 2.0 and BlackMatter³.
• CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065: These vulnerabilities, known as ProxyLogon, also affect Microsoft Exchange email servers and enable remote code execution². They were exploited by several threat actors, such as HAFNIUM, DearCry, and Conti³.
• CVE-2021-21972: This vulnerability affects VMware vCenter Server and allows remote code execution². It was exploited by several malware campaigns, such as RotaJakiro, Epsilon Red, and DarkRadiation³.

Some examples of recent cyberattacks that exploited vulnerabilities in these security solutions or bypassed them altogether are:

• In July 2023, the Port of Nagoya, Japan’s largest port, stopped operations after a ransomware attack that bypassed its EDR and WAF solutions⁴.
• In July 2023, the Tampa Bay Zoo was targeted by a cyberattack by an apparent offshoot of Royal ransomware that stole the information of its employees and vendors⁴.
• In 2023, the cyber landscape was shaken by TA505, also known as the CL0P Ransomware Gang, that masterminded a high-profile cyberattack by exploiting zero-day vulnerabilities in key platforms like GoAnywhere MFT, PaperCut, MOVEit, and SysAid¹.

The security solutions that are commonly used by developers and companies, such as EDRs, WAFs, AV, and AI, are not sufficient to protect against the ever-evolving and sophisticated malware and web application attacks that exploit their vulnerabilities and bypass their defenses, especially with the advent of AI. Therefore, it is essential to develop secure web applications and implement network and computer security controls at the core, following best practices and standards, to reduce the risk of data breaches, cyberattacks, and regulatory fines.

How EDRs, WAFs, AV, and AI Can Be Bypassed

First, let us start with some definitions:

• EDR or Endpoint Detection and Response systems are security solutions that are used to continuously monitor end-user devices to respond to and detect threats such as malware, ransomware, and suspicious activity.
• WAF or Web Application Firewall uses filtering methods and monitors HTTP(S) traffic to and from the web application and the internet. This protects web applications from attacks such as SQL injection, Cross-Site-Scripting (XSS), and many other types of web-based cyber-attacks.
• In the context of cybersecurity, AI can help with threat detection, prevention, and mitigation by leveraging AI techniques such as deep learning, machine learning, and natural language processing. AI can also automate cybersecurity tasks, improve security operations, and enhance cyber threat intelligence. These models are prevalent in AV, WAF, and EDR solutions.
• AV or Anti-Virus is the most known out of the four types of protections in place. While not a firewall, it is still used in the context of firewalls to aid in detecting malicious code and software,

All these types of protections likely use some form of AI and  Machine Learning (ML) to understand what an attack might look like. It uses a series of algorithms, signatures, fingerprints, and patterns to see what action might deviate from the norm.

Some of the main challenges security solutions face is the constant evolution and sophistication of techniques and methods that attackers can use to evade or bypass them. Some might say the friend of my enemy is my friend, and in this case, AI is a double-edged sword. If it can be used to detect an attack, it can also be used to evade detection. For example, evading EDR solutions that monitor the behavior and activities of endpoints, attackers have been known to use Control Panel and Dynamic Link-Library (DLL) side-loading, code injection, userland API hooking, and ChatGPT to hide their malicious code.

By evading WAFs that are known to filter and block malicious web requests, attackers can use XSS, SQL injection, cross-site request forgery, and parameter tampering to inject malicious code, execute commands, and steal cookies. This can be accomplished in many ways, by using custom polyglots for XSS, or encoding payloads in multiple formats. Just ask your local AI chatbot in the right way and it can craft you a nasty payload in less than a minute.

To evade AVs, which scan and detect malicious files, attackers can use polymorphic and metamorphic malware, file-less malware, and obfuscation to change their code, avoid writing to disk, and hide their signatures.

To evade AI, which uses machine learning models to analyze and classify data, attackers can use adversarial machine learning, data poisoning, and model stealing to generate malicious inputs, corrupt the training data, and copy the models.

Below is a list of tools that have been used in recent attacks using these methods:

• TrickBot, Emotet, and Ryuk ransomware for EDR evasion
• Magecart, Mirai, and Shellshock for WAF evasion
• Stuxnet, WannaCry, and NotPetya for AV evasion
• Deepfake, GPT-3, and DeepLocker for AI evasion

Why Developing Secure Web Applications and Implementing Network and Computer Security Controls Are Essential

With all that said, these solutions add an extra layer of protection, but they are not infallible. Rather, they should be used as the intended tool that they are to help further add a layer of protection to the security onion. Secure design of your infrastructure, web applications, and devices should be the core focus and most hardened portion of your line of security.

Some helpful security measures that complement these solutions include:

• Developing secure web applications following best practices and standards, such as the SANS SWAT Checklist, the Microsoft Secure Development Lifecycle, and the OWASP Top 10
• Implementing network and computer security controls following best practices and frameworks, such as the IBM Security Controls, the Fortinet Network Security, and the Forcepoint Network Security, as well as security standards such as the NIST guidelines, PCI DSS, and many others.

Some of the major benefits you will see as your infrastructure continues to grow, your applications get more complex, and you employ more people will be:

• Reducing the risk of data breaches, cyberattacks, and regulatory fines
• Enhancing the performance, reliability, and scalability of the applications and the network
• Improving the reputation, trust, and customer satisfaction of the company
• Saving time, money, and resources in the long run

Recommendations

While these firewall technologies may add an extra layer of protection, companies become reliant on such solutions to protect their applications, devices, and networks and think it is part of the development process. It should be conveyed with the utmost urgency that the focus should be on developing secure web applications and implementing network and computer security controls at the core.

Some recommendations or suggestions to improve your security posture include:

• Regular penetration testing, be it before every release, quarter, or yearly (some regulations such as PCI-DSS require this)
• Conducting regular security audits and assessments
• Updating and patching security solutions and software
• Educating and training your employees and customers on security awareness and best practices
• Seeking professional guidance and assistance from security experts and vendors

RedLens InfoSec, CampusGuard’s trusted security team, is eager to partner with you to mitigate risks in your organization and strengthen your cyberdefenses. Contact us today to get started.

References

1. Qualys Report
2. CISA 2022 Top Routinely Exploited Vulnerabilities
3. CSO: 15 most exploited vulnerabilities of 2021
4. Cyber Management Alliance: July 2023: Recent Cyber Attacks, Data Breaches & Ransomware Attacks
5. Cloudflare: What is a WAF? Web Application Firewall explained
6. Lumu Technologies: EDR Evasion: How Hackers Get Past Endpoint Defenses
7. Snyk: Web Application Security Explained: Risks & Nine Best Practices