Infosec 2013

Infosec 2013: Research shows value in crowd-sourced threat intelligence

Warwick Ashford

Businesses can reduce risk by sharing information on attacks targeting multiple sources, research reveals.

Analysis of real-world attack traffic against 60 web applications in the first quarter of 2013 shows that a lot of the attack traffic is generated by a small group of attack sources for all application layer attacks.

The research indicates that identifying a “noisy” attack source – an attacker, payload or tool that repeatedly attacks – is important.

Sharing this information would enable organisations to identify and block common attacks, reducing the risk of successful attacks, according to the latest Hacker Intelligence Initiative report from Imperva.

These key attack sources can be identified only by analysing crowd-sourced attack data from a broader community, according to the report launched at Infosecurity Europe 2013 in London.

Block sources of multi-target attacks

The research shows that multiple-target SQL injection attack sources accounted for nearly six times their share of the population.

Questions to ask a security supplier

  • Do you have a community defence programme?
  • Do you collect information on attack sources and methods?
  • How do you ensure information is safe and does not include sensitive data?
  • Is the protection of the data certified in some way?
  • Are you able to analyse that information in an automated way?
  • Are you able to redistribute results in an automated way?
  • Is this capability streamed into the product as a feature?
  • Is the quality of the data analysis backed by a publishing research group?

“In other words, by identifying and blocking the sources of multiple-target SQL injection attacks, which are just 3% of IP addresses associated with attacks, businesses would be able to block 17% of SQL injection attacks,” said Amichai Shulman, CTO of Imperva.

Similarly, by blocking just 13% of attacks, organisations could block more than half of comment spam attacks, he told Computer Weekly.

“Our report shows that businesses can greatly reduce the number of successful attacks by blocking attack sources that are known to target multiple sites or applications,” said Shulman.

The same value can be achieved by sharing information on attack vectors, the research shows. Some 31% of attack vectors used against multiple target applications accounted for 80% of attack traffic.

“By identifying attack vectors in the early stages and sharing this information, we can easily detect and remove 80% of malicious traffic,” said Shulman.

Because a single attack source tends to be used for multiple attack types over time, by identifying an active attack source and blocking, businesses will protect themselves not only against a single attack, but several other attacks in future, he said.

Businesses can greatly reduce the number of successful attacks by blocking attack sources that are known to target multiple sites or applications

Amichai Shulman, Imperva

Share security intelligence

According to Shulman, the research data highlights the need for early identification of these types of attack sources and payloads across a community of web applications, and underlines value in organisations sharing share this information.

Sharing security information is a hot topic, he said. Historically in the application security space there has been no way to share that information effectively, but technology has evolved to the point where it is possible.

US and UK authorities are encouraging information sharing, and Imperva’s research demonstrates the value, said Shulman.

“In combination, these should make it easier for organisations to participate in information sharing programmes in future,” he said.

It is now up to organisations to choose security suppliers that are capable of gathering information across a community, analysing it in an automated way, and distributing actionable intelligence quickly (see panel).

In the anti-malware industry, organisations can take part in a programme where they can share every suspicious sample with their security provider.

“A similar approach needs to be applied to other domains such as web applications,” said Shulman, who believes Imperva is well-positioned to be among the first to provide it.


Image: Thinkstock


 

COMMENTS powered by Disqus  //  Commenting policy