Web Attacks Grow in Intensity and Duration
By Samuel Greengard
Over the years, Web attacks have emerged as a persistent and ongoing threat, particularly for larger organizations. Dealing with the problem requires growing chunks of enterprise time and resources.
Imperva's recently released "Web Application Attack Report" indicates that the current environment is nothing short of a cyber-war—though the methods, intensity and duration of attacks vary widely, depending on geography and industry.
According to this fourth annual survey, the median number of high-severity Web application attacks during a six-month period was 12, but the maximum number of attacks topped out at 176. The median attack incident duration was 5 minutes, but one attack lasted as long as 15 hours.
In one instance, Imperva witnessed a Website that was under assault for 176 out of 180 days—98 percent of the time, notes Tal Be'ery, Web research team leader. In another case, a single Website received 94,057 SQL injection attack requests over the course of a single day.
The key findings of the report include the following:
- Attack methods and targets vary greatly. "Different verticals suffer a different blend of attacks," Be'ery says. For example, retailers suffer twice as many SQL injection attacks as other industries, but they have fewer Remote File Inclusion (RFI) attacks. Imperva found that SQL injection attacks on retail applications consisted of more HTTP requests and lasted longer than SQL Light (SQLi) attacks on other applications.
- The intensity of attacks varies significantly. Most Web applications receive four or more attacks each month. Although the typical attack incident lasted around five minutes, the worst-case incident was about 100 times longer, lasting more than 15 hours.
- The techniques used by attackers vary significantly. Overall, 36 percent of Web attacks consisted of directory traversal (DT); 27 percent consisted of SQLi; 14 percent were made up of cross-site scripting (XSS); and an equal percentage consisted of RFI attacks; 7 percent were email extraction (EmExt) attacks; and only 1 percent consisted of Local File Inclusions (VLFIs).
- The majority of requests and attackers originate in the United States, followed by Western European countries, China, and Brazil. In fact, the U.S. is the top source of Web attacks.
For business logic attacks, email extraction is still widely dominated by African countries such as Senegal, Nigeria, Ghana and the Ivory Coast. Content spamming heavily tilts toward Eastern European countries, including Russia, Ukraine, Latvia and Poland. But a growing number of business logic attacks are originating from South America and Asia.
IT and security executives can take a number of steps to mitigate risks, Be'ery says. It's critical to deploy security solutions that thwart automated attacks and recognize known automated sources. Security tools must also differentiate between bots and human clients, and detect unusual activity—such as an extremely high rate of Web requests from a single user.
In addition, Imperva recommends that security teams focus on known vulnerabilities and attack methods, acquire intelligence on malicious sources and apply black lists for real-time protection. They should also base solutions on worst-case scenarios rather than averages because attack methods typically rely on bursts.