Protecting the navigation layer from cyber attacks

Opinion by Laura Mather

Cyber attacks are no longer largely committed by teenagers trying to look smarter than their friends. In the past few years, organised crime has become increasingly involved, and these criminals have many more resources and much more motivation for both financial and political gain.


Not only does this make the attacks more sophisticated and therefore more challenging to detect, but it also makes the consequences of a successful attack much more severe.

This trend is compounded by the richness of functionality and data that is available through a web server. Navigating the website is the primary way users access this information, whether it is on the internet or on intranets, via web browsers or through mobile applications. This layer of the network, the navigation layer, has become highly attractive as an attack vector.

Cyber criminals are finding increasingly creative ways to attack the navigation layer. From using the registration flow (to harvest email addresses) to scraping data from intranets, these attacks will not be identified by a web application firewall, an intrusion detection system or any other mechanism.

Predictive analytics play a critical role in protecting the navigation layer. Predictive analytics means monitoring every session on a website (both pre- and post-login). Models are created around how the population accesses the website. Each new web session is compared against the population models and, if the web session is statistically different from the population, an alert is sent to the website team.

This is predictive in that for each new web session, a model exists against which it can be compared and, as the web session begins to deviate from what the model predicts, an anomaly is identified.
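The population-model comparison described in the two paragraphs above, as an added Python illustration (this is not Silver Tail Systems' product or code, and the sessions, paths and timestamps are constructed sample data). The model learns two things from a population of ordinary sessions: how visitors move from page to page (a smoothed transition model) and how fast they click (request rate). A new session is scored on both, and an alert is raised when its path "surprise" exceeds a threshold derived from the population or its rate is more than three standard deviations from the population mean. The alert threshold and the sigma value are assumptions chosen for the example.

```python
"""Toy navigation-layer anomaly detector (added illustration, not a real product)."""
import math
import statistics
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Session:
    session_id: str
    # (seconds since first request, requested path), in request order
    requests: List[Tuple[float, str]]


def transitions(session: Session) -> List[Tuple[str, str]]:
    """Consecutive page-to-page moves within one session."""
    paths = [p for _, p in session.requests]
    return list(zip(paths, paths[1:]))


def requests_per_minute(session: Session) -> float:
    """Request rate; sessions shorter than one second count as one second."""
    if len(session.requests) < 2:
        return 0.0
    elapsed = max(session.requests[-1][0] - session.requests[0][0], 1.0)
    return len(session.requests) / (elapsed / 60.0)


class PopulationModel:
    """Learns how the population navigates the site and how fast it clicks."""

    def __init__(self, sessions: List[Session], sigma: float = 3.0):
        self.transition_counts: Counter = Counter()
        self.out_counts: Counter = Counter()
        pages = set()
        for s in sessions:
            pages.update(p for _, p in s.requests)
            for a, b in transitions(s):
                self.transition_counts[(a, b)] += 1
                self.out_counts[a] += 1
        self.vocab = len(pages)
        self.sigma = sigma
        # Population request-rate statistics.
        rates = [requests_per_minute(s) for s in sessions]
        self.rate_mean = statistics.mean(rates)
        self.rate_stdev = statistics.pstdev(rates) or 1.0
        # Score the training population with its own transition model and put
        # the path-surprise alert threshold at mean + sigma * stdev (assumption).
        nlls = [self.path_surprise(s) for s in sessions]
        self.nll_threshold = statistics.mean(nlls) + sigma * (statistics.pstdev(nlls) or 1.0)

    def transition_prob(self, a: str, b: str) -> float:
        """Laplace-smoothed probability of moving from page a to page b."""
        return (self.transition_counts[(a, b)] + 1) / (self.out_counts[a] + self.vocab)

    def path_surprise(self, session: Session) -> float:
        """Mean negative log-probability of the session's transitions."""
        ts = transitions(session)
        if not ts:
            return 0.0
        return sum(-math.log(self.transition_prob(a, b)) for a, b in ts) / len(ts)

    def rate_zscore(self, session: Session) -> float:
        return (requests_per_minute(session) - self.rate_mean) / self.rate_stdev

    def score(self, session: Session) -> Tuple[float, float]:
        return self.path_surprise(session), self.rate_zscore(session)


def is_anomalous(model: PopulationModel, session: Session) -> bool:
    """Alert when the session deviates from the population on either dimension."""
    nll, z = model.score(session)
    return nll > model.nll_threshold or abs(z) > model.sigma


def explain(model: PopulationModel, session: Session) -> List[str]:
    """Reasons to attach to the alert sent to the website team."""
    reasons, (nll, z) = [], model.score(session)
    if nll > model.nll_threshold:
        unseen = [f"{a} -> {b}" for a, b in transitions(session)
                  if model.transition_counts[(a, b)] == 0]
        reasons.append(f"unusual path: surprise {nll:.2f} > {model.nll_threshold:.2f}, "
                       f"never-seen transitions {unseen[:3]}")
    if abs(z) > model.sigma:
        reasons.append(f"rate {requests_per_minute(session):.1f}/min is {z:.1f} sigma from mean")
    return reasons


# Constructed population of ordinary banking-style sessions (sample data).
TRAINING_SESSIONS = [
    Session("s1", [(0, "/"), (15, "/login"), (40, "/account"), (70, "/statements"), (95, "/logout")]),
    Session("s2", [(0, "/"), (20, "/login"), (50, "/account"), (90, "/transfer"), (120, "/logout")]),
    Session("s3", [(0, "/"), (10, "/login"), (35, "/account"), (60, "/statements"), (80, "/logout")]),
    Session("s4", [(0, "/"), (25, "/login"), (55, "/account"), (100, "/transfer"), (150, "/logout")]),
    Session("s5", [(0, "/"), (18, "/login"), (40, "/account"), (60, "/logout")]),
    Session("s6", [(0, "/"), (12, "/help"), (30, "/login"), (55, "/account"), (85, "/statements"), (110, "/logout")]),
]
# A new ordinary session, and a constructed scraper walking product pages once a second.
NORMAL_SESSION = Session("new-1", [(0, "/"), (14, "/login"), (38, "/account"), (66, "/transfer"), (92, "/logout")])
SCRAPER_SESSION = Session("new-2", [(0, "/")] + [(i, f"/products/{i}") for i in range(1, 10)])

if __name__ == "__main__":
    model = PopulationModel(TRAINING_SESSIONS)
    for s in (NORMAL_SESSION, SCRAPER_SESSION):
        print(s.session_id, is_anomalous(model, s), explain(model, s))
```

Because the model is rebuilt from recent sessions, it adjusts as traffic patterns change; the scraper is caught both on its never-seen page transitions and on a click rate far outside the population, while the new ordinary session scores close to the population on both measures.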

Gartner recently released a paper on the layers of website fraud prevention. While this paper focuses specifically on financial websites, it is also applicable to any website with valuable functionality or data. This includes e-commerce sites, healthcare sites, almost any corporate intranet and government sites.

This article gives a quick explanation of the five layers of fraud protection and then focuses on the navigation layer and how it can be protected by predictive analytics of web sessions. The five layers of protection of online properties are:

  1. End-user layer – anti-virus, sand-boxed web browsers

  2. Navigation layer – discussed in detail here

  3. Transaction layer – looking at the attributes of a login or money movement action to determine whether it looks suspicious. This includes things like IP address, geo-location, machine ID, transaction amount, etc.

  4. Cross-channel layer – looking for patterns of someone calling customer support and then performing suspicious money movement activity on the website, for example

  5. Link analysis layer – have I seen this IP address or other attribute before in relation to malicious activity?

Of the five layers of fraud protection, the transaction layer is the most commonly deployed. This is important, but it is commonly agreed that a multi-layered approach is necessary.

Of the other four layers, cross-channel detection and link analysis are the most cumbersome to deploy. Additionally, end-user protection can be challenging since the only way to be fully protected is to ensure that all end-users have the protective technology.

Hardware protection at this layer (a secure USB for example) is expensive to deploy. Furthermore, at this level it is difficult to ensure that all end-user hardware and software is covered.

The second layer that can be protected is the navigation layer. The good news is that predictive analytics at the navigation layer is one of the simplest layers of protection to deploy. It involves no changes to HTML or applications, and the process uses the HTTP and HTTPS feeds off the SPAN port of the switch, so it is completely out of band.

There are predictive analytics models that train themselves and automatically adjust to changes in traffic patterns. As websites consider a defence-in-depth strategy, protecting the navigation layer through predictive analytics should be one of the options that is seriously considered.

Laura Mather is founder of Silver Tail Systems
