Last week we released our latest Quarterly Attack Trends Report, and what would a good report be without an accompanying blog post? In this post we’re going to walk through this raw and insightful look at the Internet’s ever-shifting cybersecurity landscape, “Edgio’s Quarterly Attack Trends Report.” The report unveils a myriad of data points, from request methods and MIME types to geolocation trends and everything in between, all of which paint a vivid picture of the emerging threats targeting modern websites and applications.
Jumping right in, two key data points caught my attention: Request Methods and Request MIME types. At first glance, discovering that over 98% of requests are GET and POST isn’t surprising. Welcome to the Internet, right? “Unremarkable,” one might say, but these seemingly pedestrian functions provide valuable knowledge about an application, how it’s being used or attacked, and where it might be vulnerable. It should also raise the question: which request methods does your application actually require to function? Most web applications need only a handful (GET and POST, perhaps HEAD and OPTIONS, and PUT, PATCH or DELETE on specific API routes). Should any others be allowed to reach your application at all, or should you reduce your exposure by rejecting them far before they reach your origin server? An explicit allow-list of methods enforced at the edge is the practical answer: anything not on the list gets a 405 and never costs you origin compute. Keep in mind that HTTP method names are case-sensitive, so match the exact tokens you expect rather than case-folding, and treat everything else as unknown.
Jumping over to MIME types, an overwhelming 76% of blocks were tied to the application/json MIME type. This isn’t just a statistic; it’s a narrative about the shift in modern application architecture and the evolving nature of threats targeting it. It shows that APIs are where threat actors are concentrating their effort, and it highlights the need to protect every API – the documented ones as well as the “shadow” APIs (endpoints deployed without the security team’s knowledge) and “zombie” APIs (deprecated endpoints that were never actually retired) that your security team may not yet have discovered. A practical first check: compare the paths and content types your edge actually sees against your API inventory; anything receiving JSON that isn’t in the inventory is a candidate shadow or zombie endpoint.
We categorized the protections in this report into three main strategies: access control rules, managed rulesets, and custom signatures. Of the three, it’s worth noting that 45% of blocks came from access control rules. That speaks to the foundations of an effective defense: it starts with basic yet extremely effective tactics like denying access to known bad sources (blocklisted IP addresses and ranges, user agents, and countries). Blocking these far before they get close to your applications, infrastructure, and data brings immediate benefits, not only from a security standpoint but also from a cost perspective. Mitigating bad requests at the edge with a web application firewall (WAF) saves both bandwidth and compute cycles, and every request dropped by a cheap access control check is one that the more expensive managed rulesets and custom signatures never have to inspect.
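The method allow-list from the Request Methods discussion above and the source-based access control rules described here are cheap enough to evaluate in one pass at the edge. The following Python is an added example, not Edgio’s code or a description of its WAF: it models the decision as an ordered set of checks and tallies blocks per rule the way the report does. The allowed methods, the blocklisted networks, the user-agent patterns, the XA/XB country codes, and the sample requests are all constructed assumptions.

```python
"""Edge access-control policy evaluator (added example, not Edgio's code).

Models the cheap, early checks the report groups under "access control
rules": an HTTP method allow-list, an IP/CIDR blocklist, a user-agent
blocklist, and a country denylist. Requests that fail any check are rejected
before they would reach an origin. Every address, agent, country code and
request below is constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Allow-list, not a deny-list: only the exact tokens the application needs.
ALLOWED_METHODS = {"GET", "POST", "HEAD", "OPTIONS"}

# Constructed blocklists; a real deployment loads these from threat intel.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.17/32")]
BLOCKED_UA_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"^sqlmap", r"^nikto", r"masscan")]
BLOCKED_COUNTRIES = {"XA", "XB"}  # hypothetical codes standing in for an embargo list


@dataclass
class Request:
    method: str
    src_ip: str
    user_agent: str
    country: str  # ISO code supplied by the edge's geolocation lookup (assumed)


@dataclass
class Decision:
    allowed: bool
    rule: Optional[str] = None  # name of the first rule that rejected the request


def evaluate(req: Request) -> Decision:
    """Return the first access-control rule that rejects the request, if any.

    Checks are ordered cheapest first: a set lookup, then a CIDR match, then
    regexes, then the country code. HTTP method names are case-sensitive, so
    "get" is deliberately not accepted as "GET".
    """
    if req.method not in ALLOWED_METHODS:
        return Decision(False, "method-not-allowed")
    try:
        addr = ipaddress.ip_address(req.src_ip)
    except ValueError:
        return Decision(False, "malformed-source-ip")
    if any(addr in net for net in BLOCKED_NETWORKS):
        return Decision(False, "ip-blocklist")
    if any(p.search(req.user_agent) for p in BLOCKED_UA_PATTERNS):
        return Decision(False, "user-agent-blocklist")
    if req.country.upper() in BLOCKED_COUNTRIES:
        return Decision(False, "country-denylist")
    return Decision(True)


SAMPLE_REQUESTS: List[Request] = [  # constructed
    Request("GET", "192.0.2.10", "Mozilla/5.0", "US"),
    Request("TRACE", "192.0.2.10", "Mozilla/5.0", "US"),
    Request("POST", "203.0.113.45", "Mozilla/5.0", "DE"),
    Request("GET", "192.0.2.11", "sqlmap/1.7", "FR"),
    Request("GET", "192.0.2.12", "curl/8.0", "XA"),
]


def summarize(requests: List[Request] = SAMPLE_REQUESTS) -> Dict[str, int]:
    """Count outcomes per rule, the way a WAF dashboard reports blocks."""
    counts: Dict[str, int] = {}
    for r in requests:
        d = evaluate(r)
        key = "allowed" if d.allowed else d.rule
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r.method, r.src_ip, evaluate(r))
    print(summarize())
```

The ordering matters for cost: a set lookup and a CIDR match are far cheaper than the regex and signature work that follows, which is exactly why rules of this kind account for such a large share of blocks at so little expense.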
The report also acts as a reminder that attackers are continually seeking ways to bypass these defenses. Although one’s access control rules might be tight, we can’t be solely reliant on them. Take geofencing, for example. The top five countries from which malicious requests originated were the US, France, Germany, Russia, and Chechnya, with China notably absent. We would expect China to be toward the top of that list alongside other major internet-connected countries. This challenges any overreliance on geofencing and emphasizes the need for a layered approach to compliance and security measures. Attackers routinely compromise servers, cloud workloads, and IoT devices located in the same region as their ultimate targets and launch from there, so a source country tells you where the last hop sits, not who is behind it. Understand your business needs and regulatory requirements (like not selling to embargoed countries) when using geofencing. It’s not that the tactic should be thrown away, but rather that it shouldn’t be overly relied upon.
One very specific and notable threat that ticked upward in Q4 was Path/Directory Traversal attacks. Imagine your application as a fortress. Now think of path traversal attacks as cunning intruders who exploit the smallest oversight in your fortress’s architecture to infiltrate deep into your domain via over-permissioned folders on your web server. Mechanically, the attacker supplies a file path (in a URL, a query parameter, or a JSON field) containing parent-directory segments such as ../, often percent-encoded or double-encoded to slip past naive filters, so that a handler which concatenates user input onto a base directory ends up reading or writing files outside that directory. These attacks are not just about knocking on the door; they’re about finding a hidden passage that leads straight to the heart of your empire. The consequences? Unauthorized access, loss of personally identifiable information (PII), exposure of configuration files and credentials, and potentially handing over the keys to your kingdom through remote code execution when the traversal reaches a writable location or a file the application later executes or includes. The significance here cannot be overstated, as these intrusions threaten the very pillars of confidentiality, integrity, and availability that our digital world stands on. The defense belongs on both layers: at the edge, signatures that decode before they match; in the application, resolving the final path and refusing anything that lands outside the intended root, with the web server process holding read access only to what it must serve.
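To make the mechanism concrete, the following Python is an added example (not from the report or any Edgio product) that places a vulnerable file handler beside a hardened one and runs a decode-then-match traversal signature over a few constructed request lines. The web root, the secret file, and the request lines are all constructed for the demonstration.

```python
"""Path traversal: vulnerable vs. hardened file serving, plus a request-line
detector (added example; not from the Edgio report or its products).

The web root, the files and the sample request lines are constructed.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional
from urllib.parse import unquote


def serve_unsafe(web_root: str, requested: str) -> bytes:
    """Vulnerable: concatenates the user-supplied path onto the web root.
    '../' segments walk out of web_root, and os.path.join discards web_root
    entirely when `requested` is absolute."""
    with open(os.path.join(web_root, requested), "rb") as f:
        return f.read()


def serve_safe(web_root: str, requested: str) -> Optional[bytes]:
    """Hardened: resolve the final path (symlinks included) and refuse anything
    that does not stay under the resolved web root. Returns None on rejection."""
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    if os.path.commonpath([root, target]) != root:
        return None
    if not os.path.isfile(target):
        return None
    with open(target, "rb") as f:
        return f.read()


# A '..' segment bounded by a separator (either style) or the path ends.
_DOTDOT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def looks_like_traversal(path: str) -> bool:
    """Detection: percent-decode twice (attackers double-encode to get past
    single-decode filters), then look for a parent-directory segment."""
    decoded = unquote(unquote(path))
    return bool(_DOTDOT.search(decoded))


SAMPLE_REQUEST_LINES = [  # constructed; shape: "<method> <path> HTTP/1.1"
    "GET /static/app.css HTTP/1.1",
    "GET /static/../../../etc/passwd HTTP/1.1",
    "GET /static/%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1",
    "GET /static/..%252f..%252fetc/passwd HTTP/1.1",
    "GET /static/..\\..\\windows\\win.ini HTTP/1.1",
    "GET /static/profile..jpg HTTP/1.1",  # '..' inside a file name is benign
]


def flagged_paths(lines: List[str] = SAMPLE_REQUEST_LINES) -> List[str]:
    """Return the request paths a WAF-style traversal signature would block."""
    out = []
    for line in lines:
        parts = line.split(" ")
        if len(parts) >= 2 and looks_like_traversal(parts[1]):
            out.append(parts[1])
    return out


def demo() -> Dict[str, Optional[bytes]]:
    """Build a throwaway web root with one page and a secret one level above
    it, then show the unsafe handler leaking the secret and the safe handler
    refusing while still serving the legitimate file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        os.makedirs(root)
        with open(os.path.join(root, "index.html"), "wb") as f:
            f.write(b"<h1>hello</h1>")
        with open(os.path.join(tmp, "secret.txt"), "wb") as f:
            f.write(b"db_password=hunter2")
        unsafe = serve_unsafe(root, "../secret.txt")
        safe = serve_safe(root, "../secret.txt")
        ok = serve_safe(root, "index.html")
    return {"unsafe": unsafe, "safe": safe, "ok": ok}


if __name__ == "__main__":
    print(demo())
    print(flagged_paths())
```

Two details carry the weight here. The hardened handler compares against the resolved path rather than the string the client sent, so encoding tricks and symlinks are settled before the check; and the detector decodes before matching, which is what separates a useful edge signature from one that only catches the literal `../`.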
In short, the quarterly report on attack trends is not just a collection of data; it’s a narrative that highlights the ongoing battle in the digital realm. It serves as a reminder that understanding and adapting to the intricacies of application architecture is key to not just surviving but thriving in this landscape. By employing a strategy that includes layered defenses, leveraging threat intelligence, and tailoring solutions to the unique needs of your application, you can erect a fortress that stands resilient against the ever-evolving threats of the cyber world. Effective security isn’t just about putting tools in place; it’s about understanding how your business operates and using that knowledge to inform your security controls.
One more thing, this report is just the tip of the iceberg. The Edgio team is working tirelessly on adding more data points to future reports. Keep an eye out for our 2024 Q1 report. I’m confident you won’t be let down.
Want more insight?
Tom and members of Edgio’s Security team discuss the Quarterly Attack Trends Report in the latest episode of ThreatTank.