As digital solutions have become the norm for most business operations, organizations are increasingly vulnerable to cyber threats. And while the risks involved in accessing a company’s application can be as unique as the application itself, it is crucial to monitor the numerous signals that commonly provide early warnings of potential security breaches.
Your web application is your face to the world and the interface that connects your customers (users or clients) with your backend infrastructure. Allowing external users to interact with your IT systems is vital, but it also exposes your systems to various cyberthreats. Fortunately, there are several signs that can alert you to potential risks.
Abnormal Behavior — Number/Types of Activities
Event Behavior Analytics (UEBA) is a cybersecurity approach that uses advanced computing technologies, such as artificial intelligence, machine learning, and deep learning, to analyze and model normal user behavior.
If the system discovers abnormal behavior, such as an endpoint device trying to communicate with an external server or heavy network traffic outside work hours, it can determine and indicate whether the anomaly is suspicious.
Filling Out Forms Too Quickly
Threat actors often use automated tools to fill out web forms quickly. Such behavior may signal that a brute force or other password-guessing attack is underway, as these techniques rely on maximizing the number and speed of attempts.
Jumping Between Forms Too Quickly
This practice involves using automated tools to fill out forms quickly. For example, a bot can be used for registration several times within a very short interval. Attackers may use automated tools to submit a large number of comments to a specific blog, making it unresponsive.
Jumping to Shipping Before the Cart
Online merchants commonly require their clients to have an account before making purchases. Numerous attempts to jump into the shipping page without providing customer details can signal an attempted attack.
Threat actors have various tried-and-true strategies to steal users’ account credentials. One of the most notorious is phishing emails. Deceiving users into providing their sensitive information is easier than trying to bypass the security solutions that prevent unauthorized access.
If your employees receive suspicious emails that request that they provide their account credentials or open Microsoft Office, PDF, or .exe attachments, this is a clear sign of attempted infiltration.
Repeated Charge Attempts
Some web applications require users to recharge their online accounts with money or “points” to use certain services or functions. Detecting many failed attempts to charge online services, like inserting a gift card coupon code, is a clear signal of a malicious attempt by cybercriminals to guess a working coupon code.
Increased Help Requests
When legitimate users experience difficulties accessing their web apps or online profiles, the issues may be due to slow loading or network congestion. An increase in requests for this type of support can indicate that a cyberattack, such as a distributed denial-of-service (DDoS) attack, is underway.
Applications and APIs Accessed
APIs are used extensively in web applications and microservices to facilitate interactions between software components. If users experience a problem logging into their application, it could be due to an ongoing DDoS attack against the API gateways or attackers targeting the API authentication service.
IP Address Monitoring
Any application installed on an end-user device that wants to access the Internet must open an IP connection. Monitoring all IP connections can reveal if there are established connections with suspicious IP addresses. For example, a threat actor may steal data and send it to external servers silently.
Another example is communicating with Command-and-Control (C2) servers to download malware or to receive encryption keys when executing ransomware attacks. Detecting connections with malicious IP addresses is a clear indicator of a cyberattack.
IP ranges are a set of IPs in a given range used by a particular service/malicious actor. So instead of having a single IP, a service might utilize IPs across a given range. This might mean you need to associate a given risk with a given range of IPs rather than specific single IPs. For example, malicious actors, especially APT and ransomware groups, may utilize specific IP addresses within a particular range to deploy malware that communicates with their command and control server (C&C).
To manage this, these malicious IPs can be stored in a database connected to a security monitoring solution that terminates any incoming/ongoing connections that use these IPs immediately once discovered.
IP Reputation Tracking
IPs have reputations. Various security firms and government organizations monitor IPs and give them a safety rank. IPs known to send spam are given a low score or blocklisted altogether. Your organization can use IP reputation tracking lists to prevent disreputable IPs from accessing its IT environments or communicating with its web applications. This is commonly accomplished via web firewalls.
In IT, velocity refers to the number of times an event occurs. For example, an attacker may use the same IP to log in to different user accounts within a very short period (as with the case of password spraying attacks).
Login and Registration
Time Since Last Login
A user trying to access a particular account too many times within a short time could indicate a brute-force attack. On the other hand, if the user was inactive for a long time and now tries to log in, it is advisable to request more validation factors, such as answering security questions or confirming a one-time password (OTP) sent to the user’s registered phone number or email address.
New Device Login Attempts
When a user first logs in to their account, their device information is registered. This information includes the device type, operating type and version, web browser and version, and installed add-ons. Therefore, it is highly suspicious when there are several attempts to access a user account from a device with completely different characteristics.
Unrecognized Login Requests
When a user tries to log in using a different device or web browser or from a different location, this should be considered a signal of suspicious activity. IP information provides insight into all of these factors and can be used to detect any such attempts.
New Account Creation Attempts
Trying to create many accounts with false, repetitive information or using random letters is considered an alert to malicious actions.
