The State of Application Security: Hackers On Steroids
Signaler
Partager
•130 j'aime•64,448 vues
The State of Application Security: Hackers On Steroids
•130 j'aime•64,448 vues
Signaler
Partager
Télécharger pour lire hors ligne
Organizations of all sizes face a universal security threat from today’s organized hacking industry. Why? Hackers have decreased costs and expanded their reach with tools and technologies that allow for automated attacks against Web applications. This presentation will detail key insights from the Imperva Application Defense Center annual Web Application Attack Report. View this presentation for an in-depth view of the threat landscape for the year. We will: - Discuss hacking trends and shifts - Provide breach analysis by geography, industry, and attack type - Detail next steps for improved security controls and risk management processes
Recommandé
Contenu connexe
Tendances
Tendances(20)
Similaire à The State of Application Security: Hackers On Steroids
Similaire à The State of Application Security: Hackers On Steroids(20)
Plus de Imperva
Plus de Imperva(20)
Dernier
Dernier(20)
![[DSC Europe 23] Spela Poklukar & Tea Brasanac - Retrieval Augmented Generation](https://cdn.slidesharecdn.com/ss_thumbnails/spelapoklukarteabrasanacprez-231129000106-d6582d1b-thumbnail.jpg?width=768&fit=bounds)
![[DSC Europe 23] Aleksandar Tomcic - Adversarial Attacks](https://cdn.slidesharecdn.com/ss_thumbnails/aleksandartomcic-adversarialattacks-231128234241-ab5a6f11-thumbnail.jpg?width=768&fit=bounds)
![[DSC Europe 23] Milos Grubjesic Empowering Business with Pepsico s Advanced M...](https://cdn.slidesharecdn.com/ss_thumbnails/dsceurope23milosgrubjesicempoweringbusinesswithpepsicosadvancedmlplatform3-231128225740-80a4b074-thumbnail.jpg?width=768&fit=bounds)
The State of Application Security: Hackers On Steroids
- 1. © 2015 Imperva, Inc. All rights reserved. The State of Application Security: Hackers On Steroids Itsik Mantin, Director of Security Research, Imperva
- 2. © 2015 Imperva, Inc. All rights reserved. “Study the past if you would define the future” (Confucius)
- 3. © 2015 Imperva, Inc. All rights reserved. Speaker • Director of Security Research at Imperva • 15 years experience in the security industry • An inventor of 15 patents in these fields • Holds an M.Sc. in Applied Math and Computer Science • Presenter in Blackhat Asia, OWASP IL, EuroCrypt and other conferences Itsik Mantin 3
- 4. © 2015 Imperva, Inc. All rights reserved. Making the Report 4
- 7. Attack Incidents Attack Type Min Ratio #Alert/5min SQLi 20 HTTP 10 XSS 5 DT 5 Spam 1 RCE 1 FU 1 Incident Collection of alerts Same attack type Same target Essentially same time Not necessarily same IP Incident Alert RatioIncident Alert Ratio 7
- 8. © 2015 Imperva, Inc. All rights reserved. Attack Trends 1 8
- 9. © 2015 Imperva, Inc. All rights reserved. Chance of Getting Attacked 9
- 10. © 2015 Imperva, Inc. All rights reserved. Chance of Getting Attacked Everyone’s at risk 3/4 apps attacked for every attack type 10
- 11. © 2015 Imperva, Inc. All rights reserved. Chance of Getting Attacked “Perfect” RCE Coverage All applications were attacked 11
- 12. © 2015 Imperva, Inc. All rights reserved. Number of Attack Incidents 12
- 13. © 2015 Imperva, Inc. All rights reserved. Number of Attack Incidents 75th Percentile Median 25th percentile 13
- 14. © 2015 Imperva, Inc. All rights reserved. Number of Attack Incidents RCE and Spam are the most popular RCE: Median of 273 14
- 15. © 2015 Imperva, Inc. All rights reserved. Number of Attack Incidents Inequality Measure Ratio between 3rd and 2nd quartiles 15
- 16. © 2015 Imperva, Inc. All rights reserved. Number of Attack Incidents Inequality Measure Ratio between 3rd and 2nd quartiles RCE Blind Scans All applications suffer equally 16
- 17. © 2015 Imperva, Inc. All rights reserved. Number of Attack Incidents Spam is discriminatory Spoiler – some industries suffer more 17
- 18. © 2015 Imperva, Inc. All rights reserved. SQL Injection and Cross-Site Scripting 18
- 19. © 2015 Imperva, Inc. All rights reserved. SQL Injection and Cross-Site Scripting Most Applications see SQLi and XSS every other week Median of 12-13 for 6-month period 3-5 days for topQ applications 19
- 20. © 2015 Imperva, Inc. All rights reserved. Year-over-Year Up-Trends #Incidents 20
- 21. © 2015 Imperva, Inc. All rights reserved. Year-over-Year Up-Trends SQLi Persistent Growth 100% increase in 2014 200% increase in 2015 #Incidents XSS Persistent Growth 100% increase in 2014 150% increase in 2015 21
