Bulwark’s Bob Aman Shares Insights on Session Hijacking, Security Failures, Resilience Models, and Zero Trust Security
In this exclusive Q&A interview, Bob Aman, founder of Bulwark Security, shares insights on why “session hijacking” has become a significant topic in cybersecurity, especially amongst Seattle decision-makers. Bob explores its implications for companies of all sizes in the realm of digital security.
Cee Ng: Let's discuss a topic that founders and investors are curious about – is "session hijacking" a prevalent trend in our industry?
Bob Aman: Session hijacking should definitely be on people’s radar, but unfortunately, it often isn’t. Or at least the necessary mitigations aren’t on their radar, and they aren’t doing anything about it. It’s such a hard problem to solve. Like, what do we do? There are some straightforward mitigations available, but many companies aren’t implementing them, and it raises the question, why haven’t they been deployed? A lot of the responses… It's really hard to do after the fact.
If you think about it upfront, it’s much easier to do. If you are doing it in year 3 or year 4, you have already put so much in place, you have so many edge cases to consider, you have already established user behaviors and expectations, and potentially you are changing what the behavior of your system looks like, and it's like “I don't like it”. This can be problematic, as the user expects a certain behavior that they are used to, and it’s always easier to make the investment early, not later. If you build session hijacking protection on Day 1, it’s going to go so much smoother for you than in year 3.
Cee: What’s a business case for stakeholders to understand the significance of initial investment in prioritizing security measures against session hijacking attacks?
Bob: The interesting thing about it is the way that sessions get hijacked: it tends to originate from malware. An employee gets malware on their computer, and it siphons off all the cookies of their browser. The whole lifecycle of that involves the original infection of the malware, which then steals all the information on the computer, and then that information is sold on the black market. The person who installs the malware on the machines, their method of monetization is to acquire information and sell it to some other party — the black market is where they search and target certain companies/employees and check the marketplace for that company to take that data that someone else stole and use it.
But in order for that to work, the session has to be alive long enough between the time of the buyer and the seller to make that transaction. So if someone steals that information and puts it on the marketplace, and a month later the sessions have died within that 1-month timeframe, the buyer doesn’t get anything. Session lifetimes are a big deal here. The buyer is going to be accessing the session from a different computer than the legitimate owner of the session, so there are elements of the computer — I'm receiving requests for this session from these other computers rather than this one.
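As an added illustration (not code from the interview or from Bulwark Security): a minimal server-side session check that enforces the two mitigations Bob describes, a bounded session lifetime and binding the session to the client that created it. The timeout values, the fingerprint inputs and the sample requests are assumptions.

```python
# Added example, not from the interview: server-side session validation that
# caps session lifetime and binds the session to a coarse client fingerprint,
# so a cookie stolen by malware and replayed weeks later from another machine
# is rejected. Timeouts and fingerprint inputs are assumed values.
import hashlib
from dataclasses import dataclass

ABSOLUTE_LIFETIME = 7 * 24 * 3600   # assumed hard cap: 7 days from issue
IDLE_TIMEOUT = 12 * 3600            # assumed idle cap: 12 hours without use


def client_fingerprint(user_agent: str, client_ip: str) -> str:
    """Hash of User-Agent plus the client's /24 block, so ordinary address
    churn on the same network does not invalidate a legitimate session."""
    net = ".".join(client_ip.split(".")[:3])
    return hashlib.sha256(f"{user_agent}|{net}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    issued_at: float     # epoch seconds when the session was created
    last_seen: float     # epoch seconds of the last accepted request
    fingerprint: str     # client_fingerprint() at creation time


def create_session(user: str, user_agent: str, client_ip: str, now: float) -> Session:
    return Session(user, now, now, client_fingerprint(user_agent, client_ip))


def validate(session: Session, user_agent: str, client_ip: str, now: float) -> str:
    """Return "ok" or a rejection reason; only accepted requests refresh last_seen."""
    if now - session.issued_at > ABSOLUTE_LIFETIME:
        return "expired:absolute"
    if now - session.last_seen > IDLE_TIMEOUT:
        return "expired:idle"
    if client_fingerprint(user_agent, client_ip) != session.fingerprint:
        return "fingerprint_mismatch"   # candidate for step-up auth or revocation
    session.last_seen = now
    return "ok"


if __name__ == "__main__":
    # Constructed sample traffic (documentation IP ranges, not real clients).
    t0 = 1_700_000_000.0
    s = create_session("alice", "Mozilla/5.0 (X11)", "203.0.113.10", t0)
    print(validate(s, "Mozilla/5.0 (X11)", "203.0.113.25", t0 + 3600))
    print(validate(s, "Mozilla/5.0 (Win)", "198.51.100.7", t0 + 7200))
    print(validate(s, "Mozilla/5.0 (X11)", "203.0.113.10", t0 + 30 * 86400))
```

A fingerprint mismatch is a signal rather than proof of theft, so in practice it is better handled with re-authentication and an alert than with a silent drop.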
Cee: For our readers, what does that mean for their organization and business operations, particularly in today's reality of remote companies and work-from-home (WFH) culture?
Bob: There is no company policy that is adequate, that will completely prevent this. Company policy is never adequate; alternatively, you can deploy better detection methods on your machines.
Cee: How can team leadership effectively prepare and align their teams to enhance security measures against session hijacking attacks?
Bob: During a red team exercise, we highlighted the importance of adopting a strategy that prioritizes resilience over reliability. A reliability approach implies a stance of "we are never going to get hacked, never going to be compromised," while a resilience strategy recognizes the inevitability of failures: “you are going to have a failure, eventually.”
There is this whole perimeter in security that is to be trusted. If you are taking that approach and mindset, then you have to protect this perimeter and it’s crucial. If the security perimeter is breached, understanding the choice between taking the strategy of resilience over reliability is essential to prevent potential vulnerabilities to session hijacking attacks — or you are toast.
Cee: How do larger companies, especially during rapid growth, address the threat of session hijacking when it may not be on their radar?
Bob: Even in medium-size companies, you are starting to see “zero-trust” show up, but its practice is inconsistent. This mindset doesn’t permeate the entire organization. While you might deploy a zero-trust access control system for internet-related activities, you might have parts of the organization such as finance, accounting, and HR – that are really reliant on the back-and-forth exchange of emails, sending large files, and attachments. When it's your day job to actually click on attachments, there’s a risk you might click on the wrong attachments.
Especially in a zero-trust session, where the network doesn’t matter anymore, the identity becomes crucial. If the identity gets stolen and is compromised, all of a sudden your “zero-trust” system does not protect and is insufficient. It’s not about deploying just one system, you need to have multiple layers of controls to stack up. This way, even if someone can beat one layer, they’ll encounter obstacles in other layers of defense, and they are going to be stopped in one way or another.