As a part of its ongoing Hacker Intelligence Initiative, the Imperva Application Defense Center (ADC) monitored and categorized individual attacks across the internet over a period of six months, December 2010 through May 2011. This research encompasses attacks witnessed via onion router (TOR) traffic as well as attacks targeting 30 different enterprise and government Web applications.
Is your organization prepared to face a large-scale attack from hacktivists or cybercriminals? This webinar provides a step-by-step plan to protect web applications using proven strategies from application security consultants that have been on the front lines of attack. This presentation from Imperva and WhiteHat Security outlines the steps your organization can take to implement a comprehensive strategy for repelling web attacks. This presentation will (1) describe the modern attack methods and tools used by hacktivists and cybercriminals (2) explain the processes and technologies you can use to safeguard your website (3) help you prioritize security efforts and identify security tips and tricks you might have overlooked.
Statistics show that organizations face an ever increasing threat from compromised insiders. These trusted end users routinely have their endpoint security tested by malware and viruses.
Industry analysts are now questioning the current and future capability of anti-virus and anti-malware solutions to mitigate these insider threats. There have been numerous high profile events over the past two years to demonstrate the problems of prioritizing security at the end-point.
With mega-breaches like Anthem, OPM, IRS, Ashley Madison, UCLA Health and TalkTalk all within the past 12 months, chances are your data has been targeted. What does this mean for 2016?
Review this presentation and learn:
• Why cyber attacks continue to increase in sophistication, magnitude and velocity
• What trends will have the largest and smallest impact on cyber security in 2016
• Why cloud-based apps and the Internet of Things have transformed cyber security
• How you can protect your organization from attacks from the inside
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsIBM Security
IT security teams have a tough job. While organizations depend upon Internet access to conduct business, security teams are responsible for safeguarding these communications and transactions from those who wish to profit by stealing intellectual property, customer private data or even just encrypting your data and demanding a ransom for its safe recovery. There are a number of tools available to monitor log events, network flows, and packet captures, but most of these are performing after-the-fact analysis. That can make it easy for the bad guys to hide out on your network.
IBM QRadar Network Insights (QNI) uses innovative network threat analytics to identify malicious content – including those hidden in data transmissions, SSL certificate violations, protocol obfuscation, file tags, and suspicious network flows – and then pieces together those indicators of attack to provide security teams with real-time alerts. These alerts help organizations detect attacks that are in progress, as well as determine what damage may have already been inflicted.
View this on-demand webinar to learn how QRadar Network Insights can:
Remove network blind spots and reduce complexities in log data to reveal previously hidden threats and malicious behaviors;
Record application activities, capture file metadata and artifacts, and identify assets, applications and users participating in network communications;
Reduce the impact of threats associated with malware, phishing emails, data exfiltration, and the lateral network movements of advanced attacks.
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016IBM Security
View ondemand webinar: https://securityintelligence.com/events/qradar-investment-2016/
Helping you stay ahead of cybercriminals means our work at IBM Security is never done. With data coming from every direction to collect, you need real time and historical analytics to discover anomalistic conditions that often provide the early warning signs of an attacker’s presence. Join us to hear about new features in IBM Security QRadar that can provide you with better visibility into what’s happening on your network and new integrations that will help you multiply your investment and help speed your remediation efforts.
Is your organization prepared to face a large-scale attack from hacktivists or cybercriminals? This webinar provides a step-by-step plan to protect web applications using proven strategies from application security consultants that have been on the front lines of attack. This presentation from Imperva and WhiteHat Security outlines the steps your organization can take to implement a comprehensive strategy for repelling web attacks. This presentation will (1) describe the modern attack methods and tools used by hacktivists and cybercriminals (2) explain the processes and technologies you can use to safeguard your website (3) help you prioritize security efforts and identify security tips and tricks you might have overlooked.
Statistics show that organizations face an ever increasing threat from compromised insiders. These trusted end users routinely have their endpoint security tested by malware and viruses.
Industry analysts are now questioning the current and future capability of anti-virus and anti-malware solutions to mitigate these insider threats. There have been numerous high profile events over the past two years to demonstrate the problems of prioritizing security at the end-point.
With mega-breaches like Anthem, OPM, IRS, Ashley Madison, UCLA Health and TalkTalk all within the past 12 months, chances are your data has been targeted. What does this mean for 2016?
Review this presentation and learn:
• Why cyber attacks continue to increase in sophistication, magnitude and velocity
• What trends will have the largest and smallest impact on cyber security in 2016
• Why cloud-based apps and the Internet of Things have transformed cyber security
• How you can protect your organization from attacks from the inside
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsIBM Security
IT security teams have a tough job. While organizations depend upon Internet access to conduct business, security teams are responsible for safeguarding these communications and transactions from those who wish to profit by stealing intellectual property, customer private data or even just encrypting your data and demanding a ransom for its safe recovery. There are a number of tools available to monitor log events, network flows, and packet captures, but most of these are performing after-the-fact analysis. That can make it easy for the bad guys to hide out on your network.
IBM QRadar Network Insights (QNI) uses innovative network threat analytics to identify malicious content – including those hidden in data transmissions, SSL certificate violations, protocol obfuscation, file tags, and suspicious network flows – and then pieces together those indicators of attack to provide security teams with real-time alerts. These alerts help organizations detect attacks that are in progress, as well as determine what damage may have already been inflicted.
View this on-demand webinar to learn how QRadar Network Insights can:
Remove network blind spots and reduce complexities in log data to reveal previously hidden threats and malicious behaviors;
Record application activities, capture file metadata and artifacts, and identify assets, applications and users participating in network communications;
Reduce the impact of threats associated with malware, phishing emails, data exfiltration, and the lateral network movements of advanced attacks.
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016IBM Security
View ondemand webinar: https://securityintelligence.com/events/qradar-investment-2016/
Helping you stay ahead of cybercriminals means our work at IBM Security is never done. With data coming from every direction to collect, you need real time and historical analytics to discover anomalistic conditions that often provide the early warning signs of an attacker’s presence. Join us to hear about new features in IBM Security QRadar that can provide you with better visibility into what’s happening on your network and new integrations that will help you multiply your investment and help speed your remediation efforts.
Top 5 Things to Look for in an IPS SolutionIBM Security
Today’s next-generation intrusion prevention systems (NGIPS) offer a great deal more capability than the traditional IDS/IPS. And for many organizations, these improvements have come about since the last time they refreshed their IPS appliances.
With advanced threats on the rise, it is critical that organizations deploy the latest network security solutions that can stop zero-day attacks, mutated threats and evasion techniques. And do so without taking a network performance hit. Additionally, improved visibility and control is important – something that can be further enhanced with broad integration and data sharing with your existing security solutions.
Join this webinar to learn what to look for when considering IPS solutions, so you can make the right decision for your organization’s network security.
What’s the State of Your Endpoint Security?IBM Security
View On-Demand Webinar: https://securityintelligence.com/events/whats-state-endpoint-security/
According to the 2016 State of Endpoint Security Survey just released by the SANS™ Institute:
44% of respondents report that one or more of their endpoints have been breached in the past 24 months
Desktops, laptops and servers are the most compromised endpoints
Login and access credentials are the most commonly exfiltrated information
55% of respondents spend 3 or more hours per compromised endpoint
Over 70% of respondents find it difficult or impossible to determine when an incident has been fully remediated
These statistics encompass a wide set of industries, from financial services to education. So while each network is uniquely built to support your particular business, none is immune from being breached. To protect your data most effectively, you need a way to find the threats that are most relevant to your organization and prioritize them so you can remediate the most critical and lethal ones first.
With the seamless integration of tools such as IBM BigFix and QRadar, you get accelerated risk prioritization and incident response to keep your corporate and customer data secure. Attend this webinar to learn about the state of endpoint security and understand how IBM BigFix and IBM QRadar can help you remediate threats faster.
Cybersecurity In The Cognitive Era: Priming Your Digital Immune SystemIBM Security
What could cybersecurity look like in the cognitive era? Organizations are facing a number of well-known security challenges and these challenges are leading to gaps in intelligence, speed, and accuracy when it comes to threats and incidents. The gaps can’t be addressed by simply scaling up legacy processes and infrastructure - new approaches are needed, and cognitive security solutions may help address these gaps. IBM conducted a survey of over 700 security professionals leaders and practitioners from 35 countries, representing 18 industries to get a sense for what challenges they are facing, how they are being addressed, and how they view cognitive security solutions as a potential powerful new tool.
Join us as Diana Kelley, Executive Security Advisor in IBM Security, and David Jarvis, Functional Research Lead for CIO and Cybersecurity in the IBM Institute for Business Value, discuss findings from the 2016 Cybersecurity Study "Cybersecurity in The Cognitive Era: Priming your Digital immune system"
This webinar will cover an overview of the study findings, including:
Security challenges, shortcomings and what security leaders are doing about them
Views on cognitive security solutions - how they might help, readiness to implement and what might be holding them back
What those that are ready to implement cognitive enabled security today are thinking and doing
The State Of Information and Cyber Security in 2016Shannon G., MBA
Shannon Glass, Practice Director from AfidenceIT talks about the State of Information and Cyber Security in 2016. She covers the importance of creating a culture of security awareness within an organization, threats to look out for on the landscape, and why you should care about protecting your data assets.
Attack Autopsy: A Study of the Dynamic Attack ChainIBM Security
View on-demand webinar: https://securityintelligence.com/events/study-of-the-dynamic-attack-chain/
The sophistication of today’s cybersecurity threats is astounding. Attackers have an advanced toolkit and the help of their peers, and the patience of a saint but the motivations of ruthless criminal. What drives them? The thrill of the chase, for some, but mostly it’s your organization’s data. Credit card numbers, healthcare records, and more. If they can find a way in and learn their way around, they’ll take it.
View this on-demand webinar to hear Diana Kelley, security expert and IBM Executive Security Advisor, talk about details of a dynamic attack and share how the investigation unfolds. Diana will also give you an “under the hood” look at the IBM Threat Protection System and you’ll learn how to improve the security health of your organization.
