Imperva Cyber Community

Client-Side Protection: How to Spot a Formjacking Attack

By Lynn Marks posted 11-30-2020 10:42

Imperva Client-Side Protection gives users ample data about JavaScript executable connections. Find out what risky connections look like.

Imperva’s Client-Side Protection solution offers unprecedented visibility into outgoing JavaScript connections in a scalable, manageable way. Security professionals can analyze the data it provides to identify and mitigate dangerous formjacking attacks.

We’ve already identified some of the characteristics of these attacks in previous posts. Now we can identify some of the red flags that security professionals should be looking for when using Client-Side Protection to guard against Magecart-style skimming attacks.

Watch the webinar on How to protect your website from client-side attacks like Formjacking and Magecart

Getting Started with Client-Side Protection: Running Discovery

The first thing that Client-Side Protection will do for new users is run a discovery process. During the first few days of operation, the software will monitor all outgoing connections and determine the identities and intents of each one.

Client-Side Protection looks at these connections in real time, every time the website under protection makes one. It provides visibility into the requests users make as they interact with website applications, allowing security professionals to see every JavaScript request made to the application.

After a period of time, no new connections appear. This indicates that the discovery period is complete. Security professionals can browse through the captured data and understand the connections the website makes at any point.

The discovery process is important because it forms the backdrop against which new connections are scrutinized. Client-Side Protection will flag new connections as they occur, and security professionals will have to examine them using verified, legitimate connections for comparison.

What Connection Data Does Client-Side Protection Make Available?

Inside the Client-Side Protection software, users can select any connection and click on View More to review the data collected on it. Some of the fields that the software makes available include:

  • Registered Date. This field tells you when the domain was registered. Long-lived domains have generally received greater scrutiny over time and have built up a reputation.
  • Date Discovered. This is the date Client-Side Protection discovered the connection to this service.
  • Last Updated. This is the date when the domain was last changed or updated.
  • SSL Certificate Validation. This field indicates whether the destination domain has a valid SSL certificate.
  • Usage Category. If the service offers information about data usage, you will see its category here. This shows the data’s intended purpose.
  • Registrar. You can identify the organization that registered the domain here.
  • Organization Owner. If the domain owner isn’t using a WHOIS privacy service, you will see the domain’s registered owner here. Otherwise, you will see the name of the privacy service.
  • Additional Insights. Imperva has included quick links here to databases that security professionals often use.
  • Resource Types. This tells you what kinds of resources the website under protection is sending to this domain.

Users will also see how many IP sources the software has detected for the service in question, and which browsers are being used to connect. All of this information can raise red flags for impending or ongoing attacks.

Security professionals can also export a list of sources to clear records with their application teams, or review them through third-party services such as VirusTotal, available under Additional Insights.

Red Flag #1: New Connections to Newly Registered Domains

Client-Side Protection allows security professionals to spot and mitigate formjacking attacks that rely on new connections. These can happen at any time, and rely on compromised executable scripts that make unauthorized connections to unsecured domains.

In this scenario, you may see a new connection pop up after a change or update to the website. Since Client-Side Protection has already performed discovery, you already know what services the website is connecting to, and you can verify each of those connections in real-time.

If the new connection shows a recent registration date, however, there is cause for concern. Cybercriminals often have to register brand-new domains using lookalike names to impersonate trusted services.

How likely is it that a reputable payment processor or marketing analytics service only managed to register its domain yesterday? Connections made to newly registered domains are suspicious, and should be scrutinized carefully. 

Newly registered domains that look very similar to well-known ones also merit extra attention. For example, it’s worth checking if “test.google.analytics.com” actually belongs to Google, and whether its SSL certificate belongs to the company.

Red Flag #2: IP Sources Have Bad Reputations

Client-Side Protection will soon include a feature integrating Imperva’s Reputation Intelligence tool into its dashboard. This will allow security engineers to review the reputation score for each individual IP the protected website is connecting to.

Reputation intelligence is core to Imperva’s Cloud WAF service. It draws on insights generated across the entire Imperva landscape and aggregates input from third-party security providers to obtain up-to-date, real-time data on the reputation of individual IPs.

When this feature rolls out, it will grant users the ability to request IP reputation data directly from the Client-Side Protection dashboard. IPs with bad reputations indicate servers that have been compromised by cybercriminals in the past, or that are actively hosting botnets and issuing malicious commands.

Red Flag #3: Suspicious Source Browsers

Discrepancies between the source browser type and the type of request being made might indicate malicious activity. The source browser should fit within a reasonable expectation of what a legitimate service may use.

For example, a highly automated marketing technology company is unlikely to use a consumer mobile browser to make the JavaScript requests coming from your website. The use of multiple headless browsers may also indicate suspicious activity and warrant further investigation.

Some attacks only target specific browsers. Client-Side Protection offers visibility into browser extensions and plugins making requests to the application. This can mitigate cyberattacks that only target one or two browser types.

Red Flag #4: Unnecessary Requests

The bottom half of the View More dashboard gives comprehensive insight into individual requests being made on behalf of the service in question. Here, you can analyze the actual code being used to make requests, and identify the resources being requested on a case-by-case basis.

A service that makes requests outside of what it strictly needs to operate is clearly suspicious. In this case, you would want to verify the resources a service needs with the application team, identifying whether requests for scripts, data transfers, or other information are necessary. 
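The red flags above (newly registered or lookalike domains, certificate validity, headless source browsers, and requests beyond the baseline) can be checked mechanically against the discovery data. The following is an added Python example, not Imperva's code or part of the Client-Side Protection product: it models a connection record with the View More fields described above and returns the red flags it raises. The baseline entries, the 30-day "newly registered" threshold, the resource-type labels and the two-label registrable-domain heuristic are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed discovery baseline (assumed values, not Imperva data): destinations the
# application team has verified, and the resource types each legitimately requests.
BASELINE = {
    "www.google-analytics.com": {"script", "xhr"},
    "checkout.payments.example": {"xhr"},
}
NEW_DOMAIN_DAYS = 30  # assumed threshold for "newly registered"

@dataclass
class Connection:
    """One outbound JavaScript connection, with the dashboard's date fields as ISO strings."""
    domain: str
    registered: str
    discovered: str
    ssl_valid: bool
    resource_types: set
    browsers: frozenset = frozenset()

def registrable(domain: str) -> str:
    """Crude registrable-domain heuristic: the last two labels (no public-suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

# Name fragments of verified destinations (e.g. "google", "analytics") used to spot lookalikes.
BRAND_TOKENS = {t for d in BASELINE for t in registrable(d).split(".")[0].split("-") if len(t) > 3}

def assess(conn: Connection) -> list:
    """Return the red flags one connection raises (empty list = nothing to review)."""
    flags = []
    known = registrable(conn.domain) in {registrable(d) for d in BASELINE}
    age = (date.fromisoformat(conn.discovered) - date.fromisoformat(conn.registered)).days
    if not known and age < NEW_DOMAIN_DAYS:  # red flag #1: brand-new domain
        flags.append("newly-registered-domain")
    if not known and BRAND_TOKENS & set(conn.domain.lower().replace("-", ".").split(".")):
        flags.append("lookalike-domain")  # red flag #1: reuses a verified service's name
    if not conn.ssl_valid:
        flags.append("invalid-ssl-certificate")
    if sum("headless" in b.lower() for b in conn.browsers) > 1:  # red flag #3
        flags.append("multiple-headless-browsers")
    extra = conn.resource_types - BASELINE.get(conn.domain, set())  # red flag #4
    if extra:
        flags.append("unexpected-resources:" + ",".join(sorted(extra)))
    return flags

def review(conns) -> dict:
    """Map each connection's domain to its red flags, keeping only those needing review."""
    return {c.domain: f for c in conns if (f := assess(c))}
```

A verified baseline destination requesting only its verified resource types produces no flags; the example lookalike from Red Flag #1 trips several at once.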

Block Mode Explained: How Client-Side Protection Handles Suspicious Services

If your analysis discovers suspicious JavaScript connection behaviors, you can set Client-Side Protection to Block Mode, which automatically blocks newly discovered dependencies, pending review. 

Block mode doesn’t affect existing connections tagged as needing review, however. This allows security professionals to quickly secure websites while they perform analyses and verify connections.

Related Content: 
Client-Side Protection: How Formjacking Attacks Work (and How to Prevent Them)
Client-Side Protection: New JavaScript Exploits Bypass Website Security Policies
