Cybercriminals continue to find ways around web application firewalls, but there are better options for preventing attacks.

Web application firewalls (WAF) have been a staple of enterprise cybersecurity for decades. Almost every business has a solution for filtering, monitoring, and blocking traffic to its servers.

But the fact that WAF technology is popular does not mean that it is also effective. That’s why major companies like Twitter, Nintendo, and Zoom all suffered data breaches in 2020.

It’s almost certain that all of these companies – and every other major enterprise to suffer a catastrophic data breach – had some kind of application firewall solution in place. It’s equally certain that whatever that solution was, it wasn’t enough.

The truth is that firewalls as a technology are becoming antiquated when compared to the sophisticated technologies that cybercriminals use to defraud their victims. It falls on executives and business leaders to recognize this and put better security systems in place.

WAF Technology Doesn’t Work on Compromised Accounts

Even the most advanced perimeter firewalls cannot identify and mitigate an account takeover attack. This is because these kinds of attacks end up using your own security infrastructure against you.

An account takeover attack is any kind of cyberattack that involves an unauthorized user gaining access to an account inside an organization. This can range from compromising the CEOs email account to phishing employee data or even guessing passwords to regular users’ accounts.

Firewalls can only detect attacks injected into isolated web requests. While this is certainly useful for things like distributed denial-of-service (DDoS) attacks, it doesn’t work when the attacker is already inside your network.

How Hackers Get Into Networks

The most typical scenario is a hacker gaining illicit access to a network by phishing one of its users. Phishing is the practice of fraudulently impersonating reputable companies in order to lure people into revealing personal data – like their account names and passwords.

According to Verizon’s 2020 Data Breach Investigations Report, 22% of breaches involve phishing. 74% of organizations in the United States experience a successful phishing attack.

Cyberattackers create extensive and sophisticated phishing campaigns that target end-users, employees, or even executive stakeholders. This is a significant threat for large companies that might have thousands of individual accounts – it only takes one slip-up for the hacker to gain a foothold on the inside.

96% of phishing attacks occur by email. The process of hijacking an employee’s email account is incredibly simple now that cybercriminals have access to phishing-as-a-service vendors who can automate the process for them. It should come as no surprise that the dozens of scam emails you probably receive every day are not actually written manually.

Once hackers compromise an account, they slowly begin extending their reach throughout every level of the organization. They look for opportunities to find and exfiltrate sensitive data – and the organization’s firewall sees nothing more than a regular user account accessing data.

How to Stop Account Takeovers and Credential Stuffing Attacks

Security professionals around the world have been giving the same advice for years: Create unique passwords for every account. Use long passwords that are hard to guess. Enable multi-factor authentication.

Users, employees, and even high-level executives have routinely found themselves defrauded by cybercriminals due to bad password policy. Regardless of how strict your organization is about passwords, it’s not always possible to ensure every single user responds proactively.

This is especially true when it comes to enterprises with a large attack surface. Inevitably, some customers will reuse passwords. Some employees will click on a malicious email link. Some junior accountants will get an urgent message from the CEO saying they have to pay an (entirely fictitious) invoice right now.

These attacks happen when cybercriminals compromise privileged accounts. They can do this either by specifically targeting high-profile users, or by systematically working through your entire database of users.

The first approach is a typical example of an account takeover. The second is called a credential stuffing attack. In a credential stuffing attack, hackers use extensive databases of stolen credentials and try to match them with online logins. Anyone who has ever reused a password is a prime target.

In order to prevent these kinds of attacks, organizations need to invest in data exfiltration protection. This technology differs from the web application firewalls approach because it assumes that hackers will enter your network. Once they do, it prevents them leaving. Your security team can then launch an effective investigation and find out exactly how they got there.

Technical Analysis: How Data Exfiltration Could Have Prevented the Nintendo Credential Stuffing Attack

In April 2020, Japanese video game giant Nintendo confirmed that 160,000 user accounts were compromised by unknown perpetrators. The attack exposed user account credentials, passwords, and credit card information to hackers.

In this case, the attackers used purpose-built account checker software to quickly run through an enormous database of leaked credentials. The application systematically input known usernames and passwords (from previous data breaches) into the Nintendo Switch store login. The application then exfiltrated eight points of data from the victim’s Nintendo account:

  • Nintendo eShop balance
  • Gold Points balance (reward points for buying Nintendo Switch games).
  • Credit card type
  • Credit card expiration date
  • Paypal subscription ID
  • Currency denomination
  • First 6 digits of credit card number
  • Last 4 digits of credit card number

The fact that an automated software application read this data out of Nintendo’s log files means that it had to operate in a way fundamentally different from how a regular user works. This is where data exfiltration protection could have potentially prevented hackers from gaining access to Nintendo users’ log information.

While an advanced firewall solution may be able to identify unusual behavior on an account, it cannot prevent the exfiltration of account data from within the authorized account. Once a hacker inputs the right username and password combination, there is no way to protect that account other than through sophisticated data exfiltration services.

BlackFog is a cybersecurity vendor that specializes in data exfiltration for enterprises and small businesses. Find out how we can fill the gaps in your firewall-based perimeter security solution.

Our blog has been recognized by Feedspot as one of the top 100 Cybersecurity blogs for 2021!