"Community Defense" For a Safer Internet

May 03, 2013

Posted in: Network Security Trends

Early identification of attacks across a community of Web applications can significantly improve the effectiveness of application security, according to the latest Imperva Hacker Intelligence Initiative report.

The report, "Get What You Give: The Value of Shared Threat Intelligence," analyzed real-world attack traffic against 60 web applications between January and March 2013 to identify common attack patterns.

Attackers hitting multiple targets were responsible for a disproportionate amount of attack traffic: SQL attackers in this group generated nearly six times their share of the population, accounting for 17 percent of all attacks, while spam attackers generated four times their share of the population, amounting to 56 percent of all incidents, according to the report.

The report also found that threats aimed at a broad industry sector were usually more impactful than those aimed at a specific organization. Mark Kraynak, Director of Product Marketing at Imperva, told Security Bistro that attacker motivation usually dictates the outcome, and that spells bad news for certain high-value industries.

"Financial services is unlucky enough to be a choice for those motivated both politically and financially. On the political front, critical infrastructure and governments are obvious additional targets," Kraynak said. "On the financial front, though, the targeting tends to be broader. When you take into account that a large number of DDoS attacks are financially motivated, virtually any organization that relies on its online presence makes a 'good' target for DDoS extortion."

But Kraynak argues that these threats can be mitigated through information sharing and threat "crowd sourcing."

The security community has long understood the benefits of intelligence sharing. With a new version of the Cyber Intelligence Sharing and Protection Act (CISPA) passing the House of Representatives last week, the concept of shared threat intelligence -- and how to do it without compromising user privacy -- has been vaulted back into the spotlight.

The Imperva report found that recognizing attack behavior, and quickly disseminating that analysis, can go a long way toward mitigating future incidents.

"Tools which behave in an automated manner may signify a reconnaissance attack where the hacker is testing a vulnerable application. Recognition of a reconnaissance attack allows quick identification of similar vectors targeting other applications and allows for blacklisting of the suspicious source IPs – before they actually start to attack," said the report.

The report found that security cooperation between organizations that suffer from multiple targeted Web attacks "can create a 'network effect' in which all members of the cooperating community can benefit by exchanging security and threat information." Along with a more cooperative approach, Kraynak said there are additional steps organizations can take to improve intelligence.

"The primary vector for this sort of attack is the web site or online application. Many organizations mistakenly rely on their existing network and endpoint security solutions which were never built to protect against modern application threats," Kraynak said. "So, for most organizations, investing in dedicated application security solutions is the fastest route to an improved security posture."

Kraynak believes that limited information sharing can create a safer Internet without impinging on individuals’ civil liberties.

"The main criticism leveled against CISPA is that it would seem to allow indiscriminate data sharing," said Kraynak. "[Our] research has shown that sharing a limited set of data on activity that is considered malicious by the sharing organization, as opposed to any and all data about a given set of users, can dramatically improve the overall defense posture of the community."

That "community defense" concept of cooperative threat intelligence sharing is one that Kraynak maintains will pay big dividends for organizations that choose to participate.

"The anti-spam community has had great success reducing the threats from unsolicited email via techniques very similar to what Imperva is announcing today. The difference is that they are focused on the specific problem of malicious email. What’s needed for a successful community defense approach is the context and specificity of the solution [...] a specific focus on protecting the most common vector of attack: the web application," said Kraynak.
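The report's point about blacklisting sources already seen probing other applications can be sketched in a few lines. This is an added example, not code from the article or the Imperva report; the sample reports, member names, and the `min_members` threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample reports: (time, reporting member, source IP, attack type).
# Members share only activity they already judged malicious, not user data.
REPORTS = [
    ("2013-02-01T10:00", "app-a", "198.51.100.7", "sqli"),
    ("2013-02-01T10:05", "app-b", "198.51.100.7", "sqli"),
    ("2013-02-01T11:00", "app-c", "198.51.100.7", "sqli"),
    ("2013-02-01T11:30", "app-d", "198.51.100.7", "sqli"),
    ("2013-02-01T10:10", "app-a", "203.0.113.9", "spam"),
    ("2013-02-01T12:00", "app-a", "203.0.113.9", "spam"),
    ("2013-02-02T09:00", "app-c", "192.0.2.44", "sqli"),
]

def community_blocklist(reports, min_members=2):
    """Replay reports in time order and list a source once `min_members`
    distinct members have reported it (threshold is an assumption).

    Returns (listed_at, preventable): when each source entered the shared
    list, and the later reports a subscriber could have blocked outright.
    """
    seen_by = defaultdict(set)   # source IP -> members that reported it
    listed_at = {}               # source IP -> time it entered the list
    preventable = []             # reports that arrived after listing
    for ts, member, src, kind in sorted(reports):  # ISO times sort as text
        if src in listed_at:
            preventable.append((member, src, kind))
            continue
        seen_by[src].add(member)
        if len(seen_by[src]) >= min_members:
            listed_at[src] = datetime.fromisoformat(ts)
    return listed_at, preventable

if __name__ == "__main__":
    listed, prevented = community_blocklist(REPORTS)
    for src, when in listed.items():
        print(f"{src} listed at {when:%Y-%m-%d %H:%M}")
    for member, src, kind in prevented:
        print(f"{member}: {kind} from {src} arrived after listing")
```

The source that only ever hits one member is never listed, so the shared list stays limited to multi-target activity.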
