Attack-path mapping your applications

Contrast Security’s 2023 Cyber Bank Heists report showed that hackers and cybercrime cartels from Russia, North Korea and China have mastered the growing complexity of attack surfaces and are hiding behind that complexity to hijack application programming interfaces (APIs) and to launch attacks against customers. 

According to the report, 50% of financial institutions have experienced attacks against their APIs. Attackers love to exploit vulnerability-plagued applications and APIs, which enable them to drill holes that they can crawl through to get at your data. APIs can also be used to island hop, which occurs when an adversary hijacks an organization’s digital transformation and uses it to launch attacks against their customers and partners. To protect against this threat, you need observability. 

Can you observe whether you’re under attack — now? 

Most Chief Information Security Officers (CISOs) are unaware when their organization’s applications or APIs are under attack. For that matter, most CISOs might not know if they’ve already been attacked, which leaves a brand open to exploitation by hackers coming after an organization, its customers, its suppliers and its partners.

The reality is, adversaries get into systems primarily through application and API attacks. They manage to stay in those systems and move laterally primarily because Extended Detection and Response (XDR) platforms don’t provide visibility into the application layer. The blind spot has been observability into whether applications are vulnerable, or whether they’re in the process of being poisoned and used to launch supply chain attacks. Frankly, defenders could never see below the waterline: This is why dynamic attack-path mapping of applications is critical. 

Many, if not most, security practitioners have been unable to see the weaknesses their apps carry, can’t map out the intricate tendrils of the connections they make and don’t have the ability to detect the threats in the murky waters through which they swim. As it is, according to the 2022 Cloud-Native Cloud Security report, 97% of companies experience observability challenges with cloud-based applications. Among other problems, those challenges include:

• Insufficient visibility into how microservices interact with each other​
• Not knowing the context around critical vulnerabilities (e.g., “do we even have that library installed?”) 
• Not knowing which data stores are affected
• Not knowing if your threat models are even remotely correct
• Lack of actionable insights
• Getting detailed knowledge of specific systems or applications available for security teams
• Lack of security-focused perspective for developers

Contrast’s new Security Observability feature lets you peer below the waterline

That’s why I was thrilled when Contrast previewed new security observability that improves organizations’ visibility into their most critical applications and APIs. 

Runtime Application Security Observability provides a digital security blueprint that shows how applications work, including the attack surface and how each route invokes security mechanisms, uses dangerous functions and makes back-end connections.

As demonstrated at Black Hat in August, Contrast Security Observability will bring application attack-path mapping that shows exactly how apps are being abused or misused, answering questions such as:

• What services are used by my application?
• What APIs does my application call?
• What files does my application access?
• What databases does my application connect to?
• What backend connections are made by the application?
• Is the application currently being attacked? 
• How has the application been hijacked or polluted to attack the infrastructure of your company, as well as that of your constituency? 

This always-on attack-path mapping feature will be available in initial releases of Security Observability starting immediately, initially with limited mapping of internal-only microservices. General Availability, slated for early 2024, in January or February, will bring full attack-path mapping. When it arrives, it will deliver continuous monitoring and deep insights based on actual application behavior. By creating a security blueprint of how the application behaves — including attack surface, security mechanisms, dangerous methods and backend connections — security teams will gain ground truth.   

The capability will empower security teams with enhanced Application Security (AppSec) observability, transforming security assessments with accurate runtime insights into application architecture and software composition. This visibility is of utmost importance to threat hunters, pen testers, CISOs and incident responders. Situational awareness is paramount when it comes to providing visibility into when an application can be poisoned, whether it already has been poisoned or if it’s being used against you.

Contrast Security Observability provides these unique capabilities:

1. Early threat detection: Observability allows organizations to monitor their digital infrastructure in real time. This means they can spot abnormal behavior or potential threats as they happen or even before they escalate into a significant breach. Early detection is critical in mitigating the impact of cyberattacks.
2. Incident response: When a security incident does occur, observability provides valuable data for incident response. It helps security teams quickly understand the nature and scope of the attack, which is essential for containing it and recovering from it. This data can be used to analyze the attack vector, understand vulnerabilities and improve security measures. It allows experts to reconstruct the timeline of the attack; identify the attacker's entry points; and understand the tactics, techniques, and procedures (TTPs) used.
3. Anomaly detection: EDR and XDR platforms can analyze data and identify unusual patterns or behaviors that may indicate a security breach. By continuously monitoring network traffic, user activity and system logs, organizations can set up alerts for suspicious activities and respond proactively. The telemetry from Contrast Observability will enhance XDR platforms and provide MDR firms with visibility into adversary lateral movement within applications. Observability will enhance situational awareness per anomalous behavior of users and entities across applications. 
4. Compliance requirements: Many industries and organizations are subject to regulatory requirements that mandate strong cybersecurity measures and reporting. Cybersecurity observability helps in meeting these compliance requirements by providing detailed logs and records of security-related events.
5. Improving security posture: By continuously monitoring their systems and networks, organizations can gain insights into their vulnerabilities and weak points. This information can be used to make informed decisions about security investments and to prioritize efforts to enhance the overall security posture.
6. Threat intelligence: Observability can be combined with threat intelligence feeds to provide context around potential threats. This helps organizations understand the broader threat landscape and adapt their security strategies accordingly.
7. Continuous improvement: Cybersecurity is an ongoing process. Observability allows organizations to learn from past incidents and adapt their defenses accordingly. By analyzing historical data, they can identify trends and emerging threats, helping them stay ahead of cybercriminals.
8. Reducing dwell time: Observability can help reduce dwell time — the duration a threat actor remains undetected within a network — by quickly identifying and responding to threats, minimizing the potential damage caused by cyberattacks.
9. Application and API inventory and server map:  Observability brings the value of defense-in-depth, accurate inventory that supports teams as they’re handling high-risk software supply chain security incidents such as Log4Shell. 
10. Dynamic runtime SBOMs: You can create Software Bills of Materials (SBOMs) anywhere, anytime, incorporating real-time changes and ensuring that you always have an accurate view of your software inventory.

Contrast’s new Cybersecurity Observability will provide the visibility and insights needed to protect against cyber threats in an evolving threat landscape. In 2023, understanding behavioral anomalies of applications is paramount. With Contrast Security Observability, it’s now possible to “observe” what lurks below the waterline. 

Click here to read more about how to illuminate your AppSec with Security Observability. 

Related:

• Podcast writeup: Learn about the hidden dangers of traditional AppSec tools and why Runtime Security is replacing them (blog)
• Report: Cyber Bank Heists: Threats to the financial sector (PDF)
• Brand protection in an era of island hopping (blog)
• Your WAF doesn't have your back (blog)
• Financial cybercrime trends: Reverse BEC & ‘shoxing’ (blog)