The State of Application Security: Hackers On Steroids


© 2015 Imperva, Inc. All rights reserved.

Itsik Mantin, Director of Security Research, Imperva

“Study the past if you would define the future” (Confucius)

Speaker: Itsik Mantin

• Director of Security Research at Imperva

• 15 years of experience in the security industry

• An inventor of 15 patents in these fields

• Holds an M.Sc. in Applied Math and Computer Science

• Presenter at Blackhat Asia, OWASP IL, EuroCrypt and other conferences

Making the Report

Attack Detection Mechanisms

Application Profiling

Attack Types

Attack Incidents

Incident Alert Ratio (minimum number of alerts per 5 minutes for a group of alerts to count as an incident)

Attack Type    Min Ratio (#Alert/5min)
SQLi           20
HTTP           10
XSS            5
DT             5
Spam           1
RCE            1
FU             1

Incident: a collection of alerts
• Same attack type
• Same target
• Essentially same time
• Not necessarily same IP
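As an added example (not code from the report or the slides), the incident rule above can be turned into a small aggregator: alerts are grouped by attack type and target regardless of source IP, and a group becomes an incident only when it reaches the per-type minimum. The alert field names, the reading of "essentially same time" as a 5-minute window, and the sample alerts are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Minimum alerts per 5-minute window for a group to count as an incident,
# per attack type (thresholds from the table above).
MIN_ALERTS_PER_5MIN = {"SQLi": 20, "HTTP": 10, "XSS": 5, "DT": 5,
                       "Spam": 1, "RCE": 1, "FU": 1}
WINDOW = timedelta(minutes=5)

def _close_window(window, atype, target, incidents):
    # Emit the window as an incident only if it reaches the type's minimum.
    if len(window) >= MIN_ALERTS_PER_5MIN[atype]:
        incidents.append({"type": atype, "target": target,
                          "alerts": len(window),
                          "distinct_ips": len({a["ip"] for a in window}),
                          "start": window[0]["ts"], "end": window[-1]["ts"]})

def aggregate_incidents(alerts):
    """Group alerts (dicts with ts, type, target, ip) into incidents: same
    attack type, same target, within one 5-minute window, any source IP."""
    groups = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        groups[(a["type"], a["target"])].append(a)
    incidents = []
    for (atype, target), items in groups.items():
        window = []
        for a in items:
            # "essentially same time" is assumed here to mean: within 5
            # minutes of the first alert of the current window
            if window and a["ts"] - window[0]["ts"] > WINDOW:
                _close_window(window, atype, target, incidents)
                window = []
            window.append(a)
        _close_window(window, atype, target, incidents)
    return incidents

# Constructed sample alerts (not from the report): 22 SQLi alerts on /login
# from 3 IPs in under 2 minutes, 3 XSS alerts on /search, 1 RCE alert.
T0 = datetime(2015, 6, 1, 12, 0, 0)
SAMPLE_ALERTS = (
    [{"ts": T0 + timedelta(seconds=5 * i), "type": "SQLi", "target": "/login",
      "ip": f"198.51.100.{i % 3}"} for i in range(22)]
    + [{"ts": T0 + timedelta(seconds=i), "type": "XSS", "target": "/search",
        "ip": "203.0.113.7"} for i in range(3)]
    + [{"ts": T0 + timedelta(minutes=20), "type": "RCE", "target": "/cgi-bin/x",
        "ip": "203.0.113.9"}]
)
```

On the sample data the SQLi group (22 alerts, 3 IPs) and the single RCE alert become incidents, while the 3 XSS alerts stay below the XSS minimum of 5 and are not reported.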

Attack Trends


Chance of Getting Attacked

Everyone’s at risk: 3/4 of apps attacked for every attack type

“Perfect” RCE coverage: all applications were attacked

Number of Attack Incidents

(Chart: number of attack incidents per attack type, showing the 75th percentile, median and 25th percentile)

RCE and Spam are the most popular; RCE: median of 273

Inequality measure: ratio between 3rd and 2nd quartiles

RCE blind scans: all applications suffer equally

Spam is discriminatory. Spoiler – some industries suffer more

SQL Injection and Cross-Site Scripting

Most applications see SQLi and XSS every other week

Median of 12-13 for the 6-month period; every 3-5 days for topQ (top-quartile) applications

Year-over-Year Up-Trends

(Chart: number of incidents per year, by attack type)

SQLi persistent growth: 100% increase in 2014, 200% increase in 2015

XSS persistent growth: 100% increase in 2014, 150% increase in 2015

Year-over-Year Down-Trends

(Chart: number of incidents per year, by attack type)

RFI was on fire in 2014: super-popular attack vector in 2014, back to “normal” in 2015

DT decrease: the 2014 trend changed. Spoiler – in one industry DT is still the attack of choice

Magnitude of Attacks

SQLi attacks are the most intensive: 72-204 alerts for quartile 3 (of the incidents); 300K alerts in the most intensive attack

Reputation

Serial attackers – 70%; anonymous browsing – 8%

Serial Attackers Vs. Anonymous Browsing

(First chart: 140,000 anonymous browsing; 1,800,000 detect-by-content; 12,500,000 serial attackers)

(Second chart: 1,700,000 anonymous browsing; 280,000 detect-by-content; 28,000 serial attackers)

Industry Trends


Per-Industry Trends

(Chart: attack incidents per industry (Health, Food, Travel, Leisure, Shopping, Business, Financial, Computer) by attack type: DT, FU, HTTP, RFI, SQLi, XSS, Spam, RCE)

Massive Spam/RCE campaigns

RCE blind scans

Spam focused on travel applications

Attack Types

57% of XSS incidents on Health

37% of DT incidents on Food

Web Framework Trends


Content Management Systems


CMS Trends

(Chart: all CMS vs. non-CMS applications)

CMS at risk: CMS applications are attacked 3 times more often; trend consistent for all attack types

WordPress Trends

(Chart: WordPress vs. other CMS vs. non-CMS applications)

WordPress at more risk: 3.5 times more attacks than non-CMS applications; 7 times more RFI and Spam attacks

Geographic Trends


Geographic Attack Trends

Country   Absolute #Requests   Internet Users
US        17,671,816           278,553,524
China     8,227,498            672,585,110
UK        2,224,749            59,097,955

Geographic Attack – Year-over-Year


Case Studies


Shellshock Mega-Trend

(Chart, four data points: 75,000 incidents / 189 applications; 26,000 incidents / 137 applications; 23,000 incidents / 174 applications; 57,500 incidents / 193 applications)

SQLi Case Study

6,800 alerts per hour

Scraping Case Study

• TOR massive scraping attack

• 2 million requests

• 777 TOR IPs

• User-Agent faking

Conclusions

Recommendations

Q&A

Download 2015 Web Application Attack Report

http://www.imperva.com/DefenseCenter/WAAR