SANS: Browser isolation against 0-days and missing updates

A large proportion of successful cyber attacks are possible via 0-day vulnerabilities or unpatched browsers. The rise of home office solutions in the wake of the coronavirus pandemic exacerbates this problem. In some environments, updating the browser in use is itself a problem, which also has a negative impact on security. In such cases, the SANS Institute recommends browser isolation to render browser vulnerabilities ineffective.


Problem: Browser may not be updated

There are always situations in which known vulnerabilities in browsers cannot be closed promptly by appropriate updates. The obvious scenario is that the security update leads to problems with the browser because of bugs. Then the installation of updates may have to be delayed until a corrected browser update is available. But there are other conceivable scenarios for suspended updates:

  • Especially in corporate environments, it is not always possible to provide browsers with security updates in a timely manner. There is, for example, the intranet application that depends on a particular browser version because it no longer renders correctly otherwise.
  • If you think about the issue of Adobe Flash, which fell out of support at the end of 2020, users who rely on this technology have a problem. It would be conceivable to use an older version of the respective browser that still supports Flash.
  • Another conceivable scenario: the user runs an environment or browser for which no further browser updates are released. Then the question of where to get a security update becomes moot.
  • And the case where a browser (together with its operating system environment) is simply forgotten during patching should not be overlooked either (this can have various reasons).

If one of these scenarios or another applies, users are working with a browser that has known vulnerabilities. In addition, the browser may have vulnerabilities that are not publicly known (0-day vulnerabilities). In this case, it is important to use an appropriate protective shield against vulnerability attacks.

The SANS Institute Recommends Browser Isolation

The SANS Institute is a trusted resource for cybersecurity training, certification, and research. The Internet Storm Center is a SANS Institute organization that monitors the amount of malicious activity on the Internet.

SANS Institute about Browser isolation

The above tweet from Thorsten E. brought a recommendation from the SANS Institute to my attention, which deals with the topic of browser security. The short version: if patching the browser "is a hassle", simply isolate the browser.


The browser as a security risk

60% of security breaches in 2019 involved unpatched software vulnerabilities. With the coronavirus pandemic in 2020, the problem of unpatched applications has intensified as Work from Anywhere (WFA, or home office) has proliferated. Patch management is a tedious security task that gets in the way of securing enterprises.

Automated patch management products require an agent on the endpoint, making it difficult to determine whether the latest patches are installed on each system. And not every patch is free of gaps. Worse: even after patching, zero-day vulnerabilities remain.

This, of course, is an El Dorado for hackers, so the finding that the increase in cyber attacks on PC networks and routers since COVID-19 can be linked to unpatched browsers is not really surprising. Vulnerabilities in outdated browser versions of Chrome, Edge, Safari, Opera, Firefox and others remain the most common method of attack by threat actors.

This is worsened by home office users doing their work on an unmanaged machine. There, they use an unpatched browser, often running on an outdated home computer that cannot be patched and is also shared with others in the household.

Forrester reports that application vulnerabilities will continue to be the most common external attack approach to hack into an IT infrastructure and compromise systems.

Remote browser isolation for security

Security experts at the SANS Institute say that while unpatched browsers pose a security risk, patched browsers can still contain zero-days. Browser isolation is an additional cyber security model that aims to physically isolate an Internet user's browser activity from their local networks and infrastructure.

When a user's browser isolation technology is provided as a service hosted in the cloud, it is referred to as remote browser isolation (RBI). RBI is a model that allows organizations to provide a browser isolation solution to their users without managing the associated server infrastructure.

Remote Browser Isolation (RBI) is effective not only against zero-days, but against any web-based threat. RBI is based on the zero-trust approach and fetches, routes and renders all elements of a page away from the user's device, effectively protecting against ransomware, phishing, social engineering attacks and malvertising.

In a SANS report (PDF), the SANS Institute addresses the issue of remote browser isolation (RBI) in enterprise environments. According to this SANS report, RBI is critical to any organization's cyber security program because almost all work today is performed using the browser. Especially with EFC (home office) models and heavy reliance on the cloud, SANS also calls the browser the new endpoint.

The SANS report does not address specific remote browser isolation products, but discusses the whole thing from a principled point of view. If you search the Internet for remote browser isolation, you will get a number of hits (e.g., Zscaler, Cloudflare, Forcepoint etc.).

Local browser isolation

There are also client-side approaches to browser isolation based on client-side hypervisors. These do not depend on servers to isolate the browser activities of their users and the associated risks; instead, browser activity is virtually isolated on the local host machine. Client-side solutions break the model of security through physical isolation, but they allow users to avoid the server overhead costs associated with remote browser isolation solutions. Here are the solutions that come to mind ad hoc:

  • In Windows 10, the Windows Defender Application Guard (WDAG) feature is available to isolate Microsoft Edge version 77 or later from the operating system via Hyper-V. The functionality is described in this document, and the system requirements can be read here.
  • Furthermore, the Windows 10 Sandbox, which is supported in the current Windows 10 builds starting with the Pro version, could be used to run a browser along with its isolation. However, this approach might not be practical enough compared to WDAG.
  • There is also BitBox (a virtual machine for Linux and Windows with a Chrome browser) developed by Rohde & Schwarz Cybersecurity GmbH.  
  • Running the browser in a sandbox also works in the Home editions of Windows; for older systems in the private environment I would like to mention Sandboxie Plus, which Sophos released as open source some time ago.
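As an added example (not code from the original post, from Microsoft, or from any of the vendors named above), the following PowerShell script does the groundwork for the two Windows 10 options just listed: it checks the Hyper-V prerequisites that both Application Guard and Windows Sandbox need, enables the two optional features by their DISM feature names, and writes a locked-down Windows Sandbox configuration (.wsb) that starts a browser in the disposable VM with clipboard redirection switched off. The feature names and .wsb elements are the documented ones; the output path, the mapped folder, the start URL and the assumption that a browser is present in the sandbox image are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: prepare a Windows 10 Pro/Enterprise machine for local
# browser isolation (Application Guard + Windows Sandbox). Paths, the
# mapped folder and the start URL below are assumptions for this example.

$props = @(
    'HyperVisorPresent',
    'HyperVRequirementVirtualizationFirmwareEnabled',
    'HyperVRequirementSecondLevelAddressTranslation',
    'HyperVRequirementVMMonitorModeExtensions',
    'HyperVRequirementDataExecutionPreventionAvailable',
    'WindowsProductName', 'OsBuildNumber'
)
$info = Get-ComputerInfo -Property $props
Write-Host "$($info.WindowsProductName) build $($info.OsBuildNumber)"

# Once a hypervisor is already running, the HyperVRequirement* values are
# reported as null, so the firmware checks only make sense without one.
if (-not $info.HyperVisorPresent) {
    $missing = $props[1..4] | Where-Object { -not $info.$_ }
    if ($missing) {
        Write-Warning "Virtualization prerequisites not met: $($missing -join ', ')"
        Write-Warning "Enable VT-x/AMD-V and SLAT in the firmware before continuing."
        return
    }
}

# DISM feature names:
#   Windows-Defender-ApplicationGuard -> Application Guard (isolated Edge)
#   Containers-DisposableClientVM     -> Windows Sandbox
# Both are absent on Windows 10 Home, hence the null check.
foreach ($feature in 'Windows-Defender-ApplicationGuard', 'Containers-DisposableClientVM') {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $feature -ErrorAction SilentlyContinue
    if (-not $f) {
        Write-Warning "$feature is not available in this Windows edition"
    } elseif ($f.State -ne 'Enabled') {
        Write-Host "Enabling $feature (currently $($f.State))"
        Enable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart | Out-Null
    } else {
        Write-Host "$feature is already enabled"
    }
}

# Windows Sandbox configuration. Clipboard and shared folders are the main
# channels back to the host, so the clipboard is disabled and the only
# mapped folder is read-only; networking stays on because a browser
# without it is useless. ProtectedClient adds an extra layer of RDP
# session isolation between sandbox and host.
$hostFolder = Join-Path $env:USERPROFILE 'Downloads'      # assumption
$wsb = @"
<Configuration>
  <vGPU>Disable</vGPU>
  <Networking>Default</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <PrinterRedirection>Disable</PrinterRedirection>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <ProtectedClient>Enable</ProtectedClient>
  <MemoryInMB>4096</MemoryInMB>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostFolder</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\HostDownloads</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <!-- opens the URL in whatever browser the sandbox image provides (assumption: Edge) -->
    <Command>cmd.exe /c start "" https://example.com</Command>
  </LogonCommand>
</Configuration>
"@
$wsbPath = Join-Path $env:USERPROFILE 'Desktop\IsolatedBrowser.wsb'   # assumption
Set-Content -Path $wsbPath -Value $wsb -Encoding UTF8
Write-Host "Wrote $wsbPath; double-click it to start the isolated browser (reboot first if features were just enabled)."
```

Every launch of the .wsb file gives a fresh sandbox, so a browser compromised inside it is discarded with the VM; the read-only mapped folder lets files from the host be inspected without giving the sandbox a way to write into the user profile.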

David Xanatos, who is developing Sandboxie Plus, had pointed me to the new release v0.5.5 / 5.46.4 the other day, which I mentioned yesterday in the blog post Sandboxie v0.5.5 / 5.46.4 released. So there are approaches to make browsing – even in the private environment – more secure. 


This entry was posted in Security.
