The Data Breach Investigations Report 2015 (DBIR), released a few weeks ago by Verizon, is the result of a very large analysis, representing 61 countries and describing almost 80K security incidents.
It comes as a surprise to no one that web application attacks are an important topic in this report, and the figures coming out of it are very interesting.
Our main focus at VAADATA is web application security, so we extracted the web app related information from this report and gathered it in this article.
Warning: The figures that follow relate to data breaches only, so they do not provide a full overview of web application attacks. Other risks like brand damage or business continuity are not discussed here.
A first very interesting fact concerns strategic web attacks: a strategic web attack can be considered as the first step in an overall cyber attack, where the attacker uses the website as a means to serve up malware, hoping that the final target will be infected and the next steps of the attack can proceed.
This means that the website is not necessarily the target, but a secondary victim.
Statistics tell us that there is a secondary victim in 70% of the attacks where the motive for the attack is known.
The role of web app attacks
4.1% of security incidents are the result of a web application attack. When it comes to incidents with confirmed data breaches, the proportion jumps to 9.4%.
Conclusion: web app attacks are still quite effective!
Another conclusion of the report, still in terms of incident classification patterns, is that the proportion of web app attacks remains quite stable over time.
Web application attacks and threat actors
Looking at threat actors, we can see that 61% of data breaches performed by activists (for political or ideological reasons) are carried out through web app attacks.
The figure is 22% for those performed by “unaffiliated” attackers, 20% for organized crime and 3% for state-affiliated actors.
In 2014, organized crime became the most frequently seen threat actor behind web application attacks. Not surprisingly, the primary motive for attacking is financial gain.
Victims of web application attacks
The classification per victim industry is also interesting, and tells us that 35% of data disclosures affecting the information industry are performed through web app attacks. The figures for the other industries are:
- Financial services: 31%
- Administrative: 18%
- Educational: 9%
- Healthcare: 9%
- Other services: 8%
- Entertainment: 7%
- Public: 6%
- Retail: 5%
- Professional: 4%
- Manufacturing: 1%
- Accommodation: 1%
Main types of attacks on web applications
To look at something more technical, the hacking actions seen within web application attacks can be split into the following categories (an incident can involve several actions, so the figures add up to more than 100%):
- Use of stolen credentials: 50.7%
- Use of backdoor or C2 (command & control): 40.5%
- SQL injections: 19%
- Remote File Inclusions (RFI): 8.3%
- Abuse of functionality: 8.3%
- Brute force: 6.8%
- XSS: 6.3%
- Path traversal: 3.4%
- Forced browsing: 2%
- OS commanding: 1.5%
We gathered all these figures into an infographic, to make them more “visual”. Feel free to share!
Get the full report from Verizon: http://www.verizonenterprise.com/DBIR/2015/