As a part of its ongoing Hacker Intelligence Initiative, Imperva’s Application Defense Center (ADC) observed and categorized attacks across 30 applications as well as The Onion Router (TOR) traffic, monitoring more than 10 million individual attacks targeted at web applications over a period of six months. Our analysis shows:
- Due to automation, web applications, on average, are probed or attacked about 27 times per hour, or about once every two minutes. At the apex of an attack, web applications can experience nearly 25,000 attacks per hour, or 7 per second. The way hackers have leveraged automation is one of the most significant innovations in criminal history. You can’t automate car theft or purse snatching—but you can automate data theft. We predict that automation will be the driver that will help make cyber crime exceed physical crime in terms of financial impact. Ironically, most organizations, especially smaller ones, have not yet emphasized web application security and need to take notice, as automated methods will virtually guarantee that criminals will find them.
- Four dominant attack types comprise the vast majority of attacks targeting web applications: Directory Traversal, Cross-Site Scripting, SQL injection, and Remote File Inclusion. These findings very much mirror the approach used by hacking groups such as LulzSec and Anonymous, whose attacks largely focus on data theft via application attack. Our findings and the recent spate of high-profile data breaches highlight how the battlefield has shifted to applications and databases and away from network firewalls and anti-virus.
- The United States is the main source of application attacks. Applications are attacked by infected computers, or bots, with most located in the US. This highlights that advances in evasion are also significant. Our data shows that it is increasingly difficult to trace attacks to specific entities or organizations. This complicates any effort to retaliate, shut down cybercriminal gangs or identify potential acts of war.
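As an added illustration, not code from the report or from Imperva, the following Python classifies web-server log lines into the four attack classes named above and reports the average and peak attacks per observed hour, the two figures the summary quotes. The log lines, IP addresses and signature patterns are constructed for the example; real detection would use a maintained signature set rather than these minimal ones.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Constructed sample in Apache combined-log style (hypothetical addresses, not data from the report).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2011:14:02:11 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 512
203.0.113.5 - - [10/Jul/2011:14:02:12 +0000] "GET /search?q=<script>alert(1)</script> HTTP/1.1" 200 1024
198.51.100.7 - - [10/Jul/2011:14:10:45 +0000] "GET /item?id=1' OR '1'='1 HTTP/1.1" 500 300
198.51.100.7 - - [10/Jul/2011:14:11:01 +0000] "GET /view.php?file=http://203.0.113.99/remote.txt HTTP/1.1" 200 210
192.0.2.44 - - [10/Jul/2011:15:30:00 +0000] "GET /about.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>.+?) HTTP/[\d.]+"')

# Minimal constructed signatures for the four attack classes the report names; they are
# checked against the URL-decoded path so percent-encoded variants are caught too.
SIGNATURES = {
    "Directory Traversal": re.compile(r"\.\./|\.\.\\"),
    "Cross-Site Scripting": re.compile(r"<script|javascript:|onerror\s*=|onload\s*=", re.I),
    "SQL injection": re.compile(r"'\s*or\s*'|union\s+select|--\s*$", re.I),
    "Remote File Inclusion": re.compile(r"=(https?|ftp)://", re.I),
}

def classify(path):
    """Return the attack class a request path matches, or None for benign traffic."""
    decoded = unquote(path)
    for name, pattern in SIGNATURES.items():
        if pattern.search(decoded):
            return name
    return None

def analyse(log_text):
    """Count attacks per class and return (counts, average per hour, peak hour count)."""
    by_type, per_hour, hours_seen = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-log format; skip rather than guess
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hour = ts.replace(minute=0, second=0)
        hours_seen.add(hour)  # every hour with traffic counts toward the average
        label = classify(m.group("path"))
        if label:
            by_type[label] += 1
            per_hour[hour] += 1
    avg = sum(by_type.values()) / len(hours_seen) if hours_seen else 0.0
    return by_type, avg, max(per_hour.values(), default=0)
```

Running `analyse(SAMPLE_LOG)` on the constructed log yields one hit per class, an average of 2.0 attacks per hour over the two observed hours, and a peak of 4 in the 14:00 hour.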
To download the report, with no registration required, click here.