Basic Web Application Attacks

Does this make my infrastructure look big?

In Basic Web Application Attacks (BWAA), we are largely focusing on attacks that directly target an organization's most exposed infrastructure, such as Web servers. These incidents leverage one or the other of two entry points, the Use of stolen credentials or Exploiting a vulnerability. 

Hopefully, Figure 54 demonstrates the importance of proper password protection since over 80% of the breaches in this pattern can be attributed to stolen credentials. Figure 55 reveals the larger trends in terms of using stolen credentials vs exploiting vulnerabilities. There’s been an almost 30% increase in stolen credentials since 2017, cementing it as one of the most tried-and-true methods to gain access to an organization for the last four years. 

Figure 55 clearly displays how the vast majority of incidents involving Web applications are using stolen credentials. There is a sprinkling of other vectors in Figure 56, such as Backdoors (useful after you have a foothold), Remote injection (how malware gets on the system after an exploited vulnerability) and, of course, Desktop sharing software.

Mail servers under attack

With regard to what is being targeted, Figure 59 captures the high prevalence of Web applications (which seems obvious based on the title of the section) but also of Mail servers, which represented less than 20% of the total breaches in this pattern. Of those Mail servers, 80% were compromised with stolen credentials and 30% were compromised using some form of exploit. While this 30% may not seem like an extremely high number, the targeting of mail servers using exploits has increased dramatically since last year, when it accounted for only 3% of the breaches.

Basic != not useful

One might be forgiven for assuming that these types of attacks would largely be the work of enterprising criminals spraying the internet looking for weak credentials. However, it seems that Nation-state actors have also been leveraging this low-cost, high-pay-off strategy with over 20% of our BWAA breaches being attributed to Espionage. If the front door has a weak lock there is no reason to develop a complicated polymorphic backdoor with a fast flux network of C2 servers.

Misconfiguring the situation

While most patterns have changed over the years, one constant has been people making mistakes. In 2015, most mistakes were the Misdelivery of Media assets (Documents) while Misconfiguration accounted for less than 10% of breaches.  This year, however, Misconfiguration and Misdelivery have converged. 

The rise of the Misconfiguration error began in 2018 and was largely driven by cloud data store implementations that were stood up without appropriate access controls. Many security researchers made a name for themselves by finding these exposed databases on the internet. Despite the efforts of the major cloud providers to make the default configurations more secure (which we applaud), these errors persist.

These days Misdelivery data breaches are frequently electronic in nature and consist of email going to the wrong recipients, although physical Documents do remain a problem to some degree. 

The data types involved in these breaches are still overwhelmingly of the Personal variety. Medical and Banking information are occasionally involved, but they are not the norm. The data tends to be from customers, and it is also the customers who are notifying the breached organizations in a high number of cases. However, Security researchers are still the stars of this Discovery show (although their percentage is down from last year). 

Heavy traffic ahead

Welcome to the Denial of Service pattern—one that is perhaps all too familiar to many of you, as it continues to be the top type of incident in our dataset. This pattern consists of those annoying attacks where botnets or compromised servers are leveraged in order to send junk data to target computers with the hopes of denying that service by creating a “traffic jam in the pipes.” 

These types of irksome incidents aren’t isolated to any one industry. As Figure 63 demonstrates there are a wide range of companies from Information Services, Professional Services, Manufacturing and Government (which happens to cover many of the industries we write about). 

However, while they may be ubiquitous within industries, it does not mean that organizations in these industries are perpetually bombarded with DoS attacks. We found that the median Denial of Service attack lasted less than four hours (Figure 65) and that the vast majority of organizations that are monitored for these attacks experience less than 10 attacks a year. If, on the other hand, you’re one of those unlucky 1% of companies that experience over 1,000 DDoS attacks a year, you’re already aware of this and most likely have a service to help you manage the traffic. 

My, how big your DDoS have gotten

We first became acquainted with DDoS in the 2013 DBIR and it has since become a regular topic of discussion. It is interesting to look back and see how things have changed over the years. For 2013 era DDoS, the median attack was clocking in around 422 Mbps, with a very small number hitting the 100Gbps mark. By 2016, the median value was 1.1 Gbps (doubling from three years prior) and today the median is around 1.3 Gbps.

We can also see how DDoS has become narrowly centered. From 2013, through 2016, and on to 2021, DDoS has become tightly clustered around the median. We speculate²¹ that back in 2013, DDoS attacks were ad hoc, whereas today’s DDoS infrastructure is far more formalized and repeatable.

Losing it

In last year’s report, we mentioned that for security incidents (not confirmed breaches), assets were far more likely to be lost by employees than stolen by someone who does not work for the organization. However, when looking at breaches, we see the opposite is true. 

Stolen assets are more likely to be the causes of cases where we can confirm that data compromise occurred. Still, this is a pattern where most (approximately 90%) of the cases are classified as “security incidents” rather than “breaches,” because confirming that the data was compromised is difficult based on the assets stolen. 

We found it interesting that, despite the pandemic and the resulting lessening of travel, the Lost and Stolen Assets remained a common pattern in our dataset. It shows that if you entrust portable devices to employees, a certain percentage of them will either misplace their devices or leave them somewhere that they are vulnerable to theft. Leaving items in personal vehicles is a recurring theme in the data. People may just do it closer to home than before.