User and Device Information
Browser Type and Version
When a user accesses a web application, your system can retrieve their device’s technical information. A browser’s technical information, known as fingerprinting, can be used to distinguish a single user among millions. Typically, each browser fingerprint provides the following information:
Browser type (TOR browser, Chrome, Firefox, Opera)
Theme used in the browser
Browser local database
HTTP header attributes
Cookies (enabled or not)
Device Type, OS, and Version
A device’s technical and browser information can effectively identify a unique user to help secure accounts from unauthorized access. Some examples of this information include:
Device type (tablet, laptop, smartphone, workstation)
Operating system type (Windows, Android, iOS)
CPU, GPU information
Language installed (English, French, Arabic, German)
Access attempts from a device with different settings from what the user’s history indicates may represent malicious activities.
Impossible Travel/Location Irregularities
When a user tries to log in to their account from an abnormal location, this could be an alarm for impossible travel. For example, it is unlikely that a Canadian user would be attempting to access their banking account from China five hours after accessing it from their home.
User location is crucial for sensitive applications, such as financial and medical apps. For example, even if the timeline is feasible, a USA-based user whose account indicates a login attempt from Russia is likely the victim of an attempted cyberattack.
A user who rapidly navigates an application or website is likely unauthorized or attempting something malicious. For example, consider a LinkedIn account with a low number of connections that visits a large number of other profiles. Such unusual behavior might indicate an attacker is using an automated tool to harvest information from the LinkedIn database.
Changes in Network Activity
Today’s IT environments span on-premises and cloud environments. Monitoring all digital interactions across such hybrid environments is critical to detect any changes in network activities that signal a potential cyberattack.
For instance, network detection and response (NDR) solutions work by creating a model of network activity in normal circumstances and comparing it with the ongoing network activity. An alert is raised to inform the IT administrator if any abnormal activity is detected.
Using anonymous networks, such as TOR and I2P, to access web accounts is considered suspicious. These networks can efficiently hide the connected user’s IP address and mask their web browser’s digital fingerprint, indicating potential reasons to maintain complete anonymity.
For example, malicious insiders may use the TOR network to conceal their IP address and to send sensitive work information outside the organization’s network. On the other hand, threat actors, especially APT and ransomware operators, use TOR and I2P anonymous networks to send attack instructions to their planted malware on remote target networks.
The ability to detect bots is critical in preventing attacks against your website, mobile app, and APIs. Threat actors use bots to execute automated attacks, such as brute-force and DDoS attacks. There are several ways to detect bot traffic among legitimate traffic. Some behaviors and characteristics of bots include:
Visiting an extremely high number of pages within a short period
A high bounce rate: A bot likely visits just one site page before exiting
Notably high or low session rates
Threat actors leverage emulators when attacking sensitive applications, such as online banking apps. An emulator is a software application that mimics Android and Apple devices. Although it runs slowly compared to real mobile devices, it can fool even the most protected systems.
Cybercriminals use emulators to reverse engineer the code of a target application and understand how it behaves in a production environment. Detecting emulators is vital in protecting sensitive applications, especially those that feature banking or cryptocurrency wallets.
Domain Connection Attempts
The ability to detect repetitive failed login attempts is critical for protecting IT systems. However, knowing an attacker is trying to log in to your system or application is not enough to prevent the attack. You can investigate audit logs to know if the attacker is using a computer within your domain or if an external device is executing the attack.
An organization may use custom threat predictors to detect threats before they knock on organization doors.
Examples of custom threat prediction are:
Using AI and machine learning technologies to monitor network traffic and identify abnormal activities in real time
Creating a baseline of regular network traffic and comparing it to the ongoing traffic. This allows an organization to detect anomalies fast and respond automatically or manually after receiving automated alerts from network monitoring solutions.
Database extractions refer to extracting data from different databases across your IT environment. You can perform data extractions to support decision-making processes, such as when developing your next marketing plan, by combining information such as sales history, customer retention and attainment, and vendor feedback, which can be collected from disparate databases.
However, database extractions can be a warning sign when they occur outside planned, scheduled times. For example, advanced threat actors may try to steal information from different databases outside working hours and gather it in one location to transmit it outside the target network later.
File Request Monitoring
File monitoring is a security process used to monitor different files within IT systems, such as database files, applications, and operating system files. When a change is detected, which could signal the existence of malware tampering with files, a warning is issued.
New API Detection
Whenever a new API is introduced to the system, it should be scanned for any security vulnerabilities and any problems that may cause performance issues.
API activity monitoring is vital, especially regarding APIs that perform critical functions such as authorization and authentication. The cost of API downtime can be high, with the average hourly cost of server downtime being between $301,000 and $400,000 USD.
Detecting Cybersecurity Risks in Practice
It is critical to leverage security solutions to detect as many different attack signals as possible. To be most effective, these solutions must include using AI and ML to sniff out suspicious behavior. Additionally, they must be able to prompt additional authentication or kill a session when risky behavior or high-risk signals appear. Moreover, advanced monitoring must occur across the entire user journey—not just at the point of login.