According to our 2018 Application Protection Report, the most common initial breach target over the past year was the web application, at 53 percent of initial targets. Application-related attacks also accounted for the largest share (47 percent) of the associated breach costs. Specific web attacks come and go, but the number one web application threat stays the same: injection. Typically that means SQL injection against the database behind the application, but we have also been seeing code injection attacks against login pages.
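To make the login-page injection concrete, here is an added example (not code from the report or from F5): a login check written the vulnerable way, by concatenating the submitted username into the SQL, next to the same check with bound parameters. The in-memory SQLite table, the user `alice`, and the attacker string are all constructed for the example; the SHA-256 hash stands in for whatever password hashing the real application does.

```python
import hashlib
import sqlite3

def hash_pw(password):
    # Illustrative only: a real login store uses a slow, salted hash (bcrypt, scrypt, Argon2).
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    """Constructed in-memory user table so the example runs offline (not a real dataset)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hash_pw("correct horse battery staple")))
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string concatenation, so the username field is
    interpreted as SQL. This is the injection pattern the report describes."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password_hash = '" + hash_pw(password) + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password):
    """Same check with bound parameters: the driver passes the username as data,
    so quotes and comment markers inside it cannot change the statement."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, hash_pw(password)),
    ).fetchone()
    return row[0] if row else None

# Attacker-controlled username (constructed): closes the string literal, then "--"
# comments out the rest of the line, including the password check.
ATTACK_USERNAME = "alice' --"

def demo():
    """Run both login functions with a legitimate login and with the injected username."""
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse battery staple"),
        "attack_vulnerable": login_vulnerable(conn, ATTACK_USERNAME, "anything"),
        "attack_parameterized": login_parameterized(conn, ATTACK_USERNAME, "anything"),
        "legit_parameterized": login_parameterized(conn, "alice", "correct horse battery staple"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Against the concatenated query the injected username logs in as `alice` without knowing any password; against the parameterized query the same input is just a username that does not exist. A WAF can catch common injection strings in transit, but the parameterized query is the fix that removes the bug itself.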
The second most common way into an organization is through compromised identities (33 percent of initial breach targets). Phishing remains a huge problem, but we are now also seeing sustained credential stuffing campaigns. In credential stuffing, attackers take the hundreds of millions of usernames and passwords exposed in previous breaches and replay them against the login pages of other web applications. It works because 75 percent of Internet users reuse their passwords.
Compromised credentials account for another 24 percent of breach costs. Add that to the costs associated with web application attacks and over 70 percent of breach costs come from just two threat vectors: web application attacks and compromised identities. Many conventional security teams are still looking in the wrong places, such as network-level attacks, while the attackers have already found the real weak spots.
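Credential stuffing, as described above, has a recognizable shape in login logs: one source trying many different usernames, a small number of attempts per username, and a success rate far below what real users produce. The following added example (not code from the report or from F5) runs that detection logic over constructed sample log lines. The log format, the thresholds, and the three source addresses are assumptions for the example; real thresholds should be tuned against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log, not real traffic. One event per line:
# "<ISO timestamp> <source ip> <username> <OK|FAIL>"
# 203.0.113.7: a different leaked username every second, one hit out of twelve (stuffing).
STUFFING = [f"2018-07-01T10:00:{i:02d} 203.0.113.7 user{i:02d} FAIL" for i in range(12)]
STUFFING[7] = "2018-07-01T10:00:07 203.0.113.7 user07 OK"
# 198.51.100.5: a real user mistyping their password twice, then succeeding.
TYPO = [
    "2018-07-01T10:01:00 198.51.100.5 alice FAIL",
    "2018-07-01T10:01:05 198.51.100.5 alice FAIL",
    "2018-07-01T10:01:12 198.51.100.5 alice OK",
]
# 192.0.2.9: single-account brute force (many tries, one username), a different pattern
# that this rule deliberately does not flag.
BRUTE = [f"2018-07-01T10:02:{i:02d} 192.0.2.9 bob FAIL" for i in range(12)]
SAMPLE_LOG = STUFFING + TYPO + BRUTE

def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_attempts=10, min_users=5, max_success_rate=0.2):
    """Flag source IPs whose attempts within any `window` look like stuffing:
    at least `min_attempts` logins spread over at least `min_users` distinct
    usernames, with a success rate at or below `max_success_rate`.
    The thresholds are illustrative assumptions, not recommended values."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, ok = parse_line(line)
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start so events[start:end+1] spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            if len(span) < min_attempts:
                continue
            users = {user for _, user, _ in span}
            if len(users) < min_users:
                continue
            rate = sum(1 for _, _, ok in span if ok) / len(span)
            if rate <= max_success_rate:
                # Keep the most recent window that tripped the rule for this source.
                flagged[ip] = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "success_rate": rate,
                    "first": span[0][0],
                    "last": span[-1][0],
                }
    return flagged

if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

Only `203.0.113.7` trips the rule. The typo user has too few attempts, and the brute-force source hits a single username, which is a different attack with its own rule (per-account lockout or rate limiting). In production the same logic would key on more than the source IP, since stuffing tools rotate through proxies, and would feed the flagged sources into a WAF or bot-defense block list.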
Our top three recommendations for a modern defense strategy are:
1. Shift your focus to the primary target: applications. Too much attention goes to blocking ports and segmenting networks. Those controls have their value, but as the 2018 Application Protection Report shows, attackers are reaching the data through the applications. Our survey respondents identified the Web Application Firewall as their primary tool for defending applications.
2. Prevent the user mistakes that lead to massive data extraction. Broaden the use of two-factor authentication, especially for key personnel such as administrators, and if possible extend it to all employees. Reduce the threat surface with proper access control, so that a single stolen credential cannot reach more than its owner needs.
3. Since we live in an assume-breach world, get your visibility in order. Decrypt application traffic entering your data centers, and user traffic leaving headquarters, so that it can be fed to your security inspection stack. There is a legion of intrusion detection, prevention, and forensic tools available today, but they are blind to anything they see only in encrypted form.