Compete To Win: Don’t Just Be Compliant – Be Secure!IBM Security
view on-demand webinar: https://event.on24.com/wcc/r/1241904/E7C5BDA81308626F69D20F843B229534
An alarming number of organizations today are doing the bare minimum to meet compliance regulations. They are completely unaware of the “data security race” taking place against malicious insiders and criminal hackers creating risk, flying past them in a to win over sensitive data. These organizations are spending their time doing just enough to check the compliance ‘checkbox’ and pass their audits. While being compliance-ready is absolutely important and represents a great first step along the road to data security, it won't win you the gold.
View this on-demand webcast to learn more about how to shift your thinking and compete to win by using your compliance efforts to springboard you into a successful data security program - one that can safeguard data from internal and external threats, allowing you to be the champion and protector of your customers, your brand, and the sensitive data the fuels your business.
This presentation, Ransomware Rising, details the results of a survey of security professionals taken at RSA 2017, the world’s largest security conference, exploring their experiences with ransomware.
Conducted Feb. 13-17, at RSA 2017, the in-person survey is based on responses from 170 attendees including IT professionals, managers and executives from the U.S. (77 percent), EMEA (13 percent) and other regions (11 percent).
To learn more about preventing ransomware visit, http://bit.ly/2nwKICL
Level Up Your Security with Threat IntelligenceIBM Security
View on-demand webinar: https://securityintelligence.com/events/level-security-threat-intelligence/
As companies struggle to protect valuable data, threat intelligence can provide a much-needed “power up” to help enhance the detection and prevention capabilities of many security solutions like SIEMs, intrusion prevention, and malware and endpoint protection. By adding external context to internal indicators through seamless integration of data and insights, a better view of the network can help decipher the attackers’ playbook.
View this on-demand webinar to learn:
- How to use threat intelligence to improve security decision making
- Why open standards are a must to support security integration
- Best practices for integrating threat intelligence into your security practice
Borderless Breaches and Migrating Malware: How Cybercrime is Breaking Down Ba...IBM Security
View On-Demand Webinar: https://event.on24.com/eventRegistration/EventLobbyServlet?target=reg20.jsp&referrer=&eventid=1139921&sessionid=1&key=993ECF370F9F3C594E6E3F44A0FA6BA2®Tag=13522&sourcepage=register
2015 was peppered with mega-breaches of highly sensitive data like personal health information and private bedroom behaviors. and companies of all sizes need to pay attention to security basics to stop the infiltration of attackers and protect their data.
Cybercriminals’ targets are now bigger and their rewards greater as they fine-tune efforts to obtain and leverage higher value data than years’ past.
New attack techniques like mobile overlay malware are gaining, while “classic” attacks like DDoS and POS malware continue to be effective due to lackluster practice in security fundamentals.
Malware leaps across target countries are indicative of increasing sophistication and organization in cybercrime rings.
In the 2016 edition of the IBM X-Force Threat Intelligence Report, IBM security research experts examine the macro trends that affected the industry, what to expect in 2016, and recommendations on how you can protect your digital assets.
Cloud security enforcer - Quick steps to avoid the blind spots of shadow itIBM Security
Quick steps to avoid the blind spots of shadow it- Cloud security enforcer webinar- available on demand here: https://securityintelligence.com/events/quick-steps-avoid-blind-spots-shadow/
Today’s Enterprise faces a number of “blind spot” challenges involving shadow IT and mobile users. With today’s fast paced technology, those blind spots are becoming more visible and easy to avoid. With IBM Cloud Security Enforcer, you can avoid View this webinar to learn:
- How can I discover and eliminate Shadow IT, even on mobile devices?
- How can I leverage existing technology to reduce costs for the company?
- How can I mitigate risk from non-compliance with regulations and security?
- Why do I have to spend additional money and time to integrate vendor products?
Companies are struggling to deal with the unstoppable growth of cyber-attacks as hackers get faster, sneakier and more creative. The bad news is - no company is immune, no matter how big or small you are. Without a proper understanding of zero-day threats, companies have no way of exposing the gaps of overhyped security solutions.
Zero-day exploit leaves NO opportunity for detection. This presentation will highlight critical insights combating zero-day threats.
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...IBM Security
View on-demand: http://event.on24.com/wcc/r/1203107/AF33616D86CFB47663095958218D99E0
Being one step ahead of rapidly evolving, well-organized online cybercrime can seem like a losing battle. However, the key to success is combining sophisticated fraud detection with intelligent access management. Tightly uniting these capabilities in an open platform provides the flexibility to choose the appropriate authentication scheme for the various scenarios leveraging built-in biometrics, seamless authentication and mobile technologies. This smooths the access experience for legitimate users on web and mobile into a quick, frictionless authentication process while preventing fraudulent activity in real-time.
Join us in this IBM webinar where industry experts will discuss IBM’s approach on how to:
Detect fraudulent activity from stolen user credentials or a criminal device
Create risk-based access controls that reduce fraud while improving legitimate customers' activity
Speed deployment, improve business results and reduce cost of fraud protection with an integrated fraud protection gateway
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...IBM Security
When your cyber security is under attack, knowing who is behind your threats and what their motives are can help you ensure those threats don't become a reality. But cyber threat actors conduct their threats through a variety of means and for a variety of reasons. That's why it is critical to analyze a variety of data sources and proactively hunt those threats that are lying in wait. This webinar will illustrate how the IBM i2 QRadar Offense Investigator app enables analysts to push event data from QRadar directly into IBM i2 Analyst's Notebook, where users can apply a variety of visual analysis techniques across a disparate data sources, to build a more comprehensive understand of those threats and hunt them.
The application threat landscape can be described as a cyber war. In this report, we explore the technical details of this war. This Web Application Attack Report identifies how many attacks a typical application can expect to suffer annually. In addition, it exposes which countries perpetrated the most attacks and compares application risks by industry. Most importantly, this report reveals the underlying distribution of attacks, presenting an accurate picture of today’s application threat landscape.
Top 5 Things to Look for in an IPS SolutionIBM Security
Today’s next-generation intrusion prevention systems (NGIPS) offer a great deal more capability than the traditional IDS/IPS. And for many organizations, these improvements have come about since the last time they refreshed their IPS appliances.
With advanced threats on the rise, it is critical that organizations deploy the latest network security solutions that can stop zero-day attacks, mutated threats and evasion techniques. And do so without taking a network performance hit. Additionally, improved visibility and control is important – something that can be further enhanced with broad integration and data sharing with your existing security solutions.
Join this webinar to learn what to look for when considering IPS solutions, so you can make the right decision for your organization’s network security.
What’s the State of Your Endpoint Security?IBM Security
View On-Demand Webinar: https://securityintelligence.com/events/whats-state-endpoint-security/
According to the 2016 State of Endpoint Security Survey just released by the SANS™ Institute:
44% of respondents report that one or more of their endpoints have been breached in the past 24 months
Desktops, laptops and servers are the most compromised endpoints
Login and access credentials are the most commonly exfiltrated information
55% of respondents spend 3 or more hours per compromised endpoint
Over 70% of respondents find it difficult or impossible to determine when an incident has been fully remediated
These statistics encompass a wide set of industries, from financial services to education. So while each network is uniquely built to support your particular business, none is immune from being breached. To protect your data most effectively, you need a way to find the threats that are most relevant to your organization and prioritize them so you can remediate the most critical and lethal ones first.
With the seamless integration of tools such as IBM BigFix and QRadar, you get accelerated risk prioritization and incident response to keep your corporate and customer data secure. Attend this webinar to learn about the state of endpoint security and understand how IBM BigFix and IBM QRadar can help you remediate threats faster.
Cybersecurity In The Cognitive Era: Priming Your Digital Immune SystemIBM Security
What could cybersecurity look like in the cognitive era? Organizations are facing a number of well-known security challenges and these challenges are leading to gaps in intelligence, speed, and accuracy when it comes to threats and incidents. The gaps can’t be addressed by simply scaling up legacy processes and infrastructure - new approaches are needed, and cognitive security solutions may help address these gaps. IBM conducted a survey of over 700 security professionals leaders and practitioners from 35 countries, representing 18 industries to get a sense for what challenges they are facing, how they are being addressed, and how they view cognitive security solutions as a potential powerful new tool.
Join us as Diana Kelley, Executive Security Advisor in IBM Security, and David Jarvis, Functional Research Lead for CIO and Cybersecurity in the IBM Institute for Business Value, discuss findings from the 2016 Cybersecurity Study "Cybersecurity in The Cognitive Era: Priming your Digital immune system"
This webinar will cover an overview of the study findings, including:
Security challenges, shortcomings and what security leaders are doing about them
Views on cognitive security solutions - how they might help, readiness to implement and what might be holding them back
What those that are ready to implement cognitive enabled security today are thinking and doing
The State Of Information and Cyber Security in 2016Shannon G., MBA
Shannon Glass, Practice Director from AfidenceIT talks about the State of Information and Cyber Security in 2016. She covers the importance of creating a culture of security awareness within an organization, threats to look out for on the landscape, and why you should care about protecting your data assets.
Attack Autopsy: A Study of the Dynamic Attack ChainIBM Security
View on-demand webinar: https://securityintelligence.com/events/study-of-the-dynamic-attack-chain/
The sophistication of today’s cybersecurity threats is astounding. Attackers have an advanced toolkit and the help of their peers, and the patience of a saint but the motivations of ruthless criminal. What drives them? The thrill of the chase, for some, but mostly it’s your organization’s data. Credit card numbers, healthcare records, and more. If they can find a way in and learn their way around, they’ll take it.
View this on-demand webinar to hear Diana Kelley, security expert and IBM Executive Security Advisor, talk about details of a dynamic attack and share how the investigation unfolds. Diana will also give you an “under the hood” look at the IBM Threat Protection System and you’ll learn how to improve the security health of your organization.
