The document summarizes key findings from analyzing real-world web application attack data over an 18-month period. Some key findings include that attacks occur in bursty patterns, with the worst incidents involving thousands of requests. SQL injection and RFI attacks were among the most common and intensive. While most attacks were short, DT attacks tended to last longer. The data also showed attacks were not evenly distributed and were harder to predict than assumed. Organizations need defenses scaled for typical yet intense incidents.

1. Applications Under Siege:
Defending Against Attack Outbreaks
Amichai Shulman, CTO, Imperva

2. Agenda
 Introduction to our Hacker Intelligence Initiative (HII)
and Web Application Attack Report (WAAR)
 Taking a new approach
 Analyzing real-life attack traffic
+ Key findings
+ Take-aways
 Summary of recommendations
2

3. Amichai Shulman – CTO Imperva
 Speaker at Industry Events
+ RSA, Sybase Techwave, Info Security UK, Black Hat
 Lecturer on Info Security
+ Technion - Israel Institute of Technology
 Former security consultant to banks & financial
services firms
 Leads the Application Defense Center (ADC)
+ Discovered over 20 commercial application
vulnerabilities
– Credited by Oracle, MS-SQL, IBM and others
Amichai Shulman one of InfoWorld’s “Top 25 CTOs”

4. Introduction to HII and WAAR
CONFIDENTIAL

5. HII - Hacker Intelligence Initiative
 Hacker Intelligence Initiative is focused on
understanding how attackers are operating in
practice
+ A different approach from vulnerability research
 Data set composition
+ ~50 real world applications
+ Anonymous Proxies
 More than 18 months of data
 Powerful analysis system
+ Combines analytic tools with drill down capabilities
5

6. HII - Motivation
 Focus on actual threats
+ Focus on what hackers want, helping good guys prioritize
+ Technical insight into hacker activity
+ Business trends of hacker activity
+ Future directions of hacker activity
 Eliminate uncertainties
+ Active attack sources
+ Explicit attack vectors
+ Spam content
 Devise new defenses based on real data
+ Reduce guess work

7. HII Reports
 Monthly reports based on data collection
and analysis
 Drill down into specific incidents or
attack types
 2011 / 2012 reports
+ Remote File Inclusion
+ Search Engine Poisoning
+ The Convergence of Google and Bots
+ Anatomy of a SQLi Attack
+ Hacker Forums Statistics
+ Automated Hacking
+ Password Worst Practices
+ Dissecting Hacktivist Attacks
+ CAPCHA Analysis

8. WAAR – Web Application Attack Report
 Semi annual
 Based on aggregated analysis of
6 / 12 months of data Download Roports:
 Motivation WAAR Edition #1
WAAR Edition #2
+ Pick-up trends WAAR Edition #3
+ High level take outs
+ Create comparative measurements
over time

9. Taking a New Approach
CONFIDENTIAL

10. Retrospective
 Assumptions
+ Attack requests are more or less evenly spread over time
+ Applications are more or less similar
 Method
+ Count and analyze individual requests
+ Look at average over time / application
 Consequence
+ “An application experiences an attack every other minute”

11. Contemplation
 Observations
+ Attack traffic has a burst nature
+ Applications in our data set show some outliers
 Reflections
+ Do organizations really need to handle an alert every two
minutes?
+ Do organizations handle a steady stream of attacks of an evenly
distributed nature?

12. Resolution
 Abandon individual requests and
look at incidents
+ 30 requests (or more) within 5 mins
+ Intensity and durability
 Further aggregate incidents into
“battle days”
+ A day that includes at least one
incident

13. Resolution (cont.)
 Then there is the man who drowned crossing a stream
with an average depth of six inches - W.I.E. Gates
+ Distribution of web attacks is asymmetric and includes rare, yet
extremely meaningful, outliers
+ Security professionals who would prepare for the “average
case” will be overwhelmed by the intensity of incidents when
these actually happen
+ We shifted away from average into other measures like median
and quartiles
+ Use Box & Whisker charts to display data
– Express dispersion and skewness

14. Box and Whisker
Median
75%
95%
5%
25%

15. Data Analysis
CONFIDENTIAL

16. Goals
 Frequency
+ How many incidents / battle days per
time frame
 Persistency
+ Duration of incidents
 Magnitude
+ Volume of traffic during involved in an
incident / battle day
 Predictability
+ Can one predict the timing of next
incident based on analyzing the timing of
past incidents?

