Defend against file upload attacks


As part of Solutions Review’s Premium Content Series, a collection of columns written by industry experts in maturing software categories, Alfred Chung of Akamai Technologies introduces you to the threat of file upload attacks and how edge networking can protect your business.

In case you missed it, there’s a malicious threat vector that’s on the rise: file uploads to web applications. With web interactions becoming increasingly central to virtually every business, file uploads via web forms and APIs are ubiquitous. Candidates uploading resumes to career sites, insurance claims, loan applications, mobile check deposits, bulk orders to suppliers – the list of possible file uploads is endless. And each file carries the potential risk of delivering a malware payload that can spread into your critical systems. How big is the problem with file upload attacks? According to one source, around 20% of malware exploits are delivered through a web application or API. While some incidents are caused by innocent parties unknowingly transmitting malware from an infected device, others are the work of malicious actors taking advantage of this gap in the online armor.

Many companies are becoming aware of the threat. According to a report, 87% of organizations that use web applications for file uploads are very concerned about secure file transfers, and 82% say their concern has increased over the past year. Failure to address the threat posed by file upload exploits could leave businesses open to all manner of cyberattacks, including ransomware or the theft of critical consumer data. How can organizations mitigate the risk posed by malicious file uploads? There are three possible approaches. Spoiler alert: The third option offers significant advantages in terms of both simplicity and efficiency. But let’s review all three.

Three options against upload attacks


Option 1: ICAP virus scan

This approach typically involves a Web Application Firewall (WAF) communicating with a separate antivirus scanner over an Internet Content Adaptation Protocol (ICAP) interface, so that incoming files are scanned before they reach the destination server.

This is an old-fashioned approach with a number of drawbacks. It requires multiple pieces of technology from different vendors that need to be installed, configured, integrated, and managed. To be effective, it must be configured to serve all your applications, which means a lot of infrastructure to deploy and maintain, including keeping virus definitions up to date. More importantly, since this solution resides on your own network, any uploaded malware still lands on your infrastructure, which is a potential security hole.

Option 2: cloud-based analysis

This approach is slightly less labor-intensive than Option 1, with a lower initial capital cost. However, it takes some work to get the uploaded file to the cloud-based scanner. This typically involves writing a script that submits files to an API for analysis, with additional scripts to dictate how suspicious files are handled. That is more work for your application development and IT teams.

Ongoing maintenance of the scanning functionality would be provided by the cloud provider as a service. However, uploaded files would still land on the application server before being transferred to the cloud, creating a potential point of vulnerability just as in Option 1.

Option 3: edge protection

The third option is to use an edge-based solution to block malware closer to its origin and further from your web application. This represents a modern approach to protection: uploaded files are inspected, and malware is detected and blocked, at the edge before it enters your infrastructure.

The scanning functionality is hosted on the edge network, so you don’t have to install anything and no application code changes are required. This makes deployment and maintenance easier than with the ICAP or cloud-based approaches described above. More importantly, it isolates threats from the targeted applications, providing greater security.


Choosing the Right Edge Network

The edge-based option offers obvious advantages in mitigating the risk posed by malicious file uploads. But not all edge networks are optimized for this critical task. When formulating your edge security strategy, consider the following key factors:

  • The risk of adding latency. Ensure that the edge network has many points of presence in the regions where your end users are located, so that file scanning occurs as close to the user as possible.
  • Extensive file support. Make sure the edge scanning solution supports a wide range of file types and is capable of scanning .zip files, PDFs, and other file formats. It should also be able to validate file types to detect spoofed files (content that does not match the declared type) and return a custom response for suspicious files.
  • Reports and analytics. The solution should provide the information you need to monitor activity effectively and take action. It should provide important context about the customer who uploaded the malware and the type of malware being sent, to help guide the security team’s response.
  • SIEM integration. An edge-based scanning solution that integrates with your Security Information and Event Management (SIEM) system can deliver critical information to your “single pane of glass” security tool, improving your ability to proactively identify potential vulnerabilities and threat patterns.
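
The file type validation mentioned in the second bullet is a control an application team can also implement in its own code while an edge or scanning layer is being put in place. The following Python is an added example, not code from the original column or from Akamai: it compares each upload’s declared extension with the magic bytes at the start of the content, rejects anything whose leading bytes look like an executable regardless of the name it arrives under, looks inside ZIP containers (including .docx, which is a ZIP) for executable entries or path-escaping names, and maps the verdict to the custom HTTP response the endpoint would return. The allow-list, the signature table, and the sample uploads are all constructed for the example and are not drawn from the article.

```python
"""Detect spoofed uploads: declared type vs. actual content (constructed example)."""
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# Allow-listed extensions and the magic bytes their content must start with.
# A file passes if it matches any one (offset, magic) pair for its extension.
SIGNATURES: dict[str, list[tuple[int, bytes]]] = {
    "pdf":  [(0, b"%PDF-")],
    "png":  [(0, b"\x89PNG\r\n\x1a\n")],
    "jpg":  [(0, b"\xff\xd8\xff")],
    "jpeg": [(0, b"\xff\xd8\xff")],
    "gif":  [(0, b"GIF87a"), (0, b"GIF89a")],
    "zip":  [(0, b"PK\x03\x04"), (0, b"PK\x05\x06")],   # PK\x05\x06 = empty archive
    "docx": [(0, b"PK\x03\x04")],                         # OOXML is a ZIP container
}

# Leading bytes we never expect in a web upload, whatever the claimed type.
DANGEROUS: list[tuple[int, bytes, str]] = [
    (0, b"MZ", "windows-executable"),
    (0, b"\x7fELF", "elf-executable"),
    (0, b"#!", "script-with-shebang"),
]

EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr", "bat", "cmd", "js", "vbs"}


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str


def declared_extension(filename: str) -> str:
    """Lower-cased suffix after the last dot, or '' when there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def matches(data: bytes, offset: int, magic: bytes) -> bool:
    return data[offset:offset + len(magic)] == magic


def inspect_zip(data: bytes) -> str | None:
    """Return a rejection reason for a ZIP container, or None if it looks clean.

    Only the first 4 bytes of each entry are read, so a hostile archive cannot
    force a large decompression here.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                if name.startswith("/") or ".." in name.split("/"):
                    return f"archive entry escapes the extraction directory: {name}"
                if declared_extension(name) in EXECUTABLE_EXTENSIONS:
                    return f"archive contains executable entry: {name}"
                with zf.open(info) as entry:
                    head = entry.read(4)
                for off, magic, label in DANGEROUS:
                    if matches(head, off, magic):
                        return f"archive entry {name} looks like {label}"
    except zipfile.BadZipFile:
        return "declared ZIP container is not a valid archive"
    return None


def validate_upload(filename: str, data: bytes) -> Verdict:
    """Decide whether the content is consistent with the declared file type."""
    ext = declared_extension(filename)
    if ext not in SIGNATURES:
        return Verdict(False, f"extension .{ext or '<none>'} is not on the allow-list")
    for off, magic, label in DANGEROUS:          # executable content under any name
        if matches(data, off, magic):
            return Verdict(False, f"content looks like {label}, declared as .{ext}")
    if not any(matches(data, off, magic) for off, magic in SIGNATURES[ext]):
        return Verdict(False, f"content does not match the signature for .{ext} (spoofed type)")
    if ext in {"zip", "docx"}:
        reason = inspect_zip(data)
        if reason:
            return Verdict(False, reason)
    return Verdict(True, "declared type matches content")


def custom_response(verdict: Verdict) -> tuple[int, dict]:
    """Map a verdict to the HTTP status and JSON body the upload endpoint returns."""
    if verdict.accepted:
        return 201, {"status": "accepted"}
    return 415, {"status": "rejected", "reason": verdict.reason}


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Helper to construct sample archives in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample uploads: one clean PDF, one PE file renamed to .pdf, one GIF
# renamed to .jpg, one archive smuggling an .exe, one plausible .docx, one script.
SAMPLES: dict[str, bytes] = {
    "resume.pdf":  b"%PDF-1.7\n% constructed sample\n",
    "claim.pdf":   b"MZ\x90\x00" + b"\x00" * 60,
    "photo.jpg":   b"GIF89a" + b"\x00" * 10,
    "invoice.zip": build_zip({"invoice.txt": b"hello", "update.exe": b"MZ\x90\x00"}),
    "report.docx": build_zip({"word/document.xml": b"<w:document/>"}),
    "deploy.sh":   b"#!/bin/sh\necho hi\n",
}


def run_samples() -> dict[str, Verdict]:
    return {name: validate_upload(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        status, body = custom_response(verdict)
        print(f"{name:12s} -> HTTP {status} {body}")
```

The check is deliberately an allow-list: an extension the application does not expect is rejected before any content is examined, and executable headers are rejected before the per-type signature is consulted, so a renamed binary never reaches the "does it look like a PDF?" branch. Magic-byte matching catches renamed files but not malicious content inside a well-formed PDF or image, which is exactly the gap the scanning options above exist to close.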

As web applications quickly take a prominent role in the way business is conducted, from B2C and B2B companies to non-profit organizations and public institutions, the volume of file uploads will undoubtedly continue to increase. And so will the threat of malware hidden in some of those files. Using a modern approach to blocking these threats at the network edge can provide additional assurance that your online assets are protected, while continuing to facilitate business relationships with your customers.

Alfred Chung