Compete To Win: Don’t Just Be Compliant – Be Secure!IBM Security
view on-demand webinar: https://event.on24.com/wcc/r/1241904/E7C5BDA81308626F69D20F843B229534
An alarming number of organizations today are doing the bare minimum to meet compliance regulations. They are completely unaware of the “data security race” taking place against malicious insiders and criminal hackers creating risk, flying past them in a to win over sensitive data. These organizations are spending their time doing just enough to check the compliance ‘checkbox’ and pass their audits. While being compliance-ready is absolutely important and represents a great first step along the road to data security, it won't win you the gold.
View this on-demand webcast to learn more about how to shift your thinking and compete to win by using your compliance efforts to springboard you into a successful data security program - one that can safeguard data from internal and external threats, allowing you to be the champion and protector of your customers, your brand, and the sensitive data the fuels your business.
This presentation, Ransomware Rising, details the results of a survey of security professionals taken at RSA 2017, the world’s largest security conference, exploring their experiences with ransomware.
Conducted Feb. 13-17, at RSA 2017, the in-person survey is based on responses from 170 attendees including IT professionals, managers and executives from the U.S. (77 percent), EMEA (13 percent) and other regions (11 percent).
To learn more about preventing ransomware visit, http://bit.ly/2nwKICL
Level Up Your Security with Threat IntelligenceIBM Security
View on-demand webinar: https://securityintelligence.com/events/level-security-threat-intelligence/
As companies struggle to protect valuable data, threat intelligence can provide a much-needed “power up” to help enhance the detection and prevention capabilities of many security solutions like SIEMs, intrusion prevention, and malware and endpoint protection. By adding external context to internal indicators through seamless integration of data and insights, a better view of the network can help decipher the attackers’ playbook.
View this on-demand webinar to learn:
- How to use threat intelligence to improve security decision making
- Why open standards are a must to support security integration
- Best practices for integrating threat intelligence into your security practice
Borderless Breaches and Migrating Malware: How Cybercrime is Breaking Down Ba...IBM Security
View On-Demand Webinar: https://event.on24.com/eventRegistration/EventLobbyServlet?target=reg20.jsp&referrer=&eventid=1139921&sessionid=1&key=993ECF370F9F3C594E6E3F44A0FA6BA2®Tag=13522&sourcepage=register
2015 was peppered with mega-breaches of highly sensitive data like personal health information and private bedroom behaviors. and companies of all sizes need to pay attention to security basics to stop the infiltration of attackers and protect their data.
Cybercriminals’ targets are now bigger and their rewards greater as they fine-tune efforts to obtain and leverage higher value data than years’ past.
New attack techniques like mobile overlay malware are gaining, while “classic” attacks like DDoS and POS malware continue to be effective due to lackluster practice in security fundamentals.
Malware leaps across target countries are indicative of increasing sophistication and organization in cybercrime rings.
In the 2016 edition of the IBM X-Force Threat Intelligence Report, IBM security research experts examine the macro trends that affected the industry, what to expect in 2016, and recommendations on how you can protect your digital assets.
Cloud security enforcer - Quick steps to avoid the blind spots of shadow itIBM Security
Quick steps to avoid the blind spots of shadow it- Cloud security enforcer webinar- available on demand here: https://securityintelligence.com/events/quick-steps-avoid-blind-spots-shadow/
Today’s Enterprise faces a number of “blind spot” challenges involving shadow IT and mobile users. With today’s fast paced technology, those blind spots are becoming more visible and easy to avoid. With IBM Cloud Security Enforcer, you can avoid View this webinar to learn:
- How can I discover and eliminate Shadow IT, even on mobile devices?
- How can I leverage existing technology to reduce costs for the company?
- How can I mitigate risk from non-compliance with regulations and security?
- Why do I have to spend additional money and time to integrate vendor products?
Companies are struggling to deal with the unstoppable growth of cyber-attacks as hackers get faster, sneakier and more creative. The bad news is - no company is immune, no matter how big or small you are. Without a proper understanding of zero-day threats, companies have no way of exposing the gaps of overhyped security solutions.
Zero-day exploit leaves NO opportunity for detection. This presentation will highlight critical insights combating zero-day threats.
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...IBM Security
View on-demand: http://event.on24.com/wcc/r/1203107/AF33616D86CFB47663095958218D99E0
Being one step ahead of rapidly evolving, well-organized online cybercrime can seem like a losing battle. However, the key to success is combining sophisticated fraud detection with intelligent access management. Tightly uniting these capabilities in an open platform provides the flexibility to choose the appropriate authentication scheme for the various scenarios leveraging built-in biometrics, seamless authentication and mobile technologies. This smooths the access experience for legitimate users on web and mobile into a quick, frictionless authentication process while preventing fraudulent activity in real-time.
Join us in this IBM webinar where industry experts will discuss IBM’s approach on how to:
Detect fraudulent activity from stolen user credentials or a criminal device
Create risk-based access controls that reduce fraud while improving legitimate customers' activity
Speed deployment, improve business results and reduce cost of fraud protection with an integrated fraud protection gateway
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...IBM Security
When your cyber security is under attack, knowing who is behind your threats and what their motives are can help you ensure those threats don't become a reality. But cyber threat actors conduct their threats through a variety of means and for a variety of reasons. That's why it is critical to analyze a variety of data sources and proactively hunt those threats that are lying in wait. This webinar will illustrate how the IBM i2 QRadar Offense Investigator app enables analysts to push event data from QRadar directly into IBM i2 Analyst's Notebook, where users can apply a variety of visual analysis techniques across a disparate data sources, to build a more comprehensive understand of those threats and hunt them.
The application threat landscape can be described as a cyber war. In this report, we explore the technical details of this war. This Web Application Attack Report identifies how many attacks a typical application can expect to suffer annually. In addition, it exposes which countries perpetrated the most attacks and compares application risks by industry. Most importantly, this report reveals the underlying distribution of attacks, presenting an accurate picture of today’s application threat landscape.
+ Background & Basics of Web App Security, The HTTP Protocol, Web.
+ Application Insecurities, OWASP Top 10 Vulnerabilities (XSS, SQL Injection, CSRF, etc.)
+ Web App Security Tools (Scanners, Fuzzers, etc), Remediation of Web App
+ Vulnerabilities, Web Application Audits and Risk Assessment.
Web Application Security 101 was conducted by:
Vaibhav Gupta, Vishal Ashtana, Sandeep Singh from Null.
Stop Account Takeover Attacks, Right in their TracksImperva
During every hour of every day, cyber criminals silently bypass traditional perimeter controls. They use millions of stolen user credentials to takeover Web application accounts, access sensitive applications, steal confidential data, and conduct fraudulent transactions. According to the latest Verizon DBIR report, over 50% of Web application attacks launched by organized crime in 2014 involved stolen credentials.
View this presentation to learn why real-time threat intelligence is the key to preventing Web account takeover attacks.
Database surveillance can protect data, simplify compliance audits and improve visibility into data usage and user behavior. Walk through these slides to learn:
• The benefits of database monitoring over native audit tools
• Factors to consider before investing in database audit and protection
• Three specific ways to leverage database monitoring for improved security
Exploding data growth doesn’t mean you have to sacrifice data security or compliance readiness. The more clarity you have into where your sensitive data is and who is accessing it, the easier it is to secure and meet compliance regulations.
Walk through this presentation to learn how to:
- Detect and block cyber security events in real-time
- Protect large and diverse data environments
- Simplify compliance enforcements and reporting
- Take control of escalating costs.
A FRAMEWORK FOR ANALYSIS AND COMPARISON OF DYNAMIC MALWARE ANALYSIS TOOLSIJNSA Journal
Malware writers have employed various obfuscation and polymorphism techniques to thwart static analysis approaches and bypassing antivirus tools. Dynamic analysis techniques, however, have essentially overcome these deceits by observing the actual behaviour of the code execution. In this regard, various methods, techniques and tools have been proposed. However, because of the diverse concepts and strategies used in the implementation of these methods and tools, security researchers and malware analysts find it difficult to select the required optimum tool to investigate the behaviour of a malware and to contain the associated risk for their study. Focusing on two dynamic analysis techniques: Function Call monitoring and Information Flow Tracking, this paper presents a comparison framework for dynamic malware analysis tools. The framework will assist the researchers and analysts to recognize the tool’s implementation strategy, analysis approach, system-wide analysis support and its overall handling of binaries, helping them to select a suitable and effective one for their study and analysis.
A FRAMEWORK FOR ANALYSIS AND COMPARISON OF DYNAMIC MALWARE ANALYSIS TOOLSIJNSA Journal
Malware writers have employed various obfuscation and polymorphism techniques to thwart static analysis
approaches and bypassing antivirus tools. Dynamic analysis techniques, however, have essentially
overcome these deceits by observing the actual behaviour of the code execution. In this regard, various
methods, techniques and tools have been proposed. However, because of the diverse concepts and
strategies used in the implementation of these methods and tools, security researchers and malware
analysts find it difficult to select the required optimum tool to investigate the behaviour of a malware and to
contain the associated risk for their study. Focusing on two dynamic analysis techniques: Function Call
monitoring and Information Flow Tracking, this paper presents a comparison framework for dynamic
malware analysis tools. The framework will assist the researchers and analysts to recognize the tool’s
implementation strategy, analysis approach, system-wide analysis support and its overall handling of
binaries, helping them to select a suitable and effective one for their study and analysis.
Secure by design and secure software developmentBill Ross
This secure lifecycle management process (SLCMP said slickum) defines the basic and most realistic way to develop secure software. While the briefing is a bit dated slide 34 is still a very relevant process. What is below the green line is the security dynamic process that happens supporting the basic development process seen above the green line. SLCMP is supported by building a complementary and excellent information risk framework system security plan or IRASSP. SLCMP is operationally deployed.