- 22. © 2015 Imperva, Inc. All rights reserved. Year-over-Year Up-Trends #Incidents 22
- 23. © 2015 Imperva, Inc. All rights reserved. Year-over-Year Up-Trends 23
- 24. © 2015 Imperva, Inc. All rights reserved. Year-over-Year Up-Trends 24
- 25. © 2015 Imperva, Inc. All rights reserved. Year-over-Year Down-Trends #Incidents 25
- 26. © 2015 Imperva, Inc. All rights reserved. Year-over-Year Down-Trends #Incidents RFI was on fire in 2014 Super-popular attack vector in 2014 Back to “normal” in 2015 26
- 27. © 2015 Imperva, Inc. All rights reserved. Year-over-Year Down-Trends #Incidents DT Decrease 2014 trend changed Spoiler – in one industry DT is still the attack of choice 27
- 28. © 2015 Imperva, Inc. All rights reserved. Magnitude of Attacks 28
- 29. © 2015 Imperva, Inc. All rights reserved. Magnitude of Attacks SQLi Attacks are most Intensive 72-204 alerts for quartile 3 (of the incidents) 300K alerts in most intensive attack 29
- 30. © 2015 Imperva, Inc. All rights reserved. Reputation 2 30
- 31. Reputation 31
- 32. Reputation 32
- 33. Reputation Serial Attackers – 70% Anonymous Browsing – 8% 33
- 34. © 2015 Imperva, Inc. All rights reserved. Serial Attackers Vs. Anonymous Browsing 34
- 35. © 2015 Imperva, Inc. All rights reserved. Serial Attackers Vs. Anonymous Browsing 35
- 36. © 2015 Imperva, Inc. All rights reserved. Serial Attackers Vs. Anonymous Browsing 140,000 anonymous browsing 1,800,000 detect-by-content 12,500,000 serial attackers 1,700,000 anonymous browsing 280,000 detect-by-content 28,000 serial attackers 36
- 37. © 2015 Imperva, Inc. All rights reserved. Industry Trends 3 37
- 38. © 2015 Imperva, Inc. All rights reserved. Per-Industry Trends Health Food Travel Leisure Shopping Business Financial Computer DT FU HTTP RFI SQLi XSSSpamRCE 38
- 39. © 2015 Imperva, Inc. All rights reserved. Per-Industry Trends Health Food Travel Leisure Shopping Business Financial Computer DT FU HTTP RFI SQLi XSSSpamRCE Massive Spam/RCE Campaigns 39
- 40. © 2015 Imperva, Inc. All rights reserved. Per-Industry Trends Health Food Travel Leisure Shopping Business Financial Computer DT FU HTTP RFI SQLi XSSSpamRCE RCE blind scans Massive Spam/RCE Campaigns 40
- 41. © 2015 Imperva, Inc. All rights reserved. Per-Industry Trends Health Food Travel Leisure Shopping Business Financial Computer DT FU HTTP RFI SQLi XSSSpamRCE RCE blind scans Spam focused on travel applications Massive Spam/RCE Campaigns 41
- 42. © 2015 Imperva, Inc. All rights reserved. Attack Types 42
- 43. © 2015 Imperva, Inc. All rights reserved. Attack Types 43
- 44. © 2015 Imperva, Inc. All rights reserved. Attack Types 57% XSS incidents on Health 44
- 45. © 2015 Imperva, Inc. All rights reserved. Attack Types 37% DT incidents on Food 45
- 46. © 2015 Imperva, Inc. All rights reserved. Web Framework Trends 4 46
- 47. © 2015 Imperva, Inc. All rights reserved. Content Management Systems 47
- 48. © 2015 Imperva, Inc. All rights reserved. CMS Trends All CMS Non CMS Applications 48
- 49. © 2015 Imperva, Inc. All rights reserved. CMS Trends All CMS Non CMS Applications CMS At Risk CMS applications are attacked 3 Times more often Trend consistent for all attack types 49
- 50. © 2015 Imperva, Inc. All rights reserved. WordPress Trends Other CMS Non CMS WordPress 50
- 51. © 2015 Imperva, Inc. All rights reserved. WordPress Trends Other CMS Non CMS WordPress WordPress at More Risk 3.5 times more attacks than non-CMS Applications 7 times more RFI and Spam Attacks 51
- 52. © 2015 Imperva, Inc. All rights reserved. WordPress Trends Other CMS Non CMS WordPress WordPress at More Risk 3.5 times more attacks than non-CMS Applications 7 times more RFI and Spam Attacks WordPress at More Risk 3.5 times more attacks than non-CMS Applications 7 times more RFI and Spam Attacks 52
- 53. © 2015 Imperva, Inc. All rights reserved. Geographic Trends 53
- 54. © 2015 Imperva, Inc. All rights reserved. Geographic Attack Trends Country Absolute #Requests Internet Users US 17,671,816 278,553,524 China 8,227,498 672,585,110 UK 2,224,749 59,097,955 54
- 55. © 2015 Imperva, Inc. All rights reserved. Geographic Attack – Year-over-Year 55
- 56. © 2015 Imperva, Inc. All rights reserved. Case Studies 6 56
- 57. © 2015 Imperva, Inc. All rights reserved. Shellshock Mega-Trend 57
