Organizations of all sizes face a universal security threat from today's organized hacking industry. Why? Hackers have decreased costs and expanded their reach with tools and technologies that allow automated attacks against Web applications.
This presentation will detail key insights from the Imperva Application Defense Center annual Web Application Attack Report. View this presentation for an in-depth view of the threat landscape for the year. We will:
- Discuss hacking trends and shifts
- Provide breach analysis by geography, industry, and attack type
- Detail next steps for improved security controls and risk management processes
The State of Application Security: Hackers On Steroids
1. © 2015 Imperva, Inc. All rights reserved.
The State of Application Security:
Hackers On Steroids
Itsik Mantin, Director of Security Research, Imperva
2. "Study the past if you would define the future" (Confucius)
3. Speaker
Itsik Mantin
• Director of Security Research at Imperva
• 15 years' experience in the security industry
• An inventor of 15 patents in these fields
• Holds an M.Sc. in Applied Math and Computer Science
• Presenter at Black Hat Asia, OWASP IL, EuroCrypt and other conferences
7. Attack Incidents
Incident: a collection of alerts with
• the same attack type
• the same target
• essentially the same time
• not necessarily the same source IP
Incident alert ratio: the minimum number of alerts per 5 minutes for a group of alerts to count as an incident
Attack Type   Min Ratio (#Alerts / 5 min)
SQLi          20
HTTP          10
XSS            5
DT             5
Spam           1
RCE            1
FU             1
(Abbreviations used throughout: SQLi = SQL injection, XSS = cross-site scripting, DT = directory traversal, FU = file upload, RFI = remote file inclusion, RCE = remote code execution.)
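The incident definition on this slide can be made concrete. The following is an added example (not from the presentation and not Imperva's code) that aggregates raw WAF alerts into incidents using the slide's thresholds: alerts of the same attack type against the same target are chained while consecutive alerts are no more than 5 minutes apart (my reading of "essentially same time"; the slide gives no exact gap), the source IP is ignored, and a chain counts as an incident only if some 5-minute window inside it reaches the per-type minimum alert count. The alert stream, targets and IPs are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Minimum alerts per 5-minute window for a burst to count as an incident (slide 7 table)
MIN_ALERTS_PER_5MIN = {"SQLi": 20, "HTTP": 10, "XSS": 5, "DT": 5, "Spam": 1, "RCE": 1, "FU": 1}
WINDOW = timedelta(minutes=5)   # assumed: alerts further apart than this are "not the same time"


def _burst(start, count, step_seconds, attack_type, target, ips):
    """Constructed alerts: `count` alerts every `step_seconds`, cycling through `ips`."""
    return [(start + timedelta(seconds=i * step_seconds), attack_type, target, ips[i % len(ips)])
            for i in range(count)]


# Constructed sample alert stream: (timestamp, attack type, target, source IP)
T0 = datetime(2015, 4, 7, 10, 0, 0)
SAMPLE_ALERTS = (
    _burst(T0, 25, 6, "SQLi", "shop.example/login", ["203.0.113.5", "203.0.113.9", "198.51.100.7"])  # 25 alerts in 2.5 min
    + _burst(T0 + timedelta(hours=2), 5, 30, "SQLi", "shop.example/login", ["203.0.113.5"])          # too few for SQLi
    + _burst(T0, 3, 60, "XSS", "shop.example/search", ["198.51.100.20"])                              # below the XSS minimum
    + [(T0 + timedelta(minutes=1), "RCE", "shop.example/cgi-bin/status", "192.0.2.44")]                # one alert is enough for RCE
)


def cluster_alerts(alerts):
    """Group alerts by (attack type, target) and split each group where consecutive alerts
    are more than WINDOW apart. The source IP is deliberately not part of the key."""
    by_key = defaultdict(list)
    for ts, attack_type, target, ip in alerts:
        by_key[(attack_type, target)].append((ts, ip))
    clusters = []
    for (attack_type, target), items in by_key.items():
        items.sort()
        current = [items[0]]
        for item in items[1:]:
            if item[0] - current[-1][0] <= WINDOW:
                current.append(item)
            else:
                clusters.append((attack_type, target, current))
                current = [item]
        clusters.append((attack_type, target, current))
    return clusters


def peak_rate(items):
    """Largest number of alerts inside any WINDOW-long span of a time-sorted (timestamp, ip) list."""
    best = lo = 0
    for hi in range(len(items)):
        while items[hi][0] - items[lo][0] > WINDOW:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def build_incidents(alerts):
    """Return the clusters that meet the per-type alert ratio, oldest first."""
    incidents = []
    for attack_type, target, items in cluster_alerts(alerts):
        if peak_rate(items) >= MIN_ALERTS_PER_5MIN[attack_type]:
            incidents.append({
                "type": attack_type,
                "target": target,
                "start": items[0][0],
                "end": items[-1][0],
                "alerts": len(items),
                "source_ips": sorted({ip for _, ip in items}),
            })
    incidents.sort(key=lambda inc: (inc["start"], inc["type"]))
    return incidents


if __name__ == "__main__":
    for inc in build_incidents(SAMPLE_ALERTS):
        print(f'{inc["type"]:5} {inc["target"]:28} {inc["alerts"]:3} alerts from {len(inc["source_ips"])} IP(s) '
              f'between {inc["start"]:%H:%M:%S} and {inc["end"]:%H:%M:%S}')
```

On the constructed stream this yields two incidents: the 25-alert SQLi burst (from three IPs, which is why the key ignores the source address) and the single RCE alert; the three XSS alerts and the later five SQLi alerts stay below their ratios. A streaming implementation would close a cluster once WINDOW has elapsed since its last alert instead of reading the whole stream first.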
9. Chance of Getting Attacked
10. Chance of Getting Attacked
Everyone's at risk: for every attack type, 3/4 of the applications were attacked
11. Chance of Getting Attacked: "Perfect" RCE Coverage
All applications were attacked with RCE
12. Number of Attack Incidents
13. Number of Attack Incidents
(chart: per-application incident counts per attack type, showing the 25th percentile, median and 75th percentile)
14. Number of Attack Incidents
RCE and Spam are the most popular
RCE: median of 273 incidents per application
15. Number of Attack Incidents
Inequality measure: ratio between the 3rd and 2nd quartiles (Q3 / median)
16. Number of Attack Incidents
Inequality measure: ratio between the 3rd and 2nd quartiles
RCE blind scans: all applications suffer equally (low ratio)
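Slides 9 to 17 use three per-attack-type statistics over the per-application incident counts: the share of applications with at least one incident ("chance of getting attacked"), the quartiles of the count distribution, and the inequality measure Q3 / median. As an added example (not from the presentation; the per-application counts below are constructed, not the report's data), this computes all three and applies a rule of thumb that is mine and not the slides': a ratio below 1.5 means the attack type hits every application about equally (blind scanning), a larger ratio means it is concentrated on some applications. It also handles the case the ratio leaves undefined, a median of zero.

```python
# Constructed incident counts per application for one report period (8 applications per attack type).
# Illustrative numbers only; they are not the report's data.
SAMPLE_COUNTS = {
    "RCE":  [270, 280, 275, 290, 265, 300, 285, 295],   # blind scanning: everybody gets roughly the same
    "Spam": [0, 0, 2, 5, 30, 150, 400, 900],            # concentrated on a few applications
    "FU":   [0, 0, 0, 0, 0, 2, 9, 30],                  # more than half the applications see nothing
}
UNIFORM_MAX_RATIO = 1.5   # assumed threshold for "all applications suffer equally"


def median(values):
    values = sorted(values)
    n, mid = len(values), len(values) // 2
    return values[mid] if n % 2 else (values[mid - 1] + values[mid]) / 2


def quartiles(values):
    """(Q1, Q2, Q3) as Tukey hinges: Q2 is the median, Q1/Q3 are the medians of the lower/upper halves
    (the middle element is left out of both halves when the count is odd)."""
    values = sorted(values)
    n, mid = len(values), len(values) // 2
    lower = values[:mid]
    upper = values[mid + 1:] if n % 2 else values[mid:]
    return median(lower), median(values), median(upper)


def summarize(counts):
    """Attack chance, quartiles and inequality measure for one attack type's per-application counts."""
    q1, q2, q3 = quartiles(counts)
    attacked_share = sum(1 for c in counts if c > 0) / len(counts)
    # Q3 / median is undefined when at least half the applications saw no incident at all
    inequality = q3 / q2 if q2 > 0 else float("inf")
    return {
        "attacked_share": attacked_share,
        "q1": q1, "median": q2, "q3": q3,
        "inequality": inequality,
        "profile": "uniform" if inequality < UNIFORM_MAX_RATIO else "concentrated",
    }


def summarize_all(counts_by_type):
    return {attack_type: summarize(counts) for attack_type, counts in counts_by_type.items()}


if __name__ == "__main__":
    for attack_type, s in summarize_all(SAMPLE_COUNTS).items():
        print(f'{attack_type:5} attacked={s["attacked_share"]:.0%} median={s["median"]:>6} '
              f'q3={s["q3"]:>6} inequality={s["inequality"]:.2f} ({s["profile"]})')
```

With these constructed counts RCE comes out as 100% attacked with a ratio of about 1.04 (the "blind scan" shape the slide describes) and Spam as 75% attacked with a ratio near 16. Quartile conventions differ between tools (Tukey hinges, exclusive or inclusive interpolation), so when reproducing a report's quartile figures, match its method before comparing numbers.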
17. Number of Attack Incidents
Spam is discriminatory (high ratio)
Spoiler: some industries suffer more
18. SQL Injection and Cross-Site Scripting
19. SQL Injection and Cross-Site Scripting
Most applications see SQLi and XSS every other week
Median of 12-13 incidents over the 6-month period
Every 3-5 days for top-quartile applications
20. Year-over-Year Up-Trends (#Incidents)
21. Year-over-Year Up-Trends (#Incidents)
SQLi, persistent growth: 100% increase in 2014, 200% increase in 2015
XSS, persistent growth: 100% increase in 2014, 150% increase in 2015
22. Year-over-Year Up-Trends (#Incidents)
23. Year-over-Year Up-Trends
24. Year-over-Year Up-Trends
25. Year-over-Year Down-Trends (#Incidents)
26. Year-over-Year Down-Trends (#Incidents)
RFI was on fire in 2014: a super-popular attack vector in 2014, back to "normal" in 2015
27. Year-over-Year Down-Trends (#Incidents)
DT decrease: the 2014 trend changed
Spoiler: in one industry DT is still the attack of choice
28. Magnitude of Attacks
29. Magnitude of Attacks
SQLi attacks are the most intensive
72-204 alerts per incident for the 3rd quartile of incidents
300K alerts in the most intensive attack
34. Serial Attackers vs. Anonymous Browsing
35. Serial Attackers vs. Anonymous Browsing
36. Serial Attackers vs. Anonymous Browsing
(chart, first panel: anonymous browsing 140,000; detect-by-content 1,800,000; serial attackers 12,500,000)
(chart, second panel: anonymous browsing 1,700,000; detect-by-content 280,000; serial attackers 28,000)
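The slides contrast reputation-based blocking (serial attackers, anonymous browsing such as TOR) with detect-by-content, and the notes explain why reputation comes first: it stops a request before anything is parsed, and a content hit seen by one customer's WAF is crowd-sourced into a reputation list that protects every other customer. As an added example (not Imperva's code or architecture, and not from the presentation), here is a two-stage pipeline that does exactly that over a constructed request stream spanning three applications. The content rules are deliberately minimal pattern matches, enough to drive the example and nothing like a real signature set; the seed reputation list, application names and IPs are made up.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Stage 2 rules: minimal, illustrative patterns (a real WAF uses a parser and a far richer signature set)
CONTENT_RULES = [
    ("SQLi", re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|--\s*$", re.I)),
    ("XSS",  re.compile(r"<\s*script|javascript:|onerror\s*=", re.I)),
    ("RFI",  re.compile(r"=(https?|ftp)://", re.I)),
]

# Constructed seed reputation data, e.g. a TOR exit list ("anonymous browsing" in the slides)
SEED_REPUTATION = {"192.0.2.77": "tor-exit"}

# Constructed request stream: (application, source IP, request path). Note that the attacker IPs
# reappear against a *different* application with innocuous-looking requests.
REQUESTS = [
    ("shop.example", "203.0.113.5",  "/login?user=admin'+OR+1=1--"),
    ("bank.example", "203.0.113.5",  "/account?id=7"),
    ("news.example", "198.51.100.9", "/search?q=<script>alert(1)</script>"),
    ("shop.example", "198.51.100.9", "/item?id=42"),
    ("shop.example", "192.0.2.10",   "/item?id=42"),
    ("bank.example", "192.0.2.77",   "/static/app.js"),
]


class ReputationFirstWaf:
    """Stage 1 checks the source IP against a shared reputation list (cheap, no parsing);
    stage 2 decodes and inspects content. Content hits feed the reputation list for every application."""

    def __init__(self, seed_reputation):
        self.reputation = dict(seed_reputation)   # IP -> reason, shared across all protected applications
        self.blocked_by = Counter()               # how many requests each stage decided

    def inspect(self, app, ip, request_path):
        if ip in self.reputation:
            self.blocked_by["reputation"] += 1
            return ("blocked", "reputation", self.reputation[ip])
        decoded = unquote_plus(request_path)      # attackers URL-encode; rules match the decoded form
        for attack_type, pattern in CONTENT_RULES:
            if pattern.search(decoded):
                self.blocked_by["content"] += 1
                # crowd-sourcing: a content detection on any application marks the IP for all of them
                self.reputation[ip] = f"serial-attacker:{attack_type}"
                return ("blocked", "content", attack_type)
        self.blocked_by["allowed"] += 1
        return ("allowed", None, None)

    def run(self, requests):
        return [self.inspect(app, ip, path) for app, ip, path in requests]


if __name__ == "__main__":
    waf = ReputationFirstWaf(SEED_REPUTATION)
    for (app, ip, path), verdict in zip(REQUESTS, waf.run(REQUESTS)):
        print(f"{app:13} {ip:13} {verdict[0]:8} {verdict[1] or '-':10} {verdict[2] or '':22} {path}")
    print(dict(waf.blocked_by))
```

On this stream the content stage fires twice and the reputation stage three times, the second and fourth requests being stopped on the strength of what another application saw moments earlier; that is the mechanism behind the "4 out of 5 alerts are detected by reputation" figure in the notes. The example turns one content hit into a permanent entry, which is a simplification: a deployed list needs expiry and some tolerance for shared NAT addresses, or the first false positive blocks a whole office.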
38. Per-Industry Trends
(chart: share of incidents by attack type (DT, FU, HTTP, RFI, SQLi, XSS, Spam, RCE) for the Health, Food, Travel, Leisure, Shopping, Business, Financial and Computer industries)
39. Per-Industry Trends
Massive Spam/RCE campaigns
40. Per-Industry Trends
RCE blind scans
41. Per-Industry Trends
Spam focused on travel applications
44. Attack Types
57% of XSS incidents were on Health applications
45. Attack Types
37% of DT incidents were on Food applications
46. Web Framework Trends
47. Content Management Systems
48. CMS Trends
(chart: all CMS vs. non-CMS applications)
49. CMS Trends
CMS at risk: CMS applications are attacked 3 times more often than non-CMS applications
Trend consistent for all attack types
50. WordPress Trends
(chart: WordPress vs. other CMS vs. non-CMS applications)
51. WordPress Trends
WordPress at more risk: 3.5 times more attacks than non-CMS applications; 7 times more RFI and Spam attacks
52. WordPress Trends
54. Geographic Attack Trends
Country   Absolute #Requests   Internet Users
US        17,671,816           278,553,524
China     8,227,498            672,585,110
UK        2,224,749            59,097,955
55. Geographic Attacks, Year-over-Year
60. SQLi Case Study: 6,800 alerts per hour
61. Scraping Case Study
• Massive scraping attack via TOR
• 2 million requests
• 777 TOR IPs
• User-Agent faking
62. Scraping Case Study
63. Scraping Case Study
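The notes for this case study list the signals that gave the scraper away: one session ID in use from several TOR exit IPs at the same time, three User-Agent strings rotated in different permutations, and 99% of two million requests aimed at three URLs with varying product IDs. As an added example (not from the presentation and not Imperva's detection logic), the following parses a constructed access log in a simplified format, builds a per-session profile of exactly those signals and flags the sessions that show them. The log format, the TOR exit list, the sample traffic and the thresholds in `flag_scrapers` are all my assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Simplified, constructed log format: <ip> [<time>] "GET <path> HTTP/1.1" sid=<session id> ua="<user agent>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/1\.1" sid=(?P<sid>\S+) ua="(?P<ua>[^"]*)"$')
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed stand-in for a TOR exit node list
TOR_EXITS = {"203.0.113.1", "203.0.113.2", "203.0.113.3"}
USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 6.1) Chrome/41",
    "Mozilla/5.0 (Macintosh) Safari/600",
    "Mozilla/5.0 (X11; Linux) Firefox/36",
]


def make_sample_log():
    """Constructed log: one scraper session reused across three TOR exits with rotating User-Agents,
    hammering product pages, plus one ordinary user browsing from a single IP and browser."""
    t0 = datetime(2015, 3, 2, 9, 0, 0)
    exits = sorted(TOR_EXITS)
    lines = []
    for i in range(30):
        ts = (t0 + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'{exits[i % 3]} [{ts}] "GET /product?id={1000 + i} HTTP/1.1" '
                     f'sid=s-scrape-1 ua="{USER_AGENTS[i % 3]}"')
    for i, path in enumerate(["/", "/search?q=shoes", "/product?id=12", "/cart", "/checkout"]):
        ts = (t0 + timedelta(minutes=2 * i)).strftime(TS_FMT)
        lines.append(f'192.0.2.50 [{ts}] "GET {path} HTTP/1.1" sid=s-user-7 ua="{USER_AGENTS[0]}"')
    return lines


def parse_log(lines):
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:   # lines that do not fit the format are skipped rather than aborting the analysis
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            rec["route"] = rec["path"].split("?", 1)[0]   # URL without its query string
            records.append(rec)
    return records


def session_profiles(records, window=timedelta(minutes=1)):
    """Per-session signals: distinct and *concurrent* source IPs (most distinct IPs seen within `window`),
    distinct User-Agents, share of requests from TOR exits and share hitting the single most common route."""
    by_sid = defaultdict(list)
    for rec in records:
        by_sid[rec["sid"]].append(rec)
    profiles = {}
    for sid, recs in by_sid.items():
        recs.sort(key=lambda r: r["ts"])
        concurrent = lo = 0
        for hi in range(len(recs)):
            while recs[hi]["ts"] - recs[lo]["ts"] > window:
                lo += 1
            concurrent = max(concurrent, len({r["ip"] for r in recs[lo:hi + 1]}))
        routes = Counter(r["route"] for r in recs)
        profiles[sid] = {
            "requests": len(recs),
            "distinct_ips": len({r["ip"] for r in recs}),
            "concurrent_ips": concurrent,
            "distinct_uas": len({r["ua"] for r in recs}),
            "tor_share": sum(r["ip"] in TOR_EXITS for r in recs) / len(recs),
            "top_route_share": routes.most_common(1)[0][1] / len(recs),
        }
    return profiles


def flag_scrapers(profiles):
    """Assumed rule: a session is a scraper if its ID is in use from several IPs at once,
    or if it rotates User-Agents while hammering a single route."""
    return sorted(sid for sid, p in profiles.items()
                  if p["concurrent_ips"] > 1 or (p["distinct_uas"] > 1 and p["top_route_share"] >= 0.9))


if __name__ == "__main__":
    profiles = session_profiles(parse_log(make_sample_log()))
    for sid, p in profiles.items():
        print(sid, p)
    print("flagged:", flag_scrapers(profiles))
```

The concurrency check is the strongest of the three signals: a browser session legitimately changes IP when a user moves between networks, but it does not emit requests from three addresses within the same minute. The route-concentration check on its own would also catch a legitimate price-comparison bot, so in practice these signals feed a score together with request rate and TOR share rather than a single hard rule.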
67. Download the 2015 Web Application Attack Report
http://www.imperva.com/DefenseCenter/WAAR
Editor's Notes
Motivation
Target audience
Tradition
198 WAF customers
103,455,308 security events
The team: ADC, led by the CTO
Next slide: the alerts were gathered with …
Negative vs. positive security model
Crowd sourcing
Distinction: content vs. reputation
Next slide: this distinction
Focus on attack types
Reputation-based detection vs. content-based detection
Incident: a collection of requests which seem to belong to the same attack
The IP dilemma
# of attacks within the report period
Most prominent: everyone's at risk
For every attack type, at least 3/4 of the applications were attacked (for RCE, 100%)
If you expose your application to the Internet, you will get attacked
Next slide: how many attacks…
Explain the diagram
Explain the quartiles notion
RCE: 273-591 for Q3 (Shellshock)
Spam: 24-276 attacks for Q3
Notice the difference between RCE and Spam
Equality measure
Spam is outstanding
RCE is lowest
Next slide: zoom in to other attack types
Explain the diagram: attacks during 6 months
Next slide: year over year
Diagram: we use the median
Exponential growth
Why:
Reduced cost of computational power
Availability of knowledge and tools
Next slide: down trends
Next slide: from the number of attacks to the intensity of attacks (magnitude)
Attacks mounted by scanners
A typical SQLi attack includes more than 70 requests, usually arriving in bursts over a short period
The most intensive SQLi attack spanned 300,000 malicious requests
What is reputation-based mitigation? Crowd sourcing
A reputation-based mechanism saves the web application server's and the WAF's computing resources, as the traffic is blocked at a very early stage
Is reputation-based mitigation effective?
4 out of 5 alerts are detected by reputation
Serial attackers and anonymous browsing
Zoom into the data
X/Y-axis, limit 2M
At different points in time, different mitigations are more effective
Insights on the different industries => show the percentage of incidents for each attack type
The dominance of RCE and Spam => zoom in
Exclude Spam and RCE
XSS is rare
XSS is popular in the health industry, maybe to steal personal information
DT is popular on restaurant applications; not clear why
3 groups
WordPress is popular
Normalized the absolute # of requests by the number of internet users published by the World Bank
The bigger the bubble, the more malicious the traffic
Netherlands and USA in the top five for the second year in a row
Cyprus, Costa Rica and Switzerland were dominant last year and are not dominant anymore
One of the most significant security events
Zoom into the Shellshock incidents
Week-by-week analysis
Reminder: the report covers the 2015 period, while Shellshock was published in September 2014
2 waves: the first during September 2014, right after publication (not in the report)
The second during weeks 14-19, April 2015
Seven months after publication, attackers hit again
Focus on one application that was highly attacked
The attack lasted 4 days with high SQLi activity: 6,800 alerts per hour; the attacks had similar patterns
Blocked by content and by reputation: negative security model, signatures, policies
2 waves: the first faded away on the third day and a new wave started on the 4th day
We believe that the first wave faded away due to our blocking mechanisms and that the second wave used a new pool of IPs to try to avoid blocking
We looked at one application in a specific week with high activity from TOR
2 million requests from TOR
99% were targeted at 3 URLs: search and 2 shopping pages (with different input parameter values for the product ID)
~2,000 session IDs
Usage of the same session ID from multiple IPs at the same time
3 main User-Agents that were used in different permutations
3 out of 4 applications are attacked
Crowd sourcing is effective: 4 out of 5
The Shellshock mega-trend influenced cyberspace
Y2Y increase
Mega-trend vulnerabilities spread like wildfire: keep updated with new vulnerabilities and mitigations
Be part of a community defense: it prevents attacks and saves CPU