Weaklayer is an open source software system for Browser Detection and Response (BDR). The idea of BDR is similar to Endpoint Detection and Response (EDR). EDR tools are “primarily focused on detecting and investigating suspicious activities … on hosts/endpoints” [1]. In a similar vein, BDR focuses specifically on suspicious activities happening inside the browser. This post describes the technology and threat landscapes and how they lead to the creation of Weaklayer and BDR.

Where Are the Threats

As security practitioners, we need to look for opportunities to disrupt threats. Breaches come from threat actors performing a series of actions. Therefore if we can disrupt or detect these actions, we can avoid breaches or reduce their severity. The 2020 Verizon Data Breach Investigations Report provides an analysis of actions that are working for threat actors [2]. Here are some key takeaways from this report:

  • Phishing is the most effective action, appearing in over 20% of breaches.
  • Additionally, credentials were the compromised data type in approximately 60% of phishing breaches.
  • Using stolen credentials is the second most effective action, appearing in approximately 20% of breaches.
  • The third most popular action is a tie between Misdelivery and Misconfiguration, appearing in roughly 10% of breaches.
  • Approximately 20% of breaches involved actions not in the top 15 actions. Therefore, even outside the top 15 actions in the report, there is a long tail of effective options for threat actors.

As an extrapolation, we can estimate that credential phishing (60% of phishing) appears in roughly 12% of breaches which would give it third place on its own. Another extrapolation is that the top two actions can form a real wombo combo where credentials are phished and subsequently used to gain unauthorized access.

It’s probably no surprise to you that these things work for attackers. Then why do these actions work even though we have knowledge and tools that guard against these attacks? Given the amount of effort put into this problem, I don’t think there is a simple answer that will result in a magic solution.

I (and others) believe the only real solution is defence in depth. We need to attempt to disrupt threat actors wherever we can with multiple layers of defence. It’s not that easy either though! Indefinitely stacking security layers without thought is bound to hinder your organization.

However, if you read to the end, I think you will find a new security layer that has large upside potential with little downside.

The New Operating System

Let’s take a bit of a step back and look at part of the greater technology landscape.

Software as a Service (SaaS) applications are encroaching on our workflows. It is possible to get by without SaaS but there are good reasons for this trend. Here are a few benefits we get by using SaaS:

  • reliability and redundancy without operational overhead
  • easier access across multiple devices
  • faster delivery of new features
  • predictable operational expenditure

Probably the most visible SaaS applications for business are office suites like O365 or GSuite. This isn’t to convince you to use SaaS though. It’s just an acknowledgement that your organization is likely already using it in some form.

Most SaaS applications are used through a web browser. There are good reasons for this as well. Web technology standards provide a common interface for web application developers to use. With this interface, developers can easily reach many users across different operating systems. Additionally, users always update their applications to the latest version by clicking “refresh” in the browser.

In this scenario, web browsers are responsible for:

  • running applications that are delivered as web pages
  • giving computer resources to these applications
  • isolating applications from each other

These are responsibilities normally reserved for the operating system. Therefore, by accepting these responsibilities, web browsers are becoming a new type of operating system.

Chromebooks are the ultimate realization of this trend. The underlying operating system (Linux for ChromeOS) is completely hidden from the user and application developer. All that is seen is the browser interface that ChromeOS provides. Many organizations have seen that some of their users can do their entire job within the web browser. With this knowledge, they issue Chromebooks to their employees to save money and reduce attack surface.

However, with these improvements comes a new set of challenges. Visibility into what our organizations do with technology is eroding as more applications move inside the web browser. It becomes harder to measure risk and make decisions about the technological direction our organizations take. Additionally, this eroding visibility makes it harder to detect and respond to threats.

Introducing Weaklayer and BDR

Weaklayer and Browser Detection and Response (BDR) were created with the goal of maximally disrupting threats that are damaging organizations.

As mentioned above, there is already a ton of effort being put into disrupting threats. Therefore it seems arrogant to think that maximally disrupting threats could be achieved by making a new instance of an existing type of tool. It seemed that a more fundamental contribution would be needed to truly move the needle. During exploration for such a contribution, we noticed that web browsers had growing responsibilities without proportional activity in the security space to reflect this.

This led us to think “What if there was a security data source focused on what happens inside the browser?”

This is where Weaklayer comes in and why we classify it as Browser Detection and Response (BDR). Just like Endpoint Detection and Response (EDR), the system is made of sensors and a server for collecting data from the sensors. However, unlike EDR, the Weaklayer Sensor is a browser extension instead of an endpoint agent. This unique position allows Weaklayer to generate a fundamentally new security data source focused on what happens inside the web browser.

Above, we also talked about the most effective actions that threat actors are using. If we want to maximally disrupt threats, then it makes sense to start with disrupting what is working best for attackers. Therefore, right now, Weaklayer gives you a unique data source to detect when a user falls prey to credential phishing. Weaklayer detects the moment that the user enters their credentials into a web page that they shouldn’t have. This allows you to disrupt the attack (e.g. lock the user’s account), guarding against one of the most effective techniques that threat actors have at their disposal.
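To make the sensor-side idea concrete, here is an added example (not Weaklayer’s own code) of how a browser extension content script can classify a credential entry: it watches form submissions that contain a password field and reports an event when the page origin is not one of the organization’s sanctioned login origins. The allowlist, the `report` callback and the function names are assumptions for this illustration.

```javascript
// Constructed allowlist of origins where users are expected to enter
// credentials; a real deployment would manage this centrally.
const SANCTIONED_LOGIN_ORIGINS = new Set([
  "https://login.microsoftonline.com",
  "https://accounts.google.com",
]);

// Pure classification so it can be tested outside a browser.
// Returns null when no credential was entered, otherwise an event record.
// The credential value itself is never read or reported, only metadata.
function classifyCredentialEntry(pageUrl, hasPasswordField,
                                 allowlist = SANCTIONED_LOGIN_ORIGINS) {
  if (!hasPasswordField) return null;
  let origin;
  try {
    origin = new URL(pageUrl).origin; // normalizes scheme + host + port
  } catch {
    return { type: "credential_entry", verdict: "suspicious",
             origin: null, reason: "unparseable page URL" };
  }
  const verdict = allowlist.has(origin) ? "sanctioned" : "unsanctioned";
  return { type: "credential_entry", verdict, origin };
}

// Browser-side hook: only meaningful inside an extension content script.
// `report` is a hypothetical callback that forwards events to the server.
function installSensor(doc, report) {
  // Capture phase so the handler runs before page scripts can stop propagation.
  doc.addEventListener("submit", (ev) => {
    const form = ev.target;
    const hasPw = form.querySelector('input[type="password"]') !== null;
    const event = classifyCredentialEntry(doc.location.href, hasPw);
    if (event) report({ ...event, ts: Date.now(), url: doc.location.href });
  }, true);
}

// Install only when running in a page; harmless under Node.
if (typeof document !== "undefined") {
  installSensor(document, (e) => console.log(JSON.stringify(e)));
}
```

An "unsanctioned" event is the signal a responder would act on (for example, locking the account), while "sanctioned" events still give visibility into where credentials are legitimately used.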

Until now we have been establishing the upside potential of Weaklayer and how it can serve as a valuable component of your security strategy. What about the downside though? Introducing additional tools can have unwanted risks like worse user experience and additional attack surface.

These risks are largely mitigated because of the Weaklayer Sensor’s implementation as a browser extension. Browser extensions run inside of the web browser application. The web browser sandboxes extensions so their effects are contained within the web browser. This means that worst case scenarios like security vulnerabilities or performance bugs are isolated to the web browser and do not affect the entire system. Additionally, browser extensions are implemented in programming languages with built-in memory safety, making them immune to entire classes of security vulnerabilities.

However, the technology being introduced here isn’t a magic solution to all security problems. It is a solution targeted at what we think is the weakest layer in existing security stacks. Weaklayer will bolster your defence in depth strategy, and help you disrupt today’s most prominent threats.

Next Steps

If Weaklayer and BDR sound like promising technology to you, please contact us! We are happy to provide more information or answer any questions you have. Additionally, we are offering professional services and creating an enterprise edition of Weaklayer to help you maximize the value of this brand new data source.

Furthermore, we have documentation on how to try out Weaklayer, deploy it yourself and start detecting threats. The Getting Started tutorial will show you how to set up a local Weaklayer Sensor and Weaklayer Gateway for you to explore your own data set. The Kicking Ass with Weaklayer tutorial will show you how to detect credential phishing with Weaklayer data.

References

[1] https://blogs.gartner.com/anton-chuvakin/2013/07/26/named-endpoint-threat-detection-response/
[2] https://enterprise.verizon.com/resources/reports/dbir/