The folks at the HoneyNet Project have released a new “Know Your Enemy” paper entitled “Know Your Enemy: Web Application Threats.” This is a great resource, as it provides a real-world view of the types of automated attacks being waged against web applications in the wild. It also provides an analysis of several web-based worms and well-known exploits. This is worth a read for anyone concerned about the security of their web-facing applications.
One thing I noticed when reading through this paper is that it is almost entirely focused on attacks against technical flaws in well-known packaged web applications. That makes complete sense within the mission of the HoneyNet Project. It is worth noting, however, that the risk picture is very different for most large enterprises. Large enterprises we work with are typically less concerned (although not unconcerned) about these sorts of flaws. The real threat to fear is targeted attacks focused on logical flaws in enterprise-specific applications.
Almost the entire goal of the attacks outlined in the Know Your Enemy paper was to capture a new host from which to join botnets or send spam emails directly. Some of them did try to capture local password files or make connections to databases, but by far the focus was on attacks that were indifferent to the specific host being compromised. Obviously a compromise such as this would be bad for an organization, but there is arguably much more damage that would occur as the result of a targeted attack against the organization’s systems.
Attackers that have specific goals for information they want to steal or transactions they want to subvert are going to be much more focused in their attacks on applications, and those attacks are going to be much harder to detect. Most of the assessments we do for our clients are not against packaged applications that they are deploying in their environment but rather against line-of-business applications supporting some specific function. Message board software and blogs are interesting, but access to the really valuable information resources is typically found behind applications that organizations develop themselves. These are the apps whose compromise can result in huge volumes of customer data being lost and other nightmare scenarios.
In short – the paper was fantastic and highlights major threats to the world’s web infrastructure. However, it is important to understand the sorts of attacks they were able to gather information about, and to understand that there are other attacks being waged that organizations need to protect against.
dan _at_ denimgroup.com