The document summarizes key findings from analyzing real-world web application attack data over an 18-month period. Some key findings include that attacks occur in bursty patterns, with the worst incidents involving thousands of requests. SQL injection and RFI attacks were among the most common and intensive. While most attacks were short, DT attacks tended to last longer. The data also showed attacks were not evenly distributed and were harder to predict than assumed. Organizations need defenses scaled for typical yet intense incidents.
2. Agenda
Introduction to our Hacker Intelligence Initiative (HII)
and Web Application Attack Report (WAAR)
Taking a new approach
Analyzing real-life attack traffic
+ Key findings
+ Take-aways
Summary of recommendations
2
3. Amichai Shulman – CTO Imperva
Speaker at Industry Events
+ RSA, Sybase Techwave, Info Security UK, Black Hat
Lecturer on Info Security
+ Technion - Israel Institute of Technology
Former security consultant to banks & financial
services firms
Leads the Application Defense Center (ADC)
+ Discovered over 20 commercial application
vulnerabilities
– Credited by Oracle, MS-SQL, IBM and others
Amichai Shulman one of InfoWorld’s “Top 25 CTOs”
5. HII - Hacker Intelligence Initiative
Hacker Intelligence Initiative is focused on
understanding how attackers are operating in
practice
+ A different approach from vulnerability research
Data set composition
+ ~50 real world applications
+ Anonymous Proxies
More than 18 months of data
Powerful analysis system
+ Combines analytic tools with drill down capabilities
5
6. HII - Motivation
Focus on actual threats
+ Focus on what hackers want, helping good guys prioritize
+ Technical insight into hacker activity
+ Business trends of hacker activity
+ Future directions of hacker activity
Eliminate uncertainties
+ Active attack sources
+ Explicit attack vectors
+ Spam content
Devise new defenses based on real data
+ Reduce guess work
7. HII Reports
Monthly reports based on data collection
and analysis
Drill down into specific incidents or
attack types
2011 / 2012 reports
+ Remote File Inclusion
+ Search Engine Poisoning
+ The Convergence of Google and Bots
+ Anatomy of a SQLi Attack
+ Hacker Forums Statistics
+ Automated Hacking
+ Password Worst Practices
+ Dissecting Hacktivist Attacks
+ CAPCHA Analysis
8. WAAR – Web Application Attack Report
Semi annual
Based on aggregated analysis of
6 / 12 months of data Download Roports:
Motivation WAAR Edition #1
WAAR Edition #2
+ Pick-up trends WAAR Edition #3
+ High level take outs
+ Create comparative measurements
over time
10. Retrospective
Assumptions
+ Attack requests are more or less evenly spread over time
+ Applications are more or less similar
Method
+ Count and analyze individual requests
+ Look at average over time / application
Consequence
+ “An application experiences an attack every other minute”
11. Contemplation
Observations
+ Attack traffic has a burst nature
+ Applications in our data set show some outliers
Reflections
+ Do organizations really need to handle an alert every two
minutes?
+ Do organizations handle a steady stream of attacks of an evenly
distributed nature?
12. Resolution
Abandon individual requests and
look at incidents
+ 30 requests (or more) within 5 mins
+ Intensity and durability
Further aggregate incidents into
“battle days”
+ A day that includes at least one
incident
13. Resolution (cont.)
Then there is the man who drowned crossing a stream
with an average depth of six inches - W.I.E. Gates
+ Distribution of web attacks is asymmetric and includes rare, yet
extremely meaningful, outliers
+ Security professionals who would prepare for the “average
case” will be overwhelmed by the intensity of incidents when
these actually happen
+ We shifted away from average into other measures like median
and quartiles
+ Use Box & Whisker charts to display data
– Express dispersion and skewness
16. Goals
Frequency
+ How many incidents / battle days per
time frame
Persistency
+ Duration of incidents
Magnitude
+ Volume of traffic during involved in an
incident / battle day
Predictability
+ Can one predict the timing of next
incident based on analyzing the timing of
past incidents?