17. Overview
Typical Worst-case
(median) (max)
Battle days (over a 6 months
59 141
period)
Incidents (over a 6 months
137 1383
period)
Incident magnitude (requests
195 8790
per incident)
Incident duration (minutes) 7.70 79

18. Overview – Frequency
 An incident is expected every 3rd day
 Some applications are attacked almost every day
 A battle day usually includes more than a single attack
 Expected frequency affects the resources an
organization needs to allocate on a constant basis for
handling attacks

19. Overview – Frequency
Take-away #1:
Find out your expected attack frequency

20. Overview - Magnitude
 Typical case is ~200 requests
 Average is 1 every 2 minutes
 Worst case is more than 400 times that number
 Affects the size of equipment an organization needs for
handling attacks
 Affects the capabilities required for handling incidents
+ Aggregation and summary
+ Quickly take action based on summary

21. Overview - Magnitude
Take-away #2:
Base line for scaling should be typical
numbers. Aim for 3rd quartile.

22. Granular Comparison - Frequency
350
300
250
amount of incidents
200
150
100
50
0
SQLi RFI LFI DT XSS HTTP

23. Granular Comparison - Frequency
 SQL injection is the most prevailing attack type
+ As opposed to previous edition that showed XSS and DT
 RFI attacks much more common than indicated by just
looking at number of requests
 Outliers indicate that some applications are heavily
targeted by a specific type of attack
– SQLi
– HTTP (malformed requests of various types)
– DT

24. Granular Comparison - Frequency
Take-away #3:
Attackers would try attacks that have better
potential benefit regardless of vulnerability
assessment.

25. Granular Comparison – Frequency – Battle Days
80
70
60
# of battle days in 6 months
50
40
30
20
10
0
SQLi RFI LFI DT XSS HTTP

26. Granular Comparison - Magnitude
1600
1400
1200
Requests per incident
1000
800
600
400
200
0
SQLi RFI LFI DT XSS HTTP

27. Granular Comparison - Intensity
 LFI is typically the most intensive attack
 RFI attacks tend to be more intensive than DT and SQLi
 Incidents are usually at the lowest 100s of requests per
incident with extreme cases at the lower thousands

28. Granular Comparison - Intensity
Take-away #4:
Make sure your solution tackles SQL injection
and RFI at large scales.

29. Granular Comparison - Persistence
40
35
30
minutes per incident
25
20
15
10
5
0
SQLi RFI LFI DT XSS HTTP

30. Granular Comparison - Persistence
 Majority of attacks are short
+ No more than 15 mins
+ Usually below 10 mins
 DT attacks tend to last longer, while XSS attacks tend to
be shorter
 Figures suggest that attack type does not affect the
intensity (requests per second) of attacks
+ LFI seems to have a higher tendency to intense incidents
(higher magnitude with lower persistence)
 Supports our assumption with respect to the bursty
nature of attack traffic

31. Granular Comparison - Persistence
Take-away #4:
No time to analyze individual requests and
attack vector during an ongoing attack.

32. Worst Case Analysis
SQLi RFI LFI DT XSS
Magnitude (requests) 359390 35276 3941 8197 16222
Intensity (requests per
543.2 742.2 418.4 378 455.4
minute)
Intensity (requests per
359465 41495 8343 11549 21113
battle day)

33. # Attack per week
0
5
10
15
20
25
30
35
40
45
05/06/2011
19/06/2011
03/07/2011
17/07/2011
31/07/2011
14/08/2011
28/08/2011
11/09/2011
25/09/2011
09/10/2011
23/10/2011
06/11/2011
20/11/2011
04/12/2011
18/12/2011
01/01/2012
15/01/2012
29/01/2012
12/02/2012
26/02/2012
11/03/2012
25/03/2012
Trending – A Single Application View
08/04/2012
22/04/2012
06/05/2012
20/05/2012
03/06/2012
DT
LFI
RFI
XSS
SQLi

34. Trending – A Single Application View
 Bursty nature of attacks clearly shows in this graph
 Extreme attack load of attacks during January
 Second half (even without the January burst) shows
more attacks than first half (576 vs. 322)
 This trend is also true for general malformed HTTP
requests
+ Empiric evidence to the correlation between malformed HTTP
traffic and attacks

35. Predictability - Goals
 Try to predict the timing of next attack / battle day
based on history of attacks / battle days
 We’ve showed that if an application faces an incident
during a specific day, it is likely to experience more
incidents that same day
+ Probably due to being part of a list distributed to attack bots
+ Maybe due to a change that made it pop on the to-do list of
attack bots
 Being able to predict would affect the ability to
effectively allocated resources

36. Predictability - Method
 Looked for Linear predication between battle days
 Use Auto Correlation Function (ACF)
 We employed Wessa, a freely available online service
that performs auto-correlation

37. Predictability - Results
 No apparent correlation over a simple time gat

38. Predictability - Results
 Unreported, periodic, vulnerability scan

39. Summary – Previous Advice Still Holds True
Deploy security solutions that deter automated attacks.
Detect known vulnerability attacks.
Acquire intelligence on malicious sources and apply it in real time.
Participate in a security community and share data on attacks.

40. Summary – The Bursty Nature of Attacks
Deploy for the right scale – Don’t be fooled by “average” good weather
Automated response procedures - When under attack volume is too high
Aggregate and summarize data in real time – Too many individual attacks
to look at individually
Be prepared – Bursts are unpredictable. Test your team’s readiness

41. Imperva: Our Story in 60 Seconds
Attack Usage
Protection Audit
Virtual Rights
Patching Management
Reputation Access
Controls Control

42. Webinar Materials
42
CONFIDENTIAL

43. Webinar Materials
Join Imperva LinkedIn Group,
Imperva Data Security Direct, for…
Answers to
Post-Webinar
Attendee
Discussions
Questions
Webinar
Join Group
Recording Link

44. www.imperva.com
- CONFIDENTIAL -