What is Client-Side Threat Intelligence?

September 22, 2020 - Ensighten

Threat intelligence is a wide discipline and within IT security, it spans everything from understanding the latest viruses to applying machine learning algorithms designed to detect malicious human behavior. With security being so vast, it is impossible to focus on everything, so most organizations will opt to target their threat intelligence on a specific area or even attack vector. 

Threat intelligence is important to any security provider and their customers as it ensures that they are protected not only against known threats but ones that are new and emerging. Attack methods change constantly and at a rapid pace, and security products can quickly become ineffective and easily circumvented. Threat intelligence allows organizations to evolve and adapt, and ensure that as the attackers change their approaches, so do the security services designed to protect them. 

 

Client-side threat intelligence 

Client-side threat intelligence is a discipline which focuses on attacks which specifically target the client as they are interacting with a service such as a website or mobile application. Client-side threat intelligence is different to endpoint threat intelligence which looks at the end-user environment such as the PC, and instead tries to understand how attackers utilize malware to exploit client-side weaknesses. 

To simplify the main differences in threat intelligence: 

  • Origin-based threat intelligence 
    This threat intelligence discipline focuses on the origin, including servers, databases, networks, APIs etc. Intelligence collected here allows for the understanding of how attacks such as credential stuffing and SQL injection happen and is designed to stay ahead of attack methods which target a service origin
  • Client/endpoint threat intelligence 
    This threat intelligence discipline focuses on the endpoint such as the PC, laptop or mobile device. Intelligence collected here allows the understanding of how attacks such as viruses, trojans, malicious emails and botnet malware happen and is designed to stay ahead of attack methods which target the end-user device
  • Client-side threat intelligence 
    This threat intelligence discipline bridges the above two disciplines and focuses on attacks which while they don’t target the endpoint directly, ultimately affect it. Intelligence collected here allows for the understanding of how code-injection skimming attacks, ad-injection and malicious browser extension malware happen and is designed to stay ahead of what is an emerging but aggressive attack vector

 

Client-side threat intelligence, like most threat intelligence disciplines combines elements of traffic analysis, automated processing and human operation to create an outcome designed to understand both new and emerging threats. One of the key differences with client-side threat intelligence, is that many of the signals used for determining malicious activity have to come from mediums such as the web browser or mobile app and as such, require sophisticated IP in order to capture them.

 

The benefits of client-side threat intelligence 

Like most other threat-intelligence initiatives, one of the biggest benefits to customers is that it aims to discover new and emerging threats. Because attacks change and evolve quickly, keeping up with them and being able to adapt to protect against them is paramount to a well-rounded security strategy. 

With client-side threat intelligence, these benefits go deeper and are not limited to just origin-based data analysis. Instead, in client-side threat intelligence, signals from the client, such as the browser or web-application can be used in conjunction with origin data to get a full picture of an attack attempt. 

Client-side threat intelligence looks at threats from the perspective of the user, a vector or attack surface that is not always visible to an organization’s normal InfoSec data collection. As threats move from attacking the origin to focus more on the client, client-side threat intelligence is essential to understanding these attacks and evolving technology solutions to protect against them. 

 

Gathering client-side cyberthreat data 

As referenced above, one of the key differences between client-side threat intelligence and other disciplines is where the data needed for analysis is obtained from. Unlike origin-based intelligence which can leverage the existence of server logs or request traffic, client-side attack activity happens at the browser, outside of the visibility and control of a service provider. 

For example, when an organization becomes the victim of a web-skimming attack, more times than often, the attacker hasn’t actually breached the organizations origin or infrastructure, but instead has breached one of the third-party service providers utilized within the website code. As all of this code comes together in the browser, both first-party and third-party, any code with hidden malware that is delivered may not have actually passed through the organizations infrastructure and thus cannot be captured. 

In order to see such instances, code designed to observe and capture operations such as data transfer to remote locations is needed, similar to the way code designed to capture analytic metrics and telemetry works. The output from this data capture can then be processed and combined with intelligence-based data such as identification of rogue server addresses to determine malicious behavior. 

Capturing these signals in incredibly difficult and any code added to a website for this purpose needs to be both secure and performant, but also be cognizant of personal user data and privacy. Because of these challenges, client-side threat intelligence is a difficult discipline but incredibly valuable when done correctly. 

 

Ensighten client-side threat intelligence 

Ensighten has a long history in client-side security and as such has spent significant time developing, optimizing and tuning its IP around client-side sensors. Ensighten utilizes an agentless, lightweight JavaScript library to both monitor but to also block where applicable, client-side activity such as network communication to third-party servers or content rendering such as iFrames and advertisements. 

Ensighten leverages these same sensors within its client-side threat intelligence platform to collect data which can then be curated and analyzed to detect malicious intent. By cross-referencing substantial amounts of request data, applying automated or machine-learning driven processes and referencing other security sources, Ensighten produces a threat intelligence output specifically focused on detecting existing and emerging client-side attacks. 

But collection and automatic analysis is not enough on its own as human intelligence has historically been proven to be inefficient. With this in mind, Ensighten are also focused on leveraging machine learning to discover patterns or attack methods which might not be obvious otherwise. ML is especially good at looking at large amounts of unstructured data and finding anomalies or things that don’t quite look right. 

Ensighten’s client-side threat intelligence helps organizations to understand how their website communicates and with which services, organizations or online entities. To learn more about our capabilities, get in contact or download our 15-minute guide to threat intelligence