Calling Home, Get Your Callbacks Through RBI

Authored By: Lance B. Cain and Alexander DeMine

Overview

Remote Browser Isolation (RBI) is a security technology that has been gaining popularity in recent years among large businesses securing their enterprise networks. This blog post describes methods that SpecterOps consultants have researched to circumvent this technology during offensive assessments. Following a brief introduction to the technology, we share our firsthand experiences encountering RBI solutions and the techniques the SpecterOps team has employed to establish command and control (C2) to systems whose traffic is proxied through RBI products, broken down into three segments: Payload Ingress, C2 Egress, and RBI Bypass. The post concludes with our perspective on recommending RBI as a defensive product for the modern enterprise.

What is RBI and Why Use It?

Browser isolation is a security concept in which a user’s web traffic is isolated in a virtual machine, a hosted web browser, or some other sandbox so that malicious activity never reaches the end user’s machine, lowering the general risk of web browsing. There are three types of browser isolation in use today: client-side browser isolation, on-premises browser isolation, and RBI. As the names imply, client-side isolation virtualizes the browsing on the local host, on-premises isolation runs the browsing within the organization’s own infrastructure, and RBI virtualizes the web session in the cloud. Each type has different pros and cons, but we focus on RBI here.

The general concept of RBI is relatively simple. When users open their web browser to surf the web, they are not browsing directly from their local machine; rather, they connect to a cloud-hosted virtualized browser in which all web content is rendered and executed, and only a sanitized representation of the result is sent back to the end user (Figure 1). Different vendors stream that content to the user differently, but it is sufficient to say they all do the same thing: render the client’s web traffic remotely and sanitize what reaches the endpoint.


This article has been indexed from Security Boulevard
