The OWASP Automated Threat Handbook provides meaningful insight into the application breach techniques hackers use most frequently. Most security vendors want you to believe that your applications are under constant compromise, yet in reality hackers are not necessarily looking only for bugs or misconfigurations; more often they look for ways to misuse valid functionality of the application to breach your network. Even Verizon’s Data Breach study states “With so many credential lists available for sale or already in the wild, why should criminals actually earn his/her keep through SQL injection when simple login will suffice”. The most common exploitation is what OWASP calls automated application attacks.
OWASP believes that there needs to be more visibility into threat events targeting web applications using automated actions. These attacks can vary in scale, timing, duration, and frequency. The most frequently used automated attacks are:
With tools such as Sentry MBA readily available to hackers, credential stuffing is one of the most popular attack vectors, given its simplicity. Sentry MBA automates the process of testing millions or tens of millions of username/password combinations to see which ones work. Below are the findings of a study conducted by Shape Security analyzing automated application attacks.
Unfortunately, many organizations do not have the budget or possibly the skill set in-house to manage yet another appliance to solve this issue. Many CSOs have mentioned that over the last three years, their organizations have purchased too many tools and are now looking to consolidate those solutions. One VP of Security from a large software company mentioned that she has 87 people in her organization yet they have 89 tools to manage which according to her was untenable.
Organizations looking for a holistic approach to application security need to not only identify vulnerabilities in web applications and APIs but also protect against the most sought-after attack vector – automated attacks.
Gartner postulates that there are two ways to defend against automated attacks: deflection and detection. Deflection methods use polymorphism technology to create an environment for the hacker that does not really exist: by serving up a website that looks different each time, they make automated attacks extremely difficult to execute. A detection methodology instead analyzes abnormal behavior. According to Gartner, the three areas that need to be analyzed are endpoint behavior, navigation, and user behavior. Although the two methods are complementary, deflection technology requires a significant amount of full-time resources, expertise in identifying the attacks and a seven-figure budget. Conversely, a detection methodology, if offered as a service, provides full management of the operation by subject matter experts at a fraction of the cost.
Find out if your website can be attacked with automated attacks with AppTrana Free Website Security Scan.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and had held various mgmt/leadership roles in Product Development, Professional Services, and Sales @Entrust.