Companies’ front doors on the Internet, their Web applications, are attacked almost 120 days of the year on average, and attackers are more likely to pound on the door than pick the lock or quietly knock, according to an analysis of attack data published by business security firm Imperva on Aug. 7.
The company’s semi-annual Web Application Attack Report found that malicious hackers tended to group attacks together against the same targets. While remote and local file-inclusion attacks continued to dominate the total number of malicious requests detected by Imperva’s clients, the story changed when the company grouped events together into collective “incidents.”
By looking for such sustained attacks—defined as a series of 30 or more malicious requests in a five-minute period—Imperva found that SQL injection stood out with each application encountering 35 incidents per year, compared with 16 incidents per year for remote file-inclusion attacks and 12 for cross-site scripting attacks.
“It made us realize that attackers operate in ‘bursty’ modes,” said Amichai Shulman, co-founder and chief technology officer for Imperva. “They don’t try to slowly attack an application with a small footprint. They choose their targets and then go after them.”
The lesson is that companies should not plan for the average attack rate but for the occasional prolonged onslaught, he said. While the median attack lasted less than eight minutes, many lasted longer.
“For the longest incident, you had more than an hour of constant streaming of many attacks per second,” Shulman said. “And that is what your equipment, your security solutions and your security procedures should be able to deal with.”
In the past, the company had focused on the total number of malicious requests sent to the typical Web application. In its latest report, however, Imperva’s researchers grouped the hundreds or thousands of requests that targeted the same application within a short time span into a single incident, arguing that this view gets to the heart of the problem for defenders.
“In practice, the number of individual requests is usually less meaningful for the security manager, as the effort involved with mitigating the attack incident, or persisting campaign, is mostly unrelated to the total number of requests it contains,” the report stated in an updated discussion of the researchers’ methods.
Grouping incidents further into “battle days,” days on which at least one attack occurred, showed that companies can expect an application to be attacked on one-third of the days in a year. The days on which attacks happened did little to help predict when the next attack might come, according to the analysis.
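As an added example (not code from Imperva or the report), the grouping rule described above applied to constructed log events: a dense run of 30 or more malicious requests within five minutes opens an incident, slow probing does not, and incidents are then rolled up into battle days. How an incident is extended past its first window is this example’s assumption, since the article does not say.

```python
"""Group malicious Web requests into incidents and battle days (added example,
not Imperva's code). Rule from the article: an incident is 30 or more malicious
requests in a five-minute period; extending it while consecutive requests stay
under five minutes apart is an assumption, as the report does not say."""
from collections import Counter
from datetime import datetime, timedelta

INCIDENT_MIN_REQUESTS = 30
INCIDENT_WINDOW = timedelta(minutes=5)


def make_burst(start, attack_type, count, spacing_s):
    """Constructed (datetime, attack_type) events at a fixed spacing."""
    return [(start + timedelta(seconds=k * spacing_s), attack_type) for k in range(count)]


def sample_events():
    """Constructed traffic, not real data: two dense bursts, two slow patterns."""
    d = datetime(2012, 6, 1, 10, 0, 0)
    events = make_burst(d, "sqli", 40, 2)                          # 40 in 78 s
    events += make_burst(d + timedelta(hours=3), "rfi", 5, 1800)   # 1 per 30 min
    events += make_burst(d + timedelta(days=1), "xss", 35, 60)     # 6 per 5 min
    events += make_burst(d + timedelta(days=2, hours=4), "sqli", 800, 5)  # 66 min
    return sorted(events)


def group_incidents(events):
    """Return incidents as dicts; `events` must be sorted by time."""
    incidents, i, n = [], 0, len(events)
    while i < n:
        j = i  # count requests inside the window opening at events[i]
        while j < n and events[j][0] - events[i][0] <= INCIDENT_WINDOW:
            j += 1
        if j - i < INCIDENT_MIN_REQUESTS:
            i += 1  # not dense enough here; slide forward one request
            continue
        end = j  # dense enough: extend while requests keep arriving
        while end < n and events[end][0] - events[end - 1][0] <= INCIDENT_WINDOW:
            end += 1
        run = events[i:end]
        incidents.append({"start": run[0][0], "end": run[-1][0], "requests": len(run),
                          "type": Counter(t for _, t in run).most_common(1)[0][0]})
        i = end
    return incidents


def summarize(events):
    """Contrast raw request counts with incidents and battle days."""
    inc = group_incidents(events)
    return {"requests": len(events), "incidents": len(inc),
            "by_type": dict(Counter(x["type"] for x in inc)),
            "battle_days": len({x["start"].date() for x in inc}),
            "longest_minutes": max([(x["end"] - x["start"]).total_seconds() / 60 for x in inc], default=0)}
```

On the sample, 880 malicious requests collapse to two incidents on two battle days, which is the gap between request counts and incident counts that the report draws attention to.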
The location of the apparent source of most attacks also came as a surprise. Past reports fingered servers in the United States, Western Europe, China and Brazil as the most likely jumping-off point for an attack. Imperva’s latest report, however, found that most SQL-injection attack incidents came from servers in France.
Shulman acknowledged, however, that there was no satisfactory explanation for the apparent source of the attacks.
“A large part of the data set that we have is from Web applications based in Europe, so it makes sense for an attacker to use European servers,” he said.