Author

Jim Gogolinski

Head of Threat Research

Category

Conceal Recon Group

Published On

Jul 29, 2025

MDR — Old Information Just Isn’t Enough Anymore


You will probably not be surprised when I mention that the threat landscape continues to evolve (and devolve). Back in the day, phishing emails were super easy to spot with their broken grammar, misspellings, and obvious unknown senders. Over time, the threat actors have leveled up their game. With the advent of high-quality phishing frameworks and AI, the barrier to entry has been significantly lowered. Even unskilled actors can create phishing campaigns that are very difficult to detect. As has always been the case, the human in the loop is the first line of defense against these attacks; however, we all know how that can turn out. So, how do we, as defenders, prevent these attacks?


Historically, indicators of compromise (IOCs) were a key tool in the defenders’ arsenal. We could block access based on domains, URLs, and IP addresses. To some extent, these are still valuable today and cannot be discounted: campaigns live on for a period of time before their IOCs change. This model has two main sticking points. The first is the simple fact that “someone must die”. Victim 0 (victims 0…n, actually) is impacted by the attack, and only the hard work of the security teams, once they discover the anomaly, unearths the IOCs of the attack. This becomes even more widespread if the attack is not targeted at a specific company but at an entire industry or, even worse, is spray-and-pray. This brings up the second issue with IOC-based detections — time to propagation. Initial investigations may take hours to days before they yield any evidence. Once the evidence is gathered and verified, those IOCs need to be disseminated to the wider audience, which may again take hours to days to reach every party that may be affected. Honestly, in many cases, those IOCs end up being used to find additional machines that have already been compromised.


That takes us to the next evolution in detection capabilities: content inspection. This is a big step forward from IOCs alone. Now we’re getting somewhere, as the matching criteria aren’t nearly as static as network-based IOCs. With this capability, we can look for specific content in the items coming across the network and catch new, previously unknown threats. The challenge is that the matching criteria need to be unique enough not to cause false-positive detections, yet constant enough that a simple change won’t invalidate the detection. This ratchets up the cat-and-mouse cycle: the threat actors figure out they’re being detected, make changes to avoid the detections, and the old detections no longer work.
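As an added illustration (not code from the original post or from Conceal’s product), the following Python compares the detection styles discussed above on constructed sample pages: an IOC host block list that only knows the first campaign host, a brittle content signature keyed to one kit string, and a content check that keys on the stable parts of a credential-harvesting page (brand login title, password field, form posting to a host outside the trusted login set). All hosts, HTML, and the trusted-host list are constructed placeholders using reserved `.test` names.

```python
import re
from dataclasses import dataclass


@dataclass
class WebEvent:
    host: str   # host that served the page
    html: str   # page body as seen by a content inspector


# Constructed samples; .test hosts are placeholders, not real indicators.
EVENTS = [
    WebEvent("portal-a.phish.test",            # the campaign that hit victim 0
             '<title>Sign in - Example Corp</title><!-- kit build 1.2 -->'
             '<form action="https://collect-a.phish.test/post">'
             '<input type="password" name="pw"></form>'),
    WebEvent("portal-b.phish.test",            # same kit, re-hosted after the IOC was published
             '<title>Sign in - Example Corp</title><!-- kit build 1.3 -->'
             '<form action="https://collect-b.phish.test/post">'
             '<input type="password" name="pw"></form>'),
    WebEvent("sso.example-corp.test",          # the legitimate login page (must not alert)
             '<title>Sign in - Example Corp</title>'
             '<form action="https://sso.example-corp.test/login">'
             '<input type="password" name="pw"></form>'),
]

BLOCKED_HOSTS = {"portal-a.phish.test"}           # IOC feed after victim 0 was investigated
TRUSTED_LOGIN_HOSTS = {"sso.example-corp.test"}   # where Example Corp credentials may legitimately go

# 1. Static IOC: exact host match. Misses the re-hosted copy.
def ioc_match(ev: WebEvent) -> bool:
    return ev.host in BLOCKED_HOSTS

# 2. Brittle content signature: keyed to one kit build comment. One character change defeats it.
BRITTLE = re.compile(r"<!-- kit build 1\.2 -->")
def brittle_content_match(ev: WebEvent) -> bool:
    return bool(BRITTLE.search(ev.html))

# 3. Content check on what the kit cannot easily change: it must impersonate the brand,
#    collect a password, and send it somewhere other than the real login host.
FORM_ACTION = re.compile(r'<form[^>]*action="https?://([^/"]+)', re.I)
def robust_content_match(ev: WebEvent) -> bool:
    if "Example Corp" not in ev.html or 'type="password"' not in ev.html:
        return False
    m = FORM_ACTION.search(ev.html)
    return bool(m) and m.group(1).lower() not in TRUSTED_LOGIN_HOSTS

def evaluate() -> dict:
    """Return {host: (ioc, brittle, robust)} verdicts for every sample event."""
    return {ev.host: (ioc_match(ev), brittle_content_match(ev), robust_content_match(ev))
            for ev in EVENTS}

if __name__ == "__main__":
    for host, (ioc, brittle, robust) in evaluate().items():
        print(f"{host:24} ioc={ioc!s:5} brittle={brittle!s:5} robust={robust}")
```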


There have been some great advances in dynamic analysis, things like sandboxing and code inspection. These are great tools for files that contain executable content (binaries, scripts, macros, etc.) but are not as effective for web-based content, as we will discuss later. Fun fact: many network-based false-positive IOCs come from dynamic sandbox analysis that did not properly vet the network traffic it observed.


Let’s take a quick diversion here to talk about a few things. Although there is a major push to remove products and platforms from the corporate security stack, defense in depth is still, and will always be, a thing. For example, while we already discussed why IOCs aren’t the greatest, they still have a place and shouldn’t be thrown out. Today’s users spend a significant amount of time working inside their web browsers. Whether that’s searching for information, interacting with AI, working on shared documents and/or forms, scrolling through social media, or even playing games, your users are in their browsers for a large percentage of their day, and that’s a scary place to be! Given that HTTPS is almost universal (in fact, non-HTTPS is flagged as a security risk these days), unless you happen to be running an SSL/TLS man-in-the-middle (MITM) inspection solution, you have zero visibility into the web content. It gets worse with the advent of DNS over HTTPS (DoH), as you have potentially lost even more visibility. Given that many intrusions start with phishing or some other web-based access, this can be a major blind spot in your corporate security plan.


EDR/XDR solutions are not adept at browser security. Antivirus is helpful for some things as well, but again, browsing and browsers are not its game. EDR, XDR, and AV may stop malware from running on a local endpoint, and may detect and block a C2 callback, but they will not thwart credential theft. Stolen credentials give threat actors unfettered access into your networks, and endpoint solutions will likely not detect that access because nothing about it looks anomalous. They will also likely not stop the initial info-stealer from exfiltrating cookies and other key information.


Those are just the external threats. As protectors of our infrastructure, we also have to deal with insider threats. As we all probably already know from our annual security training, there are two classes of insider threat: malicious and inadvertent. Although the intent is different, unfortunately the outcome is the same. In both cases, browsers can play a key role in the exfiltration of data, and, as mentioned previously, a significant number of security solutions are blind to this avenue.


One of the biggest sticking points in attempting to mitigate insider threats is ensuring your security solution does not impede daily required activities. While it is true that there is a balancing act between security and usability, companies cannot afford to block important, time-critical tasks.


The last area I’d like to bring attention to is your (possibly legacy) web apps. Controlling access to those apps can be both problematic and costly. Oftentimes this leads to additional software in your security stack, which your overworked IT staff is forced to maintain and which risks adding security issues of its own as vulnerabilities are found in that technology. Add to that the continuing issue of controlling who has access to those environments as staff and contractors come and go on a regular basis.


To further this problem, with today’s remote workforce, or even employees who bring their laptops home to work at night, unless you’re requiring a full VPN connection, your in-office security stack is not going to help. The reality that most companies can’t support full VPN tunnels for their staff means that you’re more than likely running split tunnels. More than 50% of your users’ web traffic will go out the unprotected side of the split. This means you will have no visibility into it and no detections on it. Zero visibility makes it harder to identify risky users.


Now that we’ve laid out the problem, what is the solution? Conceal allows us to look at content put into context. Viewed stand-alone, many things can be deceiving, but when you step back and look at the bigger picture, a clearer pattern can emerge. Context allows for better detection of seemingly benign activities and has the benefit of reducing false positives at the same time. Stay tuned as we dive deeper into the benefits of putting content into context.