- 58. © 2015 Imperva, Inc. All rights reserved. Shellshock Mega-Trend 75,000 incidents 189 applications 26,000 incidents 137 applications 23,000 incidents 174 applications 57,500 incidents 193 applications 58
- 59. © 2015 Imperva, Inc. All rights reserved. SQLi Cases Study 59
- 60. © 2015 Imperva, Inc. All rights reserved. SQLi Cases Study 6,800 alerts per hour 60
- 61. © 2015 Imperva, Inc. All rights reserved. Scraping Case Study • TOR Massive Scraping attack • 2 million requests • 777 TOR Ips • User-Agent faking 61
- 62. © 2015 Imperva, Inc. All rights reserved. Scraping Case Study 62
- 63. © 2015 Imperva, Inc. All rights reserved. Scraping Case Study 63
- 64. © 2015 Imperva, Inc. All rights reserved. Conclusions 64
- 65. © 2015 Imperva, Inc. All rights reserved. Recommendations 65
- 66. © 2015 Imperva, Inc. All rights reserved. Q&A 7 66
- 67. © 2015 Imperva, Inc. All rights reserved. Download 2015 Web Application Attack Report 67 http://www.imperva.com/DefenseCenter/WAAR
Notes de l'éditeur
- Motivation Target audience Tradition
- 198 WAF customers 103,455,308 security events The team - ADC led by CTO Next slide - The alerts were gathered with …
- Positive Negative vs. Positive security model Crowd sourcing Distinction – content vs. reputation Next slide – this distinction
- Focus on attack types Reputation-based detection vs. Content-based detection
- Incident – collection of requests which seem to belong to the same attack The IP dilemma
- # of attacks within the report period
- Most prominent - Everyone’s at risk For every attack type (RCE), at least 3/4 applications (100%) were attacked If you expose your application to the Internet – you will get attacked
- If you expose your application to the Internet – you will get attacked Next slide - How many attacks…..
- Explain the diagram Explain the quartiles notion
- Explain the diagram Explain the quartiles notion
- RCE – 273-591 for the Q3 (Shellshock) Spam: 24-276 attacks on Q3 Notice the difference between RCE and Spam
- Equality Measure Spam is outstanding RCE is lowest Next slide – zoomin to other attack types
- Equality Measure Spam is outstanding RCE is lowest Next slide – zoomin to other attack types
- Equality Measure Spam is outstanding RCE is lowest Next slide – zoomin to other attack types
- Explain the diagram – attacks during 6 months Next slide – year over year
- Explain the diagram – attacks during 6 months Next slide – year over year
- Diagram – we use the median Exponential growth Why: Reduce cost of computational power Availability of knowledge and tools Next slide – down trends
- Diagram – we use the median Exponential growth Why: Reduce cost of computational power Availability of knowledge and tools Next slide – down trends
- Diagram – we use the median Exponential growth Why: Reduce cost of computational power Availability of knowledge and tools Next slide – down trends
- Diagram – we use the median Exponential growth Why: Reduce cost of computational power Availability of knowledge and tools Next slide – down trends
- Diagram – we use the median Exponential growth Why: Reduce cost of computational power Availability of knowledge and tools Next slide – down trends
- Next slide – from number of attacks to the intern of attacks - magnitude
- Next slide – from number of attacks to the intern of attacks - magnitude
- Next slide – from number of attacks to the intern of attacks - magnitude
- Attacks mounted by scanners Typical SQLi attack includes more than 70 requests, usually arriving in bursts over a short period The most intensive SQLi attack spanned 300,000 malicious requests
- Attacks mounted by scanners Typical SQLi attack includes more than 70 requests, usually arriving in bursts over a short period The most intensive SQLi attack spanned 300,000 malicious requests
- What is reputation based mitigation? Crowed sourcing Reputation based mechanism saves the web-application server and the waf computing resources as the data is blocked in very early stages. Is reputation based mitigation effective? 4 out of 5 alerts are detected by reputation Serial attackers and anonymous browsing
- What is reputation based mitigation? Crowed sourcing Reputation based mechanism saves the web-application server and the waf computing resources as the data is blocked in very early stages. Is reputation based mitigation effective? 4 out of 5 alerts are detected by reputation Serial attackers and anonymous browsing