Case Study: Q2 2014 Global DDoS Attack Report | Akamai DocumentProlexic
The Brobot botnet that devastated banks with DDoS floods in 2013 may be back. And the techniques that built it – exploiting vulnerabilities in the software that powers websites and cloud companies – is all too alive. Get the full details about this cybercrime threat in the Akamai/Prolexic Q1 2014 DDoS attack report, available for a free download at http://bit.ly/1meTkfu
7 Reasons Your Applications are Attractive to AdversariesDerek E. Weeks
Presentation from 18 November 2014.
Software applications need to be delivered faster and across more platforms than ever. To build high quality software in short order, we’ve seen a dramatic shift from source code to component-based development, with open source and third party components providing the innovation and efficiency that developers need.
Unfortunately, our dependence on components is growing faster than our ability to secure them. These shared components are not top-of-mind when considering application risk. Worse yet, components are increasingly the preferred attack surface in today’s applications.
The combination of growing component usage, coupled with lack of security, requires us to urgently re-evaluate traditional application security approaches and identify practical next steps for closing this security gap.
So what’s the “neglected 90%,” why is it attractive to your adversaries and what can you do about it? Plenty. Here are 7 key points, for starters.
http://bit.ly/AHC_USAF
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015Minded Security
Matteo Meucci did a talk on software security in practice, describing the actual scenario and the roadmap for the enterprise to improve their maturity in the SDLC.
company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
The State of Application Security: What Hackers BreakImperva
Companies of all sizes face a universal security threat from today's organized hacking industry. Why? Hackers are decreasing costs and expanding their reach with tools and technologies that allow for automated attacks against Web applications. The hacker’s arsenal includes armies of zombies (i.e. global networks of compromised computers) that access large amounts of personal and corporate data that can be sold on the black market.
As part of Imperva's ongoing Hacker Intelligence Initiative, we monitored and categorized individual attacks across the Internet over a period of six months. This webinar will detail the results of this research, which encompasses attacks witnessed via onion router (TOR) traffic as well as attacks targeting 30 different enterprise and government Web applications. The research includes:
• Insight into how automation allows hackers to generate 7 attacks per second
• Overview of the top vulnerabilities exploited by hackers: directory traversal, cross-site scripting (XSS), SQL injection, and remote file inclusion (RFI)
• Detail into which countries generate the most malicious activity
• Recommendations, both technical and nontechnical, for security teams and executive
The State of Application Security: What Hackers BreakImperva
Companies of all sizes face a universal security threat from today's organized hacking industry. Why? Hackers are decreasing costs and expanding their reach with tools and technologies that allow for automated attacks against Web applications. The hacker’s arsenal includes armies of zombies (i.e. global networks of compromised computers) that access large amounts of personal and corporate data that can be sold on the black market.
As part of Imperva's ongoing Hacker Intelligence Initiative, we monitored and categorized individual attacks across the Internet over a period of six months. This webinar will detail the results of this research, which encompasses attacks witnessed via onion router (TOR) traffic as well as attacks targeting 30 different enterprise and government Web applications.
Application Security Guide for Beginners Checkmarx
This beginner’s guide to application security focuses on the main concepts and keywords used in the Application Security domain. From a secure software development lifecycle (SDLC) to the top threats facing applications and their impacts, this guide covers it all!
This guide is divided into the following categories:
-Code DevelopmentMethodologies
-Code
-Application SecuritySolutions
-Common threats and their impacts
How do hackers automate? What do they automate? And most importantly: How can security teams block automated attacks? The latest Hacker Intelligence Initiative from Imperva's Application Defense Center will help you answer these questions and many more.
Similar to Web Application Attack Report (Edition #1 - July 2011) (20)
One Poll survey of 250 IT professionals on the state of application programming interface (API) security, which highlights growing concern for cybersecurity risk related to API use.
A survey of 170 cyber security professionals taken at Infosecurity 2017 on attitudes related to the General Data Protection Regulation - GDPR - and the need for a data privacy officer.
Beyond takeover: stories from a hacked accountImperva
In this presentation, Imperva researchers explore the dynamics of credential theft. The team reversed a phishing hook to hack and track phishers using the same methods that phishers use on their victims. The presentation explores questions such as how long it takes from takeover to exploitation, what the attacker looks for in the hacked account, which decoys attract their attention, and what security practices they use to cover their tracks. Check out the slides and read the report to learn about real-world takeover stories and best practices for breach detection and remediation to protect your data. Read the full report: https://www.imperva.com/DefenseCenter/HackerIntelligenceReports
Research: From zero to phishing in 60 seconds Imperva
Here are the highlights of our research on do-it-yourself kits for phishing attacks, allowing attackers to quickly and elegantly mount a phishing campaign. These slides present examples of phishing kits, reviews their main capabilities, and shows a statistical and clustering analysis of our collection of phishing kits. The main goal of our research is to shed light on the dynamics of phishing and the distribution of phishing kits in the underground community
Making Sense of Web Attacks: From Alerts to NarrativesImperva
Co-Founder & CTO of Imperva, Amichai Shulman, discusses how recognizing the security narrative in your web-application is a big challenge. On the one hand security products are getting more sensitive and are detecting even minor anomalies in incoming web traffic, while on the other hand attacks are becoming more automated and traffic intensive. As a result, security operators find themselves sifting through hundreds of thousands of individual alert messages per day, striving to know what the “#@$%” is going on. These slides present our innovative system that groups individual alerts from a web application firewall into attack narratives. They also present real-world cases and show results.
How We Blocked a 650Gb DDoS Attack Over LunchImperva
Recently, our network was hit with one of the largest DDoS attacks the Internet has seen. We’ll describe the technology and peering architecture used to mitigate the attack. Find out how we enjoyed lunch while automatically mitigating an enormous attack with zero downtime.
A survey of 310 IT security professionals taken at the Infosecurity Europe trade show by Imperva. The survey found that when it comes to insider threats, over half (58 percent) of the IT security professionals were deeply concerned about careless users who unwittingly put their organization’s data at risk.
The slideshow lists the results of a survey on the current state of company preparedness for the European General Data Protection Regulation (GDPR). The survey of 170 security professionals was taken at RSA 2017, the world’s largest security conference.
7 Tips to Protect Your Data from Contractors and Privileged VendorsImperva
Contractors, privileged vendors and staff additions can pose cyber security risks to your enterprise. Learn how you can protect your data from third parties: http://bit.ly/2o5jUgr
Time to rethink your phishing strategy? Read about how the low cost of launching a phishing campaign and the high projected return on investment for cybercriminals could affect you: http://bit.ly/2nmdSVm
Learn about the growing cyberattack trends, the biggest obstacles in the security industry and threat intelligence buying motivations: http://bit.ly/1WVmlu3
Combat Payment Card Attacks with WAF and Threat IntelligenceImperva
Learn where you are most vulnerable to credit card fraud, how illegal "carding" and "cashing out" kill chains work and why Web Application Firewalls and threat intelligence are necessary to prevent attacks. Find out how you can be prepared: http://bit.ly/2nZO6rE
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyImperva
Although HTTP/2 promises faster speeds and better performance than its predecessor, its combination of new mechanisms and implementations reintroduces some flaws present in earlier versions. Read more here: http://bit.ly/2nGcpcq
Users and apps pose the biggest risk to your enterprise data with hackers being financially motivated to gain unauthorized access to data. Find out how to prevent major data breaches from internal and external threats: http://bit.ly/2oFImpQ
Combat Today's Threats With A Single Platform For App and Data SecurityImperva
The number one source of data breaches are web app attacks. It doesn't matter where your data resides because cyber criminals and compromised users will find a way to access it. Learn the steps you can take and why you have to protect data where it lives: http://bit.ly/2p3jkgK
The new 2016 Gartner Magic Quadrant for Web Application Firewalls (WAF) is based on detailed responses to questionnaires from experienced Web App Firewall customers. Watch this webinar and hear the experiences of major customers who participated in the Gartner MQ for WAF research and how they implemented web app firewall to protect their applications and critical data.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Welocme to ViralQR, your best QR code generator.ViralQR
Welcome to ViralQR, your best QR code generator available on the market!
At ViralQR, we design static and dynamic QR codes. Our mission is to make business operations easier and customer engagement more powerful through the use of QR technology. Be it a small-scale business or a huge enterprise, our easy-to-use platform provides multiple choices that can be tailored according to your company's branding and marketing strategies.
Our Vision
We are here to make the process of creating QR codes easy and smooth, thus enhancing customer interaction and making business more fluid. We very strongly believe in the ability of QR codes to change the world for businesses in their interaction with customers and are set on making that technology accessible and usable far and wide.
Our Achievements
Ever since its inception, we have successfully served many clients by offering QR codes in their marketing, service delivery, and collection of feedback across various industries. Our platform has been recognized for its ease of use and amazing features, which helped a business to make QR codes.
Our Services
At ViralQR, here is a comprehensive suite of services that caters to your very needs:
Static QR Codes: Create free static QR codes. These QR codes are able to store significant information such as URLs, vCards, plain text, emails and SMS, Wi-Fi credentials, and Bitcoin addresses.
Dynamic QR codes: These also have all the advanced features but are subscription-based. They can directly link to PDF files, images, micro-landing pages, social accounts, review forms, business pages, and applications. In addition, they can be branded with CTAs, frames, patterns, colors, and logos to enhance your branding.
Pricing and Packages
Additionally, there is a 14-day free offer to ViralQR, which is an exceptional opportunity for new users to take a feel of this platform. One can easily subscribe from there and experience the full dynamic of using QR codes. The subscription plans are not only meant for business; they are priced very flexibly so that literally every business could afford to benefit from our service.
Why choose us?
ViralQR will provide services for marketing, advertising, catering, retail, and the like. The QR codes can be posted on fliers, packaging, merchandise, and banners, as well as to substitute for cash and cards in a restaurant or coffee shop. With QR codes integrated into your business, improve customer engagement and streamline operations.
Comprehensive Analytics
Subscribers of ViralQR receive detailed analytics and tracking tools in light of having a view of the core values of QR code performance. Our analytics dashboard shows aggregate views and unique views, as well as detailed information about each impression, including time, device, browser, and estimated location by city and country.
