“Appandemic” sounds a bit like “appendectomy.” From a societal standpoint, it’s almost as alarming — if not more so — as the surgical procedure is from a personal standpoint. Because in the midst of the global pandemic we’ve all experienced over the past year and a half, web applications have experienced their own version of a massive breach to their immune systems. Unfortunately for web-application security, there is no miraculous universal vaccine for these breaches.
Over the years, the Verizon Data Breach Investigations Report (VDBIR) has highlighted similar concerns within the application-security ecosystem.
In 2018, Databases were the preferred attack vector, with web applications ranking fourth. But over the next 3 years up to now, we’ve seen a troubling trend in which web applications have shot up the rankings as the preferred method of entry. In 2019, they hovered around 30% compared to other vectors. In 2020, it tripled to nearly 90%, no doubt due in large part to the seismic cultural shift to working remotely and conducting more business online. This year’s VDBIR shows that number is sitting at about the same level today — around 90%.
What else does this year’s report have to say about the state of web-application security as the world begins its road to recovery, with more people getting vaccinated, heading back into offices, and going out and about again? Let’s take a look at 3 symptoms of the web appandemic highlighted in the 2021 VDBIR.
Symptom #1: Web apps processing payments
Attackers usually have to take a number of steps to gain access to a web application when they use a System Intrusion pattern. While they typically deploy malware or ransomware, the increasing share of Magecart-style attacks — those targeting payment card data — within the System Intrusion pattern is concerning.
This year’s report identifies that, within the specific System Intrusion attack pattern, 60% of web servers targeted were found to be sporting shiny new malware to capture information. How many of those incidents involved payment-card data?
It’s clear that attackers will keep coming for card data, forever and always.
- A vuln is exploited.
- Stolen credentials are used to gain access.
- Attackers modify code as they see fit.
- Card data is captured and quickly used or sold off.
When an incident is detected, companies can notify customers, who can then easily shut their card down and get their hands on a new one. But that’s also money and reputation lost for companies supposedly protecting those customers. It tends to leave a sour taste in a customer’s mouth, especially if it happens multiple times. Adaptable compliance solutions from Rapid7 are supported by strong institutional knowledge of what it takes to meet regulatory standards across the Payment Card Industry (PCI), no matter the region, which can help protect your customers’ card data and maintain your brand’s reputation.
65% is a big number when it comes to the likelihood that, in a given malware incident, the specific target is payment-card data. However, there is reason to be optimistic when it comes to PCI incidents: Over the past few years, attackers have specifically targeted card data less.
*Source: Verizon Data Breach Investigations Report
While promising, that doesn’t mean you should let your defenses down. If anything, now is the time to commit to even more stringent security measures, as those previously mentioned Magecart attacks — targeting PCI in web applications — begin to pull even with overall malware intrusions targeting that same PCI.
Symptom #2: Baddies being basic
In this situation, being basic is a good thing from the baddies’ perspective. This year's report found that baddies — aka attackers — are increasingly disclosing web-application data via a small number of steps. These are known as Basic Web Application Attack (BWAA) patterns, and they are easy for baddies to replicate in quick volume.
According to the report, attackers “are very focused on direct objectives, which include gaining access to email and web-application data.”
These rapid attacks can have maximum impact and create immediate chaos. Within a BWAA, sub-patterns exist that see attackers looking for easy credential grabs. This low-hanging fruit usually means they’re trying to compromise applications or mail servers through:
- Using stolen credentials. This might not be happening for the first time. Attackers could be exploiting the unwillingness of many organizations to engage in regular cybersecurity hygiene to gain access to a system using stolen credentials.
- Brute-force attacks. According to this year’s report, brute-force attacks were attempted between 637 and 3.3 billion times against 95% of companies analyzed in the report’s SIEM dataset. We can all thank the evil bots and worms out there tirelessly looking for these vulns.
- Exploiting vulnerabilities. While not as prevalent as using stolen credentials and going brute force, vulnerability exploitation still ranked as the third-most popular method of attacking web applications. More on that in the next section.
*Source: Verizon Data Breach Investigations Report
Of note: 96% of compromised mail servers were based in the cloud.
So, you know, cloud security is important. That’s why DivvyCloud by Rapid7 provides unified visibility and monitoring for your cloud environments, especially when your application infrastructure sits mostly, or exclusively, in the cloud.
Symptom #3: Weaponizing vulnerabilities
Whether it’s happened to you and your team before or not, watching the development and/or security team’s work be invaded, exploited, and weaponized is heartbreaking. According to this year's report, even though attackers are still gaining access via stolen credentials, it is definitely happening less often than web-application vulnerability exploitation.
In both instances however, attackers are more frequently focused on getting in and gaining quick leverage. Via a small number of steps, their intention might be to repurpose your app for malware distribution. Before you know it, they’re in and out with precious customer data, leaving you with lots of explaining to do.
From a solution standpoint, Rapid7 helps organizations hunt vulnerabilities by testing applications to find and remediate vulnerabilities. With powerful Runtime Application Self-Protection (RASP) capabilities, you can automatically apply protection against those attacks.
Application security: We all deserve access
Is there reason to be optimistic that we could be trending away from the current web appandemic, even with these symptoms? Much like the way the number of COVID-19 vaccinations is headed in the right direction in some parts of the world yet staying the same in other areas, it — as always — depends.
Deeper-pocketed and more-established security organizations have the ability to mount more defenses against attacks, quickly remediate incidents, and even spend big to institute a culture of offensive tactics that can ruin an attacker's day. But solutions like InsightAppSec from Rapid7 can help organizations of all sizes scale with ease, regardless of application portfolio size.
According to this year's report, small companies have pulled closer to their larger counterparts when bearing the brunt of web-application breaches and are losing ground in the time it takes to discover those breaches. Plus, depending on how many partners or outside contractors a smaller company has — or where that company sits in a larger and more-established partner’s supply chain — it’s in the interest of the industry at large to see that application-security equity spreads far and wide, lest breaches of every stripe proliferate the web appandemic beyond the ability of anyone to control.