Figure 69 shows the devices most often lost or stolen. User devices (including desktops, laptops and mobile phones) are most frequently the type of item that is either lost or stolen. However, Documents still account for a good percentage of these breaches. This occurs most often in the Public Administration and Healthcare industries, which goes some way towards explaining the prevalence of Medical data compromised in these incidents. The government (of almost any country) administers large programs that manage health related data, as of course, do the members of the Healthcare industry. Industries that handle Protected Health Information (PHI) tend to have higher regulatory requirements for reporting breaches, and therefore we have better visibility into these events as well.

Organic free range data

Mobile data is something that appears only sparingly in our data, which seems ironic considering who we are. Unfortunately (or fortunately), mobile phones hover around 1% or less in our breach dataset with the associated causes being somewhat random. This is likely due to bias in the data; when a phone is used to phish creds, it’s likely the email server that gets reported, not the device used to access it. When we see breaches involving malware on mobile phones, it is not uncommon for the malware to be there to collect data. And if that’s your goal, it helps to be quiet and not get caught, especially considering the difficulty it takes to get on the devices in the first place. 

However, when we look at sensor data, we get a clearer view of the role mobile plays in the security ecosystem. Figure 70 gives an idea of the threats that mobile phones see. 

Only 42% of devices avoided blocking access to any URL while 84% of devices avoided an unwanted app. However that means the other 58% of devices had at least one malicious URL clicked and 16% of devices had at least one malware or riskware app installed. While that may not sound like a lot, a quick look at your Mobile Device Management console (or a company headcount) will tell you those numbers can add up rapidly.

And it’s not just texts tempting the telephonic users. Phone honeypot data reveals that 5% of honeypots get at least one call a day, and we’re about 90% sure the honeypots don’t need to refinance their student loans or even own a car with an extended warranty (they prefer leasing). Figure 71 gives an idea about the content of those calls. About a third of them have little to no audio or are silent which sounds to us like vishing (voice phishing) for live numbers. 

Another 29% are known scams (with 7% of the 29% known to be targeting businesses specifically) and the rest being other stuff or simply unknown.

Thankfully it’s not as if the targeting of mobile devices is a big surprise to the security community. Sandboxed OSs and high prices for vulnerabilities suggests mobile security inherited a lot of hard-fought lessons learned from personal computers (PC ) and so security has been incorporated into mobile devices from the get-go.

We point out in the Social Engineering pattern that 82% of breaches involve the human element; something the silicon isn’t going to be mitigating. Eighteen percent of clicked phishing emails come from a mobile device. Admittedly, we can’t say if more or less folks click on mobile vs PC since no-one’s phone is narc’ing on them. Still, since almost a fifth of phishing successes came from mobile devices, that should be good enough confirmation that it needs to be within your security estate.

Part of the problem is trying to get users to improve their security behavior. One such approach is providing access to key security information and knowledge quizzes within reach of their thumbs in the form of a mobile app. For one such security dashboard app, 66% of users who accepted the terms and conditions, never interacted with the dashboard. Of those that did, 99% interacted more than once, but as you can see in Figure 72, the median interaction time was 15 seconds. Still, about half of folks came back after minutes, hours, or even months.

Making information available to the user about their specific security risks is the first step in the journey to changing behavior. The next is helping the user envision the impact of those risks on themselves. Finally, you need to give users the means to improve, which is where training comes in.²⁴ It may feel like throwing spaghetti at the wall to see what sticks, but sometimes that’s what is required to make it better.

The Best Laid Plans of Mice and Men

We get it. You’ve honed your hiring processes to a fine edge. You’re well prepared to ensure that you onboard only the most qualified people to join your organization. And yet, things somehow go wrong despite your best efforts. Privilege Misuse is the pattern where people use the legitimate access granted to them as employees to steal data. They use the legitimate access granted to them as employees to steal data. Often, they act alone, but they sometimes act in concert with others. Either way, you have a data breach and must deal with the fallout.

It's Not That Easy

Far and away the most common Action in this pattern is Privilege abuse. However, Data mishandling also shows up, albeit to a much lesser degree, and is typically associated with the motive of Convenience. Sometimes people do unsafe things to get around a security control designed to protect the data from exposure. While some controls may make it harder for people to get their jobs done, it is important to pair these controls with education to at least let people know the “why” behind the process. Regardless, offering a less laborious process that remains secure would be something to consider if your organization repeatedly suffers this kind of event. 

In this pattern the threat actor already has access to perform their day-to-day duties, therefore, we do not see Credentials as the data type affected. Instead, Personal data (whether of customers, employees, or even partners) is of the highest interest to those looking to capitalize on their access. 

Medical data is still taken in 22% of breaches in this pattern. When you realize that the most common industry represented in this pattern is Healthcare, that makes sense. In fact, Healthcare has had an ongoing problem with internal actors accessing their data without a valid reason for a long time. And while it is no longer in the top tier of the patterns in Healthcare, it should not be discounted as a solved problem.

²¹ Read “guess”

²² Well, not sounds sounds. Well… You get the picture.

²³ Yes, we spelled out ‘PC’. Look, we both know what a PC is, but the kids these days, with their mobile phones and metaverses. Who knows?! 

²⁴ And if you’re wondering about how, check out the “Changing Behavior” Appendix!