Strengthen Your Web App Defenses Using Behavioral Analysis and Attacker Deception

PUBLISHED ON May 7, 2019
LAST UPDATED January 13, 2022

For many enterprises today, Web and cloud applications are critical components of the business. And for the ever-increasing number of companies conducting business online, they are the business. 

Keeping those Web applications protected against the many and always evolving cybersecurity threats needs to be a top priority for organizations. If Web apps are hacked or hit with malware, that could result in stolen data, system downtime, slow performance, and other issues that can lead to high costs and lost business.

The problem is, many organizations continue to rely on a defensive and reactionary posture with regard to securing applications, the same approach they have taken for years.

To be successful at preventing incidents, companies need to shift from defense to offense with their security strategy, moving from a rules-driven approach to incorporating behavioral analysis and active attacker engagement and deception.

Change, however, is often difficult even when it is imperative, and security is no exception. Many people struggle with change, so there are cultural issues to address: when a security team is accustomed to doing things a certain way, there may be resistance to changing the approach. Here are three steps that can help with the transition from one approach to the other.

  1. Catalog your applications and application programming interfaces (APIs). Organizations need to know which applications are exposed and whether the traffic they receive matches what each API expects. An automated tool can help with discovery, but it does not provide a management portal. Once you understand your applications and APIs, and the role they play in your environment, you can build a better security model.
  2. Find good candidate areas for engagement and deception (for example, login pages, expensive API calls, etc.). The aim is to validate real users rather than machines or bots. The security team can apply deception techniques to confirm that a person is a genuine user rather than an attacker or a bot. A real user will not notice that a deception tool has been deployed. Send additional fields that an automated entity might try to fill out but a real user would never complete; in this way, the deception validates whether the user is real.
  3. Deploy a cloud-native Web Application Firewall (WAF) with advanced engagement and deception capabilities, in the cloud or in the fabric of the microservice architecture. These solutions use threat detection and neutralization tools based on attacker behavior. They can identify threats in real time with a high level of precision. They are also designed to eliminate false positives and latency issues and to give organizations deep, ongoing visibility into security vulnerabilities.

With behavioral analysis, profiling is first used to understand what good behavior looks like and to set a baseline against which potential problems are compared. By looking at different, discrete activities from an entity or an end user, you can identify potentially problematic behaviors, which you then use deception to validate.

As part of this process, look at different discrete behaviors such as whether users are trying to mask who they are, whether they are attempting to use multiple logins, and how fast they are trying to interact with the website. By collating these discrete behaviors, you can allocate risk and validate via deception before blocking. This results in a more open approach and less blocking of non-risks (aka desirable traffic), which was a problem with first-generation WAFs.
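The following is an added illustration, not ThreatX's code, of how the discrete behaviors named above (identity masking, multiple logins, interaction speed) can be collated into a per-source risk score, and how the honeypot-field deception from step 2 validates that score before anything is blocked. The request records, thresholds, and the hidden field name are constructed for the example.

```python
from collections import defaultdict

# Hidden form field added to the login page; a browser user never sees or fills it.
HONEYPOT_FIELD = "email_confirm"  # assumed name, chosen for this example

# Constructed sample of login-page requests (not real traffic).
# src: client address, t: seconds since this source was first seen,
# user: username submitted, proxy: anonymizer/proxy header present,
# fields: the form fields the client populated.
REQUESTS = [
    {"src": "10.0.0.5", "t": 0.0, "user": "alice", "proxy": False, "fields": {"user", "pass"}},
    {"src": "10.0.0.5", "t": 6.0, "user": "alice", "proxy": False, "fields": {"user", "pass"}},
    {"src": "198.51.100.7", "t": 0.0, "user": "alice", "proxy": True, "fields": {"user", "pass"}},
    {"src": "198.51.100.7", "t": 0.2, "user": "bob", "proxy": True, "fields": {"user", "pass"}},
    {"src": "198.51.100.7", "t": 0.4, "user": "carol", "proxy": True, "fields": {"user", "pass"}},
    {"src": "203.0.113.9", "t": 0.0, "user": "dave", "proxy": False, "fields": {"user", "pass"}},
    {"src": "203.0.113.9", "t": 0.3, "user": "erin", "proxy": False, "fields": {"user", "pass"}},
    {"src": "203.0.113.9", "t": 0.6, "user": "frank", "proxy": False,
     "fields": {"user", "pass", HONEYPOT_FIELD}},
]

def score_source(events):
    """Collate the discrete behaviors of one source into a risk score."""
    score = 0
    if any(e["proxy"] for e in events):
        score += 2  # trying to mask who they are
    if len({e["user"] for e in events}) >= 3:
        score += 3  # attempting multiple logins
    if len(events) > 1:
        span = max(e["t"] for e in events) - min(e["t"] for e in events)
        if span / (len(events) - 1) < 1.0:  # average gap under one second
            score += 2  # interacting faster than a person would
    return score

def decide(events, deceive_at=2):
    """Return allow / deceive / block; deception validates risk before blocking."""
    if any(HONEYPOT_FIELD in e["fields"] for e in events):
        return "block"  # only an automated client fills the hidden field
    if score_source(events) >= deceive_at:
        return "deceive"  # serve the form with the honeypot field; do not block yet
    return "allow"

def triage(requests):
    """Group requests by source and decide an action for each source."""
    by_src = defaultdict(list)
    for r in requests:
        by_src[r["src"]].append(r)
    return {src: decide(evs) for src, evs in by_src.items()}
```

The elevated-risk source 198.51.100.7 is served the deception rather than blocked outright, while 203.0.113.9 is blocked only after it fills the hidden field, which is the validation step the text describes.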

Applications are constantly changing. If you rely solely on older, signature-based approaches to web application protection, you simply cannot keep up with those changes. The goal is a dynamic, adaptive security strategy.

ThreatX offers one such solution that combines application and attacker behavior profiling and analysis to enable businesses to make the transition from defense to offense and protect the full spectrum of applications from complex, dynamic threats like bots, scrapers, credential stuffing, and DDoS attacks. Want to learn what it’s all about? See the technology in action during a 20-minute live demo on Thursday, May 9 or request a personal, 1:1 demo with one of our security experts.