
The Relevance of RBI

Ryan Miller

CISO

Since its first enterprise adoption in the late 2000s, remote browser isolation (RBI) has slowly moved from the shadows of the information security market, where it was regarded as a product with potential, to a standard member of the Zero Trust and Secure Access Service Edge (SASE) product stacks at some of the largest companies in the space.

The early days of RBI were plagued by poor user experience because the underlying technologies were not resource-efficient. RBI has come a long way in just a few years and can now support thousands of concurrent users. RBI moves the execution of web page code from the browser installed on the local machine to a server in a data center that is physically located outside your local network. Malicious code, such as the code delivered by malvertising, never reaches the local machine because it runs and stays on that server, and it is destroyed when you log out of your browser isolation session.

Attackers have a few options when they use malvertising.

  • Scareware - Displays a message telling the web page visitor that they need to take action, such as updating software or installing a program to fix something on their machine. Clicking the ad triggers a drive-by download, or the visitor is encouraged to click a download link and install the software. Scareware is typically driven by affiliate marketing fraud.
  • Exploit kits - Require no visitor interaction. The kit fingerprints the browser, enumerates browser extensions and the applications installed on the operating system, and fingerprints the operating system to determine whether the visitor meets the criteria the attacker is looking for. If so, it forwards the visitor to a page where a drive-by download delivers an exploit for the browser or other installed software. Exploit kits are typically employed to steal data.
  • Technical support scam - Typically involves a flashy pop-up that covers the entire screen (also known as browser lock), which the visitor does not know how to close, and displays a phone number the visitor is instructed to call for help. These pop-ups can appear with or without visitor interaction. Technical support scams and scareware overlap in how they prompt the visitor to act. Technical support scams are used to fraudulently take money directly from web page visitors.

After reading about these malvertising strategies, you might ask how RBI keeps malicious code that arrives in a downloaded file from infecting the local machine. The answer is that RBI employs many of the same mitigating techniques you find on an endpoint: web filtering blocks known bad pages, file download blocking does what its name says, DNS filtering prevents people from visiting known bad domains, and virus scanning checks the files that are downloaded. RBI prevents browser lock because the only party that can open a new tab or window is the person logged into the browser isolation session.

Exploit kits give attackers the ability to choose which web page visitors to engage based on a system profile. RBI makes you a less attractive target because attackers are unable to enumerate installed applications and browser extensions, the operating system isn’t a typical target, and the browser fingerprint is unique. Browser fingerprinting includes characteristics like screen resolution (the number of pixels used to display the web page), browser publisher, browser version, and machine characteristics like how pixels are rendered by the graphics hardware and driver, processor cores, system memory, and installed fonts.

Any information security program worth its salt is going to have Transport Layer Security (TLS) inspection at the edge, and possibly at the endpoint depending on the endpoint protection vendor. TLS inspection significantly increases CPU load on edge devices like unified threat management appliances and secure web gateways, because decrypting, scanning for threats, and then re-encrypting the data to send to the client takes time and resources. TLS inspection also increases administrative overhead because not all web servers play nice with an edge device getting between them and the client to scan payloads. Broken connections result in broken web pages, and broken web pages require exceptions. Scanning exceptions mean that payloads are not scanned, and they mean extra work for administrators: writing regular expressions, defining which sources will use the exception, testing, and several other things that might need adjustment or configuration.
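The exception workflow described above is where unscanned traffic creeps in, so here is an added Python example (not code from the article or from any gateway vendor) that evaluates a constructed exception list of the kind an administrator maintains: each rule carries a hostname regular expression and the client networks it applies to. A small lint function flags the two most common regex mistakes, an unescaped dot and a missing end anchor, both of which make an exception bypass scanning for more hostnames than intended. The rule names, hostnames and networks are constructed for the example.

```python
import ipaddress
import re

# Constructed exception list in the shape an administrator might maintain:
# (rule name, hostname regular expression, client networks the exception applies to).
EXCEPTIONS = [
    ("pinned-updater", r"^updates\.vendor\.example$", ["10.10.0.0/16"]),
    ("sloppy-dots",    r"^sso.partner.example$",      ["10.0.0.0/8"]),   # dots not escaped
    ("unanchored",     r"^telemetry\.example",        ["10.0.0.0/8"]),   # no end anchor
]


def lint_pattern(pattern: str) -> list:
    """Flag regex mistakes that silently widen a bypass rule."""
    findings = []
    if not pattern.startswith("^"):
        findings.append("missing start anchor")
    if not pattern.endswith("$"):
        findings.append("missing end anchor")
    # A '.' that is neither escaped nor part of a deliberate wildcard (.*, .+, .?)
    # matches any character, so "sso.partner" also matches "sso-partner".
    if re.search(r"(?<!\\)\.(?![*+?])", pattern):
        findings.append("unescaped '.' matches any character")
    return findings


def matching_exception(host: str, client_ip: str, exceptions=EXCEPTIONS):
    """Return the name of the first exception that applies to this request,
    or None when the connection should be decrypted and scanned."""
    ip = ipaddress.ip_address(client_ip)
    for name, pattern, networks in exceptions:
        in_scope = any(ip in ipaddress.ip_network(net) for net in networks)
        if in_scope and re.search(pattern, host, re.IGNORECASE):
            return name
    return None


def audit(requests, exceptions=EXCEPTIONS):
    """Summarise how many requests would bypass scanning, and under which rule."""
    bypassed = {}
    inspected = 0
    for host, client_ip in requests:
        rule = matching_exception(host, client_ip, exceptions)
        if rule is None:
            inspected += 1
        else:
            bypassed[rule] = bypassed.get(rule, 0) + 1
    return {"inspected": inspected, "bypassed": bypassed}


# Constructed requests: (destination host, client IP).
SAMPLE_REQUESTS = [
    ("updates.vendor.example", "10.10.5.5"),     # intended bypass
    ("updates.vendor.example", "192.168.1.5"),   # client out of scope: inspected
    ("sso.partner.example", "10.20.1.1"),        # intended bypass
    ("sso-partner.example", "10.20.1.1"),        # unintended bypass: unescaped dot
    ("telemetry.example.test", "10.1.1.1"),      # unintended bypass: missing end anchor
    ("news.example", "10.1.1.1"),                # no rule applies: inspected
]

if __name__ == "__main__":
    for name, pattern, _ in EXCEPTIONS:
        print(f"{name}: {lint_pattern(pattern) or 'ok'}")
    print(audit(SAMPLE_REQUESTS))
```

Running the lint over a real exception list before it is deployed, and running the audit over a day of proxy logs, shows exactly how much traffic each exception removes from inspection; the two flawed rules above each let through a hostname the administrator never meant to exempt.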

RBI reduces the volume of data that edge devices scan because only the code that styles and maintains the interactive portions of the web page is sent to the client, not the entire web page. The average size of a web page is just over two megabytes; RBI reduces the data transmitted to under one megabyte in most cases. Administrative overhead from creating scanning exceptions is reduced because you are scanning content from a single source, the RBI vendor, and the RBI vendor’s infrastructure *should* be compatible with the customer’s TLS inspection.
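To make the principle concrete (the endpoint receives structure, text and styling, while anything that executes stays on the isolation server, as described earlier), here is an added Python illustration that is not code from the article or from any RBI product. It runs a constructed sample page through Python's standard-library HTML parser, drops active elements and executable attributes, and reports how many it removed and how much smaller the result is. Real RBI products work differently (for example by streaming pixels or a sanitized DOM over their own protocol); the element and attribute lists here are assumptions chosen for the illustration, and the sample page and its hostnames are constructed.

```python
from html import escape
from html.parser import HTMLParser

# Elements whose content executes or embeds other content. These are dropped
# together with everything inside them. (Assumed list for the illustration.)
ACTIVE_ELEMENTS = {"script", "iframe", "frame", "object", "embed", "applet"}
# Assumed allow-list of attributes that only affect presentation or navigation.
ALLOWED_ATTRIBUTES = {"class", "id", "style", "href", "src", "alt", "title", "width", "height"}
# Elements that never have a closing tag.
VOID_ELEMENTS = {"br", "hr", "img", "input", "meta", "link"}
# URL schemes that execute code or smuggle content when placed in href/src.
BLOCKED_SCHEMES = ("javascript:", "vbscript:", "data:")


class ActiveContentStripper(HTMLParser):
    """Rebuilds a page from its parsed tokens, keeping structure, text and styling."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_tag = None          # active element currently being discarded
        self.dropped_elements = 0
        self.dropped_attributes = 0

    def handle_starttag(self, tag, attrs):
        if self.skip_tag:
            return                    # nested inside an active element
        if tag in ACTIVE_ELEMENTS:
            self.dropped_elements += 1
            self.skip_tag = tag
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = (value or "").strip()
            # on* handlers and javascript:/data: URLs execute on the client, so they go.
            if (name.startswith("on") or name not in ALLOWED_ATTRIBUTES
                    or value.lower().startswith(BLOCKED_SCHEMES)):
                self.dropped_attributes += 1
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_tag:
            if tag == self.skip_tag:
                self.skip_tag = None  # end of the discarded element
            return
        if tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_tag:
            self.out.append(escape(data))


def strip_active_content(page: str):
    """Return (filtered_html, stats) for one page."""
    parser = ActiveContentStripper()
    parser.feed(page)
    parser.close()
    filtered = "".join(parser.out)
    stats = {
        "original_bytes": len(page.encode()),
        "filtered_bytes": len(filtered.encode()),
        "dropped_elements": parser.dropped_elements,
        "dropped_attributes": parser.dropped_attributes,
    }
    return filtered, stats


# Constructed sample page mixing readable content with the kinds of active
# content malvertising relies on. Hostnames use the reserved .invalid TLD.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><title>Sample</title>
<style>.headline{color:navy}</style>
<script src="https://ads.example.invalid/loader.js"></script>
</head><body onload="track()">
<h1 class="headline">Constructed test page</h1>
<p id="body">Readable text survives the filter.</p>
<a href="javascript:alert(1)">click me</a>
<a href="https://example.invalid/page">a normal link</a>
<iframe src="https://ads.example.invalid/frame.html"><p>fallback</p></iframe>
<img src="https://example.invalid/pic.png" alt="pic" onerror="steal()">
<script>document.write('injected');</script>
</body></html>"""

if __name__ == "__main__":
    html, stats = strip_active_content(SAMPLE_PAGE)
    print(html)
    print(stats)
```

Run directly, the script prints the filtered page followed by the counts; on the sample page the two script elements and the iframe are gone, the `onload`, `onerror` and `javascript:` attributes are removed, and the visible text and the ordinary link come through unchanged.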

RBI is not a silver bullet. Controls should be layered so that if one control fails, secondary controls provide prevention or containment. Endpoint Detection and Response with continuous monitoring and employee education are still needed. Keeping web page, browser, and web app threats off the endpoint reduces the probability that a threat will materialize through the browser.
