Browser-based HEAT attacks putting CISOs on the hot seat

As employee usage of SaaS applications and other cloud-based services rapidly explodes, the web browser has become an increasingly popular point of entry for attackers looking to secretly breach an endpoint before ultimately moving laterally into the network.

Highly Evasive Adaptive Threats, or HEAT attacks, exploit browsers — leveraging their tools and features to circumvent traditional security measures (e.g. static analysis, web gateways, sandboxes and filtering) and then compromise credentials or deliver ransomware and other malicious programs. At an InfoSec World conference session in Orlando on Monday, Niko Papez, senior manager of cybersecurity at Menlo Security, warned attendees about the growing danger surrounding these campaigns.

HEAT attacks typically rely on certain signature tactics, including HTML smuggling, dynamic drive-by downloads and phishing messages delivered via non-traditional channels such as collaboration or social media platforms.

“If you think about everything that’s happening today with these hybrid environments, this increase in remote workforce today, it really comes down to a world where everything is in the browser,” said Papez in an interview with SC Media. “Our applications are found there, our data is moving there, SaaS adoption is increasing. And in addition to that, the amount of trust we have to place in our data today, where it’s located and the people that have access to it — all of this has increased. So it’s become a very opportunistic playing field for these adversaries.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
