Monthly Threat Report November 2020
NTT Ltd. Global Threat Intelligence Center
Monthly Threat Report: November 2020
hello.global.ntt

Contents
Feature article: Security in the app economy (page 3)
Spotlight article: The Trickbot takedown (page 7)
Spotlight article: Snapshot of threats to retail (page 8)
About NTT Ltd.'s Global Threat Intelligence Center (page 9)

© Copyright NTT Ltd.

Security in the app economy
Lead Analyst: Zach Jones, Sr. Director of Detection Research, WhiteHat Security, US

It used to be simple: a retailer was a retailer and a bank was a bank. Initially, the role of software in non-technology sectors stayed behind the scenes, supporting the core competencies of that industry, like inventory management for retailers and account management for banks. This is no longer the case. The trend of online consumer behavior which started in the dot-com era and accelerated after the launch of the smartphone has forced businesses to compete to deliver their customer experience in a digital wild west. Competition has forced industries to take on a new and often unfamiliar role, that of a software shop.

In every non-technology sector, we hear the same and somewhat contradictory sentiment: 'We are an X company, not a software company, but our most important differentiation is the quality of the digital experience we deliver to our customers via applications.' We are all software companies now. Acknowledging this fact is critical to understanding why traditional IT security efforts have failed to control the risks introduced by organizations pushing the delivery of their digital business capabilities to new scale at increasing velocity. HTTP is the path of least resistance for developers to expose critical business capability. This is especially important when organizations are trying to enable customer access in our 'there's an app for that' world. The problem is that HTTP represents a pipeline where benign and malicious traffic alike enter networks straight through firewalls and DMZs: a request carrying an attack payload looks, to the network, like any other request to an allowed port. The protocol was never designed for secure application delivery, so building secure HTTP applications is prone to error. Threat actors will continue to abuse these virtual front doors and windows. They are easy to access and are often the weakest link in the security chain.

Attack vectors and security spending are misaligned

According to our 2020 NTT Ltd. Global Threat Intelligence Report, 33% of observed attacks globally were application-specific and 22% were web-application based, so a total of 55% of attacks detected globally occurred at the application layer. According to Gartner Group, the 2020 Security Market Segment spend is about USD 59 billion annually. About USD 3.3 billion of that is associated with application security, or about 5.5%.

Data from the 2020 NTT Ltd. Global Threat Intelligence Report suggests the threat to application security is somewhere around 55% of all attacks. Admittedly, this is not a complete risk evaluation, but if it is even close it suggests that application security spending should be on the order of 50% or more of the security budget, instead of 5.5%. If total security market spend remains unchanged, a 50% allocation to application security would mean about USD 29 billion, roughly nine times the current figure (an increase of nearly 800%). Even the shallowest analysis suggests that initiatives associated with application security are woefully underfunded.

Application security risks just don't look like traditional IT security risks

IT security is familiar with approaches which focus on controlling known risks against known components, such as:

1. Firewalls ensuring internal resources cannot be accessed externally.
2. Port scanning for services known to expose undesired access or capability.
3. Detecting systems with vulnerable, unpatched software.

Application security does not fall into the same model as organizational controls. Application security risks can be simplified into three categories, the 'ABCs':

1. Assemble: risk inherited whenever we bring together the components we rely on as the bedrock of our applications, like OS packages, frameworks and libraries.
2. Build: risk created when we implement features without security by design or appropriate security controls.
3. Configure: risk created when we deploy our applications to enable new functionality without hardening defaults and evolving past development setups.

Traditional IT security capabilities provide some visibility into risks in the assemble and configure categories, but almost no visibility into the risks of the build category. These risks are created by the features developed to meet specific needs of the business and the functions the application performs on behalf of a user. Notably, seven of the OWASP top ten application security risks are flaws which fall into the 'build' category.

Bolt-on security controls like IDS, IPS and WAFs can be effective at helping to manage well-defined IT security risks. Unfortunately, they often have inadequate out-of-the-box capability to understand the requirements of potentially complex web applications and the risks they expose. This lack of context is especially true for IDS and IPS. WAFs can provide meaningful capability but require significant time and expertise in configuration, maintenance and monitoring. Securing a vulnerable application with bolt-on techniques alone increases operational costs and leaves some risks unmitigated.

Application security testing

Unlike functional tests built specifically for the application they support, application security tests typically take the form of general tests that expose risks which fall into some or all of the 'ABC' categories. Commonly, application security testing is conducted by in-house security staff, through software-as-a-service vendors, or by security service providers. Regardless of the method of delivery, a trifecta of techniques has emerged: DAST, SAST and SCA. Understanding the benefits and challenges of each technique will help you maximize your return on investment.

Dynamic Application Security Testing (DAST)

DAST tests a running application from the perspective of an attacker. The tools and techniques are similar to those used by threat actors. The most common DAST tool is a vulnerability scanner which crawls the user interface in an attempt to discover the functionality of the backend server. The tool manipulates requests to the server to include simulated attacks. The goal is to cause the application to exhibit behavior which demonstrates evidence that the application is vulnerable to common categories of application security flaws.

Automated DAST is best combined with manual testing to detect vulnerabilities across the breadth of the application. Automation enables the manual tester to focus on more complex functionality, including flaws which may exist within the business logic and security controls of an application.

DAST provides a view into the exploitable risks which are discoverable by an external threat actor who does not have inside knowledge of your application. It is an important baseline of your immediate exposures and informs the actions necessary to reduce your risk profile. Automated DAST scanning will discover a different vulnerability profile than forty hours of manual assessment. Always consider the results in the context of the threat model which corresponds to the level of resources applied to your DAST evaluations. Threat actors may be willing to devote far more than forty hours to attacking a high-value application.

Benefits:

1. Vulnerabilities detected are very likely to be exploitable risks worth paying attention to.
2. Continuously scanning production applications provides 'always-on' detection for newly introduced flaws and evolving threats.
3. Can confirm (or deny) the effectiveness of add-on security controls, application monitoring and vulnerability remediation efforts.
4. Mostly agnostic to your application's technology stack.

Challenges:

1. Applications must be running in environments which tools and testers can reliably access. User accounts are required for best results. Coordinating environments and access can be difficult at the scale of a large organization.
2. Testing in production engenders an overly cautious approach which attackers do not share, leaving a potential gap between the vulnerabilities detectable by the good guys and those detectable by the bad guys.
3. It is often difficult to achieve 'complete' coverage of all of a large application's complex functionality within a short release cycle. Since the testing is done without internal knowledge, it is difficult for the tester to know for sure that 'everything' has been tested.

Static Application Security Testing (SAST)

SAST analyses the application's source code. Automated analysis can be divided into three types: pattern matching, semantic analysis and runtime simulation. Each can provide value, but it is important to know that not all 'code scanners' are created equal. Pattern matching is easy to implement and runs quickly but suffers from a tradeoff between false positives and false negatives. More sophisticated analysis will have a higher implementation bar and will run