So, thank you for choosing ViralQR; we have an offer of nothing but the best in terms of QR code services to meet business diversity!
Web Application Attack Report (Edition #1 - July 2011)
1. White Paper
Imperva’s
Web Application
Attack Report
Edition #1 - July 2011
2. Imperva’s Web Application Attack Report
Table of Contents
1 Abstract 3
2 Executive Summary 4
Key Findings 4
3 Background 6
4 Analysis Methodology 8
5 Analysis Results 9
5.1 General Observations 9
5.2 More of the Unfab Four 15
6 Recommendations 23
6.1 Technical Recommendations 23
6.2 Nontechnical Recommendations: CEO Checklist 24
7 Authors and Acknowledgements 25
This document contains proprietary and confidential material of Imperva. Any unauthorized reproduction, use or disclosure of
this material, or any part thereof, is strictly prohibited. This document is solely for the use by Imperva employees and authorized
Imperva customers.
2
3. Imperva’s Web Application Attack Report
1 Abstract
As a part of its ongoing Hacker Intelligence Initiative, Imperva’s Application Defense Center (ADC) observed and categorized
attacks across 30 applications as well as onion router (TOR) traffic, monitoring more than 10 million individual attacks targeted at
web applications over a period of six months. The analysis shows:
› Due to automation, web applications, on average, are probed or attacked about 27 times per hour or about once every two
minutes. At the apex of an attack, web applications experience nearly 25,000 attacks per hour or 7 per second.
› Four dominant attack types comprise the vast majority of attacks targeting web applications: Directory Traversal, Cross-Site
Scripting, SQL injection, and Remote File Inclusion.
› The United States is the main source of application attacks. Applications are attacked by infected computers, or bots, with
most located in the US.
We provide a list of technical recommendations for security teams as well as nontechnical ones for corporate executives.
3
4. Imperva’s Web Application Attack Report
2 Executive Summary
Web applications are a primary target for hackers. The recent of spate of high profile breaches, including PBS, Sony, Epsilon and
more, were largely application attacks. Applications have become major targets for a simple reason: they transact and access large
amounts of personal and corporate data that hackers hope to monetize on black markets.
As of July 2011, it is estimated that there are 357,292,065 websites on the internet today.1 Estimates indicate that most applications
had an average 230 vulnerabilities during 2010.2 Assuming just the top 1% of websites drive commerce and require a high degree
of protection, this means they have a total 821,771,600 vulnerabilities in active circulation. But which will be exploited?
To answer this question, Imperva’s Application Defense Center (ADC), as a part of
its ongoing Hacker Intelligence Initiative, studied actual malicious web application Learning from Lulzsec
attack traffic over a period of six months, December 2010 through May 2011. The The Lulzsec attacks took place
ADC monitored and categorized more than 10 million individual attacks across largely during the month of June
the internet, including attacks witnessed via onion router (TOR) traffic as well and our report cut off was May.
as attacks targeting 30 different enterprise and government web applications. Consequently, we didn’t directly
witness any attacks from Lulzsec.
The ADC studied the frequency, type and geography of origin of each attack to
However, it is interesting to note the
help security professionals better prioritize vulnerability remediation and web incredible similarity between our
application security projects based on real hacker activity. observations and the attacks used
by the half-dozen (or so) hacker
Most notably, the ADC found that attack automation is prevailing. Modern botnets
team. As we explained in our blog,
scan and probe the Web seeking to exploit vulnerabilities and extract valuable data,
“Lulzsec was a team of hackers
conduct brute force password attacks3, disseminate spam, distribute malware, focused on breaking applications
and manipulate search engine results. These botnets operate with the same and databases.”4 To achieve this,
comprehensiveness and efficiency used by Google spiders to index websites. As they employed three of the four
the recent Lulzsec episode highlighted, hackers can be effective in small groups. attack methods we describe in this
report: SQL injection, RFI and Cross
Further, automation also means that attacks are equal opportunity offenders; they
Site Scripting.
do not discriminate between well-known and unknown sites or enterprise-level
and non-profit organizations.
Key Findings
The ADC study yielded the following key findings:
1. Automation is prevailing. According to the study,
How many attacks occur?
websites experience an average of 27 attacks per hour
or about once every two minutes. However, 27 attacks 24158 Peak attacks per hour
per hour is only an average. When sites come under
automated attack, the target can experience up to 27 Average number of attacks per hour
25,000 attacks per hour or 7 per second.
Attack traffic during the six month period was characterized by short peaks of high activity followed by longer periods of
lighter activity. During the peaks of activity, attack volume (number of attack vectors in the attack) was quite large, in the
thousands, and attack rate (number of requests per second) was rapid, both common indicators of automated activity.
Additionally, each of the primary attack methods observed was executed in high-volume bursts or waves, also confirming
the existence of automation. The ADC analyzed attacks against Alexa rankings and found that site popularity was not a factor
that helped determine targets. Detecting and stopping automated application attacks will be an essential security skill. In a
world of automated attacks, applications of all sizes are – or will be – targeted.
1
http://news.netcraft.com/archives/2011/07/08/july-2011-web-server-survey.html
2
https://www.whitehatsec.com/home/resource/stats.html
3
http://www.nytimes.com/2010/01/21/technology/21password.html
4
http://blog.imperva.com/2011/06/analyzing-the-lulzsec-attacks-.html 4
5. Imperva’s Web Application Attack Report
2. The Unfab Four: The ADC monitored all web traffic, marking 10 million events as suspicious. Four dominant attack types
comprised the vast majority of attacks targeting web applications: Directory Traversal, Cross-Site Scripting, SQL injection,
and Remote File Inclusion (RFI). Directory Traversal and Cross-Site Scripting were the most widely used attack types, making
up almost 75 percent of all attack traffic. SQL injection was also prominent, making up 23 percent of attack traffic, while RFI
attacks made up 4 percent. Other events were noticed as well but these four comprised the bulk and therefore deserve
intense focus.
Most automated attacks typically consist of two phases, scan and exploit, and most often hackers use these attacks in a
compound fashion. For example, a hacker may use Directory Traversal during a reconnaissance phase of the combined attack
to identify the directory structure of an attacked server before sending an additional effective exploit vector, such as an RFI.
Other web application attack types were observed during the six months, but these were the four most significant. In fact, the
only significant attack type not covered in this document are the coordinated search engine scans which the ADC covered in
a separate report.5
The four main attack types
The four main attack types
3. Most attacks come from within the United States. Over 61 percent of the attacks monitored originated from bots
located in the United States, although conclusions cannot be made regarding from which geography these bots are
controlled. Attacks from China made up almost 10 percent of all attack traffic, followed by attacks originating in Sweden
and France.
Additionally, the ADC found that 29 percent of the attack events originated from the 10 most active attack sources. While
filtering based on geography is far from reliable, sorting traffic based on reputation is viable.
Origin of attacks
Origin of attacks
5
http://www.imperva.com/docs/HI_Search_Engine_Poisoning_SEP.pdf 5
6. Imperva’s Web Application Attack Report
3 Background
In 1989, headlines across the world warned consumers about apples sprayed
with Alar, a pesticide suspected of being a carcinogen. The Alar problem was Advanced Persistent Threat (APT)
even featured on 60 Minutes. Dr. Bruce Ames, then the chairman of UC Berkeley’s and the Conundrum of Geography
biochemistry department, vigorously dismissed the Alar issue, writing “that Much has been written on what
a glass of the suspect Alar-contaminated apple juice posed only 1/10th the comprises APT and who is responsible.
possible carcinogenic hazard of the average peanut butter sandwich and 1/50th This has become very important
that of a mushroom…”9 Dr. Ames went on to itemize a list of dozens of everyday considering the US government’s
products, such as bananas and broccoli, that contained natural carcinogens while recent declaration that cyber attacks
are an act of war and will be met
pinpointing a few chemicals which posed the strongest danger. Consequently,
with kinetic retaliation.6 One of the
the public had a better idea of what to fear. most notable examples of APT was
Today’s software security industry is experiencing something similar. As of China’s suspected attack against Gmail
July 2011, it is estimated that there are 357,292,065 websites on the internet accounts belonging to US government
officials.7
today.10 WhiteHat, who has conducted the most comprehensive research on
vulnerabilities, estimates that most applications had an average 230 vulnerabilities Although IP address is the most
during 2010.11 Assuming just the top 1% of websites drive commerce and common tool for determining
someone’s location, it is unreliable.
require a high degree of protection, this means they have a total 821,771,600
Individual attacker addresses are most
vulnerabilities in active circulation. But which will be exploited? probably masked today using various
Carcinogens and vulnerabilities are a real concern and need to be well proxy services. However, as most
understood. However, like the confused consumer buying apples in 1989, of the attack traffic is attributed to
compromised machines, we were able
anyone worried about security vulnerabilities is easily overwhelmed. In the
to identify that 30% of attacks came
spirit of Dr. Ames, Imperva’s Application Defense Center sought to quantify and from ten identifiable IP addresses.
answer a key question: “What vulnerabilities matter most to attackers?” Instead of This is significant for governments
seeing the world through the application’s eyes, we decided to look at the world hoping to stop cyber crime. Notably,
through the attacker’s eyes. To do so, we deployed several “weather balloons” on the UK government announced an
the internet, where we could observe polluted traffic. In addition, we monitored initiative to stop cyber crime using a
global network of vendors and law
about 30 different web applications during the past 6 months (December 2010-
enforcement. Our research indicates
May 2011). The applications experienced about 10 million individual attacks
that reputation-based services should
during this period. be a key aspect of the initiative. Real-
Web applications are a major target for hackers. This year’s Verizon Data Breach world examples help provide further
report showed that of all successful breaches, 50% were a result of hacking.12 color. Brian Krebs, in describing the
attack against RSA breaches, wrote:8
The recent spate of high profile breaches, including PBS, Sony, Epsilon and more,
were application attacks. Applications have become major targets for a simple …according to interviews with several
reason: they transact and access the data hackers hope to monetize on black security experts who keep a close
eye on these domains, the Web sites
markets. In the past, hacking was about taking a site offline to publicly embarrass
in question weren’t merely one-time
or blackmail the operator. Today, the attack method is much more about “hide
attack staging grounds: They had
and seek”, i.e., take data without detection and sell it. Mature online exchanges earned a reputation as launch pads for
exist that resemble eBay in structure, only their focus is selling personal and the same kind of attacks over at least
corporate data. For example, a few months ago, on a hacker forum, one hacker a 12 month period prior to the RSA
offered to sell full administrative rights to several government, military and breach disclosure.
