The State of Application Security: Hackers On Steroids

© 2015 Imperva, Inc. All rights reserved.

The State of Application Security: Hackers On SteroidsItsik Mantin, Director of Security Research, Imperva


“Study the past if you would define the future” (Confucius)


Speaker

• Director of Security Research at Imperva

• 15 years experience in the security industry

• An inventor of 15 patents in these fields

• Holds an M.Sc. in Applied Math and Computer Science

• Presenter in Blackhat Asia, OWASP IL, EuroCrypt and other conferences

Itsik Mantin

3


Making the Report

4

Attack Detection Mechanisms

Application Profiling

5

Attack Types

6

Attack Incidents

Attack Type Min Ratio #Alert/5min

SQLi 20

HTTP 10

XSS 5

DT 5

Spam 1

RCE 1

FU 1

IncidentCollection of alertsSame attack typeSame targetEssentially same timeNot necessarily same IP

Incident Alert RatioIncident Alert Ratio

7


Attack Trends

1

8


Chance of Getting Attacked

9


Chance of Getting Attacked

Everyone’s at risk3/4 apps attacked for every attack type

10


Chance of Getting Attacked “Perfect” RCE CoverageAll applications were attacked

11


Number of Attack Incidents

12



75th Percentile

Median25th percentile

13



RCE and Spam are the most popularRCE: Median of 273

14



Inequality MeasureRatio between 3rd and 2nd quartiles

15



Inequality MeasureRatio between 3rd and 2nd quartiles

RCE Blind ScansAll applications suffer equally

16



Spam is discriminatorySpoiler – some industries suffer more

17


SQL Injection and Cross-Site Scripting

18


SQL Injection and Cross-Site Scripting

Most Applications see SQLi and XSS every other week

Median of 12-13 for 6-month period3-5 days for topQ applications

19


Year-over-Year Up-Trends

# In

cide

nts

20



SQLi Persistent Growth 100% increase in 2014200% increase in 2015

# In

cide

nts

XSS Persistent Growth 100% increase in 2014150% increase in 2015

21



# In

cide

nts

22



23



24


Year-over-Year Down-Trends

# In

cide

nts

25



# In

cide

nts

RFI was on fire in 2014Super-popular attack vector in 2014Back to “normal” in 2015

26



# In

cide

nts

DT Decrease2014 trend changedSpoiler – in one industry DT is still the attack of choice

27


Magnitude of Attacks

28


Magnitude of Attacks

SQLi Attacks are most Intensive72-204 alerts for quartile 3 (of the incidents)300K alerts in most intensive attack

29


Reputation

2

30

Reputation

31

Reputation

32

Reputation

Serial Attackers – 70%Anonymous Browsing – 8%

33


Serial Attackers Vs. Anonymous Browsing

34


Serial Attackers Vs. Anonymous Browsing

35


Serial Attackers Vs. Anonymous Browsing140,000 anonymous browsing1,800,000 detect-by-content12,500,000 serial attackers

1,700,000 anonymous browsing280,000 detect-by-content28,000 serial attackers

36


Industry Trends

3

37


Per-Industry Trends

Health

Food

Travel

Leisure

Shopping

Business

Financial

Computer

DT FU HTTP RFI SQLi XSSSpamRCE

38


Per-Industry Trends

Health

Food

Travel

Leisure

Shopping

Business

Financial

Computer


Massive Spam/RCE Campaigns

39


Per-Industry Trends

Health

Food

Travel

Leisure

Shopping

Business

Financial

Computer


RCE blind scans


40


Per-Industry Trends

Health

Food

Travel

Leisure

Shopping

Business

Financial

Computer


RCE blind scans

Spam focused on travel applications


41


Attack Types

42


Attack Types

43


Attack Types

57% XSS incidents on Health

44


Attack Types

37% DT incidents on Food

45


Web Framework Trends

4

46


Content Management Systems

47


CMS Trends

All CMS

Non CMS Applications

48


CMS Trends

All CMS

Non CMS Applications

CMS At RiskCMS applications are attacked 3 Times more oftenTrend consistent for all attack types

49


WordPress Trends

Other CMS

Non CMS

WordPress

50


WordPress Trends

Other CMS

Non CMS

WordPress

WordPress at More Risk3.5 times more attacks than non-CMS Applications7 times more RFI and Spam Attacks

51


WordPress Trends

Other CMS

Non CMS

WordPress



52


Geographic Trends

53


Geographic Attack Trends

Country Absolute #Requests

Internet Users

US 17,671,816 278,553,524

China 8,227,498 672,585,110

UK 2,224,749 59,097,955

54


Geographic Attack – Year-over-Year

55


Case Studies

6

56


Shellshock Mega-Trend

57


Shellshock Mega-Trend 75,000 incidents189 applications

26,000 incidents137 applications



58


SQLi Cases Study

59


SQLi Cases Study 6,800 alerts per hour

60


Scraping Case Study

• TOR Massive Scraping attack

• 2 million requests

• 777 TOR Ips

• User-Agent faking

61


Scraping Case Study

62


Scraping Case Study

63


Conclusions

64


Recommendations

65


Q&A

7

66


Download 2015 Web Application Attack Report

67

http://www.imperva.com/DefenseCenter/WAAR

Data & Analytics

The State of Application Security: Hackers On Steroids