- What is reputation based mitigation? Crowed sourcing Reputation based mechanism saves the web-application server and the waf computing resources as the data is blocked in very early stages. Is reputation based mitigation effective? 4 out of 5 alerts are detected by reputation Serial attackers and anonymous browsing
- Zoom into the data X/Y-axis. Limit 2M Different points in time different mitigations are more effective
- Zoom into the data X/Y-axis. Limit 2M Different points in time different mitigations are more effective
- Insights on the different industries => show the percent of incidents for each attack type The dominance of RCE and Spam => zoom in
- Exclude Spam and RCE XSS are rare XSS are popular on the health industry, maybe to steal personal information DT are popular on restaurants applications. Not clear why
- Exclude Spam and RCE XSS are rare XSS are popular on the health industry, maybe to steal personal information DT are popular on restaurants applications. Not clear why
- Exclude Spam and RCE XSS are rare XSS are popular on the health industry, maybe to steal personal information DT are popular on restaurants applications. Not clear why
- 3 groups WordPress is popular
- Normalized the absolute # requests by the internet users published by the world bank The bigger the bubble the traffic is more malicious
- Netherlands and USA in the top five second 2 year in a row Cyprus, Costa Rica, Switzerland were dominant last year and are not dominant anymore.
- One of the most significant security event Zoom into the Shellshock incidents Week-by-week analysis Remind you – 2015 period while Shellshock was published during September 2014 2 waves: the first is during September 2014, right after the publication – not in the report The second is during weeks 14-19 – April 2015 Seven month after the publication, attackers hit again
- One of the most significant security event Zoom into the Shellshock incidents Week-by-week analysis Remind you – 2015 period while Shellshock was published during September 2014 2 waves: the first is during September 2014, right after the publication – not in the report The second is during weeks 14-19 – April 2015 Seven month after the publication, attackers hit again
- Focus on one application that was highly attacked. The attack lasted 4 days with high SQLi activity. 6,800 Alerts per hour, The attacks had similar patterns Blocked by content and by reputation, negative security model, signatures, policies 2 waves – the first one faded away on the third day and a new wave on the 4th day We believe that the first wave faded away due to our blocking mechanisms and the second wave was used with a new pool of Ips to try to avoid blocking
- Focus on one application that was highly attacked. The attack lasted 4 days with high SQLi activity. 6,800 Alerts per hour, The attacks had similar patterns Blocked by content and by reputation, negative security model, signatures, policies 2 waves – the first one faded away on the third day and a new wave on the 4th day We believe that the first wave faded away due to our blocking mechanisms and the second wave was used with a new pool of Ips to try to avoid blocking
- We looked at one application in a specific week with high activity from TOR 2 million requests from TOR 99% were targeted for 3 URLs: search and 2 shopping pages (different input parameters values for product ID) ~2,000 sessions IDs Usage of session ID from multiple Ips at the same time 3 main user-agents that were used in different permutations
- We looked at one application in a specific week with high activity from TOR 2 million requests from TOR 99% were targeted for 3 URLs: search and 2 shopping pages (different input parameters values for product ID) ~2,000 sessions IDs Usage of session ID from multiple Ips at the same time 3 main user-agents that were used in different permutations
- We looked at one application in a specific week with high activity from TOR 2 million requests from TOR 99% were targeted for 3 URLs: search and 2 shopping pages (different input parameters values for product ID) ~2,000 sessions IDs Usage of session ID from multiple Ips at the same time 3 main user-agents that were used in different permutations
- 3 out of 4 applications are attacked Crowd sourcing is effective – 4 out of 5 Shellshock mega-trend influenced cyberspace Y2Y increase
- Mega trend vulnerabilities spread like wildfire: keep updated with new vulnerabilities mitigations Be part of a community defense: it prevents attacks and saves CPU