educational websites for $49913:
6
http://online.wsj.com/article/SB10001424052702304563104576355623135782718.html
7
http://abcnews.go.com/Politics/us-probe-alleged-chinese-hack-senior-officials-gmail/story?id=13744049
8
http://krebsonsecurity.com/2011/05/rsa-among-dozens-of-firms-breached-by-zero-day-attacks/
9
http://www.fortfreedom.org/n16.htm
10
http://news.netcraft.com/archives/2011/07/08/july-2011-web-server-survey.html
11
https://www.whitehatsec.com/home/resource/stats.html
12
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf 6
13
http://blog.imperva.com/2011/01/major-websites-govmiledu-are-hacked-and-up-for-sale.html
7. Imperva’s Web Application Attack Report
So, for the price of an iPad, you could have purchased the ability to control a US Army web site. Earlier this year, a hacker tried to
sell access to dating site eHarmony for $2,000:
Cumulatively, McAfee estimate sizes this market at $1 trillion.14
Another factor making applications attractive is the fact that many organizations haven’t deployed proper defenses. Hackers
prefer the path of least resistance. Although media reports focus attention on large, well-known organizations, the path of least
resistance has made smaller, poorly resourced enterprises prime targets. For example, when the small town of Pittsford, New York,
was hacked and lost $139,000, the town supervisor said, “We have good firewalls and anti-virus software, and we weren’t at all lax
in our security systems. We thought we were pretty secure.”15 This statement helps summarize part of the problem. Today, most
organizations spend security dollars on network firewalls and anti-virus leaving applications ripe for attack. Enterprises spend
nearly $27 billion on security16 with less than $500 million on protecting applications.17
Data, and the applications that transact data, mean that cyber security can’t be separated from business operations. Enterprises
aren’t just setting up firewalls to keep the bad guys out. For this reason, how CEOs must view cyber security has changed
dramatically. In the past, security was the technician’s realm – setting up firewalls and deploying anti-virus. Today, the challenge is
to know where data resides, who touches it, where it moves and how to protect it. This requires business process experts, not just
technicians, to keep the bad guys repelled while keeping the good guys productive. More and more, CEOs are feeling duty bound
to protect data. In a June 2011 article on security, the consultancy McKinsey wrote:
At leading organizations, cybersecurity should be a constant item on the agendas of CEOs and boards. To stay ahead
of the threats, executives must engage in an ongoing dialogue to ensure their strategy continually evolves and makes
the appropriate trade-offs between business opportunity and risks.18
For this reason, in our conclusion, we itemize a list of actions CEOs should take help bolster cyber security.
14
Unsecured Economies Report, http://resources.mcafee.com/content/NAUnsecuredEconomiesReport (registration required).
15
http://krebsonsecurity.com/2011/06/fbi-investigating-cyber-theft-of-139000-from-pittsford-ny/
16
IDC, Worldwide and U.S. Security Services 2011–2015 Forecast and Analysis, May 2011
17
Gartner, Market Share Analysis: Security Software, 20 May 2011.
18
https://www.mckinseyquarterly.com/Meeting_the_cybersecurity_challenge_2821 7
8. Imperva’s Web Application Attack Report
For breached organizations, the cost of a breach is difficult to determine, though we haven’t found anyone who would label
breaches “cheap” or “fun.”19 We can, anecdotally, categorize the cost of a data breach stemming from:
› Loss in shareholder value: For example, Heartland Payment Systems experienced a large data breach in 2009. For nearly two
years, financial analysts watched as large legal payments for damages were settled before the market could feel comfortable
about Heartland’s ability to stabilize revenues.
› Legal costs: Companies can be sued for data breaches. In May 2011, the FTC concluded legal settlements with Ceridian
Corporation and Lookout Services, Inc., which were “part of the FTC’s ongoing efforts to ensure that companies secure the
sensitive consumer information they maintain.”20
› Loss in brand: After the Sony breach, USA Today reported that, “Sony had a mediocre buzz score of 24.3 on YouGov’s
daily consumer perception tracking BrandIndex until the breach dropped its score to a lackluster 7.6 among adults 18
and older.”21
› Notification costs: In many parts of the world, organizations are required to notify everyone if their data records have been
compromised. In the US, for instance, data breach notification requirements could well become federal law.22
› Service outages: In many cases, hacking an application means the online service must be removed until the issue is fixed.
Costs vary greatly on vertical, ranging from thousands of dollars per hour to millions.23 And this doesn’t include the fact that
after a breach, normal development activity freezes. Instead, there is a mad rush dedicated to strengthening defenses which
delays new product development.
4 Analysis Methodology
This security summary report is based on the analysis of Internet traffic to 30 different web applications during the past 6 months
(December 2010-May 2011) as well as TOR traffic. From the raw traffic we extracted some 10 million events of interest which we
analyzed for attack traffic. The observed applications belong to organizations and companies from various industry segments:
e-commerce, online services, web search, banking, communication, entertainment, marketing and technology.
Monitoring of the web applications deployed at these sites over a period of several months produced data that was processed
using automatic tools. In addition, Imperva’s security experts performed detailed analysis of important events and patterns.
The processing of the observed data was based on attributes such as vulnerability signatures that match HTTP properties in the
access traffic and filtering the traffic based on black lists of known malicious sources. We used Imperva’s knowledge-base to sift
through the monitored traffic and find attack-related events. We matched these events against known attacks and known security
vulnerabilities in web applications. The events were categorized based on parameters like the type of attack they were part of, the
identity of the attacker, the identity of the victim and the exploited security vulnerability.
In the next step of the analysis we used statistical tools and data mining methods to look for patterns in the identified web attacks,
like long term trends in specific attacks, combinations of attacks by the same attacker, and coordination between different attack
sources used by a single attacker.
Finally, we extracted insights about global security trends from the data analysis and came up with recommendations for thwarting
new and growing threats and improving web security.
19
A great read on the topic comes from Microsoft: Sex, Lies and Cybercrime Surveys by Dinei Florencio and Cormac Herley.
20
http://www.ftc.gov/opa/2011/05/ceridianlookout.shtm
21
http://www.usatoday.com/tech/gaming/2011-05-09-playstation-reputation-takes-pounding_n.htm?loc=interstitialskip
22
http://www.infosecurity-us.com/view/18750/senators-introduce-national-data-breach-notification-legislation/
23
http://www.zdnet.com/news/the-real-cost-of-application-outages/244421 8
9. Imperva’s Web Application Attack Report
5 Analysis Results
There are four major attack types that were observed with high frequency in the data: SQL Injection, Remote File Inclusion,
Directory Traversal and Cross Site Scripting. We begin our analysis by describing phenomena and trends that are common to all
attack types. After that we dedicate a section to describe phenomena associated with each specific attack type.
5.1 General Observations
5.1.1 - Part I: Attack Automation
Our findings show that automation is prevailing and hackers have become very adept at automating attacks. We can confirm
what the 2011 Verizon Data Breach report noted when they observed that hackers “have created economies of scale by refining
standardized, automated, and highly repeatable attacks directed at smaller, vulnerable, and largely homogenous targets.” However,
27 attacks per hour is only an average. When sites come under automated attack, the target can experience up to 25,000 attacks
per hour or 7 per second. Detecting and stopping automated attacks will be an essential security skill. We analyzed attacks against
Alexa rankings and found that size doesn’t matter. In a world of automated attacks, everyone is – or will be – a target.
Our analysis includes smaller companies whose revenues are less than $500 million per year and experience much lower traffic
than highly-rated Alexa sites. In one forum, a hacker boasted finding 5,012 websites that were vulnerable to SQL injection
(redaction ours):
It is well known that attackers are relying more and more on automated tools to design and implement concentrated and
coordinated attacks on web applications. Figure 11 highlights, for example, that a steady stream of attacks are punctuated by an
intense, focused burst.
9
10. Imperva’s Web Application Attack Report
The following attributes identify an attack in the monitored network traffic as automated:
› Attack volume: the attack is composed of a large number (thousands) of attack vectors.
› Attack rate: attack vectors are sent at a high rate (several requests per second) which is impossible to achieve manually.
› Attack consistency: attack vectors are similar to each other. For example, RFI attack vectors contain the same remote script
URL, or SQLi attack vectors contain similar SQL phrases.
› Attack coordination: Similar attack vectors targeting the same application are sent within a short time period from multiple
sources, indicating that the activity of these hosts is coordinated.
› Violation of HTTP protocol during the attack: Either by design or due to bugs in the automation scripts, some of the
attack vectors are invalid HTTP messages (e.g., the URL or a parameter containing an illegal character). This will never occur
when the client is a regular browser. The monthly rate of HTTP violation in the traffic is shown in Figure 1. A good correlation
between HTTP violations and Directory Traversal attacks during May can be observed in Figure 2.
Figure 1: HTTP violations per month
Figure 2: HTTP violations and Directory Traversal occurrences - May 2011
Based on these criteria, our observations clearly show that RFI, SQLi and DT attacks are indeed mostly implemented using
automatic attack tools.
10
11. Imperva’s Web Application Attack Report
Automated attacks usually consist of two phases: Scan and Exploit. The scan phase finds potential vulnerable candidates to attack,
and the following exploit phase takes advantage of the detected vulnerabilities.
Scanning may be done in several ways:
› Vertical scanning: After selecting a specific target application, the attack tool is traversing it to find all the URLs and
parameter it uses. It tries to attack every parameter with a malicious vector. This is often done with a cracked version of
legitimate commercial penetration testing tools.
