Highlights from the report include:
• Retailers suffer twice as many SQL injection attacks as other industries: Analysis revealed that SQL injection attacks on retail applications consisted of more HTTP requests and lasted longer than SQL injection attacks on other applications. This finding can be attributed to the design and size of the applications. For example, it is plausible to assume that retail applications contain a relatively large number of pages in the form of online catalogs, and that this factor may have contributed to the length and the intensity of SQL injection attacks.
• Most web apps monitored receive four or more attacks per month: A typical application experienced 12 “battle” days; that is, days in which at least one attack incident occurred. By comparison, the worst-case scenario saw 176 battle days in the six months observed—meaning the application suffered attacks almost every day within this time period, with one application attacked, on average, as many as 26 times per minute. Another interesting finding is that while the typical attack incident lasted around five minutes, the worst-case incident was about 100 times longer, lasting more than 15 hours.
• The US is the number one source of web attacks: The majority of requests and attackers originated in the United States, Western European countries, China and Brazil.
The report also shows that some applications are constantly under attack and that the U.S. has maintained its position as the number one source of web attacks.
“While most of the 70 web applications monitored were attacked a significant amount, some received an astounding number of attacks – with one application receiving up to an average of 26 per minute,” said Amichai Shulman, CTO, Imperva. “While these findings undeniably demonstrate that web application attacks are far from consistently distributed, the takeaway is that organizations should base security measures on the worst case scenario, not on the average case.”
The WAAR, created as part of Imperva’s ongoing Hacker Intelligence Initiative, offers insight into actual malicious attack traffic of 70 web applications over a six-month period to reveal the underlying distribution of attacks, and give an accurate picture of today’s application threat landscape. To achieve this, Imperva matched events to known attack signatures, compared attack sources to black lists of malicious hosts, and reviewed specific attributes of malicious traffic. The WAAR outlines the frequency, type, and geography of origin of each attack to help security professionals prioritize vulnerability remediation.
“We believe that, with the current threat landscape, organizations can no longer afford to take an every-man-for-himself approach to security,” said Shulman. “This report demonstrates that the automation and scale of attacks leave a large footprint that can be better addressed by looking at data gathered from a large set of potential victims. Thus it is important to rely on one’s peers to acquire intelligence on malicious sources and apply this intelligence in real time.”