Results of a Web Application Attack Report (WAAR) reveal that web applications, on average, experience twenty seven attacks per hour, or roughly one attack every two minutes. The WAAR offers insight into actual malicious web application attack traffic over a period of six months, December 2010 through May 2011.
More than 10 million individual attacks across the internet were monitored and categorized, including attacks witnessed via onion router (TOR) traffic as well as attacks targeting 30 different enterprise and government web applications. The WAAR outlines the frequency, type and geography of origin of each attack to help security professionals better prioritize vulnerability remediation.
Most security research focuses on vulnerabilities, and while this insight is extremely valuable, it doesn’t always help businesses prioritize their security efforts. Take a look at the OWASP Top 10, for example, RFI and Directory Traversal were not identified as top vulnerabilities, yet the research shows that these are two of the most common attacks used by hackers to steal data.
It’s impossible to have effective risk management without understanding which vulnerabilities are most likely to be exploited.
- Automated attacks are prevailing. According to the WAAR, attack traffic during the six month period was characterized by spikes of high volume attack activity followed longer periods of lighter activity, key indicators of automation. On average companies experienced twenty-seven attacks per hour, or an attack every two minutes. However, when websites came under automated attack they received up to 25,000 attacks in one hour, or 7 attacks every second.
- The Unfab Four. The four most prevalent Web application attacks include directory traversal (37 percent), cross site scripting (36 percent), SQL injection (23 percent) and remote file include (four percent). These attacks were often used in combination to scan for vulnerabilities and subsequently exploit found vulnerabilities.
- Most attacks come from within the United States. Over 61 percent of the attacks originated from bots in the United States, though it was unclear from where they were controlled. Attacks from China made up almost 10 percent of attack traffic, followed by attacks originating in Sweden and France. Geography, however, is less than reliable, but filtering attacks by reputation is more so. The WAAR data shows that 29 percent of the attacks originated from the same 10 most active attack sources.
The level of automation in cyber attacks continues to shock me. The sheer volume of attacks that can be carried out in such a short period of time is almost unimaginable to most businesses. The way hackers have leveraged automation is one of the most significant innovations in criminal history.
You can’t automate car theft, or purse stealing. But you can automate data theft. Automation will be the driver that makes cyber crime exceed physical crime in terms of financial impact.
Advances in evasion are also significant. Data shows that it is increasingly difficult to trace attacks to specific entities or organizations. This complicates any effort to retaliate, shut down cybercriminal gangs or identify potential acts of war.
- Assume your organization is a target and have already been compromised. Consider yourself an even more attractive target if you hold sensitive information with value for hackers, governments, employees or competitors.
- Make data security a strategic priority.
- Give security a seat at the table, some firms have security reporting to the CEO or the board of directors others have put cyber security in into every technology decision and reversed conventional wisdom by having IT report into security, instead of vice versa.
- Work with law enforcement to help pinpoint hackers, even overseas, to ensure that the weeds don’t grow back. What may seem like a minor cyber attack could be part of a larger criminal effort that only law enforcement can recognize.
- Embrace data security regulations. For example A Ponemon survey on the topic from 2011 showed that companies complying with PCI were twice as likely to avoid breaches as noncompliant firms.
- Put the right technology in place, the CEO should ask – have we identified all sensitive data and have put in place technology with the audit and protection capabilities required to safeguard that data?
Automated attack detection requires collecting data, combining it and then analyzing it automatically in order to extract relevant information and apply security countermeasures. Gathering the required data requires monitoring protocol anomalies even if they are not malicious or if the web application is not vulnerable.
Combining this data with intelligence gathered on known malicious sources will help enlarge the knowledge base for identifying attacks and selecting appropriate attack mitigation tools. Here are my top 5 tips for the security team:
- Deploy security solutions that deter automated attacks.
- Detect known vulnerabilities attacks – the security organization needs to be aware of known vulnerabilities and have an up-to-date list to know what can and will be exploited by attackers.
- Acquire intelligence on malicious sources and apply it in real time
- Participate in a security community and share data on attacks.
- Detect automated attacks early – quickly identifying thousands of individual attacks as one attack allows you to prioritize your resources more efficiently and can help in the detection of previously unknown attack vectors (e.g., “zero days”) included in the attack.