xyberShield’s Threat Modules Include Known Signatures, Rules, and Behavioral Intelligence
By combining our proprietary behavioral analysis technology with known threat signatures, blacklists, and rules, xyberShield provides protection against both known and unknown threats. Our Security Research and Operations Team continually updates the xyberShield threat library against the latest attack techniques and with proprietary intelligence captured from BACE. We ensure our product always includes the latest protection measures, so you don’t need to do anything to keep your protection up to date.
Our 12 threat protection modules, called xyberFrames, are adaptive modules designed to prevent specific attacks against web applications. Eight of these address known attack methods, and four address behavioral characteristics that identify attacks. Each module is simple to activate or deactivate – all it takes is a single click in your xyberShield console. You can also select PCI or OWASP protection, which then activates all the xyberFrames involved in addressing threats in these areas.
Once activated, xyberFrames provide immediate protection, without any need for tuning or configuration. xyberShield observes each user session on your website, learning and continually adapting each active xyberFrame to optimize protection for your site – automatically. xyberShield also incorporates information gleaned from attacks on other websites that we protect around the world. In addition, each xyberFrame can be manually configured to meet special security or operational requirements.
Protection Against Zero Day Attacks
xyberShield is highly effective against zero day attacks, which try to take advantage of newly discovered security vulnerabilities and attack techniques before an application can be modified to counter them. When hackers develop new attacks or variants on existing attacks, xyberShield recognizes the behavior underlying the attack, blocking attacks before they can be successful. As a SaaS solution, xyberShield shares everything it learns about new and variant attacks across our global network in real time, benefiting all our customers.
Known Attack Methods
In a SQL injection attack, the hacker includes portions of SQL statements in a web form entry field, trying to trigger a response from the database that will reveal field names and structure. A successful attack allows the hacker to change content in the database, access information such as passwords or credit card numbers, and/or execute damaging administrative operations. xyberShield’s SQL injection module provides protection for both static and dynamically generated pages, reliably detecting suspicious behavior and terminating malicious sessions immediately.
Cross-Site Scripting (XSS) and Request Forgery
Cross-site scripting and request forgery attacks exploit web application vulnerabilities that allow attackers to bypass the client-side security mechanisms web browsers normally impose on web content. By finding ways to inject malicious scripts into web pages, an attacker can gain access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. xyberShield can evaluate Java, JavaScript, HTML, ActiveX, VBScript, and SQL.
Server Side Injection
Server Side Injection (SSI) is a server-side exploit technique that allows an attacker to send code into a web application, which will later be executed locally by the web server. SSI attacks insert scripts in HTML pages or execute arbitrary code remotely. The attack succeeds only if the web server permits SSI execution without proper validation, which can lead to access to and manipulation of the file system and processes under the permissions of the web server process owner.
HTTP Response Splitting
When a web application fails to properly sanitize input values, hackers can perform attacks including cross-user defacement, web cache poisoning, page hijacking, and browser cache poisoning. These attacks manipulate carriage return (CR) and line feed (LF) characters so that the hacker can insert malicious content in the header section of the response. The server’s output stream is then interpreted as two responses instead of one. xyberShield continually monitors and evaluates data from HTTP requests, employing our behavioral engine to block attacks.
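The "two responses instead of one" effect and the input check that prevents it, as an added example (not xyberShield code). The redirect handlers, the "next" parameter and the sample values are constructed for illustration.

```python
from urllib.parse import unquote

CRLF = "\r\n"

def redirect_unsafe(raw_param: str) -> bytes:
    """Vulnerable: the decoded request value is copied into Location verbatim."""
    target = unquote(raw_param)
    head = (f"HTTP/1.1 302 Found{CRLF}Location: {target}{CRLF}"
            f"Content-Length: 0{CRLF}{CRLF}")
    return head.encode("utf-8")

def redirect_safe(raw_param: str) -> bytes:
    """Hardened: reject CR, LF and NUL in the value after URL decoding."""
    target = unquote(raw_param)
    if any(ch in target for ch in "\r\n\x00"):
        raise ValueError("control character in header value")
    return redirect_unsafe(raw_param)

def parse_responses(stream: bytes) -> list:
    """Read the byte stream the way a cache or proxy would: one response
    after another, each delimited by its headers and Content-Length."""
    found = []
    while stream.startswith(b"HTTP/"):
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            break
        lines = head.decode("utf-8").split(CRLF)
        length = 0
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                length = int(value.strip())
                break
        found.append((lines[0], rest[:length]))
        stream = rest[length:]
    return found

# Constructed sample values for the hypothetical "next" redirect parameter.
BENIGN = "/home"
SPLIT = ("/home%0d%0aContent-Length:%200%0d%0a%0d%0a"
         "HTTP/1.1%20200%20OK%0d%0aContent-Length:%205%0d%0a%0d%0ahello")

if __name__ == "__main__":
    for label, value in (("benign", BENIGN), ("split", SPLIT)):
        statuses = [status for status, _ in parse_responses(redirect_unsafe(value))]
        print(label, statuses)
```

The check runs on the decoded value because the CR and LF arrive URL-encoded and only become control characters after decoding.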
When a client browser inadvertently caches sensitive form field values, a vulnerability results that can display those values to another user on the same client. An attacker can hijack this cache to maliciously retrieve sensitive data, which can be used to attack the application or steal personally identifiable information.
Remote File Inclusion
This technique is used to exploit dynamic file inclusion mechanisms in web applications. When web applications accept user inputs (URL, parameter value, etc.) and pass them into file inclusion commands, the web application can be fooled into including remote files with malicious code. This can lead to code execution on the web server or client side, DoS, and data theft or manipulation.
UNIX and Windows Command Injections
Command injection executes arbitrary commands on the target server. An application is vulnerable to command injection if it takes input without proper input validation or output encoding.
UNIX and Windows Relative Path Inquiries
Also known as dot-dot-slash, directory traversal, directory climbing, and backtracking, this technique manipulates variables that reference files, using dot-dot-slash (../) sequences and their variations to reach files that system access control normally protects, such as application source code, configuration files, and critical system files.
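An application-side containment check for this class of request, as an added example (not xyberShield code). The function names are hypothetical; the check canonicalizes the path before comparing it, so encoded, backslash and symlink variations are handled the same way as a plain ../ sequence.

```python
import os
from urllib.parse import unquote

def resolve_under(base: str, requested: str) -> str:
    """Return the canonical path for `requested` if it stays inside `base`;
    raise PermissionError otherwise."""
    decoded = unquote(requested)            # undo %2e%2e%2f-style encoding
    decoded = decoded.replace("\\", "/")    # treat the Windows separator like "/"
    if "\x00" in decoded:
        raise PermissionError("NUL byte in path")
    root = os.path.realpath(base)
    # lstrip("/") keeps an absolute request such as "/etc/passwd" relative to root
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # realpath has resolved ".." and symlinks, so a prefix comparison is now sound
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"{requested!r} resolves outside {root}")
    return candidate

def is_allowed(base: str, requested: str) -> bool:
    """Convenience wrapper: True when the request resolves inside `base`."""
    try:
        resolve_under(base, requested)
        return True
    except PermissionError:
        return False
```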
These attacks include abuse of email send functions, password recovery, and unrestricted proxy requests, frequently by using netbots that reside, inactive, on a remote server or desktop until activated. xyberShield protects against functional abuse by monitoring user duration (time spent on a page), recurrence, and repetition. Suspicious behavior triggers deep inspection, and malicious sessions are terminated. This module is preconfigured to reflect the latest intelligence on functional abuse attacks, and additional customization at the individual page level is also available.
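A sketch of scoring sessions on the three signals named above (duration, recurrence, repetition), as an added example that is not xyberShield's implementation. The watched pages, thresholds and event records are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

WATCHED = {"/password-recovery", "/send-mail"}  # assumed abuse-prone functions
MAX_HITS = 5     # assumed recurrence limit: hits on one watched page per session
MIN_DWELL = 2.0  # assumed shortest plausible human time on a page, in seconds
MAX_RUN = 3      # assumed limit on back-to-back identical requests

# Constructed sample events: (session id, seconds since session start, path)
EVENTS = [
    ("s1", 0, "/login"), ("s1", 42, "/account"), ("s1", 95, "/password-recovery"),
    ("s2", 0, "/password-recovery"), ("s2", 1, "/password-recovery"),
    ("s2", 2, "/password-recovery"), ("s2", 3, "/password-recovery"),
    ("s2", 4, "/password-recovery"), ("s2", 5, "/password-recovery"),
    ("s3", 0, "/contact"), ("s3", 30, "/send-mail"), ("s3", 400, "/send-mail"),
]

def session_metrics(events):
    """Per session: median time on page, hits on the busiest watched page,
    and the longest run of identical consecutive requests."""
    by_session = defaultdict(list)
    for sid, ts, path in sorted(events):
        by_session[sid].append((ts, path))
    metrics = {}
    for sid, hits in by_session.items():
        gaps = [later[0] - earlier[0] for earlier, later in zip(hits, hits[1:])]
        run = longest = 1
        for (_, prev), (_, cur) in zip(hits, hits[1:]):
            run = run + 1 if cur == prev else 1
            longest = max(longest, run)
        paths = [p for _, p in hits]
        metrics[sid] = {
            "duration": median(gaps) if gaps else None,
            "recurrence": max(paths.count(w) for w in WATCHED),
            "repetition": longest,
        }
    return metrics

def flag_sessions(events):
    """Flag a session when at least two of the three signals exceed their limit."""
    flagged = {}
    for sid, m in session_metrics(events).items():
        reasons = []
        if m["duration"] is not None and m["duration"] < MIN_DWELL:
            reasons.append("duration")
        if m["recurrence"] > MAX_HITS:
            reasons.append("recurrence")
        if m["repetition"] > MAX_RUN:
            reasons.append("repetition")
        if len(reasons) >= 2:
            flagged[sid] = reasons
    return flagged
```

Requiring two signals keeps a single slow retry of a mail form (session s3 in the sample) from being flagged.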
Bots are commonly used for navigational abuse attacks, navigating between two linked pages by sending a command and receiving an error return page. The hacker’s objective is to gather code to gain further access to the web application. When xyberShield detects malicious activity, sessions are terminated. Users can also define sequential and non-sequential page access rules.
A brute force attack is an automated process of trial and error to discover a username, password, credit card number, or cryptographic key. This is the most widely used method of cracking passwords. The hacker’s algorithm generates all possible permutations until the correct key is found. xyberShield detects suspicious, repetitive end-user actions, and terminates malicious sessions immediately.
Based on intelligence and analysis determining normal behavior for each application, xyberShield is able to predict whether individual user session behavior signals malicious intent. If so, the session can be blocked.