Organizations of all sizes face a universal security threat from today’s organized hacking industry. Why? Hackers have decreased costs and expanded their reach with tools and technologies that allow for automated attacks against Web applications.
This presentation will detail key insights from the Imperva Application Defense Center annual Web Application Attack Report. View this presentation for an in-depth view of the threat landscape for the year. We will:
- Discuss hacking trends and shifts
- Provide breach analysis by geography, industry, and attack type
- Detail next steps for improved security controls and risk management processes
7. Attack Incidents
Minimum alert ratio per attack type – the number of alerts per 5 minutes a cluster of alerts must reach to count as an incident:
Attack Type    Min Ratio (#Alert/5min)
SQLi           20
HTTP           10
XSS             5
DT              5
Spam            1
RCE             1
FU              1
Incident – a collection of alerts of the same attack type, against the same target, at essentially the same time; not necessarily from the same IP
Incident Alert Ratio
198 WAF customers
103,455,308 security events
The team – ADC (Application Defense Center), led by the CTO
Next slide – the alerts were gathered with …
Negative vs. positive security model
Crowd sourcing
Distinction – content-based vs. reputation-based detection
Next slide – this distinction
Focus on attack types
Reputation-based detection vs. content-based detection
Incident – a collection of requests that appear to belong to the same attack
The IP dilemma – the same attack may arrive from many source IPs, so an incident is not tied to a single address
Number of attacks within the report period
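The incident definition above (same attack type, same target, essentially the same time, not necessarily the same IP, plus the per-type minimum ratio from slide 7) is easy to turn into a clustering routine. The block below is an added example, not Imperva's code: the thresholds table is the one on the slide, while the alert-line format, the 5-minute gap used to split clusters and the sample alerts are constructed for illustration (DT and FU are the report's abbreviations for directory traversal and file upload).

```python
"""Group WAF alerts into incidents as defined on slide 7: same attack type,
same target, essentially the same time (a 5-minute window here), not
necessarily the same source IP; a cluster is reported as an incident only when
it reaches the per-type minimum ratio of alerts per 5 minutes.

Added example, not Imperva's code.  The thresholds come from the slide; the
alert-line format, the 5-minute gap and the sample alerts are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Minimum #alerts per 5 minutes for a cluster to count as an incident (slide 7).
MIN_ALERTS_PER_5MIN = {"SQLi": 20, "HTTP": 10, "XSS": 5, "DT": 5, "Spam": 1, "RCE": 1, "FU": 1}
WINDOW = timedelta(minutes=5)


def parse_alert(line):
    """Parse one constructed alert line: '<ISO timestamp> <attack type> <target> <source ip>'."""
    ts, kind, target, ip = line.split()
    return datetime.fromisoformat(ts), kind, target, ip


def cluster_incidents(lines, window=WINDOW, thresholds=MIN_ALERTS_PER_5MIN):
    """Return incidents (dicts: type, target, start, end, alerts, ips, rate) sorted by start time."""
    buckets = defaultdict(list)          # (type, target) -> [(ts, ip), ...]
    for line in lines:
        ts, kind, target, ip = parse_alert(line)
        buckets[(kind, target)].append((ts, ip))

    clusters = []
    for (kind, target), events in buckets.items():
        events.sort()
        current = None
        for ts, ip in events:
            # Same type and target: extend the cluster while the gap to the previous alert is within the window.
            if current is not None and ts - current["end"] <= window:
                current["end"] = ts
                current["alerts"] += 1
                current["ips"].add(ip)       # the source IP is recorded but never splits a cluster
            else:
                current = {"type": kind, "target": target, "start": ts, "end": ts,
                           "alerts": 1, "ips": {ip}}
                clusters.append(current)

    incidents = []
    for c in clusters:
        # Alert rate = alerts per 5-minute slice touched by the cluster, compared with the type's minimum.
        slices = (c["end"] - c["start"]) // window + 1
        c["rate"] = c["alerts"] / slices
        if c["rate"] >= thresholds.get(c["type"], 1):
            incidents.append(c)
    return sorted(incidents, key=lambda c: c["start"])


def _burst(start, n, step_seconds, kind, target, ips):
    """Build n constructed alert lines, step_seconds apart, rotating through the given IPs."""
    return [f"{(start + timedelta(seconds=k * step_seconds)).isoformat()} {kind} {target} {ips[k % len(ips)]}"
            for k in range(n)]


_T0 = datetime(2015, 4, 1, 10, 0, 0)
SAMPLE_ALERTS = (
    _burst(_T0, 22, 5, "SQLi", "/login", ["203.0.113.1", "203.0.113.2", "203.0.113.3"])      # 22 SQLi alerts, 3 IPs, < 2 min
    + _burst(_T0 + timedelta(hours=1), 3, 20, "SQLi", "/login", ["203.0.113.9"])             # 3 stray SQLi alerts, below 20
    + _burst(_T0 + timedelta(minutes=2), 1, 0, "RCE", "/cgi-bin/status", ["198.51.100.7"])   # one RCE alert is enough
    + _burst(_T0, 4, 10, "XSS", "/search", ["192.0.2.5"])                                     # 4 XSS alerts, below 5
)

if __name__ == "__main__":
    for inc in cluster_incidents(SAMPLE_ALERTS):
        print(f"{inc['type']:5} {inc['target']:16} {inc['alerts']:3} alerts "
              f"from {len(inc['ips'])} IP(s) {inc['start']:%H:%M:%S}-{inc['end']:%H:%M:%S}")
```

On the constructed sample only the 22-alert SQLi burst and the single RCE alert survive the minimum ratio; the burst is reported as one incident even though it came from three addresses, which is the point of keying clusters on type and target rather than on source IP.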
Most prominent finding – everyone is at risk
For every attack type, at least 3/4 of the applications were attacked; for RCE it was 100%
If you expose your application to the Internet – you will get attacked
Next slide – how many attacks…
Explain the diagram
Explain the quartiles notion
RCE – 273–591 attacks for the third quartile (Shellshock)
Spam – 24–276 attacks for the third quartile
Notice the difference between RCE and Spam
Equality measure
Spam is outstanding
RCE is lowest
Next slide – zoom in to the other attack types
Explain the diagram – attacks during 6 months
Next slide – year over year
Diagram – we use the median
Exponential growth
Why:
Reduced cost of computational power
Availability of knowledge and tools
Next slide – downward trends
Next slide – from the number of attacks to the intensity of attacks – magnitude
Attacks mounted by scanners
A typical SQLi attack includes more than 70 requests, usually arriving in bursts over a short period
The most intensive SQLi attack spanned 300,000 malicious requests
What is reputation-based mitigation? Crowd sourcing
A reputation-based mechanism saves computing resources on the web application server and on the WAF, because the traffic is blocked at a very early stage, before content inspection
Is reputation-based mitigation effective?
4 out of 5 alerts are detected by reputation
Serial attackers and anonymous browsing
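To make the reputation-first ordering concrete: a source-IP lookup is a dictionary hit, while content inspection means running signatures over every field of the request, so checking reputation first means most hostile traffic never reaches the expensive stage. The block below is an added example, not Imperva's code; the reputation entries, the handful of negative-model signatures and the traffic sample are all constructed for illustration, and a real WAF rule set is far larger than four patterns.

```python
"""Two-stage request filtering as described on the slides: a cheap reputation
lookup on the source IP first (a crowd-sourced list of addresses seen attacking
other protected sites, plus anonymisers such as TOR exits), and content
inspection only for requests the reputation stage let through.

Added example, not Imperva's code.  The reputation entries, the signatures and
the sample traffic are constructed for illustration."""
import re
from collections import Counter

# Constructed crowd-sourced reputation feed: source IP -> reason it is listed.
BAD_REPUTATION = {
    "203.0.113.7": "attacked other sites",
    "198.51.100.3": "TOR exit",
}

# Minimal negative-security-model signatures keyed by the report's attack types.
CONTENT_SIGNATURES = {
    "SQLi": re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|;\s*drop\b"),
    "XSS":  re.compile(r"(?i)<script\b|javascript:|\bon\w+\s*="),
    "DT":   re.compile(r"(?i)(\.\./){2,}|%2e%2e%2f"),
    "RCE":  re.compile(r"\(\)\s*\{\s*:;\s*\};"),   # Shellshock function-definition prefix
}


def inspect(request):
    """Return (verdict, stage, detail) for a request dict with ip, path, query and headers."""
    reason = BAD_REPUTATION.get(request["ip"])
    if reason is not None:
        return "block", "reputation", reason        # dropped before any content parsing
    fields = [request["path"], request["query"], *request["headers"].values()]
    for attack_type, signature in CONTENT_SIGNATURES.items():
        if any(signature.search(f) for f in fields):
            return "block", "content", attack_type
    return "allow", None, None


def stage_breakdown(requests):
    """Count blocked requests by the stage that caught them (the slide's '4 out of 5' style figure)."""
    counts = Counter()
    for req in requests:
        verdict, stage, _ = inspect(req)
        if verdict == "block":
            counts[stage] += 1
    return counts


def _req(ip, path, query="", headers=None):
    """Build a constructed request record."""
    return {"ip": ip, "path": path, "query": query, "headers": headers or {}}


# Constructed traffic sample.
SAMPLE_TRAFFIC = [
    _req("203.0.113.7", "/index.html"),                          # listed IP, harmless content
    _req("203.0.113.7", "/product", "id=17"),
    _req("198.51.100.3", "/search", "q=phone"),                  # TOR exit, harmless content
    _req("198.51.100.3", "/login", "user=a' or '1'='1"),         # TOR exit and SQLi: caught by reputation first
    _req("192.0.2.10", "/cgi-bin/status", "",
         headers={"User-Agent": "() { :;}; /bin/bash -c 'id'"}),  # clean IP, Shellshock payload: content stage
    _req("192.0.2.11", "/product", "id=18"),                     # clean IP, clean content
    _req("192.0.2.12", "/index.html"),
]

if __name__ == "__main__":
    for req in SAMPLE_TRAFFIC:
        print(req["ip"], req["path"], inspect(req))
    print(stage_breakdown(SAMPLE_TRAFFIC))
```

The fourth sample request carries an SQLi payload but is attributed to the reputation stage, which is how "4 out of 5 alerts detected by reputation" should be read: it counts where the block happened, not whether the content would also have matched. Reputation lists lag behind a fresh pool of source addresses, which is why the content stage stays in place behind them.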
Zoom into the data
X/Y axis – limit 2M
At different points in time, different mitigations are more effective
Insights on the different industries => show the percentage of incidents for each attack type
The dominance of RCE and Spam => zoom in
Exclude Spam and RCE
XSS attacks are rare
XSS is popular in the health industry, maybe to steal personal information
DT is popular on restaurant applications; not clear why
3 groups
WordPress is popular
Normalized the absolute number of requests by the number of Internet users published by the World Bank
The bigger the bubble, the more malicious the traffic
Netherlands and USA in the top five for the second year in a row
Cyprus, Costa Rica and Switzerland were dominant last year and are not dominant anymore
One of the most significant security events
Zoom into the Shellshock incidents
Week-by-week analysis
Reminder – the report covers a 2015 period, while Shellshock was published in September 2014
2 waves: the first was in September 2014, right after publication – not in the report
The second was in weeks 14–19 – April 2015
Seven months after publication, attackers hit again
Focus on one application that was highly attacked
The attack lasted 4 days with high SQLi activity – 6,800 alerts per hour; the attacks had similar patterns
Blocked by content and by reputation – negative security model, signatures, policies
2 waves – the first faded away on the third day and a new wave started on the 4th day
We believe the first wave faded away because of our blocking mechanisms, and the second wave used a new pool of IPs to try to evade the blocking
We looked at one application in a specific week with high activity from TOR
2 million requests from TOR
99% targeted 3 URLs: search and 2 shopping pages (different input parameter values for the product ID)
~2,000 session IDs
The same session ID was used from multiple IPs at the same time
3 main user-agents, used in different permutations
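The three observations from the TOR week (one session ID in use from several source IPs at the same time, a few user-agents rotated across requests, almost all traffic aimed at a handful of URLs) are all checks that can be run over an access log. The block below is an added example, not Imperva's code; the log-line format and the log lines are constructed, and the 60-second window and the 2-IP threshold are illustrative choices, not values from the report.

```python
"""Detect the traffic pattern from the TOR week on the slides: one session ID
used from several source IPs within a short window, a few user-agents rotated
across requests, and almost all requests aimed at a handful of URLs.

Added example, not Imperva's code.  The log format and the log lines are
constructed; the 60-second window and the 2-IP threshold are illustrative."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format: <ip> [<ISO timestamp>] "<method> <path>" sid=<session id> ua="<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)" sid=(?P<sid>\S+) ua="(?P<ua>[^"]*)"$'
)


def parse(line):
    """Parse one constructed log line into a dict with ip, ts, method, path, sid, ua."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def shared_sessions(lines, window_seconds=60, min_ips=2):
    """Return {sid: ips} for session IDs seen from >= min_ips distinct IPs within any window."""
    window = timedelta(seconds=window_seconds)
    by_sid = defaultdict(list)
    for rec in map(parse, lines):
        by_sid[rec["sid"]].append((rec["ts"], rec["ip"]))
    flagged = {}
    for sid, events in by_sid.items():
        events.sort()
        start = 0
        for i, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window's left edge forward
                start += 1
            ips = {ip for _, ip in events[start:i + 1]}
            # A user changing networks minutes apart does not trip this; concurrent use from several exits does.
            if len(ips) >= min_ips and len(ips) > len(flagged.get(sid, ())):
                flagged[sid] = ips
    return flagged


def url_concentration(lines, top=3):
    """Fraction of requests that hit the `top` most requested paths (query string ignored)."""
    counts = Counter(parse(line)["path"].split("?", 1)[0] for line in lines)
    return sum(n for _, n in counts.most_common(top)) / sum(counts.values())


def user_agents(lines):
    """Distinct user-agent strings and how often each appears."""
    return Counter(parse(line)["ua"] for line in lines)


# Constructed log lines: s1 is driven from three addresses within 40 seconds, s2 is ordinary,
# s3 appears from two addresses 15 minutes apart.
SAMPLE_LOG = [
    '198.51.100.10 [2015-04-13T09:00:00] "GET /search?q=phone" sid=s1 ua="UA-A"',
    '198.51.100.11 [2015-04-13T09:00:12] "GET /product?id=17" sid=s1 ua="UA-B"',
    '198.51.100.12 [2015-04-13T09:00:25] "GET /product?id=18" sid=s1 ua="UA-A"',
    '198.51.100.10 [2015-04-13T09:00:40] "GET /cart?id=18" sid=s1 ua="UA-C"',
    '192.0.2.50 [2015-04-13T09:01:00] "GET /product?id=3" sid=s2 ua="UA-A"',
    '192.0.2.50 [2015-04-13T09:01:30] "GET /account" sid=s2 ua="UA-A"',
    '203.0.113.5 [2015-04-13T09:00:00] "GET /search?q=tv" sid=s3 ua="UA-B"',
    '203.0.113.6 [2015-04-13T09:15:00] "GET /search?q=tv" sid=s3 ua="UA-B"',
]

if __name__ == "__main__":
    print("shared sessions:", shared_sessions(SAMPLE_LOG))
    print("top-3 URL share:", url_concentration(SAMPLE_LOG))
    print("user-agents:", user_agents(SAMPLE_LOG))
```

The window matters: s3 is seen from two addresses but 15 minutes apart, which is consistent with a user changing networks, so it is not flagged at 60 seconds and only shows up if the window is widened to cover both events. Session-sharing alone is not proof of abuse; on the slide it is combined with the URL concentration and the rotating user-agents before the traffic is judged hostile.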
3 out of 4 applications are attacked
Crowd sourcing is effective – 4 out of 5 alerts are detected by reputation
The Shellshock mega-trend influenced cyberspace
Year-over-year increase
Mega-trend vulnerabilities spread like wildfire: keep up to date with mitigations for new vulnerabilities
Be part of a community defense: it prevents attacks and saves CPU