› Horizontal scanning: The attack tool has a database of searchable indicators of known applications with vulnerabilities
(known as Google dorks). This database is built from various sources, including public forums in which security experts publish
weaknesses they found in popular applications. By querying regular search engines with these indicators and analyzing the
returned results the attack tool scans the internet looking for deployed vulnerable applications.
› Opportunistic scanning: Some tools skip the scanning phase entirely and attack the application with a set of known
vulnerabilities of popular web applications, regardless of their existence in the application itself.
An attack tool usually contains a pool of means to exploit found vulnerabilities for the attack’s purpose: retrieval or modification
of data, denying service from the application, etc. For example, in an RFI attack the tool uses a pool of URLs of scripts, while in an
SQLi attack the tool can use a set of predefined SQL snippets intended to retrieve the contents of sensitive database tables (like
tables of account names and passwords).
Figure 3: Dork scanner for SQL Inection attacks
5.1.2 - Part II: The Unfab Four
The relative volume of traffic associated with the investigated attack types is shown in Figure 4. Cross Site Scripting (XSS) and
Directory Traversal (DT) are the most prevalent attack types, while there were fewer attack events related to Remote File Inclusion
(RFI) and SQL Injection (SQLi).
Figure 4: Relative traffic-volume per attack type
11
12. Imperva’s Web Application Attack Report
The following table summarizes the statistical attributes of the attacks. We defined an activity peak as a period in which the
activity is larger than the average activity by at least one standard deviation. The attack traffic has short periods of activity peaks
punctuated with long periods of low activity, so we measured the average activity with the peaks and used the median of the
number of attacks as an estimate of the activity without the peaks (since it is less sensitive to outliers):
Maximum Median Average Standard Deviation
SQLi 2705 10 48 158
RFI 7072 4 17 165
DT 8233 25 63 241
XSS 6148 28 63 209
Table 1: Hourly attack activity statistics
Maximum Median Average Standard Deviation
SQLi 21734 553 982 2021
RFI 7092 79 190 583
DT 28773 1024 1493 2503
XSS 18259 862 1440 2011
Table 2: Daily attack activity statistics
5.1.3 - Part III: Geographic Dispersion
Even though the identity of the host that initiated an attack is not necessarily indicative of the identity of the attacker that controls
it, we have investigated the geographic distribution of the attack-initiating hosts as determined by their IP addresses.24 For all
attack types the attackers were spread around the world but most of the attacks (both in absolute numbers and counting the
distinct hosts initiating the attacks) were from the United States. A significant portion of SQL Injection attacks we observed coming
from a relatively small number of Chinese hosts (see Figure 3). The leading source countries were rather consistent across all attack
types. The average ratio of attacks to attacking hosts is about 10:1 for RFI, 25:1 for SQL injection and 40:1 for DT. (Note: Cross-site
scripting is not included in this chart as the geographic location of these attacks cannot be determined).
RFI SQLi DT
Country Attacks Country Attacks Country Attacks
USA 20918 USA 91606 USA 189474
United Kingdom 1897 China 47800 Sweden 13535
Netherlands 1879 Sweden 8789 France 9417
France 1253 Indonesia 3604 Netherlands 8320
Republic of Korea 1070 United Kingdom 3419 Germany 7656
Germany 1030 Netherlands 2793 United Kingdom 6692
Sweden 1012 Ukraine 2489 European Union 4159
Brazil 506 Republic of Korea 2374 Canada 3492
Russian Federation 490 Romania 2136 Republic of Korea 2838
European Union 460 Germany 1263 China 2507
Table 3: Countries from which most attacks were initiated
24
To properly understand the statistical significance of geographic traffic, these figures should be normalized by the overall traffic from these
countries or the total number of host IPs in each country. We did not do this normalization. 12
13. Imperva’s Web Application Attack Report
Figure 5: Remote File Inclusion - number of attacks from each country
Figure 6: SQL injection – number of attacks from each country
Figure 7: Directory Traversal - number of attacks from each country
13
14. Imperva’s Web Application Attack Report
RFI SQL injection DT
Country Attackers Country Attackers Country Attackers
USA 714 USA 20424 USA 5169
Germany 96 China 575 United Kingdom 733
Republic of Korea 93 United Kingdom 322 Germany 398
France 73 Canada 193 France 311
European Union 62 Russian Federation 105 European Union 264
Netherlands 61 Indonesia 105 Netherlands 214
United Kingdom 61 European Union 90 Australia 178
Italy 54 India 58 Canada 170
Russian Federation 42 Republic of Korea 56 China 149
Canada 36 Germany 53 Russian Federation 131
Table 4: Countries with the most distinct attackers
Figure 8: Remote File Inclusion - number of distinct attackers per country
Figure 9: SQL Injection - number of distinct attackers per country
14
15. Imperva’s Web Application Attack Report
Figure 10: Directory Traversal - number of distinct attackers per country
5.2 More of the Unfab Four
SQL Injection (SQLi) is an attack that exploits a security vulnerability occurring in the database layer of an
application (like queries). Using SQL injection the attacker can extract or manipulate the web application’s data.
The attack is viable when user input is either incorrectly filtered for string literal escape characters embedded in SQL
statements or user input is not strongly typed and thereby unexpectedly executed.
The monthly number of SQLi attacks is shown in Figure 11. There were 15000-53000 SQLi attacks each month on the observed
sites (27,000 attacks per month on average). Our data shows a general long-term decrease in the number of monthly attacks, but
we are still unable to explain this observation. We intend to check this trend in the following months.
Figure 11: SQLi attacks per month
We have also seen that a large portion of SQLi attacks (24%) show up as bursts of high-frequency attack attempts during short time
periods – typically up to a thousand attempts in less than an hour. Between these attack peaks, the average number of SQLi attacks
is low (10 per minute). Figure 12 shows this by zooming into the occurrences of SQLi attacks during March 2011. From the high
attack frequency (2705 per hour or 45 per second), we can conclude that the attack bursts are generated by automatic attack tools.
15
16. Imperva’s Web Application Attack Report
Figure 12: SQLi attack peaks
In a particular attack during a one hour period on March 5th, a few source hosts targeted the same web application with the same
type of payload. This attack was on a set of related application URLs. The attack’s payload was a variation on SQL waitfor delay.
Because of the repetitions of the same payload, we concluded that in this case the attacker intention was Denial of Service (DoS),
by tying-up the application’s database and shutting down the site.25
Remote File Inclusion (RFI) is an attack that allows an attacker to include a remote file, usually through a script,
on the web server. This attack can lead to data theft or manipulation, malicious code execution on the web server,
or malicious code execution on the application’s client side (such as Javascript which can lead to other attacks).This
vulnerability occurs due to the use of user-supplied input without proper validation.
The monthly occurrence of RFI attacks is summarized in Figure 13. There were 2300-13500 RFI attacks each month on the observed
sites (5200 attacks per month on average). We don’t have a firm conclusion about the long-term trend in RFI occurrences. We
intend to keep monitoring this in the following months.
Figure 13: RFI attacks per month
25
See: http://stackoverflow.com/questions/2023854/defending-against-a-waitfor-delay-sql-injection-attack 16
17. Imperva’s Web Application Attack Report
We have seen that a large portion of RFI attacks (41%) show up as bursts of high-frequency attack attempts during short time
periods – typically up to a 35 attempts per minutes or about 1 attack every two seconds. Between these attack peaks, the average
number of RFI attacks is low (4 per minute). This behavior can be observed, for example, by zooming into the occurrences of RFI
during January and March of 2011 (Figure 14, showing a single massive attack during January, and Figure 15 showing several
attack peaks during March). Judging by the rapid attack rate, the attack bursts are generated by automatic attack tools (see section
Error! Reference source not found.). We concluded that RFI attacks in particular are almost exclusively done by automatic tools:
hackers build automatic scripts that collect potential victims, prepare a pool of malicious scripts for exploitation, and try to inject
the script into the victim’s web application using a database of known RFI vulnerabilities. This process can be done without human
intervention.
Figure 14: RFI attack peaks – January 2011
Figure 15: RFI attack peaks - March 2011
Remote File Inclusion is used by an attacker to execute malicious code on vulnerable web servers, usually as a first step towards
taking over that server. Once the code is injected and executed on the server, the attacker can control the web application and
its interaction with the users. Furthermore, the attacker may escalate the penetration into the web server (for example, using
misconfigured files permissions) in order to use it for purposes like attacking other hosts.
17
18. Imperva’s Web Application Attack Report
In an RFI attack the attacker specifies a URL of a malicious script as a parameter in legitimate calls to the application’s code,
counting on the application to load and execute it without validation. We collected more than 800 different URLs that were used
as parameters in RFI attempts. We investigated more than 150 unique injected scripts that these URLs reference. These scripts
were variations on 10-15 basic scripts that were slightly modified by various hacker groups. They were usually written in the PHP
scripting language, since RFI vulnerabilities are typical to applications using PHP. A few of the scripts, however, were written in the
Perl language. There are various functionalities that the scripts provide:
› 85% of the scripts are just vulnerability probes. They test the attacker’s ability to execute code by including a distinctive
message in the application’s output. These scripts are short (less the 4Kbytes) and there are multiple copies of each one that
the attackers use interchangeably to avoid detection or overload in their hosting computers.
› 10% of the scripts are more sophisticated and open a control channel back to the attacker. This IRC-based channel enables the
attacker to remotely control actions performed by the scripts, like extracting information from the host, scanning the injected
host for other security vulnerabilities and exploiting the discovered vulnerabilities. Additionally, they enable the attacker to use
the host as a platform for attacking other sites, as part of a botnet. Scripts of this type are usually 4-90Kbytes long.
› The remaining 5% of the scripts are similar in attack potential to the previous category, but they also inject HTML pages
into the legitimate application. This lets the attacker control the injected script using a hidden Web UI that the application
unknowingly exposes instead of through IRC commands. The piggybacked attack-UI remains online while the vulnerable
web application is online. Scripts of this type are naturally longer, up to 200Kbytes.
