Why the Browser Continues to be the Top Threat Vector Exploited by Cyber Criminals

Actively defending your users’ browsers, and not relying on them to recognize threats, using remote browser isolation is critical to protecting your network.

Ask yourself this question, “How do you interface with the internet?”

Take a second and think about it: how do you, and everyone who works for you, do your job each day? What is the one standard tool that everyone, and in most instances machines as well, uses to interact with the most extensive threat environment on the planet?

It’s the browser. Odds are you’re reading this right now via browser. I would bet my paycheck that on any given day, you and everyone that works with you, and those that you love at home, probably interact with the internet via a browser. We are still trying to figure out a way to connect our brains directly to the internet; but, for now we use the browser, folks.

Now ask yourself a couple of additional questions. “Where do threats actively operate?” “Where are your users most likely to interact with malicious content?” The answer: on the internet.

So, if we take those two elementary truths and combine them, what does that mean? It means that your users are active on the internet via a browser and are continuously operating in a real-world threat environment through it. Logic would then dictate that you extend your control plane out to that user on the internet, via the browser. It also follows that your controls and detection mechanisms, which typically reside closer to core infrastructure, do nothing to defend your security posture while your users operate in browsers you have no control over.

Essentially, this means that if you are not actively defending the user’s browser when they interface with malicious content, you are taking a significant gamble that they will defend themselves against an infection because they may be unaware that an infection is taking place. Unfortunately, the infection will quickly work its way toward your core infrastructure, compromising your network and organization.

Let’s discuss some of the more prevalent attack types that leverage the browser. Contrary to what most people think, browsers are not secure. They are simply a means of interfacing with the internet and the content users are seeking. Most people rely on threat intelligence to categorize and defend themselves from malicious links and URLs. However, threat actors have discovered that it’s not difficult to continuously create new URLs and domains with slight variances that slide right past threat intelligence software.
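To make the "slight variances" point concrete, here is an added example (not code from the original post or from Ericom) in Python. It contrasts an exact-match denylist of the kind a threat-intelligence feed supplies with a lookalike-aware check that folds common homoglyph tricks, measures edit distance to protected domains, and looks for a trusted brand name embedded in an untrusted domain. The protected domains, the denylist and the demo URLs are all constructed for illustration, and the registrable-domain logic is a deliberate simplification that ignores the public suffix list.

```python
"""Exact-match URL reputation versus a lookalike-aware check.

Added example (not Ericom's code): PROTECTED_DOMAINS, DENYLIST and the URLs
in demo() are constructed; registrable_domain() ignores the public suffix list."""
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed: domains the organisation trusts and wants protected from imitation.
PROTECTED_DOMAINS: List[str] = sorted({"example-bank.com", "corp-sso.example"})
# Constructed: an exact-match denylist of the kind a threat-intel feed supplies.
DENYLIST = {"example-bank-login.com"}

# Single-character substitutions that look alike in many fonts.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(host: str) -> str:
    """Fold common visual tricks so 'exarnple' and 'examp1e' compare equal
    to 'example'. Only used for comparison, never to rewrite the real host."""
    host = host.lower().rstrip(".")
    host = host.replace("rn", "m").replace("vv", "w")
    return host.translate(HOMOGLYPHS)


def registrable_domain(host: str) -> str:
    """Last two labels only (simplification: no public suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> Tuple[str, str]:
    """Return (verdict, reason). 'isolate' means the site is not known-bad
    but looks like an imitation, so open it in an isolated remote browser
    rather than trusting the endpoint's own browser with it."""
    host = (urlsplit(url).hostname or "").lower()
    if host in DENYLIST:
        return "block", "exact denylist hit"
    if host in PROTECTED_DOMAINS or registrable_domain(host) in PROTECTED_DOMAINS:
        return "allow", "trusted domain"
    norm_host = normalize(host)
    norm_reg = registrable_domain(norm_host)
    for trusted in PROTECTED_DOMAINS:
        t_norm = normalize(trusted)
        if norm_reg == t_norm:
            return "isolate", f"homoglyph variant of {trusted}"
        if levenshtein(norm_reg, t_norm) <= 2:
            return "isolate", f"near-variant of {trusted}"
        brand = t_norm.split(".")[0]
        if brand in norm_host:
            return "isolate", f"trusted brand '{brand}' inside untrusted domain"
    return "unknown", "no reputation data"


def demo() -> List[Tuple[str, str]]:
    """Constructed URLs: only the second one is on the exact-match denylist."""
    urls = [
        "https://login.example-bank.com/",          # legitimate subdomain
        "https://example-bank-login.com/",          # known-bad, exact match
        "https://examp1e-bank.com/auth",            # digit-for-letter swap
        "https://exarnple-bank.com/",               # 'rn' for 'm'
        "https://examplebank.com/",                 # one character removed
        "https://example-bank.com.evil.net/",       # brand as a subdomain
        "https://news.example.org/",                # unrelated, unknown site
    ]
    return [(u, classify(u)[0]) for u in urls]


if __name__ == "__main__":
    for url, verdict in demo():
        print(f"{verdict:8} {url}  ({classify(url)[1]})")
```

The exact-match list catches only the one domain it already knows; every other imitation would pass an exact-match check and be opened in the user's own browser. The lookalike check does not try to decide whether those sites are malicious; it simply recognises that it cannot vouch for them and routes them to isolation, which is the policy decision the post is arguing for.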

A realistic example of this is a simple attack method that continues to work. A user is targeted or spear-phished via a malicious link outside of common secure email channels, on a site they access via their browser. Think of sites such as LinkedIn, Facebook, Slack, and others, where a malicious link can easily entice a user to share information, most likely credentials, or to download software that is likely an executable file giving the threat actor administrative rights to the user’s machine. Because there are no controls levied on the browser, the infection reaches the edge of the network’s core infrastructure. At that point, it’s just a gamble whether the infection is detected or the user’s credentials are leveraged to cause further infection.

Another simple threat actor tactic leverages the browser to evade HTTP traffic inspection by using sophisticated phishing pages that appear genuine but contain cloaked CSS manipulations at the browser code level. For example, a threat actor uses a JavaScript obfuscation method that dynamically generates the malicious content only after the HTTP traffic has passed through an inspection engine. The malicious content is then assembled in the web browser on the endpoint, which means that security controls upstream of the browser are rendered ineffective. This attack method bypasses those controls and reaches the endpoint, effectively making the browser an agent on the machine.
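The defensive consequence of the tactic above is that an inspection engine looking at the wire bytes cannot judge a page whose content is assembled later by script. As an added example (not from the original post or from Ericom), the Python below shows a triage heuristic that a gateway could run on an HTTP response body: it does not attempt to de-obfuscate anything, it only measures how much of the page is script rather than visible content, whether the script calls runtime code-generation APIs, and whether it carries a long high-entropy string literal, and routes such responses to remote browser isolation instead of passing them through. The API list, thresholds and both sample bodies are constructed for illustration.

```python
"""Triage of an HTTP response body: route pages whose content is assembled
at runtime to remote browser isolation. Added example (not Ericom's code);
DYNAMIC_CODE_APIS, the thresholds in decide() and the two sample bodies are
constructed for illustration."""
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# APIs that turn strings into code or markup at runtime. Their presence does
# not prove malice; it proves that wire-level inspection saw an incomplete page.
DYNAMIC_CODE_APIS = (
    "eval(", "new Function(", "document.write(", "atob(",
    "unescape(", ".innerHTML", "String.fromCharCode(",
)

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
LONG_LITERAL_RE = re.compile(r"['\"]([^'\"]{40,})['\"]")


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads sit well above ordinary source."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def analyze(body: str) -> Dict:
    """Extract the features decide() reasons about from a raw response body."""
    script_text = "\n".join(SCRIPT_RE.findall(body))
    visible = TAG_RE.sub("", SCRIPT_RE.sub("", body))
    visible = re.sub(r"\s+", " ", visible).strip()
    return {
        "script_chars": len(script_text),
        "visible_chars": len(visible),
        "dynamic_apis": [api for api in DYNAMIC_CODE_APIS if api in script_text],
        "script_entropy": round(shannon_entropy(script_text), 2),
        "longest_literal": max((len(m) for m in LONG_LITERAL_RE.findall(script_text)), default=0),
    }


def decide(body: str) -> Tuple[str, List[str]]:
    """Return ('isolate' | 'pass-through', reasons). Thresholds are constructed."""
    f = analyze(body)
    reasons: List[str] = []
    if f["dynamic_apis"]:
        reasons.append("runtime code generation: " + ", ".join(f["dynamic_apis"]))
    if f["script_chars"] > 0 and f["script_chars"] > 4 * f["visible_chars"]:
        reasons.append("script dominates page; visible content is not on the wire")
    if f["longest_literal"] >= 40 and f["script_entropy"] > 4.5:
        reasons.append("long high-entropy string literal in script")
    return ("isolate" if reasons else "pass-through"), reasons


# Constructed: an ordinary page whose content is present in the wire bytes.
BENIGN_PAGE = """<html><body>
<h1>Quarterly newsletter</h1>
<p>Our facilities team has published the updated parking map and the
holiday schedule for the next quarter. Please review both documents
before the end of the month and send questions to the front desk.</p>
<footer>&copy; <span id="year"></span> Example Corp</footer>
<script>document.getElementById("year").textContent = new Date().getFullYear();</script>
</body></html>"""

# Constructed: the wire body carries almost no markup; what the user sees is
# assembled by script after inspection. The literal is a placeholder, not a
# real encoded payload.
RUNTIME_ASSEMBLED_PAGE = """<html><body><div id="app"></div>
<script>var p = atob("PLACEHOLDER_ENCODED_PAYLOAD_0123456789abcdefghijklmnopqrstuvwxyz");
document.write(p);</script></body></html>"""


if __name__ == "__main__":
    for name, body in (("benign", BENIGN_PAGE), ("runtime-assembled", RUNTIME_ASSEMBLED_PAGE)):
        verdict, why = decide(body)
        print(f"{name:18} -> {verdict}")
        for r in why:
            print("   ", r)
```

The benign newsletter passes through because its text is on the wire and its only script touches a text node. The second body is flagged on three independent signals, none of which requires understanding what the script would produce; that is the point of isolation as a control: the gateway does not need to win the decoding race, it needs to notice that the page is one it cannot vouch for and render it away from the endpoint.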

Now you might ask yourself the question, “But wouldn’t the phishing training we gave our team protect us?” Unfortunately, the answer is, “No.” A thousand other organizations that had training have been successfully phished and exploited. Phishing training is necessary to help people understand the risks, but it is not a preventive control. Additionally, detection is different from prevention. If your organization relies on the WAF and other solutions, which usually are set up in monitor mode and operate at the edge of the network, not on the internet where the threats are active, then the detection comes after the attack, which is risky to say the least.

Detection and remediation are essential and should be vital to any organization’s strategy. Still, if you are not defending the users on the internet, you are gambling on the reality that your organization might or might not detect an attack. Additionally, if that attack managed to slide by other controls and the user has shared their credentials, the likelihood that you will notice such an attack is exceptionally low, because now you have an authenticated and authorized user and agent operating in your network.

Good security means being proactive, not reactive. If an organization is proactive in its methodology and strategy, it will actively seek to push controls outside its perimeter along the lines of a zero trust approach. In doing so, it helps its users operate more securely and reduces their risk while preventing infections that are statistically known to target an organization via these methods.

Also, employing controls via the browser, the mechanism users leverage to access the internet, greatly expands the control plane for the security operations team and the organization, and reduces the reliance on humans as a defensive solution, which is an unrealistic expectation.

Over the past few years, these types of exploits and attacks have increased in frequency. And yet we continue to see organizations relying on phishing training and basic antivirus controls or detection mechanisms at the edge of the infrastructure, when we know unequivocally that it is wise to push our control plane out to the users on the internet. Five years ago, the technologies around remote browser isolation were not mature enough to do this without negatively affecting the user experience. That is no longer the case. Remote browser isolation is an effective solution that reduces risk, improves user security, minimizes threats on the internet, and extends the control plane outward to the internet, where it can be effectively employed.

If your organization is seeking to engage in a zero trust strategic approach, now is the time to start looking at some of these newer and more nuanced security solutions. Or you can continue to take the gamble, let your users operate unprotected on the open internet, and hope you detect the threat before it gets to your network; maybe you will, maybe you won’t.

Chase Cunningham

Chief Strategy Officer | Ericom Software
Creator of the Zero Trust eXtended framework and a cybersecurity expert with decades of operational experience in NSA, US Navy, FBI Cyber, and other government mission groups, Chase is responsible for Ericom’s overall strategy and technology alignment. Chase was previously VP and Principal Analyst at Forrester Research; Director of Threat Intelligence for Armor; Director of Cyber Analytics for Decisive Analytics; and Chief Cryptologic Technician, US Navy. He’s author of the Cynja series and Cyber Warfare: Truth, Tactics, and Strategies.