by Nick Kael
Posted on May 3, 2022
Roughly one year ago, the Cybersecurity and Infrastructure Security Agency (CISA) issued a Capacity Enhancement Guide for Federal Agencies on securing web browsers to defend against malvertising. In that guide, they noted the ease with which web browsers, as the primary mechanism of user-internet interaction, can be exploited to enable malicious actors to spread malware. Malvertising in particular is engineered to bypass protections against pop-ups and website redirects, and then generate forced redirects or deliver malicious payloads.
While the previous CISA guide about securing web browsers addressed federal agencies, smart businesses and not-for-profit organizations would have done well to adopt the recommendations, as we advised at the time. Now, CISA has officially expanded its guidance to these sectors with the new Securing Web Browsers and Defending Against Malvertising for Non-Federal Organizations Capacity Enhancement Guide.
In a format and text that is a bit clearer than the version for Federal agencies, CISA sets out four main recommendations:
As the CISA guidance notes, “malvertising and poor web browser security go hand in hand” so keeping web browsers updated and secure is an essential first step. Standardizing the browsers used in an organization simplifies updating and patching processes and reduces the organization’s attack surface.
Implementing ad blocking software is in principle, an excellent idea. In theory, the software can reduce the number of malicious ads and redirects to phishing sites that can reach users’ browsers and prevent third parties from collecting data. However, in many cases, ad blockers themselves can present danger. Many use browser extensions with high levels of privilege, including access to all data traffic between the user device and the network. Some offer pay-for-play arrangements with advertisers under which their ads remain unblocked. More seriously, numerous instances of malware disguised as ad blockers have been uncovered. As such, this recommendation should be applied with caution.
Domain name system technologies provide an additional layer of protection by blocking domain names known to be used in ransomware, phishing and other malware campaigns. Definitely a good additional layer of protection, as far as it goes.
All of these technologies can significantly reduce the amount of malvertising that reaches organization endpoints and networks. But malware is a zero-sum game: If any gets in, the consequences can be dire. CISA-recommended steps like securing web browsers and implementing ad blockers and DNS technologies all rely on prompt updating and/or detection of known threats and known malicious domains. If updating is not prompt or does not succeed, protection is weakened. And regardless of how consistently and quickly updates and patches are applied, these technologies cannot protect networks against unknown malware or newly created malicious sites.
That is why, to address malvertising and other web-based threats, CISA says that “browser isolation implementation is a strategic architectural decision embraced by major corporations.” That is, by organizations that are committed to the zero trust “premise that all web traffic is untrustworthy and potentially harmful” under which browser isolation operates.
Remote Browser Isolation (RBI) processes all website data in isolated, short-lived containers located in the cloud. Only safe rendering data is sent to the browser on the endpoint, where the user interacts with it as with the original website – only securely. The most sophisticated solutions, like Ericom Software’s ZTEdge Web Isolation integrate RBI with technologies including secure web gateways, web content filtering, and content disarm and reconstruction (CDR) to remove malicious content in files before they’re downloaded.
Most importantly, because no website code reaches the browser, the network stays safe from even zero-day threats and newly created phishing sites – regardless of whether all patches and updates have been applied.
Implementing browser isolation is a more strategic approach than the other steps recommended by CISA in this guidance. That is largely because it is a broader and more powerful solution that offers benefits that go well beyond malvertising protection.
For instance, remote browser isolation solutions eliminate or reduce the need for website allowlisting and blocklisting and for anti-phishing training, since they can block all active web code from reaching endpoints. Many also support policy-based controls that allow admins to choose which types of websites and/or specific websites can be accessed, and by which users; types of sites that can be viewed on a read-only basis; and which data can – or cannot – be shared on which sites.
Admins may apply scalable policies ranging from selectively isolating only traffic that is most likely to be malicious up to comprehensively isolating all downloads, attachments and links. And as mentioned above, many solutions include CDR solutions to address risks from weaponized attachments.
Despite being directed toward private organizations and referencing how pandemic-related remote work has increased opportunities for unauthorized access to workers’ system endpoints, this Capacity Enhancement Guide on Securing Web Browsers does not explicitly address two services of particular concern, web-based conferencing and instant messaging (IM) web apps that use end-to-end encryption. Because distributed businesses depend on heavily on these services, malicious actors are increasingly exploiting them for malware delivery, using malvertising as well as other methods.
Uniquely among RBI providers, ZTEdge Web Isolation incudes patent-pending technology that enables Zoom, Microsoft Teams, Google Meet and other online conferencing meetings to be fully isolated, including video, screenshares and chat. It also secures organizations from malware sent in encrypted IM chats.
CISA’s recent Capacity Enhancement Guide on Securing Web Browsers provides important and valuable information and actionable recommendations for businesses, not-for-profit organizations, and other digitally connected organizations. Savvy, security-first organizations – especially those that are currently upgrading to zero trust, or those planning to do so — should consider CISA’s strong recommendation regarding browser isolation: “Over its life cycle, browser isolation may yield cost savings, based on reduced costs for maintaining ad blocking software, lower incident response and recovery costs, and bandwidth efficiencies.”
Using black hat SEO to achieve high rankings for particular search terms, threat actors can sit back as victims flock to their malware-infected websites.
As one of the keys to implementing least-privilege access, microsegmentation is an essential element in the Zero Trust toolbox.
In this post, we update the layered security concept for the age of Zero Trust, cloud computing, application-based work and work-from-anywhere.