© 2015 Imperva, Inc. All rights reserved.
The State of Application Security: Hackers On Steroids
Itsik Mantin, Director of Security Research, Imperva
“Study the past if you would define the future” (Confucius)
Speaker: Itsik Mantin
• Director of Security Research at Imperva
• 15 years' experience in the security industry
• Inventor of 15 patents in these fields
• Holds an M.Sc. in Applied Math and Computer Science
• Presenter at Blackhat Asia, OWASP IL, EuroCrypt and other conferences

Making the Report
Attack Detection Mechanisms
Application Profiling

Attack Types

Attack Incidents
An incident is a collection of alerts of the same attack type, against the same target, at essentially the same time; the alerts are not necessarily from the same source IP. The minimum alert rate that turns a group of alerts into an incident depends on the attack type:

Attack Type   Min Ratio (#Alerts / 5 min)
SQLi          20
HTTP          10
XSS            5
DT             5
Spam           1
RCE            1
FU             1

(chart: Incident/Alert ratio per attack type)
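One way to implement the alert-to-incident aggregation the slide defines, written here as an added Python example rather than Imperva's own code: the per-type thresholds are the slide's values, while the 5-minute window anchoring, the target names and the alert data are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Minimum alerts per 5-minute window needed to form an incident, per attack type (slide values).
MIN_ALERTS_PER_5MIN = {"SQLi": 20, "HTTP": 10, "XSS": 5, "DT": 5, "Spam": 1, "RCE": 1, "FU": 1}
WINDOW = timedelta(minutes=5)

def _incident(atype, target, window):
    """Summarise one window of (timestamp, source_ip) alerts as an incident record."""
    return {"type": atype, "target": target, "start": window[0][0], "end": window[-1][0],
            "alerts": len(window), "sources": sorted({ip for _, ip in window})}

def group_incidents(alerts):
    """Group (timestamp, attack_type, target, source_ip) alerts into incidents.
    Bucket by (attack type, target), sort by time and cut into windows that open at the
    first alert and close 5 minutes later (anchoring is an assumption; the slide does not
    say), keeping a window only if it reaches the per-type minimum. Source IP is not part
    of the key on purpose: a distributed attack on one target is still one incident."""
    by_key = defaultdict(list)
    for ts, atype, target, ip in alerts:
        by_key[(atype, target)].append((ts, ip))
    incidents = []
    for (atype, target), items in by_key.items():
        threshold = MIN_ALERTS_PER_5MIN.get(atype)
        if threshold is None:
            continue  # attack type without a rule on the slide
        items.sort()
        window = []
        for ts, ip in items:
            if window and ts - window[0][0] > WINDOW:
                if len(window) >= threshold:
                    incidents.append(_incident(atype, target, window))
                window = []
            window.append((ts, ip))
        if len(window) >= threshold:
            incidents.append(_incident(atype, target, window))
    return incidents

def incident_alert_ratio(alerts, incidents):
    """Incidents per alert for each attack type (the slide's 'Incident Alert Ratio')."""
    n_alerts = Counter(atype for _, atype, _, _ in alerts)
    n_inc = Counter(inc["type"] for inc in incidents)
    return {t: n_inc[t] / n for t, n in n_alerts.items()}

# Constructed sample: 25 SQLi alerts from 3 IPs in 2 min, 3 XSS alerts (below its minimum of 5), 2 RCE alerts 12 min apart.
T0 = datetime(2015, 6, 1, 12, 0, 0)
SAMPLE_ALERTS = (
    [(T0 + timedelta(seconds=5 * i), "SQLi", "shop.example", f"198.51.100.{i % 3}") for i in range(25)]
    + [(T0 + timedelta(seconds=10 * i), "XSS", "shop.example", "203.0.113.7") for i in range(3)]
    + [(T0, "RCE", "blog.example", "203.0.113.9"), (T0 + timedelta(minutes=12), "RCE", "blog.example", "203.0.113.9")]
)
```

Running `group_incidents(SAMPLE_ALERTS)` yields three incidents (one SQLi, two RCE) and no XSS incident, since three XSS alerts are below the XSS minimum of five.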
1. Attack Trends
Chance of Getting Attacked
Everyone's at risk: 3/4 of applications were attacked, for every attack type.
"Perfect" RCE coverage: all applications were attacked with RCE.
Number of Attack Incidents
(chart: incidents per application by attack type, showing the 25th percentile, median and 75th percentile)
RCE and Spam are the most popular: RCE has a median of 273 incidents.
Inequality measure: the ratio between the 3rd and 2nd quartiles.
RCE blind scans: all applications suffer equally.
Spam is discriminatory: spoiler, some industries suffer more.
SQL Injection and Cross-Site Scripting
Most applications see SQLi and XSS every other week: a median of 12-13 incidents over the 6-month period, and one every 3-5 days for top-quartile (topQ) applications.
Year-over-Year Up-Trends
(chart: # Incidents per year, by attack type)
SQLi persistent growth: 100% increase in 2014, 200% increase in 2015.
XSS persistent growth: 100% increase in 2014, 150% increase in 2015.
Year-over-Year Down-Trends
(chart: # Incidents per year, by attack type)
RFI was on fire in 2014: a super-popular attack vector in 2014, back to "normal" in 2015.
DT decrease: the 2014 trend changed; spoiler, in one industry DT is still the attack of choice.
Magnitude of Attacks
SQLi attacks are the most intensive: 72-204 alerts for quartile 3 (of the incidents), and 300K alerts in the most intensive attack.
2. Reputation
Serial attackers – 70%; anonymous browsing – 8%.

Serial Attackers vs. Anonymous Browsing
(chart: volumes by reputation category)
140,000 anonymous browsing; 1,800,000 detect-by-content; 12,500,000 serial attackers
1,700,000 anonymous browsing; 280,000 detect-by-content; 28,000 serial attackers
3. Industry Trends
Per-Industry Trends
(heatmap: industries Health, Food, Travel, Leisure, Shopping, Business, Financial, Computer against attack types DT, FU, HTTP, RFI, SQLi, XSS, Spam, RCE)
Massive Spam/RCE campaigns
RCE blind scans
Spam focused on travel applications
Attack Types
57% of XSS incidents on Health
37% of DT incidents on Food
4. Web Framework Trends
Content Management Systems

CMS Trends
(chart: All CMS vs. Non-CMS applications, by attack type)
CMS at risk: CMS applications are attacked 3 times more often, and the trend is consistent for all attack types.

WordPress Trends
(chart: WordPress vs. Other CMS vs. Non-CMS, by attack type)
WordPress at more risk: 3.5 times more attacks than non-CMS applications, and 7 times more RFI and Spam attacks.
Geographic Trends

Geographic Attack Trends
Country   Absolute #Requests   Internet Users
US        17,671,816           278,553,524
China      8,227,498           672,585,110
UK         2,224,749            59,097,955

Geographic Attack – Year-over-Year
6. Case Studies

Shellshock Mega-Trend
(chart: Shellshock incidents and affected applications over time)
75,000 incidents, 189 applications
26,000 incidents, 137 applications
23,000 incidents, 174 applications
57,500 incidents, 193 applications
SQLi Case Study
6,800 alerts per hour

Scraping Case Study
• TOR massive scraping attack
• 2 million requests
• 777 TOR IPs
• User-Agent faking
Conclusions

Recommendations

7. Q&A

Download the 2015 Web Application Attack Report: http://www.imperva.com/DefenseCenter/WAAR