Story image

State-affiliated threat actors attribute 57% of all known web app incidents over last five years - Report

By Ryan Morris-Reade, 27 Jul 2021

According to a multi-source report, state-affiliated threat actors attributed to 57% of all known web application incidents over the last five years.

The research firm the Cyentia Institute says web application exploits are the largest cybersecurity risk facing organisations today. It found 56% of the most significant cybersecurity incidents over the past five years were related to web applications

The conclusion forms part of a new F5 Labs-sponsored report entitled The State of the State of Application Exploits in Security Incidents.

The first of its kind report draws heavily from the Cyentia Research Library and input from a range of other datasets. One of the key reasons behind the report’s publication is to progress how the cybersecurity industry uses disparate pieces of research to piece together the bigger picture.

“Meta-analysis is difficult to impossible given the current state of security industry research,” says Cyentia Institute partner & co-founder, Wade Baker.

“Nevertheless, multi-source analysis is achievable, and part of our goal in this study is to demonstrate that approach. Multi-source analysis of this nature is important and anticipates the challenges inherent to integrating, normalising, and analysing data sets that differ in numerous ways.”

In the report, the Cyentia Institute found 56% of the most significant cybersecurity incidents from the past five years tie back to some form of web application issue. Responding to these incidents cost more than $7.6 billion, representing 42% of all financial losses recorded for Extreme Cyber Loss vents. During six of the last eight years, these attacks were the leading incident pattern among data breaches.

The exploitation of publicly facing applications was the number one or two technique from all sources that reported initial attack tactics to MITRE ATT&CK, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

The Cyentia Institute discovered the average time-to-discovery for incidents involving web application exploits was 254 days, significantly higher than the 71-day average for other extreme loss events studied.

Notably, the report found 57% of all known losses for the most prominent web application incidents over the last five years were attributed to state-affiliated threat actors. This alone caused $4.3 billion in damages.

“The reports analysed by The Cyentia Institute approach their subject with different definitions and assumptions,” says F5 Labs director, Raymond Pompon.

“Some focus on incidents as the most intelligible level on which to examine security. Some focus on attacker motivation or tactics, techniques and procedures. And some focus on vulnerability types. This niche appears the most disjointed, with Cyentia researchers noting a Tower of Babel effect preventing them from reaching conclusions more definitive than the prevalence of SQL injection and cross-site scripting.” 

“Despite these differences, however, all these various approaches arrived at similar conclusions, attacks against web applications, most prominently authentication attacks and web exploits, constitute the greatest source of risk,” he says.

The Cyentia Institute analysed data and reports revealing a consensus on key recommendations for security measures, which The Cyentia Institute summarises as, “Fix your code, patch your systems, double up your creds and watch your back (door).”

“We were surprised to see that underneath the surface, the ‘state of the state of’ is not one of discontinuity and fragmentation, but one of consensus about the difficulty of execution,” says Pompon.

“It appears many security teams know what they need to do in theory. Putting that theory into practice over time is the real problem here.”

He says in reality this is quite an eye-opening conclusion. But creating meaningful guidance at this level of detail is challenging as all organisations are slightly different in many subtle ways, such as business model, organisational model, risk tolerance, technological footprint, and others. 

“Because of this, a shift towards a model of security intelligence and guidance is more about how, and less about what might inadvertently drive greater technological and operational conformity, is expected,” says Pompon.

“As ever, F5 Labs will continue helping to bring practice closer to theory for defenders everywhere.”
 

Recent stories
More stories