Defending against web-based attacks

The most widely used vector of attack against your endpoints is, and for the foreseeable future will remain, the World Wide Web. Attacks may come from a compromised advertising network (malvertising), from a compromised legitimate website (as in the case of forbes.com), or from a website set up specifically for that purpose (on a domain produced by a domain generation algorithm, often combined with fast-flux hosting, or registered by hand). In every case you will need a solid defense.

These attacks are especially hard to defend against because they are, in essence, initiated by your own users: an actor on the web cannot reach an endpoint behind your perimeter except in response to a request that an internal user has made (in other words, for the attack to succeed there has to be an HTTP GET or POST request originating from inside your network). The same property is what makes them filterable: every such request passes through a choke point on its way out, and that is where the first line of defense belongs.

There are 2 objectives to pursue in order to achieve solid defense:

  1. Protecting from malicious traffic before it reaches the endpoint
  2. Protecting the Endpoint

Objective 1 is achieved by the proper choice of a web filtering (proxy) solution, and by its correct configuration and ongoing maintenance.

There must be a dashboard (or several, rotating) in the IT / IT Security team room displaying the web filter statistics: traffic spikes, traffic anomalies, number of blocked sites per host and in total, egress/ingress traffic volume, and so on.

The following chapter focuses on choosing a web filter, setting it up properly, and configuring and maintaining it. Your web filter appliance is a crucial point in the organization's security posture, and it becomes an invaluable tool when used to its full potential.

The chapter after that focuses on Objective 2, protecting the endpoint from web-based attacks: choosing and configuring a browser, hardening it, and preventing common exploitation techniques.

These two chapters should become the foundation of your defense mechanisms; building upon them will be essential. For example, you could extend the web filter setup in your own organization with additional layers of defense, such as integrating it with an advanced threat protection solution from FireEye or Trend Micro, especially when that solution sits in front of your proxy and blocks malicious traffic before it reaches the proxy and your end users.

When configuring your web proxy, remember that a large share of incidents are caused by insiders sending documents to their own mailboxes and to web-based file hosting services such as Mega, Google Drive, Dropbox, Box.net, etc. That is why the option to block POST requests unless pre-approved per user and per website is so important (it will be explained later). Note that for HTTPS sites the proxy can only see the request method if it terminates and inspects TLS (otherwise it sees only a CONNECT tunnel), so this control depends on TLS interception being in place for the sites in question. Setting up and configuring a DLP (data leakage prevention) solution is outside the scope of this book, but it is surely an important point to consider.
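To show what "block POST unless pre-approved per user / website" looks like in practice, here is an added example (not the book's own material, and not tied to any particular vendor's product): a per-user, per-site upload allowlist written as a Squid external ACL helper. The squid.conf wiring in the docstring, the helper path, the user names and the approved domains are all hypothetical assumptions made for the illustration; the example also goes slightly beyond the text by treating PUT and PATCH as upload methods alongside POST, since they carry a request body in the same way. Squid hands such a helper one line per request and expects "OK" or "ERR" back on stdout.

```python
"""Per-user / per-site upload allowlist as a Squid external ACL helper.

Assumed squid.conf wiring (hypothetical names, not from the book):

  external_acl_type upload_ok ttl=60 %LOGIN %DST %METHOD /usr/local/bin/upload_acl.py
  acl upload_methods method POST PUT PATCH
  acl upload_approved external upload_ok
  http_access allow upload_methods upload_approved
  http_access deny upload_methods
  # ... the normal allow rules for GET etc. follow here

Squid writes "user host method" lines to the helper and reads "OK"/"ERR"
answers. For HTTPS the real method is only visible when the proxy decrypts
the session (SSL-Bump); otherwise Squid only ever sees CONNECT.
"""
import sys

# Constructed sample policy: user -> domains on which uploads are pre-approved.
# A real deployment would load this from a file or a directory group.
UPLOAD_ALLOWLIST = {
    "alice": {"sharepoint.example.com", "github.com"},
    "bob": {"sharepoint.example.com"},
}

# Methods that carry a request body to the remote site.
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}


def host_matches(host, allowed_domain):
    """True if host equals allowed_domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    allowed_domain = allowed_domain.lower().rstrip(".")
    return host == allowed_domain or host.endswith("." + allowed_domain)


def decide(user, host, method):
    """Return 'OK' to permit the request or 'ERR' to deny it.

    Non-upload methods are permitted unconditionally: squid.conf already
    restricts this helper to upload_methods, and failing open for GET keeps
    browsing working if the ACL is ever attached to a broader rule.
    """
    method = method.upper()
    if method not in UPLOAD_METHODS:
        return "OK"
    # Unauthenticated ("-") or unknown users get no upload rights at all.
    allowed = UPLOAD_ALLOWLIST.get(user.lower(), set())
    if any(host_matches(host, domain) for domain in allowed):
        return "OK"
    return "ERR"


def handle_line(line):
    """Parse one helper request line; malformed input is denied, never allowed."""
    parts = line.split()
    if len(parts) != 3:
        return "ERR"
    user, host, method = parts
    return decide(user, host, method)


def main():
    # Squid sends one request per line and expects one answer per line.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The helper denies on anything it cannot parse and on any user it does not know, so a misconfiguration fails closed rather than silently allowing uploads. Suffix matching on the destination host lets an approved "sharepoint.example.com" cover its subdomains while rejecting look-alike names such as "evil-sharepoint.example.com.attacker.test".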