Cyber-criminals have embraced automated tools to expand the number of targets and to exploit multiple attack vectors.
The average large business sees 27 attacks per minute hitting its Website.
Attackers can use automation technologies to generate up to seven attacks per
second, or 25,000 attacks per hour.
Security firm Imperva uncovered these figures after analyzing more than 10
million Web application attacks that targeted Websites belonging to 30 large
businesses and government agencies between January 2011 and May 2011, according
to the report released July 25. The Web
Application Attack Report
(WAR) also analyzed anonymized traffic.
Cyber-criminals are increasingly using automation and botnets to carry out
their attacks, the report found. IT departments aren't the only ones that rely on automated tools to speed up
operations, after all. The way criminals are automating their attacks is
"one of the most significant innovations in criminal history," Rob
Rachwald, director of security strategy at Imperva
in a blog post.
"You can't automate car theft or purse snatching-but you can automate
data theft," Rachwald wrote, predicting that cyber-crime will soon exceed
physical crime in terms of financial impact as more attackers rely on
While some of the attacks called for highly complex programs, many were
launched by relatively simple scripts, the researchers found. Attackers could
point the single script at a large number of targets to launch simultaneous
attacks or to attack several sites in sequence. Many of the scripts are readily
available with instructions on how to use them on various sites online.
Many of the scripts are also based on the Metasploit penetration testing
platform, a legitimate security testing tool often used by cyber-criminals to
uncover security holes, Imperva found. The tool comes with hundreds of
automated exploits and malware payloads that attackers can use.
Attackers are likely to combine several techniques instead of relying on a
single attack method, Imperva's researchers discovered. Directory traversal, a
method used to identify what files are on the system and to access those files
that weren't intended to be publicly accessible, may be used during the
"reconnaissance phase" before launching an exploit, such as a
remote-file-include (RFI), Imperva wrote in its report.
Directory traversal was the most prevalent Web attack according to Imperva's
analysis, accounting for 37 percent of the attacks. Another 36 percent of the
attacks were cross-site scripting, followed by SQL injection, at 23 percent.
With the exception of directory traversal, the most prevalent attacks against
Web applications Imperva identified also showed up on the list of top
25 Web vulnerabilities
released by the SANS Institute
Attackers often employed those techniques in combination, whether to steal
data, surreptitiously install malware on servers, or simply create a denial of
service. "For example, a hacker may use directory traversal during a
reconnaissance phase of the combined attack to identify the directory structure
of an attacked server before sending an additional effective exploit vector,
such as an RFI," according to the report.
Even though Imperva didn't analyze any of the attacks perpetrated by
cyber-prankster group LulzSec and hacker collective Anonymous, the researchers
said their findings mirrored the groups' focus on stealing data by attacking
the Web application. "The battlefield has shifted to applications and
databases and away from network firewalls and anti-virus," Rachwald wrote.
More than 61 percent of attacks originated from botnets with zombies in the
United States, Imperva found. The other countries named in the report were
China, at 9 percent, Sweden with 4 percent and France with 2 percent. However,
it is "increasingly difficult" to trace attacks to specific entities
or organizations despite figuring out the country of origin, Rachwald said. Not
being able to trace the attacks makes it difficult to shut down cyber-criminal
gangs or identify potential acts of war, according to Rachwald.
And not being able to identify perpetrators
behind specific cyber-incidents
is one of the reasons it would be difficult
for the Department of Defense to react to cyber-attacks
as an act of war
Imperva predicted that government-sponsored cyber-attacks against critical
infrastructure will become more sophisticated as attackers expand on techniques
already being used by attackers against commercial targets.