Positive Technologies intelligence identifies the most common attacks against web applications including what hackers hope their attack will achieve
Government agencies’ web applications have been identified as the hackers’ top target, followed by IT companies and financial organizations, with educational institutions in fourth. The most widespread attacks in Q1 2017 were SQL injection and cross-site scripting, each accounting for about a third of the total number of detected attacks.
The intelligence was collected by Positive Technologies, from pilot projects in which PT Application Firewall was implemented during the first three months of 2017, to determine the prevalent attacks being targeted at web applications. The attacks were then manually verified to rule out false positives. The data was then analyzed to calculate an average ‘24 hour’ period.
The average number of registered information security incidents in government agencies is 2,160 per day, compared with 1,516 incidents in IT companies, 528 incidents in financial organizations, and 32 attacks on educational institutions. Attack levels are consistent across all days of the week, including weekends, although activity increases during the afternoon and evening.
Ekaterina Kilyusheva, an analyst at Positive Technologies, explains the motivations behind attacks: “Personal data is the most valuable information resource that government agencies have, so attacks are directed either at users of applications or at databases where such information is stored. Unsurprisingly, attacks against financial organizations are financially motivated, with the aim of gaining access to sensitive data or control of the server to eventually steal money. In educational institutions, malicious users are often students themselves who either seek to access data, such as exam papers, or change current information, such as exam results or scholarship lists. This is evidenced by the results of previous Positive Technologies’ studies.”
The most prevalent attacks in Q1 2017 were SQL injection and cross-site scripting, each accounting for about a third of the total number of detected attacks. Ekaterina adds: “While SQL injection is used to gain access to sensitive information or execute operating system commands and penetrate a system, cross-site scripting is directed at users of applications. One thought as to why attackers may opt to strike at night, or over the weekend, is that the target's security staff are less likely to notice and be able to react.”
To detect and deflect web application attacks, an application-level firewall is recommended, capable of identifying and preventing even multi-staged targeted attacks. The firewall should support a number of protection techniques: such as blocking a request to, or a response from, a web application; masking a response to prevent leaks; blocking a user session or disconnecting, blocking the IP address of an attacker using built-in tools, transmitting an IP address to an external firewall or provider.
Protection tools must interact with external systems that collect and analyze events (SIEM), and send alerts to network-level DDoS protection tools. Additionally, when implementing a security system, it is necessary to take into account the intervals when malicious activity peaks, and pay special attention to network anomalies detected during this time.
Positive Technologies has published its findings in a report available from this link: https://www.ptsecurity.com/upload/corporate/ww-en/analytics/WebApp-Attacks-2017-eng.pdf