COVID-19 continues to significantly embolden cybercriminals’ phishing and fraud efforts, according to research from F5 Labs.
The report found that phishing incidents rose 220% during the height of the global pandemic compared to the yearly average. The number of phishing incidents in 2020 is now set to increase 15% year-on-year, though this could soon change as second waves of the pandemic spread.
The three primary objectives for COVID-19-related phishing emails were identified as fraudulent donations to fake charities, credential harvesting and malware delivery.
Attackers’ brazen opportunism was in further evidence when certificate transparency logs (a record of all publicly trusted digital certificates) were examined.
The number of certificates using the terms “covid” and “corona” peaked at 14,940 in March, which represents a massive 1102% increase on the month before.
“The risk of being phished is higher than ever and fraudsters are increasingly using digital certificates to make their sites appear genuine,” said David Warburton, Senior Threat Evangelist at F5 Labs.
“Attackers are also quick to jump onto emotive trends and COVID-19 will continue to fuel an already significant threat. Unfortunately, our research indicates that security controls, user training and overall awareness still appear to be falling short across the world.”
Names and addresses of phishing sites
As per previous years’ research, fraudsters are becoming ever more creative with the names and addresses of their phishing sites.
In 2020 to date, 52% of phishing sites have used target brand names and identities in their website addresses. By far the most common brand to be targeted in the second half of 2020 was Amazon.
Additionally, Paypal, Apple, WhatsApp, Microsoft Office, Netflix and Instagram were all in the top 10 most frequently impersonated brands.
By tracking the theft of credentials through to use in active attacks, criminals were attempting to use stolen passwords within four hours of phishing a victim. Some attacks even occurred in real time to enable the capture of multi-factor authentication (MFA) security codes.
Meanwhile, cybercriminals also got more ruthless in their bid to hijack reputable, albeit vulnerable, URLs – often for free. WordPress sites alone accounted for 20% of generic phishing URLs in 2020. The figure was as low as 4.7% in 2017.
Furthermore, cybercriminals are increasingly cutting costs by using free registrars such as Freenom for certain country code top-level domains (ccTLDs), including .tk, .ml, .ga, .cf, and .gq. As a case in point, .tk is now the fifth most popular registered domain in the world.
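The certificate transparency observation above (certificates with "covid" or "corona" in their names spiking month over month) and the brand-in-hostname finding are both things a defender can watch for directly in CT data. The following added example (not F5 Labs code) runs that triage over a small set of constructed CT entries: it counts keyword hits per month, computes the month-over-month increase, flags hostnames that embed a brand name without being that brand's own registrable domain, and notes the free ccTLDs named in the report. The keyword, brand and ccTLD lists and all entries are assumptions constructed for the example; the brand check treats the second-from-last label as the registrable domain, which is a simplification for multi-part TLDs such as co.uk.

```python
"""Triage certificate transparency (CT) log entries for pandemic keywords,
brand impersonation and free ccTLDs. Added example; all entries are constructed."""
from collections import Counter
from datetime import datetime

# Constructed sample of CT entries: (not_before timestamp, certified name)
CT_ENTRIES = [
    ("2020-02-03T10:00:00Z", "covid-relief-fund.tk"),
    ("2020-02-20T09:30:00Z", "shop.example.com"),
    ("2020-03-01T11:00:00Z", "corona-update-login.ml"),
    ("2020-03-05T12:00:00Z", "covid19-test-kit.ga"),
    ("2020-03-07T08:15:00Z", "amazon-secure-verify.cf"),
    ("2020-03-11T14:00:00Z", "paypal.account-check.gq"),
    ("2020-03-19T16:45:00Z", "covid-donate.example.net"),
    ("2020-03-28T17:00:00Z", "mail.example.org"),
]

KEYWORDS = ("covid", "corona")                       # terms from the report
BRANDS = ("amazon", "paypal", "apple", "whatsapp",    # top impersonated brands
          "microsoft", "netflix", "instagram")
FREE_CCTLDS = (".tk", ".ml", ".ga", ".cf", ".gq")    # Freenom ccTLDs


def month_key(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m")


def keyword_counts_by_month(entries, keywords=KEYWORDS):
    """Count certificates whose name contains any keyword, grouped by month."""
    counts = Counter()
    for ts, name in entries:
        if any(k in name.lower() for k in keywords):
            counts[month_key(ts)] += 1
    return dict(counts)


def percent_increase(counts, prev_month, month):
    """Month-over-month change in percent; None when the previous month had no hits."""
    prev = counts.get(prev_month, 0)
    if prev == 0:
        return None
    return round((counts.get(month, 0) - prev) / prev * 100, 1)


def brand_impersonation(entries, brands=BRANDS):
    """Names that embed a brand but whose registrable domain is not brand.<tld>."""
    hits = []
    for _, name in entries:
        labels = name.lower().split(".")
        for b in brands:
            if any(b in label for label in labels) and labels[-2] != b:
                hits.append((name, b))
    return hits


def free_cctld(name):
    return name.lower().endswith(FREE_CCTLDS)


def triage(entries):
    """Attach every reason a name looks like phishing infrastructure."""
    brand_hits = dict(brand_impersonation(entries))
    flagged = []
    for _, name in entries:
        reasons = []
        if any(k in name.lower() for k in KEYWORDS):
            reasons.append("pandemic keyword")
        if name in brand_hits:
            reasons.append("impersonates " + brand_hits[name])
        if free_cctld(name):
            reasons.append("free ccTLD")
        if reasons:
            flagged.append((name, reasons))
    return flagged


if __name__ == "__main__":
    counts = keyword_counts_by_month(CT_ENTRIES)
    print("keyword certs per month:", counts)
    print("Feb->Mar increase: %s%%" % percent_increase(counts, "2020-02", "2020-03"))
    for name, reasons in triage(CT_ENTRIES):
        print(name, "->", ", ".join(reasons))
```

In production the same functions would be fed from a CT log monitor feed rather than a hard-coded list, and the brand list would be the organisation's own names plus common typo variants; a hit is a lead for takedown or blocking, not proof of phishing on its own.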
Hiding in plain sight
2020 also saw phishers ramp up their bid to make fraudulent sites appear as genuine as possible. Most phishing sites leveraged encryption, with a full 72% using valid HTTPS certificates to seem more credible to victims. This year, 100% of drop zones – the destinations of stolen data sent by malware – used TLS encryption (up from 89% in 2019).
Combining incidents from 2019 and 2020, 55.3% of drop zones were additionally reported to use a non-standard SSL/TLS port. Port 446 was used in all instances bar one. An analysis of phishing sites found 98.2% using standard ports: 80 for cleartext HTTP traffic and 443 for encrypted SSL/TLS traffic.
The future of phishing
According to recent research from Shape Security, which was integrated with the Phishing and Fraud report for the first time, there are two major phishing trends on the horizon.
As a result of improved bot traffic (botnet) security controls and solutions, attackers are starting to embrace click farms.
This entails dozens of remote “workers” systematically attempting to log onto a target website using recently harvested credentials. The connection comes from a human using a standard web browser, which makes fraudulent activity harder to detect.
Even a relatively low volume of attacks has an impact. As an example, Shape Security analysed 14 million monthly logins at a financial services organisation and recorded a manual fraud rate of 0.4%. That is the equivalent of 56,000 fraudulent logon attempts, and the numbers associated with this type of activity are only set to rise.
Researchers also recorded an increase in the volume of real-time phishing proxies (RTPP) that can capture and use MFA codes. The RTPP acts as a person-in-the-middle and intercepts a victim’s transactions with a real website.
Since the attack occurs in real time, the malicious website can automate the process of capturing and replaying time-based authentication such as MFA codes. It can even steal and reuse session cookies.
Recent real-time phishing proxies in active use include Modlishka and Evilginx2.
“Phishing attacks will continue to be successful as long as there is a human that can be psychologically manipulated in some way. Security controls and web browsers alike must become more proficient at highlighting fraudulent sites to users,” Warburton concluded.
“Individuals and organisations also need to be continuously trained on the latest techniques used by fraudsters. Crucially, there needs to be a big emphasis on the way attackers are hijacking emerging trends such as COVID-19.”
The US Cybersecurity and Infrastructure Security Agency (CISA) has released a list of 25 vulnerabilities Chinese state-sponsored hackers have been recently scanning for or have exploited in attacks.
“Most of the vulnerabilities […] can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access or for external web services, and should be prioritized for immediate patching,” the agency noted.
The list of vulnerabilities exploited by Chinese hackers
The list is as follows:
The vulnerability list they shared is likely not complete, as Chinese state-sponsored actors may use other known and unknown vulnerabilities. All network defenders – but especially those securing critical systems in organizations on which US national security and defense depend – should consider patching these as a priority.
Mitigations are also available
If patching is not possible, the risk of exploitation for most of these can be lowered by implementing mitigations provided by the vendors. CISA also advises implementing general mitigations like:
- Disabling external management capabilities and setting up an out-of-band management network
- Blocking obsolete or unused protocols at the network edge and disabling them in device configurations
- Isolating Internet-facing services in a network DMZ to reduce the exposure of the internal network
- Enabling robust logging of Internet-facing services and monitoring the logs for signs of compromise
The agency also noted that the problem of data stolen or modified before a device has been patched cannot be solved only by patching, and that password changes and reviews of accounts are a good practice.
Additional “most exploited vulnerabilities” lists
Earlier this year, CISA released a list of old and new software vulnerabilities that are routinely exploited by foreign cyber actors and cyber criminals, the NSA and the Australian Signals Directorate released a list of web application vulnerabilities that are commonly exploited to install web shell malware, and Recorded Future published a list of ten software vulnerabilities most exploited by cybercriminals in 2019.
Admins and network defenders are encouraged to peruse them and patch those flaws as well.
F5 introduced Shape AI Fraud Engine (SAFE), a new SaaS solution that eliminates fraudulent online transactions that get past existing fraud tools.
Leveraging Shape’s industry leading expertise, SAFE utilizes a battle-tested AI engine to evaluate each online transaction across a variety of telemetry, environmental, and behavioral signals to accurately understand user intent and block human fraudsters—before the fraud occurs.
Legacy fraud tools rely on weak data signals and static rules to try to catch increasingly clever fraudsters. Often, these tools can’t clearly determine if the user’s intent is good or bad, and resort to putting additional burden on good users to prove their legitimacy through hurdles like multi-factor authentication (MFA) challenges. The result: bad experiences for good users, as well as financial losses and frustration when fraudsters get by ineffective defenses.
In contrast, SAFE is a fully managed, AI-powered offering that stops fraudsters in real time, resulting in up to 90% less friction for known good users. As a fully managed service that can detect and block evolving threats, SAFE protects modern and traditional applications, helping organizations accelerate digital efforts and lessen the often-overwhelming workload on fraud teams.
The impact of modern fraud
Businesses need a totally new approach to online fraud prevention. Most find they are still losing tens of millions of dollars annually to online fraud, despite a growing collection of fraud tools in their arsenal.
Juniper Research estimates that online fraud losses—from sources including new applicant and account fraud, account takeover fraud, loyalty program fraud, and digital payments fraud—are projected to exceed $48 billion per year by 2023.
“The need for innovation in fraud prevention becomes more urgent when you factor in the accelerated shift to online channels driven by the current global health situation,” said Sumit Agarwal, Vice President, Analytic Products at F5, and co-founder of Shape.
“We’re seeing fraudsters launch increasingly sophisticated attacks that take advantage of COVID-driven shifts and overall economic distress.”
How SAFE overcomes today’s industry challenges
Stops fraud, faster: SAFE identifies fraudulent transactions along the entire user journey, from new account creation and login to checkout, send payment, and other actions. SAFE uses AI to accurately detect and block malicious intent, and has the intelligence to help applications scale and adapt performance, security, and other important services as needed.
SAFE typically identifies twice as much fraud per month when compared to other current fraud tools. One large North American bank detected 250% more account takeover fraud in 60 days with SAFE than with their existing tools, resulting in the elimination of an additional $10M in fraud losses per year.
Reduces friction for real customers: Fear of fraud can cause organizations and application owners to impose friction on legitimate users because their existing fraud tools can’t accurately distinguish real customers from fraudsters.
Through a combination of proprietary telemetry and advanced AI, SAFE significantly reduces friction on legitimate activity by safely removing MFA challenges for known good users.
Increases effectiveness of fraud teams: SAFE actively blocks fraud without the need for fraud teams to write or maintain rules, and is delivered as a fully managed service, with ongoing tuning done by Shape fraud experts.
In addition, by stopping fraud at the application perimeter, SAFE reduces the amount of time and resources fraud teams have to expend on manual investigations. For one customer, SAFE identified that 67% of fraud cases could be safely blocked instead of investigated.
For another, SAFE identified 33,000 malicious transactions in a six-week period that could be blocked instead of investigated.
Leveraging the power of the shape network
Application owners face two core sources of online fraud against their applications: bots and other forms of malicious or abusive automation, and real humans with bad intent.
Through machine learning, Shape distinguishes automated traffic (bots) from humans, as well as malicious traffic from benign, and provides dynamic defenses to prevent fraud and abuse, while enhancing user experience.
SAFE leverages analytic insights gained from defending many of the largest and most attacked applications in the world to accurately identify and stop fraudsters in real time.
SAFE is part of a comprehensive solution set from F5 that helps modern applications protect themselves with the aid of AI. Today’s adaptive applications grow, shrink, defend, and heal themselves based on the environment they’re in and how they’re being used, which can enable organizations to increase revenue, reduce costs, improve operations, and better protect users.
F5 Networks announced the appointment of Elizabeth Buse, former CEO of Monitise PLC, to its Board of Directors. Ms. Buse, 59, joins F5’s Board, effective today, and brings broad financial services industry expertise and public company board experience.
With Ms. Buse’s appointment, F5’s Board expands to 12 members, 10 of whom are independent.
“Elizabeth’s experience as a CEO of a global financial services technology company and her understanding of both the internal and consumer-facing application challenges faced by companies of that scale will be immensely valuable perspective for F5 and our Board,” said François Locoh-Donou, president and CEO of F5.
“We are looking forward to her participation as a board member and to the insights she will bring as we continue to evolve our application security and delivery offerings to support the increasing demands our customers and their applications face daily.”
Ms. Buse served as Co-Chief Executive Officer and Chief Executive Officer of Monitise PLC during 2014 and 2015, after retiring from Visa, Inc., a leading global payments technology company, as Executive Vice President of Global Services, a position she held from 2013 to 2014.
Ms. Buse held various senior leadership positions at Visa during her 16-year tenure, including Group President for Asia-Pacific, Central Europe, Middle East, and Africa.
In addition, Buse has served on the board of U.S. Bancorp since 2018. She previously served as a director for Monitise PLC and for Travelport Worldwide Ltd.
Ms. Buse holds an MBA from the Haas School of Business at the University of California, Berkeley, was a Del Amo Fellow in Spanish Linguistics at Universidad Complutense de Madrid, and graduated magna cum laude with a BA from the University of California, Los Angeles.
BT Security has announced the key partners that it will work with going forward to provide industry-leading managed security services to customers. The decision follows BT’s largest-ever appraisal of its security suppliers, and a comprehensive review of the security vendor ecosystem as a whole.
BT’s decision to refine its security partner base was driven by the recognition that many of its customers find it difficult to navigate today’s complex security landscape.
The huge range of suppliers and products in the market can be bewildering, and lead to the adoption of multiple overlapping systems. This in turn can render security estates difficult to manage, burdened with unnecessary costs and, ultimately, with lower overall levels of protection.
BT Security is reflecting its customers’ desire to reduce complexity by having a leaner set of partners and clearly laying out its view of the best providers for specific security requirements.
The confirmed partners were agreed following a detailed evaluation of their respective capabilities across all security control and threat management technologies. The final selection provides BT’s view of the security market’s leading providers, who will support a harmonized portfolio of solutions to its customers going forward.
Kevin Brown, Managing Director of BT Security, said: “Our new security partner ecosystem showcases the benefits of BT Security as a Managed Security Services Provider. We’re able to use our deep experience and insight of the security ecosystem to help our customers navigate what can be an incredibly confusing market.
“We’re also ensuring that BT Security customers will benefit from working with the best suppliers from across the security industry.”
McAfee, Palo Alto Networks and Fortinet were selected as BT Security’s ‘Critical Partners’. Each of those companies will provide a range of services and products that will be incorporated into BT Security’s global portfolio, as well as providing holistic support to its commercial and operational activities.
BT Security will also work with these partners to develop a roadmap of security solutions which continue to reflect evolving customer demands and integrate the latest developments in security automation.
Lynn Doherty, Executive Vice President of Global Sales and Marketing at McAfee, said: “We’re proud to partner with BT to fight against cybercrime and accelerate new business environments for our customers as they look for more solution integrations, deeper engagement and faster modernization efforts.
“Together through our strategic service provider partners, like BT, McAfee is able to deliver world class security services that enable organizations to evolve their defenses into areas like Secure Access Service Edge (SASE) and Extended Detection and Response (XDR).”
Alex Zinin, VP, Global Service Provider Business at Palo Alto Networks, said: “We’ve been working closely with BT Security for several years to bring innovative cybersecurity solutions to our joint customers.
“We are honored to be selected as one of their critical partners to continue this close collaboration, in recognition of the breadth of our security capabilities across multiple market segments. This comes at a time when it’s never been more essential for communications and security to be closely aligned to help all organisations with staff working remotely.
“We look forward to working together as we strive to make each day safer and more secure than the one before.”
John Maddison, Executive Vice President of Products and Chief Marketing Officer at Fortinet, said: “Digital Innovation is disrupting all industries, markets, and segments, leading to increased risk as cyber threats take advantage of this disruption.
“To protect against known advanced threats as well as unknown sophisticated attacks, Fortinet enables organizations to apply security anywhere and protect all edges – including WAN, cloud, data center, endpoint, identity, and home – while reducing the number of required products to save costs and remove complexity.
“We’re proud to partner with BT Security to help customers address the most critical security challenges and protect data across the entire digital infrastructure.”
Microsoft, IBM and Cisco were all confirmed as ‘Strategic Partners’ for BT Security. This categorization reflects not only their relationship with BT Security, but also their broader activities and remit across the whole of BT.
BT Security also confirmed a further nine ‘Ecosystem Partners’, who will be incorporated into its global portfolio of solutions for customers due to their complementary technology capabilities. These partners are Skybox, Forescout, Zscaler, Check Point, CrowdStrike, Okta, Qualys, Netscout and F5.
Through deeper strategic relationships, BT Security and its partners will work together to provide better customer experience and protection, while those selected partners will also be BT Security’s main collaborators as they look to develop future customer solutions.
BT Security will regularly review the partnerships to monitor the latest vendor developments, while continuing to assess the wider industry for new and emergent security companies and technologies.
Attackers are bypassing a mitigation for the BIG-IP TMUI RCE vulnerability (CVE-2020-5902) originally provided by F5 Networks, NCC Group’s Research and Intelligence Fusion Team has discovered.
On CVE-2020-5902 (K52145254) @TeamAresSec reported publicly at 18:24 the mitigation could be bypassed, we saw it used in the wild at 12:39 for the first time – upgrade don’t mitigate – https://t.co/sSr4JIZwu3 pic.twitter.com/PMfG0rCpyQ
— NCC Group Infosec (@NCCGroupInfosec) July 7, 2020
“Early data made available to us, as of 08:05 on July 8, 2020, is showing of ~10,000 Internet exposed F5 devices that ~6,000 were made potentially vulnerable again due to the bypass,” they warned.
F5 Networks has updated the security advisory to reflect this discovery and to provide an updated version of the mitigation. The advisory has also been updated with helpful notes regarding the impact of the flaw, the various mitigations, as well as indicators of compromise.
CVE-2020-5902 exploitation attempts
CVE-2020-5902 was discovered and privately disclosed by Positive Technologies researcher Mikhail Klyuchnikov.
F5 Networks released patches and published mitigations last Wednesday and PT followed with more information.
Security researchers were quick to set up honeypots to detect exploitation attempts and, a few days later, after several exploits had been made public, the attempts started.
Some were reconnaissance attempts, some tried to deliver backdoors, DDoS bots, coin miners, web shells, etc. Some were attempts to scrape admin credentials off vulnerable devices in an automated fashion.
There’s also a Metasploit module for CVE-2020-5902 exploitation available (and in use).
Any organization that applied the original, incomplete mitigation instead of patching their F5 BIG-IP boxes should take action again:
🚨 For those orgs who applied the F5 BIG-IP and BIG-IQ mitigation rather than patching 🚨
there’s a bypass to the mitigation being used in the wild now.
— Kevin Beaumont (@GossiTheDog) July 8, 2020
this is not good. If you applied the workaround… you need to patch! (or finally isolate your admin interface) https://t.co/RlWb61qZoh
— SANS ISC (@sans_isc) July 8, 2020
They should also check whether their devices have been compromised in the interim.
F5 unveiled Silverline Shape Defense, a security solution that protects websites from the rising tide of fake internet traffic.
With this new fully managed service, customers can better focus on their users and safeguard businesses against bots, credential stuffing, scraping, and other automated attacks that result in fraud and abuse—leading to compromised efficiency, loss of revenue, and damage to the brand.
Silverline Shape Defense uses artificial intelligence to accurately determine in real-time if an application request is from a human or a bot, and further differentiate between a bad actor and authorized individual.
This approach stops bad traffic without introducing login friction for legitimate users. Businesses benefit from reduced online fraud losses, lowered operating costs, and an improved user experience. Silverline Shape Defense leverages the power of the entire Shape network which blocks over one billion application attacks a day.
With the launch of Silverline Shape Defense, customers can now protect their applications with an integrated, comprehensive set of fully managed security solutions that also include Silverline DDoS Protection, Silverline Web Application Firewall, and Silverline Threat Intelligence.
“The addition of Shape Defense on Silverline will allow our customers to protect their applications and digital initiatives against malicious cyberattacks without the overhead of a large security team, like those at a typical Fortune 500 company,” said Gail Coury, Silverline VP and GM at F5.
“F5’s Silverline managed security services improve not only application security and performance but also bridge the resources gap of skilled cybersecurity professionals that are needed to address the latest cyber threats in real-time.”
Silverline Shape Defense helps organizations protect their applications quickly and easily. The solution:
- Can be deployed in 30 minutes or less, without advanced application security expertise
- Determines if login attempts are being made by real users instead of bots
- Is entirely seamless and transparent to real users
- Features an easy-to-use admin interface that illuminates site traffic and how it is being protected
- Offers an entirely cloud-based solution as a fully managed service: no hardware, nothing to install, and always up to date
F5 Silverline Managed Services deliver expert protection to businesses around the world, including the following benefits:
- Comprehensive application security, including industry-leading anti-bot, WAF, and DDoS services from a single vendor
- Simplified buying, deployment, and ongoing support, including 24×7 Security Operations Center resources
- One integrated portal provides a single view for all Silverline services, including configuration proxy and routing, visibility into threat details, attack analytics, and actions taken by SOC experts
- A global application security footprint, with F5 Silverline Managed Services local points of presence in geographies around the world
In January, F5 completed its acquisition of Shape Security to add protection from automated attacks, botnets, and targeted fraud to F5’s portfolio of application services. Silverline Shape Defense is the first deliverable in a long-term strategy to provide Shape services to organizations of all sizes and in various industries.
Attackers are actively trying to exploit CVE-2020-5902, a critical vulnerability affecting F5 Networks‘ BIG-IP multi-purpose networking devices, to install coin-miners, IoT malware, or to scrape administrator credentials from the hacked devices.
CVE-2020-5902 is a critical remote code execution vulnerability in the configuration interface (aka Traffic Management User Interface – TMUI) of BIG-IP devices used by some of the world’s biggest companies.
To exploit CVE-2020-5902, an attacker needs to send a specifically crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.
“By exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution. The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network,” the researcher noted.
“RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation. This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan. Fortunately, most companies using the product do not enable access to the interface from the internet.”
Shodan shows around 8,500 vulnerable devices available on the internet, nearly 40% of which are in the U.S.
F5 Networks published security advisories for both flaws last Wednesday, just as the U.S. was looking forward to the long Independence Day weekend.
Both the company and the U.S. Cyber Command urged admins on Friday to check whether their F5 BIG-IP web interfaces were exposed on the internet and to implement the offered patches before the weekend starts.
As of this morning we are seeing an uptick in RCE attempts against our honeypots, using a combination of either the public Metasploit module, or similar via Python. Also a large wave of attacks coming from 🇨🇳 which do a ping back via:
— Rich Warren (@buffaloverflow) July 6, 2020
What to do?
According to F5 Networks, BIG-IP networking devices are used as server load balancers, application delivery controllers, access gateways, etc. by 48 of the Fortune 50 companies. They are used by ISPs and governments.
As noted before, F5 Networks released fixed software versions last week as well as helpful risk mitigation advice if patching is impossible at this moment.
For organizations that didn’t get around to any of it, Microsoft cybersecurity pro Kevin Beaumont offers the following advice:
So people are scraping secrets (credentials) off BIG-IP boxes in an automated fashion. If you didn’t patch before the weekend I think you will need to rotate creds and check logs after patching when you’re back in work.
— Kevin Beaumont (@GossiTheDog) July 5, 2020
SANS ISC handler Didier Stevens has also provided helpful links and advice.
Applications are a gateway to valuable data, so it’s no wonder they are one of attackers’ preferred targets.
And since modern applications aren’t a monolithic whole but consist of many separate components “glued together” over networks, attackers have at their disposal many “doors” through which they can attempt access to the data.
Easy targets will remain popular
Some of these doors are more popular than others. According to the latest Application Protection Report by F5 Networks, attackers love to:
“PHP is a widespread and powerful server-side language that’s been used in 80% of sites on the web since 2013. It underpins several of the largest web applications in the world, including WordPress and Facebook,” F5 analysts explained the attraction.
2. Engage in injection attacks and formjacking (the latter especially when targeting the retail sector).
In 2019, formjacking of payment cards was responsible for 87% of web breaches and 17% of known breaches in total (up from 71% and 12% in 2018). In 2019, the retail sector was the most significant formjacking target: 81% of retail breaches were from formjacking attacks, while nearly all other sectors tended to be breached most often through the access tier.
“The lesson is clear: for any organization that accepts payment card via the web, their shopping cart is a target for cyber-criminals,” the analysts pointed out.
3. Get access to accounts (and especially email accounts) via phishing, brute forcing, credential stuffing or using stolen credentials.
“Access tier attacks are any that seek to circumvent the legitimate processes of authentication and authorization that we use to control who gets to use an application, and how they can use it. The result of this kind of attack is a malicious actor gaining entry to a system while impersonating a legitimate user. They then use the legitimate user’s authorization to accomplish a malicious goal— usually data exfiltration,” the analysts explained.
Attackers use a number of tactics to keep these attacks unnoticed, but organizations also have a lot of defensive options at their disposal to prevent them.
4. Go after unmonitored, vulnerable, poorly secured or misconfigured APIs.
“In the days of monolithic apps, whatever core business logic generated value needed to be supported by a user interface, storage, and other meta-functions. Now it is sufficient to develop a single specialized service, and use APIs to either outsource other functions to bring an app to market, offer the service to other app owners, or both,” the analysts explained.
Their widespread use makes them a big target, and a combination of factors makes them rich targets:
- They are often configured with overly broad permissions
- They lack visibility and monitoring.
There are solutions to these problems
Attackers go where the data is, and that’s why organizations in each sector/industry should develop risk-based security programs and tailor controls and architecture to reflect the threats they actually face, the analysts advise.
To counter access attacks, organizations should implement multi-factor authentication where fitting and possible, but should also consider:
- Checking passwords against a dictionary of default, stolen, and well-known passwords
- Making sure the system can detect and prevent brute force attacks by, for example, using CAPTCHA, slowing down sessions, setting up alarms, etc.
- Creating simple methods for users to report suspected phishing
- Encrypting or eliminating confidential data from the organization’s email caches
- Enabling logging (to be able to discover what the attackers did when they gained access).
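Three of the access-tier controls just listed (checking passwords against a dictionary of default and well-known passwords, slowing down and alarming on brute force, and logging what happened) can be shown together in one login guard. The following is an added example, not code from the report or from F5: it keeps a sliding window of failures per account and per source address, applies a progressive delay, blocks and raises an alarm once a threshold is crossed, and logs every decision. The weak-password set, thresholds, credentials and attempt stream are constructed assumptions; a real deployment would use a breached-password corpus and a persistent store.

```python
"""Login guard: weak-password denylist, sliding-window brute-force detection
with progressive delay and alarms, and per-decision logging.
Added example; credentials, thresholds and attempts are constructed."""
from collections import defaultdict, deque
import logging

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("auth")

# Constructed denylist standing in for a breached/default-password corpus
WEAK_PASSWORDS = {"password", "123456", "admin", "welcome1", "qwerty"}

WINDOW_SECONDS = 300   # sliding window for counting failures
USER_THRESHOLD = 5     # failures per account in the window -> block + alarm
IP_THRESHOLD = 20      # failures per source address in the window -> block + alarm

# Constructed accounts; a real system compares against salted password hashes
VALID_CREDENTIALS = {"alice": "correct-horse-battery", "bob": "Tr0ub4dor&3x"}


def password_acceptable(password):
    """Reject dictionary passwords (case-insensitively) and very short ones."""
    return password.lower() not in WEAK_PASSWORDS and len(password) >= 8


class LoginGuard:
    def __init__(self, valid_credentials):
        self.valid = valid_credentials
        self.by_user = defaultdict(deque)   # username -> failure timestamps
        self.by_ip = defaultdict(deque)     # source ip -> failure timestamps
        self.alarms = []

    @staticmethod
    def _prune(q, now):
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def delay_for(self, user, now):
        """Progressive delay in seconds: doubles per recent failure, capped at 30."""
        q = self.by_user[user]
        self._prune(q, now)
        return 0 if not q else min(2 ** (len(q) - 1), 30)

    def attempt(self, user, password, ip, now):
        uq, iq = self.by_user[user], self.by_ip[ip]
        self._prune(uq, now)
        self._prune(iq, now)
        # Block before checking the password so a locked account leaks nothing
        if len(uq) >= USER_THRESHOLD or len(iq) >= IP_THRESHOLD:
            log.info("blocked user=%s ip=%s t=%s", user, ip, now)
            return "blocked"
        if self.valid.get(user) == password:
            log.info("success user=%s ip=%s t=%s", user, ip, now)
            return "ok"
        uq.append(now)
        iq.append(now)
        log.info("failure user=%s ip=%s t=%s delay=%ss",
                 user, ip, now, self.delay_for(user, now))
        if len(uq) == USER_THRESHOLD:
            self.alarms.append("brute force against %s from %s at t=%s" % (user, ip, now))
        if len(iq) == IP_THRESHOLD:
            self.alarms.append("credential stuffing from %s at t=%s" % (ip, now))
        return "fail"


# Constructed attempt stream: (seconds, user, password, source ip)
ATTEMPTS = [
    (0, "alice", "password", "203.0.113.9"),
    (1, "alice", "123456", "203.0.113.9"),
    (2, "alice", "qwerty", "203.0.113.9"),
    (3, "alice", "welcome1", "203.0.113.9"),
    (4, "alice", "letmein", "203.0.113.9"),
    (5, "alice", "correct-horse-battery", "203.0.113.9"),  # right password, but locked
    (6, "bob", "Tr0ub4dor&3x", "198.51.100.7"),             # legitimate login
]


def simulate(attempts=ATTEMPTS):
    """Run the attempt stream; return per-attempt outcomes and raised alarms."""
    guard = LoginGuard(VALID_CREDENTIALS)
    results = [guard.attempt(u, p, ip, t) for t, u, p, ip in attempts]
    return results, guard.alarms


if __name__ == "__main__":
    outcomes, alarms = simulate()
    print(outcomes)
    print(alarms)
```

The delay is applied by the caller (sleep or a queued response) rather than inside the guard, so the same object can be used in tests and in an event loop; the alarms list is where a SIEM hook or pager call would go.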
Spotting and foiling injection and formjacking attacks can be done by securing servers, patching injection vulnerabilities, employing change control, using web application firewalls (WAFs), and testing and watching all third-party components on sites with forms that accept critical information, and so on.
But organizations should be aware that the injection landscape is constantly changing, and they have to follow the trends and adapt.
Finally, organizations can mitigate the risk of API attacks by:
- Making (and maintaining) an inventory of their APIs
- Deploying authentication for them and storing credentials securely
- Limiting their permissions
- Monitoring them (by logging connections and reviewing them)
- Encrypting the API connections
- Testing APIs
- Implementing API security tools.
Informed by customer use cases, prominent industry attack practices, and threat intelligence from F5 Labs, F5’s extensive portfolio safeguards all applications without impacting the end-user experience or slowing time-to-market.
As a leader in WAF and API security technology, F5 delivers application security with consistent policies and controls across hybrid- and multi-cloud environments.
“Our security strategy is rooted in what customers are trying to accomplish—optimum app performance with maximized uptime, lower overall costs, and reduced losses due to fraud or abuse,” said John Morgan, VP and GM of Security at F5.
“Security remains a key area where we see conflict between increasing business velocity and implementing adequate protections. F5’s application security solutions free developers to focus on the application business logic and customer experience while also providing world-class threat protection with policy and control consistency across on-prem and cloud environments.”
Digital transformation efforts often result in hundreds of apps hosted across multiple clouds and on-premises. Modern architectures include distributed microservices, containers, and APIs. Combined, these have radically changed (and increased) the attack surface for applications.
Simultaneously, CI/CD workflows make it critical for security to be addressed throughout the life of an app, as the cycle time for moving apps from development to production is declining rapidly.
The challenge, then, is how to manage security policies across multiple environments with both consistent controls and operational efficiencies. IT personnel must be equipped with better tools such as machine learning and AI to protect against increasingly sophisticated attacks on applications and APIs.
F5’s application security portfolio spans four solution areas that correlate directly to the areas organizations must protect to deliver applications and services: Application Layer Security; Trusted Application Access; Application Infrastructure Security; and Intelligent Threat Services.
Application layer security guards against application attacks
Application layer security comprises security at or near the application, typically referring to layers 4 through 7 of the OSI model. This area focuses on protecting applications against exploits, deterring unwanted bots and other automated attacks, and reducing utilization costs in the cloud.
F5 solutions guard against application threats, such as application layer denial of service, malicious scripting, and injection attacks.
Further, with the Shape acquisition F5 has the ability to provide game-changing defenses in depth across the application layer, with Shape Enterprise Defense already mitigating more than one billion application layer attacks tied to app fraud and abuse every day.
Trusted application access enforces customers’ fine-grain access control policies
Secure access solutions generally sit in front of applications, in prime position to enforce access security policies.
The F5 identity-aware proxy also adds value by enabling single sign-on (SSO) and multi-factor authentication policies to help organizations realize the benefits of modern authentication and authorization protocols like OAuth/OpenID Connect—as well as take advantage of contemporary identity services such as Microsoft Active Directory—to integrate SSO with their on-premises applications.
This approach boosts access controls to protect against account takeover, phishing, and other threats in support of a Zero Trust model integrated into an organization’s overall risk management framework.
Application infrastructure security defends against encrypted threats and network attacks
Extending beyond applications, app infrastructure protection defends the systems on which applications depend. These security solutions expose threats hidden within encrypted traffic and protect against network attacks, DDoS, and protocol abuse.
As an example of F5’s approach, the company offers a managed service focused on DDoS through Silverline to help protect customers from volumetric or reflected amplification attacks.
Additionally, Aspen Mesh further addresses microservice security challenges by providing role-based access control with Traffic Claim Enforcer, allowing enterprises to easily enforce the level of least privilege, and with Secure Ingress that enables applications to connect securely to the Internet.
Intelligent threat services thwart sophisticated attacks
As the final area detailed in F5’s approach, these services feed security intelligence into all the other areas. They combine multiple security data feeds from F5, Shape, crowdsourced, open source, and third-party inputs.
More than just data collection, F5’s intelligent threat services use advanced analytics to transform the data sets into tactical intelligence that is both relevant and consumable by portfolio solutions.
Cross-platform visibility and analytics help increase accuracy and predict malicious behavior to ensure that attack traffic is clearly distinguished from legitimate use.
These horizontal services also enable organizations to gain an overarching view of risk so their efforts can be more effectively managed, which is of particular importance for multi-cloud environments.
Based on the identified areas above, F5 solutions reduce friction and enable agile security across organizations in an accessible and progressive way, while leveraging Shape Security’s leading capabilities in machine learning and AI.
To accomplish this, the company differentiates not only on technical proficiency, but also on flexibility of deployment and consumption (such as via use-based models, SaaS, and managed service offerings), as well as enhancements through APIs and an ecosystem of security partners that extend app protection.
With the addition of Shape, F5 is poised to incorporate more machine learning and AI into its offerings at a much deeper level, giving customers superior application protection that can more easily be improved, orchestrated, and automated.
The F5 application security portfolio
Essential App Protect – As a SaaS offering, the solution provides apps with out-of-the-box protection against common web exploits, malicious IPs, and coordinated attacks—with no previous security expertise required. The Essential App Protect service can be activated with a few UI clicks or API calls, with deployment that can be easily dropped into a DevOps toolchain to deliver valuable security controls for any application.
Behavioral App Protect – This cloud-delivered solution looks beyond signatures and rules to provide next-generation application defenses that require no ongoing tuning, deep technical expertise, or management. Behavioral App Protect leverages machine learning and crowdsourced threat intelligence data to deliver superior security efficacy with significantly reduced TCO.
F5’s adaptive analytics detect malicious behavior in real-time, enabling the accurate identification and mitigation of bad actors, protecting all applications across multiple clouds.
NGINX App Protect – The solution brings F5 WAF technology to the NGINX platform, delivering superior performance and security with lower latency and easy integration into modern CI/CD toolchains. It simplifies the tool sprawl that can otherwise come with contemporary applications (as well as the modernization of legacy applications) and enables security to be enforced closer to the point of code in today’s application and API environments.
Aspen Mesh Secure Ingress – The solution simplifies the way operators secure traffic entering Kubernetes clusters, and also streamlines how application developers can ensure app security. Aspen Mesh Secure Ingress enables platform operators to retain a strategic point of control to enforce policies while allowing application developers to move quickly and deliver customer-facing features reliably and securely.
Many organizations are starting to realize the benefits of increased scale and velocity of application deployment in their businesses, according to F5 Networks.
This value, however, can bring significant complexity as organizations maintain legacy infrastructure while increasingly relying on multiple public and private clouds, implement modern application architectures, and face an evolving and sophisticated threat landscape.
At the same time, organizations are adopting more application services designed to accelerate deployment in public cloud and container-native environments, like service mesh and ingress control.
App services requirements evolving
Survey data indicates this trend will accelerate as organizations become proficient in harnessing the data their application ecosystem delivers—creating advanced analytics capabilities and better business outcomes.
The survey shows that as companies manage legacy, multi-cloud, hybrid-cloud, and modern architectures to deliver applications, their requirements for app services are also evolving.
To address limited skill sets and integration challenges, organizations are choosing open ecosystems that offer standardization. Respondents prize application services that are both secure and easy to use.
Matured IT and business process optimization initiatives
80% of organizations are executing on digital transformation – with increasing emphasis on accelerating speed to market. As organizations progress through digital transformation initiatives, IT and business process optimization initiatives mature.
Many organizations have moved beyond the basics of business process automation and are now scaling their digital footprint with cloud, containers, and orchestration. This in turn is driving the creation of new ecosystems and massive growth in API call volumes.
87% of orgs are multi-cloud, most still struggle with security
Organizations are leveraging the public cloud to participate in industry ecosystems, take advantage of cloud-native architectures, and deliver applications at the speed of the business.
However, organizations are much less confident in their ability to withstand an application-layer attack in the public cloud versus an on-premises data center. This discrepancy illustrates a growing need for easy-to-deploy solutions that can ensure consistent security across multiple environments.
73% of orgs are automating the network to boost efficiency
Unsurprisingly, given the primary drivers of digital transformation (IT and business process optimization), the majority of organizations are automating the network.
Despite challenges, organizations are gaining proficiency and moving toward continuous deployment with more consistent automation across all key pipeline components: app infrastructure, app services, network, and security.
69% of orgs using 10 or more application services
As newer cloud-native application architectures mature and scale, a higher percentage of organizations are deploying related app services such as ingress control and service discovery both on premises and in the public cloud. A modern application landscape requires modern app services to support scale, security, and availability requirements.
IT operations still responsible for app services
63% of organizations still place primary responsibility for app services with IT operations, yet more than half of those surveyed are also moving to DevOps-inspired teams.
Operations and infrastructure teams continue to shoulder primary responsibility for selecting and deploying application services. However, as organizations expand their cloud- and container-native app portfolios, DevOps groups are taking more responsibility for app services.
F5 Networks introduced NGINX Controller 3.0, a cloud-native application delivery solution to help organizations increase business agility, mitigate risk, and enhance their customers’ digital experiences.
Built to unleash productivity and efficiency, the 3.x series offers the first multi-cloud, self-service platform that removes the friction between DevOps, NetOps, SecOps, and app developers.
NGINX Controller combines a broad set of app services, including load balancing, API management, analytics, and service mesh with an application-centric approach. As a result, it reduces the tool sprawl that thwarts organizations’ efforts to speed their application deployments.
Further, it provides significant performance and insights along with a lower total cost of ownership.
“This is our first major product introduction since we joined forces with F5 in May, and it highlights the unique value proposition of NGINX and F5 together,” said Gus Robertson, SVP and GM of NGINX at F5.
“Controller 3.0 provides the foundation for developer and DevOps self-service, at scale. We’ve designed the user experience to be centered on the asset that businesses care about most: their apps. This is a big departure from previous infrastructure-centric solutions.
“Plus, customers’ apps can now be configured by a new API. We’re excited to hit this major milestone. Stay tuned as we continue adding value in each monthly release.”
Streamlining the delivery of code to customers
As a cloud-agnostic solution, NGINX Controller empowers customers to easily deliver and automate a more comprehensive, consistent set of app services across multi-cloud deployments. DevOps teams will appreciate NGINX Controller’s integrations with key CI/CD tool vendors like Ansible and Datadog.
The developer portal provides a view into documentation for APIs published through Controller, while the built-in certificate manager stores SSL/TLS certificates securely for easy association with applications. And, it mitigates the significant capital and operational costs of tool sprawl that so many enterprises are challenged by today.
Not only can Controller support organizations as they move into new clouds or adopt new technologies by simplifying and accelerating modern app deployments, it also helps drive business growth.
Empower teams with self-service capabilities
Traditional application delivery and API management solutions are often more tuned to the underlying infrastructure than the applications themselves, leading to difficulty in managing app performance and maintaining app visibility.
With NGINX Controller 3.0, customers can achieve productivity and efficiency gains for modern app-focused teams while assuring appropriate governance.
DevOps, NetOps, SecOps, and AppDev personnel enjoy self-service management and monitoring for their own apps based on role, as well as orchestrated workflows that promote seamless collaboration across functional teams.
As they look to understand application health and performance in an easy-to-consume manner, they’ll find an intuitive dashboard populated with real-time, app-centric data.
Monitor and manage app performance
NGINX Controller provides valuable analytics and insights to help applications adapt, protect, heal, and drive business results, including thresholds tied to uptime and performance.
This gives teams the intelligence to not only improve app performance based on current conditions, but also to incorporate learnings and trend analysis into ongoing development cycles.
The result is a significant reduction in the time it takes to update an application for expanded use cases, or to add security features based on new threats. Users can obtain historical metrics and view events using an API—another design decision made to optimize the DevOps experience.
In addition, flexible storage options are available to ensure that analytics data is always accessible when and where needed, even when disruptions occur. These capabilities provide increased visibility across associated performance metrics so customers can deliver traditional and modern applications at scale.
“Automation within the CI/CD pipeline continues to be a significant means for organizations to more efficiently deliver differentiated apps, services, and digital experiences,” said Tom Anderson, Senior Director, Ansible Automation, Red Hat.
“NGINX Controller helps enable our shared customers to automate throughout the application lifecycle, spurring collaboration between disparate teams and speeding new offerings to market.”
“NGINX has proved to be the most widely adopted software package in our annual Container and Orchestration reports, and is indispensable for running distributed services,” said Michael Gerstenhaber, Director of Product at Datadog.
“We’re excited to see F5 investing in new tools, and to partner with them in providing observability for product teams that deliver reliable, performant solutions to their customers.”
“As companies increasingly rely on modern application architectures to deliver digital experiences to their customers, they need the ability to deploy and manage services across multiple environments and locations,” said Clint Huffaker, Technical Solutions Architect at World Wide Technology.
“We work closely with F5 as a global technology solutions provider and systems integrator, and NGINX Controller gives our joint customers a compelling breadth of offerings to deploy quickly in support of a forward-looking blend of hybrid and multi-cloud deployments.
“We are excited to showcase NGINX and other F5 solutions in WWT’s Advanced Technology Center where customers can see live demonstrations and get hands-on access to the latest IT solutions.”
F5 Networks and Shape Security announced a definitive agreement under which F5 will acquire all issued and outstanding shares of the privately held Shape for a total enterprise value of approximately $1 billion in cash, subject to certain adjustments.
Shape protects the largest banks, airlines, retailers, and government agencies with sophisticated bot, fraud, and abuse defense. In particular, Shape defends against credential stuffing attacks, where cybercriminals use stolen passwords from third-party data breaches to take over other online accounts.
Shape has built an advanced platform, utilizing artificial intelligence and machine learning, supported by powerful cloud-based analytics to protect against attacks that bypass other security and fraud controls.
This acquisition brings together F5’s expertise in protecting applications across multi-cloud environments with Shape’s fraud and abuse prevention capabilities to transform application security.
Together F5 and Shape offer organizations comprehensive, end-to-end application security, potentially saving billions of dollars lost to fraud, reputational damage, and costly disruptions to critical online services.
Shape’s application protection platform evaluates the data flow from the user into the application and leverages highly sophisticated cloud-based analytics to discern good traffic from bad.
With F5’s location in the data flow of traffic in over 80% of Fortune 500 application infrastructures, F5 provides the ideal insertion point for Shape’s security services. Together F5 and Shape will dramatically reduce the time and resources needed for organizations to deploy world-class online fraud and abuse protection.
“We know from the companies we work with that applications are critical to running their business. To drive maximum business value and the best experiences for their customers, these apps need to perform flawlessly while protecting data security and user privacy.
When a website or application experience is degraded by web fraud and abuse, the result is lost revenue, lost brand equity, and customers jumping ship to the competition,” said F5 President and CEO, François Locoh-Donou.
“With Shape, we will deliver end-to-end application protection, which means revenue generating, brand-anchoring applications are protected from the point at which they are created through to the point where consumers interact with them—from code to customer,” continued Locoh-Donou.
“Beyond opening a fast-growing $4 billion adjacent market, Shape’s machine learning and AI-powered capabilities will scale and extend F5’s broad portfolio of application services and expand our ability to optimize and protect customers’ applications in an increasingly complex multi-cloud world.”
“Since Shape’s inception, we observed a consistent pattern in customer after customer: the use of F5 technology to deliver and enable their applications,” said Derek Smith, co-founder and CEO of Shape.
“Now, we look forward to the opportunity to deeply integrate into F5’s platform for application delivery and security—F5 provides the optimum traffic flow insertion point for Shape’s industry-leading online fraud and abuse prevention solutions. This, combined with F5’s global go-to-market scale, means we can jointly protect significantly more customers’ applications and users from sophisticated attacks and malicious traffic.”
Upon closing of the acquisition, Derek Smith and the leadership team will join F5 in key management roles. Shape will remain located in their current Santa Clara headquarters.
GitHub, the world’s largest open source code repository and leading software development platform, has launched GitHub Security Lab. “Our team will lead by example, dedicating full-time resources to finding and reporting vulnerabilities in critical open source projects,” said Jamie Cool, VP of Product Management, Security at GitHub.
GitHub Security Lab
GitHub Security Lab is a program aimed at researchers, maintainers, and companies that want to contribute to the overall security of open source software. Current … More
The post GitHub Security Lab aims to make open source software more secure appeared first on Help Net Security.