Why Basic Web Application Attacks are so successful at breaching our data

Attackers never lost money underestimating the internet-going public. It’s a cynical statement, but one that the numbers indicate is true. Rather than outsmarting cybercriminals, users would be wise to learn to play their game. Once inside the mind of a breach actor, the path to protection becomes painfully clear.

Success Rates Off the Charts

According to the 2023 Verizon Data Breach Investigations Report, Basic Web Application Attacks have a remarkably high success rate. The DBIR compares numbers of incidents to numbers “with confirmed data disclosure.” Social Media, for example, has 1700 incidents with 928 confirmed in a breach, giving it a ratio of 54%. Privilege Misuse has a 71% success rate, Lost and Stolen Assets a 7.6%, and Denial of Service a paltry (yes) 0.00064%. However, out of 1,404 attempted incidents employing Basic Web Application Attacks as a tactic, a total of 1,315 resulted in confirmed data breaches. That is an astounding 94% success rate, and the highest out of any other Incident Classification Pattern in this year’s DBIR. No wonder cybercriminals use what’s working; when you have a tool that works over nine out of ten times, why use anything else?

And the numbers don’t lie. As revealed in a recent report by Radware, malicious web application transactions increased by an undeniable 500% compared to the first half of 2022.

Anatomy of a Basic Web Application Attack

Basic Web Application Attacks include a number of familiar items on the MITRE ATT&CK list. Under the umbrella of Brute Forcing, they encompass:

• Credential Stuffing | Stolen usernames and passwords are automatically injected into logins.
• Password Cracking | Passwords are identified using an application program.
• Password Guessing | Easy passwords are guessed by attackers.
• Password Spraying | A single password is used across multiple accounts in the hopes that the credential has been reused.

They also take in compromised email accounts, exploit public-facing applications, and exploit vulnerabilities discovered during simple vulnerability scans. These are your garden-variety website security attacks like cross-site scripting, SQL injection, fuzzing, and the like. Nothing fancy; in fact, so deceptively simple that we may forget to prioritize them entirely.

We may forget, but attackers don’t.

While SOCs are busy spinning up super-effective XDR solutions and infusing their stacks with Generative AI (two very good practices), criminals are taking the opposite route and guarding what might be left undefended: the common employee.

Why So Many Low-Level Attack(er)s

There are a number of reasons why low-level attacks are so common. One, they are obviously successful. But another, and possibly equally valid, is that there are now a large number of low-level attackers.

Cybercrime is becoming a dying art, at least the way it was originally done. Gone are the days of lone geniuses hunched at a flickering computer screen, spinning up proprietary code in the early hours of the morning and unleashing carefully crafted advanced exploits en masse. One might still see this type of behavior, but it is more likely in the form of an Advanced Persistent Threat, and one most likely launched by a Nation-State Actor at a high-value target. These are not the types of exploits making the news for 90%-plus success rates.

Instead, today’s attackers are much more entry-level. Basic Web Application Attacks are the first thing learned in a Cyber 101 course or an online cybersecurity boot camp. Whenever anyone dabbles in cybersecurity, good or bad, they start here. If that doesn’t make them accessible enough, they are also the stuff of the cybercrime gig economy. Now, initiators of these attacks have more to do with their loot of pilfered credentials than launching their own individual attacks. According to Dark Reading, “Initial access brokers have productized the opportunistic compromise of enterprise networks and systems, often selling that access to ransomware groups.” More demand brings more supply. With every Script Kiddie now a valid, in-demand member of a greater cybercrime ring, common exploits are flooding the threat landscape.

However, this only explains the number of attempted Basic Web Application attacks. The unnaturally high success rate is an issue all on its own.

The Part We Play

If these attacks were only launched, it would be significant enough. However, they are launched and relaunched due to what can only be called negligence on our part.

Credential stuffing only works because an attacker is able to steal usernames and passwords. Protecting them could be as easy as using a one-way cryptographic hash function. This secures credentials stored in databases. Employing a company-wide Identity and Access Management (IAM) solution is another way to keep passwords from being stolen. Even changing passwords often can offset risk, so even if credentials end up in the wrong hands, they won’t be good for long.

The other attack methods derive their success from much the same clumsiness. Passwords can be cracked best when they are simple and non-randomized. Passwords can be guessed for similar reasons. And password spraying only works when a user has voluntarily used one password across multiple accounts. These are all low-level attacks that require only the lowest level of precautions to offset.

On the SOC’s side, an email security solution can be employed to catch malware before it compromises inboxes, and a basic vulnerability management system can catch bugs. While we are in the post-perimeter world, these are basic precautions that could have been implemented even before Industry 4.0. And they’re no less valuable now.

In fact, as attackers shy away from going head-to-head with advanced cybersecurity defenses, they may be even more so.

Data Breach Prevention 101

Basic Web Application Attacks are just one piece of the puzzle, albeit an important one. But they serve as an example of what threat actors today are going for – easy weak spots that we’ve missed.

For that reason, foundational guidance from leading frameworks might be just the ticket for companies looking to reduce the risk of breaches as quickly as possible. NIST, MITRE, the CIS Controls, and CISA all offer industry accepted recommendations for batting down the leading causes of breaches this year, as summarized in VIPRE’s recent report. From salting to hashing to malware protection software and configuration management, the solutions aren’t difficult. And judging by the level of exploits that continue to beat us, they don’t have to be.

About the Author: An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.