Navigating the Rising Tide: Menlo Security Co-Founder Discusses the Imminent Threat of Browser-Based Attacks
Worldwide, digitalisation is revolutionising businesses and society, with 75% of current work conducted digitally via Internet browsers. However, this heavy reliance has transformed browsers into attractive targets for cybercriminals, posing a serious threat through browser-based malware attacks.
The recent Menlo Cyberthreat Defense Report corroborates this, highlighting escalating worries about browser attacks in the Asia Pacific region. Concerns include the harvesting of Personally Identifiable Information (PII), Account Takeover (ATO), and payment fraud, underscoring the urgency for robust cybersecurity measures.
To discuss the potential solutions to these growing concerns, Cybersecurity ASEAN sat down with Poornima DeBolle, Co-Founder of Menlo Security, for an exclusive interview where she shared more about the imminent threat of browser-based attacks and the different ways to mitigate them. (Note: DeBolle’s answers have been edited for clarity and/or brevity.)
CSA: How common are browser-based attacks? What types of browser-based attacks are most prevalent nowadays?
DeBolle: Browser-based attacks have a 90–95% probability of occurring, often originating from vulnerabilities within the browser, such as browser zero-day, watering hole attacks, or insecure downloads. Phishing has been the number one cause or starting point for various browser-based attacks.
As for the types of attacks, the most prevalent today is obfuscation. Rather than sending data that a user can scan, threat actors instead include the data so that nothing on the network can scan it. Since it can’t be scanned, when it is sent to the end user’s browser, the JavaScript executes and activates the payload, leading to subsequent attacks. Because, on the network, the user will be unable to determine whether data is good or bad, the threat only reveals itself and initiates an attack once it reaches the end user’s point. This is why we call them “highly invasive and adaptive threats.” We have observed a 280% increase in invasive and adaptive threats.
CSA: What are the risks posed by browser-based attacks to organisations?
DeBolle: So, if you have been following the evolution of threat actors, previously known for sending malware, they have now shifted to delivering ransomware to enterprises, utilising the techniques I mentioned earlier. So, the first risk is ransomware.
The second risk is credential phishing, which is even more dangerous. So, for instance, if I unknowingly click on a phishing link that leads to a malicious site where I inadvertently give away my credentials, I would be giving away the keys to the kingdom. This not only leads to ransomware, but also the risks of data exfiltration, data loss, and security breaches that enterprises must contend with. Those are the two biggest risks that browser-based attacks pose to organisations as of now.
CSA: Is maintaining strong cybersecurity fundamentals, like regular patching and practising good cyber hygiene, sufficient to protect companies from browser-based cyber attacks?
DeBolle: Yes, those are the steps organisations should take as they promote good cyber hygiene. But, in some cases, these attacks manage to bypass MFA (Multi-Factor Authentication). Several major Silicon Valley companies, such as Uber, Twilio, and Cloudflare, were compromised in such incidents. So, if we examine the cases where companies failed against bypass attacks and browser-based attacks, I believe organisations can take a page from Singapore. Singapore has done a good job of mandating what we refer to as “Internet separation.” It is a practice where active content from websites doesn’t execute on the endpoint, and it effectively protects organisations from the risks we have been discussing.
The second thing I want to add is the additional steps that organisations can take. For example, we at Menlo use Artificial Intelligence (AI) and Machine Learning (ML) to help us become better at detecting some of these credential phishing attacks. The more we can apply these techniques and utilise those new tools to help us, the better we will be able to get ahead in cyber hygiene, in addition to having better cybersecurity tools under our belt. I do believe enterprises should consider architectural changes—Internet separation is a good example of that. Also, tools such as AI and ML will help organisations to scale and keep up because the bad guys are using them as well.
CSA: In your opinion, what are the weak points in the current security framework that many businesses use today when dealing with evolving cyber threats and criminals?
DeBolle: Yes, we [Menlo] hold strong opinions about this, particularly browser security. So, if you remember or look back over the last few years, we’ve had big transformational technology shifts. Nowadays, everybody is using AWS or SaaS applications instead of deploying within individual data centres. Each of these advancements is intertwined with the evolution of security technologies. So, when all these advancements occurred, a multi-million-dollar market emerged, called CNAP (Cloud-Native Application Protection) and CSPM (Cloud Security Posture Management). The widespread adoption of SaaS applications gave rise to tools to assist in managing SaaS applications.
However, the browser has evolved in a big way since it was launched back in 1994. It has become more dynamic. When you click on a link, the browser will be personalised for you, [and you will be] receiving ads from a very complex network that knows your preferences. So, when looking at such a dynamic world, we do believe that browser security deserves a platform equal to network and endpoint security. In that context, we believe organisations should view browser security as a unique area of investment. The type of attacks I’m describing don’t permit organisations to secure their browser by merely inspecting HTTP and HTTPS protocols because what happens in the browser is complex and dynamic.
CSA: So how can organisations bridge these gaps effectively without disrupting their day-to-day operations?
DeBolle: We believe enterprises need to manage their own browser. So, if we look at Chrome or Edge, there are thousands of settings. Most enterprises don’t really manage those settings; most of the time, it’s only, “How often should I update this browser?”
Organisations should manage their browser actively—say, here’s my configurations or an industry benchmark that helps the cybersecurity team to decide on configurations that can effectively protect organisations’ browsers.
The second thing is about protecting both the browser and the user. That’s why I suggested techniques such as Internet separation and tools that help detect credential phishing. Relying on tools such as AI and ML enables users to be as dynamic as browsers.
The third pillar, or practice, that we [Menlo] often suggest to our clients is to secure access. Security is about securing access and data. So, when we talk to clients about browser security, these are the three questions that we ask: (1) Are you managing the browser? (2) Are you protecting both the browser and the user? (3) Are you securing the access and data? This way, they will be able to devise a comprehensive browser security strategy.
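As an added illustration of the first question above, “Are you managing the browser?”, here is a small audit script (example code, not Menlo’s or the interview’s own) that checks a Chrome enterprise policy export against a baseline of managed settings. The policy names are Chrome’s documented enterprise policy names; the baseline values, the two sample policy documents and the extension-id placeholder are this example’s own assumptions.

```python
import json

# Baseline of managed-browser settings this example enforces (an assumption of
# this example, not a published benchmark). Keys are Chrome enterprise policy
# names; each maps to (check on the configured value, human-readable expectation).
BASELINE = {
    "SafeBrowsingProtectionLevel": (lambda v: v == 2, "2 (enhanced protection)"),
    "DownloadRestrictions": (lambda v: isinstance(v, int) and v >= 1,
                             "at least 1 (block dangerous downloads)"),
    "ExtensionInstallBlocklist": (lambda v: isinstance(v, list) and "*" in v,
                                  '["*"] (block extensions not explicitly allowlisted)'),
    "PasswordLeakDetectionEnabled": (lambda v: v is True, "true"),
    "RelaunchNotification": (lambda v: v == 2, "2 (required relaunch after updates)"),
}


def audit(policy):
    """Return one finding per baseline policy that is missing or weaker than required."""
    findings = []
    for name, (ok, expected) in BASELINE.items():
        if name not in policy:
            findings.append(f"{name}: not managed; expected {expected}")
        elif not ok(policy[name]):
            findings.append(f"{name}: configured as {policy[name]!r}; expected {expected}")
    return findings


# Constructed sample: a browser "managed" only for its update cadence,
# with everything else left at, or below, defaults.
WEAK_POLICY = json.loads("""{
  "RelaunchNotification": 1,
  "SafeBrowsingProtectionLevel": 1,
  "DownloadRestrictions": 0
}""")

# Constructed sample: the same export with the baseline applied.
HARDENED_POLICY = json.loads("""{
  "RelaunchNotification": 2,
  "SafeBrowsingProtectionLevel": 2,
  "DownloadRestrictions": 1,
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": ["<allowlisted-extension-id-placeholder>"],
  "PasswordLeakDetectionEnabled": true
}""")

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: {len(audit(doc))} finding(s)")
        for finding in audit(doc):
            print("  -", finding)
```

Run against a real export (for example the JSON produced from a managed browser’s policy listing), the findings list is the gap between the browser as deployed and the configuration the security team has decided on.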
CSA: According to Menlo’s study, the rise of Generative AI has led to increased security risk. Can you explain the correlation between the two?
DeBolle: I would look at this from several different dimensions. Usually, these phishing email attacks are launched potentially from places and by individuals who do not have a good command of the language spoken by their targets. But now, they can just write a very bad phishing email and give it to ChatGPT for corrections. As a result, they will have a well-written email. So, I think the quality of phishing campaigns will significantly improve. So, it’ll be very difficult to distinguish between phishing emails and non-phishing emails.
Then, think about the translation capability it has. Today, phishing campaigns will be able to use the translation capability to easily produce phishing emails in different languages, enabling threat actors to launch multilingual phishing campaigns that are significantly larger and more productive.
The second one is more about code generation. I think it won’t be a significant assistance to a threat actor lacking coding skills and familiarity with prompts because ChatGPT won’t generate the right code unless they provide accurate prompts. Now, a threat actor who knows how to code and is familiar with prompts will be able to generate the code they require at a much faster pace. We [Menlo] also utilise AI for code generation to increase efficiency and observed an efficiency gain of approximately 10–50%. So, imagine threat actors adopting the same approach; this means they will be able to launch more attacks, and more frequently.
The third one is script kiddies—a group of amateurs who carry out rudimentary and unsophisticated attacks using pre-made programs or scripts.
Now, these attacks have the potential to become more sophisticated through the application of AI; we can already see it happening worldwide.
CSA: So, with the rise of AI-based threats, how should companies today “fight fire with fire” and integrate AI technology into existing security infrastructure to improve their overall security posture?
DeBolle: AI is a new technology, and it has so many relevant applications, particularly in the realm of cybersecurity. I’ll share a couple of successful applications of AI and ML in cybersecurity.
For example, a Security Operations Centre (SOC) receives thousands of alerts daily or weekly, depending on the organisation’s size. However, we are still relying on the human mind to process, navigate, and respond to those alerts—this is the one area where AI can be extremely valuable and useful. By leveraging AI, we can substantially expedite the alert processing and response procedures. Menlo has also adopted this approach for the same reason.
Another example I would like to share, which is unique to Menlo, is a very cool use case for AI. In instances of credential phishing, when a user clicks on a link, discerning whether it is a Microsoft website or not can be difficult. To help the user address this, we [Menlo] execute your browser on our cloud platform, employing a computer vision algorithm capable of recognising four to five thousand different logos. This algorithm then notifies the user if they are viewing a Microsoft logo being used on a non-Microsoft website. So, this will help us to inform the user they’re being targeted for credential phishing.
We also have been using this powerful method to identify threats like the MFA bypass we discussed earlier. This method is highly beneficial for the user, enabling us to promptly alert them and make them aware that they’re not on a legitimate website.
In my opinion, AI is a very exciting technology in terms of its capacity to increase efficiency and accuracy in identifying and mitigating cyber threats.
DeBolle’s Recommendations
In summary, DeBolle emphasises the importance of organisations consistently upholding robust cybersecurity practices, including regular patching and password updates. However, beyond maintaining good cybersecurity hygiene, she advocates a thorough examination of network architecture—whether it involves Internet separation or internal network segregation—as a resilient architecture facilitates effective threat containment and damage mitigation.
Lastly, DeBolle underscores the critical need for cybersecurity providers and organisations alike to educate users about the risks and hazards of cyber attacks, as users often represent the weakest link in cybersecurity.