Figure 16: Web UI of a malicious script injected via RFI vulnerability
18
19. Imperva’s Web Application Attack Report
The usual method for identifying RFI attacks is by matching HTTP requests against signatures of known vulnerabilities of common
web applications that may be vulnerable to RFI. A signature-based attack detection mechanism works well for protecting popular
applications with enough mileage that their security weaknesses were investigated and published. However, attackers may
succeed in bypassing signature-based defenses by exploiting newly discovered vulnerabilities in web applications (especially
in new versions of them) or exploiting vulnerabilities in custom code. We have compared this detection method against other
mechanisms for detecting RFI attacks:
› Matching HTTP requests with signatures for URLs of known remotely-included malicious files (which are passed in the HTTP
request of an RFI attack)
› Using black lists of RFI-initiating hosts.
These detection mechanisms are less application-specific, so they can be updated whenever an attack is detected in any set of sites
and then be rapidly published for protecting all the other sites. We note that this protection approach fits the modern model of RFI
attacks in which the same set of hosts acting as a centrally-controlled botnet attacks a large set of potential victims, and uses a shared
pool of malicious scripts in the RFI attacks they initiate. Initial results of this community-based detection and protection approach
show that it caught a large number of RFI attacks that were not identified using only vulnerability-related signatures.
Figure 17: Detected RFI attacks over time - using vulnerability signatures (RFI) and scripts-URLs signatures (RFI param)
Directory Traversal (DT) is an attack that orders an application to access a file that is not intended to be accessible
and expose its content to the attacker. The attack exploits insufficient security validation or insufficient sanitization
of user-supplied input file names, so that characters representing “traverse to parent directory” are passed through to
the file APIs.
The monthly occurrence of Directory Traversal attacks is summarized in Figure 18. There were 29000-73000 DT attacks each month on
the observed sites (42000 attacks per month on average). The number of monthly occurrences of DT attacks is generally increasing.
The average number of hourly DT attacks (63 per minute) is high relative to the other attacks.
19
20. Imperva’s Web Application Attack Report
Figure 18: Directory Traversal attacks per month
Directory Traversal is a prevalent attack that is traditionally used to expose the contents of sensitive files on the attacked web server to
the attacker. For example, a common DT attack attempts to extract the user’s passwords from the system file in which they are stored.
Our observation is that in addition to this traditional notion of DT, this attack is also used together with other attack types. Directory
Traversal is used by attackers during a reconnaissance phase of the combined attack to identify the directory structure of an attacked
server before sending an additional effective exploit vector.
Significant changes in the volume of Directory Traversal attacks are less common than in other attack types. However, when DT is
used in conjunction with other attack types like RFI, the attack burst includes both DT reconnaissance attempts and the RFI exploit
attempts, as can be seen from the DT occurrences during March.
Figure 19: Directory Traversal and RFI attacks during March
20
21. Imperva’s Web Application Attack Report
Cross Site Scripting (XSS) is an attack that lets the attacker execute scripts in a victim’s browser to hijack user
sessions and steal his credentials, deface web sites, insert hostile content, redirect users, hijack the user’s browser
using malware, etc. XSS flaws occur when an application includes user supplied data in a page sent to the browser
without properly validating or escaping that content.
The monthly volume of traffic related to Cross Site Scripting is summarized in Figure 20. Cross Site Scripting is targeted at web
users rather than servers. It is used to attack the application’s client executing malicious browser code in the context of the trusted
application, potentially abusing the trust between the user and the application and vice versa. The traffic we have been able to
monitor represents the attacker’s set up (see below) and not the traffic of victimized clients.
According to the data, the amount of XSS traffic is growing.
Figure 20: Cross Site Scripting traffic per month
There are several flavors of XSS attacks. An interesting variant of XSS injects specially crafted links to XSS-vulnerable sites into the
results returned by search engines for popular queries. A user that issues such a query and selects one of the injected results is
unknowingly redirected to a site controlled by the attacker (see our report that we cited earlier). This is a sophisticated attack that
requires detailed preparations by the attacker. Apparently, the benefits are well worth the effort, since this attack has been going
on continuously for at least 18 months.
Figure 21: Cross Site Scripting traffic - March
21
22. Imperva’s Web Application Attack Report
We have observed waves of Search-Engine Poisoning (SEP) XSS traffic during the past 6 months, as seen in Figure 22.26 This traffic
is generated by automatic crawlers of search engines that pick up the maliciously-crafted links on the Internet. This occurrence
pattern shows that periodically (approximately once a month) maliciously-crafted links are followed by the search engine’s crawlers
into XSS-vulnerable sites. This periodicity is due to a combination of the scan cycle of the search engine and the spreading of new
malicious links on the internet by the attacker.
Figure 22: Search Engine Optimization XSS traffic
Figure 23 shows the distribution of search engine crawlers that we have observed following the maliciously-crafted XSS links.
According to this comparison, Yahoo is the most susceptible to SEP-related XSS, while Google apparently filters most of these links.
Figure 23: Search engine crawlers following XSS links
26
http://www.imperva.com/docs/HI_Search_Engine_Poisoning_SEP.pdf 22
23. Imperva’s Web Application Attack Report
6 Recommendations
6.1 Technical Recommendations
1. Deploy security solutions that deter automated attacks.
Automation is a key arsenal in a hacker’s toolset. Trying to mitigate their attacks manually is like bringing a knife to a gun fight.
It’s impossible to manually handle attacks incoming at a rate of few events per second.
Automation mitigation should be applied with care, since some web automation tools (such as search engine crawlers) are
considered to be good and even crucial for the web application’s functionality. This also means detecting protocol anomalies
even if they are not considered malicious is essential. It can be the first sign of automated attack. Some of the attacks’ scanning
is vertical across the entire web application. Therefore, it’s important to detect in real time reoccurring violation of the security
policy from the same sources.
2. Detect known vulnerabilities attacks
The security organization needs to be aware of known vulnerabilities and have an up-to-date list to know what can and will
be exploited by attackers. We hope that this report will help with the prioritization process.
Even if your application isn’t vulnerable to the attack an early detection of malicious scans can assist in mitigating unknown
“0 days” vectors included in the scan as demonstrated by the RFI signatures.
3. Acquire intelligence on malicious sources and apply it in real time.
Having advanced knowledge on malicious sources that is integrated into your security solution – can help you stop them at
the gate of your web application. For example, from our sampling, even knowing the top ten malicious sources for RFI can
help you mitigate up to 40% percent of the malicious traffic seeking to exploit this vulnerability.
4. Participate in a security community and share data on attacks.
Some of the attacks’ scanning is horizontal across similar applications on the internet. Having a community that shares data
would be beneficial for the early detection of automation and blocking of attacks.
5. Detect automated attacks early.
It is very important and beneficial to detect automation attacks as a whole and not only treat it in a per request context. Quickly
identifying thousands of individual attacks as one attack allows you to prioritize your resources (such as security analysts,
complicated attack detection mechanisms, etc.) more efficiently. Furthermore, detecting the sources of an automated attack
as malicious can help in the detection of previously unknown attack vectors (e.g., “0 days”) included in the attack.
To summarize, automated attack detection requires collecting data, combining it and then analyzing it automatically in
order to extract relevant information and apply security countermeasures. Gathering the required data requires monitoring
protocol anomalies even if they are not malicious or if the web application is not vulnerable. Combining this data with
intelligence gathered on known malicious sources will help enlarge the knowledge base for identifying attacks and selecting
appropriate attack mitigation tools.
23
24. Imperva’s Web Application Attack Report
6.2 Nontechnical Recommendations: CEO Checklist
The McKinsey Quarterly recently investigated cyber security, saying “Eliminating threats is impossible, so protecting against them
without disrupting business innovation and growth is a top management issue.”27 Our technical recommendations won’t amount
to anything if CEOs (or the equivalent) does not take responsibility to protect data.
1. Assume you’re a target and have already been compromised. Consider yourself a target if you have an application.
Consider yourself an even more attractive target if you hold sensitive information with value for hackers, governments,
employees or competitors. Producing a full inventory of what is attractive and how it can be abused by external or internal
threats will be sobering.
2. Make data security a strategic priority. For example, and admittedly at the top end of the spectrum, a major finance
company that is a frequent target of cyber attacks, codified an approach to security saying, “We’re not a bank, we’re a security
company that does banking.” This may seem extreme. However, would any of the recently breached organizations wished
they’d have adopted such an attitude before the hack?
3. Give security a seat at the table. Organize the company for security. To enhance security’s authority and stature, some
firms have security reporting to the CEO or the board of directors. Another firm decided to put cyber security in into every
technology decision and reversed conventional wisdom by having IT report into security, instead of vice versa.
4. Work with law enforcement. Companies have worked with the FBI and state departments to help pinpoint hackers,
even overseas, to ensure that the weeds don’t grow back. The NSA has even put together a program called “Perfect Citizen”
designed to aggregate information about cyber attacks and help private organizations improve their security posture. What
may seem like a minor cyber attack could be part of a larger criminal effort that only law enforcement can recognize. In 2010,
law enforcement took down the servers disseminating spam – dropping spam levels by 30% overnight.
5. Embrace data security regulations. The credit card industry, for instance, regulated itself and created the payment card
industry data security standard (PCI-DSS). It’s working. PCI forced companies transacting credit cards to implement the basic
elements of data security. And something has proved better than nothing: a Ponemon survey on the topic from 2011 showed
that companies complying with PCI were twice as likely to avoid breaches as noncompliant firms.
6. Put the right technology in place. By design, this is last on the list. Without having pursued the above steps technology
can’t help. In today’s world, this does not mean “we have updated our anti-virus and put in place a network firewall.” Rather,
it means “we have identified all sensitive data and have put in place technology with the audit and protection capabilities
required to safeguard that data.”
27
https://www.mckinseyquarterly.com/Meeting_the_cybersecurity_challenge_2821 24