17. Overview
Typical Worst-case
(median) (max)
Battle days (over a 6 months
59 141
period)
Incidents (over a 6 months
137 1383
period)
Incident magnitude (requests
195 8790
per incident)
Incident duration (minutes) 7.70 79
18. Overview – Frequency
An incident is expected every 3rd day
Some applications are attacked almost every day
A battle day usually includes more than a single attack
Expected frequency affects the resources an
organization needs to allocate on a constant basis for
handling attacks
20. Overview - Magnitude
Typical case is ~200 requests
Average is 1 every 2 minutes
Worst case is more than 400 times that number
Affects the size of equipment an organization needs for
handling attacks
Affects the capabilities required for handling incidents
+ Aggregation and summary
+ Quickly take action based on summary
21. Overview - Magnitude
Take-away #2:
Base line for scaling should be typical
numbers. Aim for 3rd quartile.
23. Granular Comparison - Frequency
SQL injection is the most prevailing attack type
+ As opposed to previous edition that showed XSS and DT
RFI attacks much more common than indicated by just
looking at number of requests
Outliers indicate that some applications are heavily
targeted by a specific type of attack
– SQLi
– HTTP (malformed requests of various types)
– DT
24. Granular Comparison - Frequency
Take-away #3:
Attackers would try attacks that have better
potential benefit regardless of vulnerability
assessment.
25. Granular Comparison – Frequency – Battle Days
80
70
60
# of battle days in 6 months
50
40
30
20
10
0
SQLi RFI LFI DT XSS HTTP
27. Granular Comparison - Intensity
LFI is typically the most intensive attack
RFI attacks tend to be more intensive than DT and SQLi
Incidents are usually at the lowest 100s of requests per
incident with extreme cases at the lower thousands
28. Granular Comparison - Intensity
Take-away #4:
Make sure your solution tackles SQL injection
and RFI at large scales.
30. Granular Comparison - Persistence
Majority of attacks are short
+ No more than 15 mins
+ Usually below 10 mins
DT attacks tend to last longer, while XSS attacks tend to
be shorter
Figures suggest that attack type does not affect the
intensity (requests per second) of attacks
+ LFI seems to have a higher tendency to intense incidents
(higher magnitude with lower persistence)
Supports our assumption with respect to the bursty
nature of attack traffic
31. Granular Comparison - Persistence
Take-away #4:
No time to analyze individual requests and
attack vector during an ongoing attack.
34. Trending – A Single Application View
Bursty nature of attacks clearly shows in this graph
Extreme attack load of attacks during January
Second half (even without the January burst) shows
more attacks than first half (576 vs. 322)
This trend is also true for general malformed HTTP
requests
+ Empiric evidence to the correlation between malformed HTTP
traffic and attacks
35. Predictability - Goals
Try to predict the timing of next attack / battle day
based on history of attacks / battle days
We’ve showed that if an application faces an incident
during a specific day, it is likely to experience more
incidents that same day
+ Probably due to being part of a list distributed to attack bots
+ Maybe due to a change that made it pop on the to-do list of
attack bots
Being able to predict would affect the ability to
effectively allocated resources
36. Predictability - Method
Looked for Linear predication between battle days
Use Auto Correlation Function (ACF)
We employed Wessa, a freely available online service
that performs auto-correlation
39. Summary – Previous Advice Still Holds True
Deploy security solutions that deter automated attacks.
Detect known vulnerability attacks.
Acquire intelligence on malicious sources and apply it in real time.
Participate in a security community and share data on attacks.
40. Summary – The Bursty Nature of Attacks
Deploy for the right scale – Don’t be fooled by “average” good weather
Automated response procedures - When under attack volume is too high
Aggregate and summarize data in real time – Too many individual attacks
to look at individually
Be prepared – Bursts are unpredictable. Test your team’s readiness
41. Imperva: Our Story in 60 Seconds
Attack Usage
Protection Audit
Virtual Rights
Patching Management
Reputation Access
Controls Control