Cybercrime automation demands new response and new skills

Security researchers have revealed that websites are attacked once every two minutes on average, which shows that cyber criminals are increasingly using automated attacks.

Security researchers have revealed that websites are attacked about 27 times an hour, or once every two minutes, on average, but what does this mean for IT security teams within businesses?

According to the latest Web Application Attack Report by security firm Imperva, this shows that cyber criminals are increasingly using automated attacks launched from captured "botnet" computers.

This conclusion is reinforced by the fact that attack traffic during the six-month period from December last year to May this year was characterised by short peaks of high activity followed by longer periods of lighter activity.

The study looked at attacks against the top 30 web applications based on more than 10 million individual attacks.

High rate of automated cyber attacks

During the peaks, the number of attack vectors was in the thousands, the attack rate was as high as seven per second, and each of the primary attack methods observed was executed in high-volume bursts or waves, all confirming the use of automation.

"The level of automation in cyber attacks continues to shock us. The sheer volume of attacks that can be carried out in such a short period of time is almost unimaginable to most businesses," said Amichai Shulman, lead researcher and chief technology officer at Imperva.

The way hackers have exploited automation is one of the most significant innovations in criminal history, he said.

"You can't automate car theft or purse stealing, but you can automate data theft. Automation will be the driver that makes cyber crime exceed physical crime in terms of financial impact," Shulman said.

Websites of all sizes must be protected

Perhaps the most important thing for IT security teams to note is that the researchers analysed attacks against website rankings and found that site popularity was not a factor that determined targets.

Detecting and stopping automated application attacks will be an essential security skill, because in a world of automated attacks, applications of all sizes will be targeted, said the research report.

The research finding that hackers have become adept at automating attacks confirms the finding of the 2011 Verizon Data Breach report, which noted that hackers have created economies of scale by refining standardised, automated and highly repeatable attacks directed at smaller, vulnerable and largely homogenous targets.

This trend demands a new focus and approach from IT security professionals, who should monitor and analyse attack data to extract relevant information and apply security countermeasures.

Gathering the required data means monitoring protocol anomalies, even if these are not malicious or the web application is not vulnerable, said the Imperva researchers. Combining this data with intelligence gathered on known malicious sources will help enlarge the knowledge base for identifying attacks and selecting appropriate attack mitigation tools.

The Imperva research team recommended that IT professionals should ensure their organisations deploy controls that deter automated attacks, because having the capacity to quickly identify thousands of individual attacks as a single attack helps prioritise resources more efficiently and can help detect "zero-day" or previously unknown attack methods included in an attack.
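One way to treat thousands of individual alerts as a single attack and to fold in intelligence on known malicious sources, shown as an added example that is not code from Imperva or the report. The alert tuple format, the 30-second gap threshold, the minimum burst size and the reputation list are assumptions, and all sample data is constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed reputation list (documentation-range addresses, not real indicators).
KNOWN_BAD = {"203.0.113.7", "198.51.100.22"}

def group_into_campaigns(events, known_bad=KNOWN_BAD,
                         max_gap=timedelta(seconds=30), min_events=5):
    """Cluster (timestamp, source_ip, attack_type) alerts into bursts.
    A new burst starts when the gap since the previous alert exceeds max_gap.
    Bursts smaller than min_events are returned as noise, not campaigns.
    """
    bursts, current = [], []
    for ev in sorted(events, key=lambda e: e[0]):
        if current and ev[0] - current[-1][0] > max_gap:
            bursts.append(current)
            current = []
        current.append(ev)
    if current:
        bursts.append(current)
    campaigns, noise = [], []
    for b in bursts:
        if len(b) < min_events:
            noise.extend(b)
            continue
        sources = {ip for _, ip, _ in b}
        per_second = Counter(ts.replace(microsecond=0) for ts, _, _ in b)
        campaigns.append({
            "start": b[0][0], "end": b[-1][0], "alerts": len(b),
            "sources": len(sources),
            "known_bad_sources": sorted(sources & known_bad),
            "types": dict(Counter(kind for _, _, kind in b)),
            "peak_per_second": max(per_second.values()),
        })
    return campaigns, noise

def sample_events():
    """Constructed alerts: two bursts separated by a quiet period."""
    t0 = datetime(2012, 1, 1, 12, 0, 0)
    ips = ["203.0.113.7", "192.0.2.10", "192.0.2.11", "198.51.100.22"]
    ev = [(t0 + timedelta(milliseconds=250 * i), ips[i % 4], "sqli") for i in range(40)]
    ev.append((t0 + timedelta(minutes=5), "192.0.2.99", "protocol_anomaly"))
    t1 = t0 + timedelta(minutes=10)
    ev += [(t1 + timedelta(milliseconds=143 * i), ips[i % 2], "rfi") for i in range(21)]
    return ev

if __name__ == "__main__":
    for c in group_into_campaigns(sample_events())[0]:
        print(c)
```

The 62 constructed alerts reduce to two campaign records plus one isolated anomaly, so an analyst triages two items instead of dozens.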

Make data security a top priority

IT security professionals need to be aware of known vulnerabilities and have an up-to-date list to know what can and will be exploited by attackers, according to the researchers. They should acquire intelligence on malicious sources and apply it in real time, and they should take part in a security community and share data on attacks.

In general, the researchers said IT security teams should assume their organisation is a target and has already been compromised, but the most attractive targets are those organisations that hold sensitive information with value for hackers, governments, employees or competitors.

Shulman said businesses need to make data security a strategic priority and give security a seat at the table. "Some firms have security reporting to the CEO or the board of directors, others have put cybersecurity into every technology decision and reversed conventional wisdom by having IT report into security, instead of vice versa," he said.

Tips for optimising data security

Shulman said organisations should work with law enforcement to help pinpoint hackers, even overseas. "What may seem like a minor cyber attack could be part of a larger criminal effort that only law enforcement can recognise," he said.

And organisations should embrace rather than resent data security regulations, according to Shulman. A 2011 Ponemon survey showed that companies complying with payment card industry data security standards (PCI DSS), for example, were twice as likely to avoid breaches as non-compliant firms.

Finally, organisations should ensure that they put the right technology in place. "The CEO should ask if the organisation has identified all sensitive data and put in place technology with the audit and protection capabilities required to safeguard that data," said Shulman.

He noted that organisations still tend to spend the bulk of their IT security budgets on network firewalls and anti-virus protection, while leaving applications ripe for attack.

The essential question is whether an organisation's web applications could withstand 25,000 attacks a minute, or seven per second, which was the peak measured by Imperva's research team. If not, then it is time to take action.
