Browser-based attacks are one of the most common vectors used by adversaries to gain control of an internal system on a target network. In this “beachhead assault” stage of a cyber attack campaign, attackers attempt to exploit known and unknown (zero-day) vulnerabilities in browser applications. The main goal in secure browsing is to prevent malware from successfully breaching the browser and establishing persistence on the underlying endpoint.
Browsers represent an attractive attack surface for several reasons. First, they are a major entry point through which information and documents flow into an internal corporate network. This means they are typically more exposed to external threat actors than other software applications inside the network. Second, browsers allow installation of useful extension apps. Threat actors can develop malicious extensions with otherwise useful functionality and wait for unsuspecting users to install them.
Also, in the case of Google Chrome, which makes up more than 65% of all browser market share, the core source code is available as Chromium, an open-source code repository that adversaries can analyze for weaknesses before they deploy their malware payloads. Considering that Microsoft Edge is also based on Chromium, an additional 8+% of market share can be included, meaning the Chromium attack surface comprises about 75% of internet browsing. However, even closed-source browser applications can be decompiled, reverse engineered and targeted by advanced persistent threat actors.
Browser-based attacks happen across a variety of vectors such as:
- Phishing & Clickbaiting – Users are tricked into opening a URL to a malicious website or other media content in the browser, which in turn attempts to exploit the browser. Advanced phishing, known as “spear phishing”, employs context-relevant content that may appear to originate from a known source such as a co-worker.
- Trojan Browser Extensions & Plugins – Users are lured into downloading a malicious browser extension which may claim to provide some attractive benefit to the user. The promise of an improved workflow is a strong incentive for users to install rogue plugins.
- Embedded Malvertising in a Legitimate Website – Malicious advertising agencies embed their software into unsuspecting websites in exchange for advertisement revenue. The embedded ad’s JavaScript code can attack the browser covertly on each page load.
The Benefit of a Cloud Based Workflow
As the adoption of cloud-based applications and services increases, tasks that have traditionally been handled by native applications such as desktop office suites can be done primarily through a browser using web applications. Handling incoming and collaborative documents, spreadsheets, presentations and other file types in this way raises the importance of securing the browser, thereby ensuring that malicious code embedded in a document never reaches the endpoint itself.
Existing Browser Isolation Strategies
Isolating the browser is important to protect the local environment from browser-based attacks. There are currently two main concepts for browser isolation.
- The first is to access the internet through a Virtual Machine (VM) or Micro VM to create a secured and isolated environment for browsing.
- The second is the “screening” approach, in which the browser application runs on a remote server and the user-interface image is forwarded to the client system. The screening method can be enabled using technology such as X11 over SSH.
Both approaches are sound in theory, but in practice they carry operational and performance overheads that translate into usability issues such as lack of reliability or simply a poor user experience.
Usability and scalability shortcomings of existing browser isolation solutions can be a significant deterrent to implementation. Applications accessed via remote (thin) and local (thick) VMs often induce significant lag, which can cause user dissatisfaction and annoyance [1]. This increased mental demand has been shown to translate into reduced workplace performance.
A thick VM running on a Type 2 hypervisor consumes a large amount of system resources (CPU and RAM), since the system’s hardware resources are effectively split and allocated to two full-fledged operating systems. This presents a cost and operational deterrent to implementation, since every workstation that might be asked to run a VM will need double the amount of CPU and RAM.
Also, VMs do not have widespread hardware driver support, and virtualized hardware settings may not function [2]. In reality, very few motherboards are tested for support in a VM software environment. Configuring a VM to function seamlessly as a regular node on a LAN, or even to access a USB port, can be complex enough to make the IT department’s job a nightmare. Mobile developers do not enjoy the task of developing within a VM either. In fact, even positive reviews of local VMs employ negative language [3], implying a search for the best of the worst.
Minerva’s Next-Gen Browser Isolation Module
At Minerva Labs, we deliver elegant prevention-first solutions that are seamless to the end user while providing ease of deployment and scalability from a security team’s perspective. After deep research of this domain, we have developed a novel and innovative concept to achieve secure browsing without sacrificing usability or scalability. Our Browser Isolation module, part of our Ransomware Protection Platform, also provides protection against more attack scenarios than existing solutions such as deploying browser-over-VM or browser-screening.
Minerva’s Browser Isolation Module (BIM) provides low level isolation of the browser process, preventing it from spawning any rogue child processes. Even if an adversary successfully exploits an unpatched vulnerability in the browser, the malware is still unable to execute any code on its behalf since Minerva’s browser isolation blocks the browser from launching any additional processes. In the case of a file-less malware attack, payload execution is blocked by Minerva’s Memory Injection Prevention Module (MIPM). An adversary using the browser to download malicious files onto the target endpoint is blocked by Minerva’s Malicious Document Prevention (MDP) or anti-evasion module of our Anti-Ransomware Platform.
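The behaviour the module above blocks, a browser process launching a child that is not part of the browser, is also what a defender would hunt for in endpoint telemetry. The following is an added example and not Minerva’s code: it scans constructed process-creation records (shaped like Sysmon Event ID 1, with ParentImage and Image fields) and flags children of a browser whose image differs from the parent. The set of browser images and the same-image exemption for Chromium/Firefox sandbox child processes are assumptions of this example.

```python
"""Flag child processes spawned by a browser (added example, not product code)."""
import ntpath

# Assumed list of browser executables to watch; extend for your environment.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

# Constructed sample events shaped like Sysmon Event ID 1; not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
    {"ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def image_name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def is_rogue_child(event):
    """True when a browser parent spawns a child that is not the browser itself.

    Chromium-family browsers and Firefox legitimately launch copies of their own
    image (renderer, GPU, utility and content processes), so a same-image child
    is treated as expected. Anything else launched by the browser is flagged;
    a production rule would add an allow-list for known vendor helpers.
    """
    parent = image_name(event["ParentImage"])
    child = image_name(event["Image"])
    if parent not in BROWSER_IMAGES:
        return False
    return child != parent


def find_rogue_children(events):
    """Return (parent, child) pairs for every flagged event, in input order."""
    return [(image_name(e["ParentImage"]), image_name(e["Image"]))
            for e in events if is_rogue_child(e)]


if __name__ == "__main__":
    for parent, child in find_rogue_children(SAMPLE_EVENTS):
        print(f"browser child process: {parent} -> {child}")
```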
[1] Virtual Machines for Remote Computing: Measuring the User Experience (2015), School of Computer Science Carnegie Mellon University
https://www.cs.cmu.edu/~satya/docdir/CMU-CS-15-118.pdf
[2] Is Running A Virtual Machine (VM) Worth The Effort?
https://www.ipswitch.com/blog/is-running-a-virtual-machine-vm-worth-the-effort
[3] What Sucks Worse than Oracle’s VirtualBox?
https://www.zdnet.com/article/what-sucks-worse-than-oracles-virtualbox/