DBIR 2021: 3 critical web application vulnerabilities you should address now

Jonathan Stock, Sr. Manager, Security Product Marketing, Verizon Media

The Verizon 2021 Data Breach Investigations Report (DBIR) analyzes more than 70,000 data breach incidents from 88 countries and uses the aggregate analysis to inform teams about security risks that are not just “possible, but probable.” This report is a gold standard that every security team can use to benchmark operational practices, prioritize actions and most importantly, focus limited resources where they matter most — preventing loss associated with downtime and a data breach.

In this blog, we provide a summarized view of the DBIR’s findings related to the leading asset variety targeted in breaches (the web application/server), the leading vector in incidents (DDoS attacks), and the 2nd leading breach pattern (basic web application attacks) and include recommendations and best practices that can address these risks.

‍Vulnerability 1: Unpatched applications

‍Most breach activities recorded in the DBIR were “basic” attacks against web applications — defined as having a small number of steps or additional actions after the initial compromise. These attacks focus on direct objectives, which range from getting access to email and web application data to repurposing web apps for malware distribution, defacement or future DDoS attacks.

There were 4,862 basic web application attacks recorded, with almost all coming from external threat actors. Of these, 1,384 experienced confirmed data disclosures, with financial gain being the primary motive for the attack 89% of the time. Credentials were compromised 80% of the time, while personal information was acquired 53% of the time.

What security basics should you be implementing to protect your organization against web application attacks? The data above suggests patching vulnerabilities is a great place to start for most organizations, especially those that continue to be unpatched for a long time. Remember, every day a vulnerability is unpatched, an attacker could be performing an exploratory hack of your applications in hopes of finding gold. Let’s explore these two issues a bit more.

‍Vulnerability 2: Legacy applications

‍The mission of cybercriminals is to infiltrate your company. And they want to do so as quickly, quietly and cheaply as possible.

The DBIR confirms attacks on older vulnerabilities (four or more years old) are more common than attacks on newer vulnerabilities. Bad actors continue to exploit these older vulnerabilities because they are often the stacks IT security teams ignore. They are also easy to research, find exploits for and relatively inexpensive to mount.

Older stacks also have more vulnerabilities. Plus, there is more common knowledge within the cybercriminal community on which tools to use to attack these older technology stacks while remaining undetected.

This problem has existed for years and will continue to be a challenge for quite some time until there are significant improvements in secure application development and patch management capabilities.

Additionally, by leveraging well-known older vulnerabilities, cybercriminals don’t have to pull out (and risk exposing) their most prized tools. They can target the older apps using older tools and still have plenty of surface area to work with — at a much lower cost.

‍Vulnerability 3: DDoS

Distributed denial-of-service (DDoS) has risen sharply since 2018, becoming the number one security issue in 2020. Technically, the DBIR categorizes DDoS as an incident pattern (not a breach). Regardless of how it’s classified, a DDoS can severely disrupt Availability — the third leg of the Confidentiality, Integrity and Availability triad.

Just as cybercriminals are breaching systems to see what they can extract, they are using cheap and readily available DDoS botnets to discover vulnerable systems that can be taken offline as part of ransom or disruption campaigns. The DBIR also confirms a bit of good news: DDoS is “one of the infosec trends that can actually be addressed.” Unfortunately, too many organizations may assume they have adequate protections — until a DDoS attack reveals points of failure, at the cost of business downtime.

Although DDoS mitigation services are widely available and may be deployed in your network and application infrastructure, with these attacks rising, it’s time to review the scope of your DDoS protection. We suggest you evaluate how your protection is triggered and the impact on your operations if the attack is successful across layers 3, 4 and 7.

‍The cost of inaction

‍Now that we’ve discussed some key results from the DBIR, let’s review a security threat not covered in the report: Inaction. A common challenge with reducing the application attack surface is that your web applications are in constant motion. Many are evolving, adding new features and moving to the cloud. Implementing security fixes continues to plague application pipelines, forcing tradeoffs between business, engineering and security interests. Removing old vulnerabilities, especially from legacy applications, suffer from the opposite challenge — getting developer and project management attention on web applications still in use but no longer receiving business focus/investment. In both scenarios, bad actors are counting on these management lapses and inaction to find and exploit vulnerabilities.

While you build and strengthen your processes to manage risks, CDNs and web application firewalls are a proven method for identifying and blocking harmful traffic lurking on the edge of the internet. These include DDoS attacks and automated probes that programmatically target and log vulnerabilities in your web services, without requiring heavy doses of developer investment and project management.

Our next-generation web application firewall and DDoS protection capabilities, built into our network edge, offer a straightforward and scalable solution that addresses web application risks reported by the 2021 DBIR. For example, in the fourth quarter of 2020, we mitigated 1.5 billion requests. We define “mitigate” as any WAF event that triggers a block, custom response, or URL redirect. These are the same nefarious activities, reported by the DBIR, known legacy vulnerabilities and DDoS incidents driving the majority of web application attacks.

‍Start with the basics

‍The DBIR reveals blind spots that can occur because of “noise” that happens when a serious breach occurs. As the DBIR authors say, “The next time you are up against a paradigm-shifting breach that challenges the norm of what is most likely to happen, don’t listen to the ornithologists on the bluebird website chirping loudly that ‘We cannot patch, manage or access-control our way out of this threat.’”

In fact, by “doing the basics,” you can stop the vast majority of attacks that are most likely to affect your organization.

Connect with us now by filling out the form below to learn how our CDN and WAF can mitigate your web application vulnerabilities as part of a complete security solution.

*Verizon, “2021 Data Breach Investigations Report,” verizon.com/business/resources/reports/dbir/‍