Doug Dooley, Chief Operating Officer at Data Theorem, discusses full-stack application attacks and why organizations are vulnerable to these types of security breaches.
Security: What is your background? What is your current role and responsibilities?
Dooley: My background goes back 20 years in the information security industry, starting at Neoteris (later acquired by NetScreen and Juniper), where we pioneered and commercialized SSL-VPN technology. More recently, I was a venture capitalist leading security and cloud investments at Venrock. My early involvement and investments in Evident.io (acquired by Palo Alto Networks Prisma Cloud), Niara (UEBA security acquired by HPE), and VeloCloud (SASE acquired by VMware) allowed me to help shape and hopefully positively improve the security industry. My current role is Chief Operating Officer at Data Theorem, where we have pioneered modern application and API security. My primary responsibilities are tied to product strategy and go-to-market efforts.
Security: What are full-stack application attacks, and why are organizations vulnerable to this type of data breach?
Dooley: Full-stack application attacks are a growing class of external hacking that remains the #1 reason for data breaches today (70% external actors, 45% hacking tactics), according to the most recent 2021 Data Breach Incident Report. Full-stack attacks can be characterized as an external attack that exploits vulnerabilities at multiple layers of an application, including the client, API and underlying cloud services. For example, an attack that harvests credentials from a mobile application (iOS or Android) to exploit authorization rules within embedded REST or GraphQL APIs is the start of a full-stack attack. Those exploited APIs allow the attacker to take advantage of storage services (e.g., S3 buckets) and cloud-hosted databases (e.g., ElasticDB, Firebase, MongoDB) to extract thousands or even millions of sensitive data records.
Security: What are the consequences of full-stack attacks?
Dooley: Unfortunately, the consequences of full-stack attacks can be devastating to a business or organization whose reputation is often tied to its ability to protect its customers’ identity, location, financial, and health information. Not only can businesses lose the trust of their customers, but they can also lose the confidence of their investors. We know of one company that saw more than $13B of market cap value lost during a two-week fiasco of security exposures. The recent data breaches at Capital One Bank and Microsoft Bing are both textbook examples of full-stack attacks. In the case of Capital One, a skilled attacker named Paige Thompson was able to use multiple application layers to exploit and extract sensitive data from Capital One. The first layer was the Web app layer, by taking advantage of their WAF (Web App Firewall). From there, Thompson successfully executed SSRF (server-side request forgery) attacks on the API services layer of those web applications. And lastly, she was able to extract sensitive data from the AWS cloud metadata service. Each layer of the stack helped Thompson unlock the next layer until she reached her destination of getting sensitive data that can later be monetized on the dark web. In the case of Microsoft Bing, the problem originated in their mobile application, where authentication was disabled. From the mobile layer, an attacker utilized the embedded APIs lacking authentication protection to find thousands of unencrypted records. The underlying Azure cloud ElasticSearch database revealed users’ geolocation, search queries, and Firebase tokens (credentials). In both examples, attackers exploited the full stack to access sensitive data hosted in cloud services.
Security: What are some tips and best practices you have seen end users employ to mitigate this increase in full-stack attacks?
Dooley: As more applications get built and deployed in the public cloud, IT security teams are significantly increasing their efforts focused on application and API security. In the traditional on-premises data center, IT security teams put the majority of their attention on perimeter defenses such as network firewalls, intrusion detection systems, and endpoint defense agents. However, these traditional security tools are failing to protect cloud-native applications. The best security teams have all shifted their efforts and investments toward automated security protections on API, Cloud, Mobile, and Modern Web applications. Further, Identity and Access Management (IAM), designed for cloud-native application stacks, is employed more often. Organizationally, DevOps and Security teams are figuring out better ways to help one another, especially by utilizing more security automation sooner in the CI/CD process. Lastly, IT security teams are starting to organize around a new security program called Attack Surface Management, primarily driven by cloud-native applications with a more dynamic and ever-changing attack surface. The Agile development process further fuels software innovation by allowing organizations to add new features and capabilities to their applications on a weekly and even daily basis. Rapid application development and innovation are driving digital transformation for most organizations, but without a renewed approach to security, hackers have more opportunities and attack surfaces to exploit for their benefit. Full-stack attacks are not going away any time soon, but with increased attention and investment in DevSecOps and security automation, IT security can help mitigate their organizations’ risks and protect their brand and reputation.