Keep your enemy closer

1 June, 2019

The majority of break-in attempts by hackers are fully automated, and the defense against most of them is surprisingly simple.


The Setup

Unlike robbing a bank, hacking into an online bank is not a one-time activity. After a physical robbery there are typically three options for the bank robber: a) run away with the money, b) go to jail or c) get shot. Online bank robbers, on the other hand, are active day and night. Well, to be precise, most hackers (backed by organized crime) are active during regular working hours, and there is typically much less activity during the night, at weekends and even during the holiday seasons. There are several established hacker profiles describing who these people are. However, tracing an attack to someone specific is close to impossible. We are more interested in what these people do, and just like with physical bank robberies it is relatively straightforward to monitor what they actually do.

This is precisely what we did to figure out what people who try to break into Codific web systems actually do. We installed Codific Secure Patrol on all our production servers and monitored all activity for the past 6 months. Codific Secure Patrol is a web-application firewall that automatically detects and blocks suspicious activity. For the sake of our experiment we ran Secure Patrol with the rebuff feature turned off; the rebuff feature blocks any subsequent hacking attempts once a hacker has been detected.


The Numbers


Over 1000 break-in attempts per day

Our servers were bombarded with over 1000 attacks per day on average.

The number of attacks on Codific software systems was shocking. On average, the most heavily attacked servers were hit about 1000 times per day. In the remainder of this blog we zoom into some of the details behind the numbers.

[Figure: Attacks per country]

[Figure: Attacks per type]

By Country

It is often argued that most hackers are located in a handful of countries, including China, Russia, Ukraine and Iran. We believe that the lack of regulation in these countries allows such individuals to operate more freely. Oddly enough, most of the attempts to break in came from the United States. We speculate that the main reason for this is machines in the US that are part of a botnet (i.e., a network of hacker-controlled computers).
Note that during the experiment our servers were dynamically blocking some countries by IP. Hence these numbers might not be representative.


By type


The majority of the attacks were not targeted.

We noticed that most of the attempts were leveraging relatively old and simple payloads.

As we stated earlier, hackers in general do not sit down and try to hack your web-based application by hand. They typically write scripts (or simply download them from the internet) that automate the whole hacking process. Back to our bank robber analogy: imagine that after a successful robbery the bank robbers published in the local newspaper how they actually robbed the bank. It wouldn't take long before other malicious individuals tried to rob the bank using exactly the same proven method, right?!

Most of the recorded attacks on our infrastructure used precisely such well-known vulnerabilities (directory traversal, exploiting wp-config files, trying unrestricted file upload). Moreover, most of the attacks used rather outdated and simple techniques. For instance, we detected break-in attempts using a WordPress exploit against a non-WordPress software system. This leads us to the conclusion that the majority of the attacks on our servers were not targeted: the malicious users just tried to "push all doors" and see if any of them would budge.

A very small percentage of the attacks was actually targeted. We cannot disclose the specifics of these attacks, aside from mentioning that Secure Patrol blocked all of them. The great thing about Secure Patrol is that with every hacking attempt it grows smarter.


Lessons learned

The following lessons learned apply to virtually any web-based software system out there:


  1. Update third-party components regularly
    Most hacking attempts are based on known vulnerabilities. It is obviously much easier and less time-consuming to break in using a known method, perhaps even with a ready-to-use script.
  2. Monitor and notify of suspicious activity
    Monitoring what is actually going on behind the scenes on your web server will always give you more information about what is really happening.
  3. Leverage security best practices
    No amount of updates or monitoring will keep you safe if you don't use security primitives like HTTPS, MFA, complex passwords, etc.
  4. Start using a web-application firewall
    Finally, using a web-application firewall like Codific's Secure Patrol can help block attacks even against components that are actually vulnerable.


Conclusion


As opposed to bank robbing, online hacking has 0 risk in some countries.

To make matters even worse, precise instructions on how to break in are available on the internet.

Despite the general public image, most hackers are actually using relatively simple techniques to hack into your web system. These are automated scripts that try to break in using previously known vulnerabilities. That is great news, as keeping your software systems' third-party components up to date means you can already successfully fend off 80% of the attacks.

There is good news for another 10% of the attacks as well. While trying to break into your web-based systems, hackers leave a trail of breadcrumbs indicating what they actually tried. Even for an average-sized software firm it should be feasible to establish a basic logging mechanism to monitor suspicious activity. The error logs are a great starting point for figuring out what is and what is not suspicious. This means that if you regularly keep an eye on your error logs you can preempt many possible attacks. To block the final 10% of the attacks you will need more advanced techniques and expertise.
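The following script is an added example, not code from the post or from Codific Secure Patrol, illustrating lesson 2 (monitor suspicious activity) and the error-log advice above. It parses web-server log lines in the common combined format, flags the three untargeted probe types the post reports (directory traversal, wp-config probes and upload attempts) and aggregates them per type and per source IP, which is the kind of breakdown the "attacks per type" figure shows. The log lines are constructed samples with documentation-range IP addresses, and the matching rules and the repeat-offender threshold are assumptions chosen for the example, not a complete rule set.

```python
"""Flag and summarise untargeted probes in web-server access logs.

Added example for this post. The sample log below is constructed; the
detection rules are deliberately simple assumptions, not a full WAF.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" log format.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2019:10:14:02 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Jun/2019:10:14:05 +0200] "GET /wp-config.php.bak HTTP/1.1" 404 209 "-" "python-requests/2.21"
198.51.100.23 - - [01/Jun/2019:10:14:06 +0200] "GET /../../../../etc/passwd HTTP/1.1" 400 0 "-" "python-requests/2.21"
192.0.2.55 - - [01/Jun/2019:10:15:11 +0200] "GET /images/..%2F..%2Fwp-config.php HTTP/1.1" 404 209 "-" "curl/7.64"
192.0.2.55 - - [01/Jun/2019:10:15:12 +0200] "POST /upload.php HTTP/1.1" 404 209 "-" "curl/7.64"
203.0.113.7 - - [01/Jun/2019:10:16:40 +0200] "GET /about HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request path and status code from one line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def classify(method, path):
    """Return a probe category for a request, or None if it looks benign.

    Rules are assumptions for this example, checked in priority order.
    The path is URL-decoded twice so that %2F and %252F variants of "../"
    are caught as well as the plain form.
    """
    decoded = unquote(unquote(path)).lower()
    if "../" in decoded or "..\\" in decoded:
        return "directory traversal"
    if "wp-config" in decoded:
        return "wp-config probe"
    if method == "POST" and "upload" in decoded:
        return "upload attempt"
    return None


def parse_line(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text):
    """Return (per-type Counter, per-source-IP Counter, flagged records)."""
    by_type, by_ip, flagged = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        category = classify(rec["method"], rec["path"])
        if category is None:
            continue
        by_type[category] += 1
        by_ip[rec["ip"]] += 1
        flagged.append((rec["ip"], category, rec["path"], rec["status"]))
    return by_type, by_ip, flagged


def noisy_sources(by_ip, threshold=2):
    """IPs with at least `threshold` flagged requests: candidates for the
    kind of follow-up blocking the post's rebuff feature performs.
    The threshold is an assumption for the example."""
    return sorted(ip for ip, n in by_ip.items() if n >= threshold)


if __name__ == "__main__":
    by_type, by_ip, flagged = analyse(SAMPLE_LOG)
    for ip, category, path, status in flagged:
        print(f"{ip:16} {category:20} {status} {path}")
    print("per type:", dict(by_type))
    print("per source:", dict(by_ip))
    print("repeat offenders:", noisy_sources(by_ip))
```

Running it over the sample prints four flagged requests, two traversal attempts, one wp-config probe and one upload attempt, and lists the two sources that probed more than once. Decoding the path twice before matching is the detail worth keeping: the same "../" payload arrives in plain, single-encoded and double-encoded forms, and a rule that only checks the raw request line misses the encoded variants. In production the same logic would consume the live error and access logs rather than an embedded string, and the counters would feed alerting or a block list.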



Author

Aram is the founder and the CEO of Codific. With over 15 years of experience, he has a proven track record in building complex software systems by explicitly focusing on software security. Aram has a PhD in cybersecurity from DistriNet KU Leuven. His contributions to the refinement and streamlining of the LINDDUN privacy engineering methodology have been incorporated into ISO and NIST standards. Aram is also a core contributor to OWASP SAMM project and the architecture and security mentor for all our teams.
