F5: 2021 Application Protection Report

The threat scenario during 2020 is seen in the categories of: ransomware, email compromise, formjacking, formjacking and database breaches.

F5 announced the results of the 2021 Application Protection Report: Of Ransom and Redemption based on 729 incidents.

As is well known, the information security professional’s mission has gradually become extraordinarily complex, responsibility for the various components that form an enterprise environment is spread not only among multiple teams within the enterprise but also among vendors, partners, and service providers. With this diffusion of responsibility comes added challenges in visibility and incident response.

Initial findings

  • Ransomware grew enormously over 2020. In 2019, malware was responsible for roughly 6% of U.S. breaches. In 2020, ransomware alone was a factor in roughly 30% of U.S. breaches.
  • Ransomware attacks are prevalent against targets with data that are difficult to monetize, suggesting that new popularity of ransomware among attackers is due to its monetization strategy, rather than its characteristics as malware.
  • In 2018 and 2019, retail was by far the most heavily targeted sector. In 2020, four sectors—finance/insurance, education, health care, and professional/technical services—experienced a greater number of breaches than retail, partly driven by the growth in ransomware.
  • Organizations that take payment cards are heavily targeted by web-injection attacks, known as formjacking. Formjacking accounted for more than half of breaches in the retail sector, but also targeted any organization that took payment information over the web, whether it was selling a product or only taking payments.
  • Business email compromise (BEC) accounted for 27% of breaches. Many of these incidents lacked any other information but are suspected to be credential stuffing attacks.
  • The Blackbaud cloud ransomware breach caused hundreds of organizations to mail out breach notifications, illustrating that the risk of supply-chain attacks is not limited to network infrastructure like SolarWinds.1
  • Essentially all cloud incidents and breaches about which we have information were attributable to misconfiguration; the inconsistency of responsibility boundaries in cloud systems makes the chances of misconfiguration unacceptably high.
  • Two-thirds of API incidents in 2020 were attributable to either no authentication, no authorization, or failed authentication and authorization.
  • The simplicity of API attacks and the poor state of API security indicate that the attack surface ramifications of API-first architectures are still not widely understood.
  • Analyzing breaches as attack chains illustrates the importance of an overarching security strategy that implements defense in depth and a coordinated security architecture (as opposed to a series of unrelated point controls).
  • Based on the breach analyses, the most important controls for dealing with the threat landscape are privileged account management, network segmentation, restricting web-based content, data backup, and exploit protection (in the form of a web application firewall [WAF]).
  • The nature of cloud and API incidents in 2020 also illustrates the importance of inventory, configuration management, and change control.

Incidents and attacks

Authentication Attacks

  • For the past three years, authentication attacks such as brute force and credential stuffing made up 32% of all reported security incidents to the F5 SIRT.
  • Financial services organizations had the highest percentage (46%) of reported authentication attack incidents, followed by public sector organizations at 39%.
  • U.S. and Canadian organizations had the highest percentage (45%) of reported authentication attack incidents.

Web Exploits

  • Web attacks contributed to about 15% of confirmed U.S. breaches in 2020.
  • Formjacking, the predominant category of web attack over the last few years, declined in prevalence, making up 61% of web breaches in 2020 as opposed to 87% in 2019.
  • Formjacking techniques vary by threat actor and target software, but masquerading as a legitimate service or file is common for all stages of the attack chain.

Cloud Breaches and Incidents

  • With the exception of the Blackbaud ransomware event discussed earlier, misconfiguration accounted for all of the cloud breaches we know of in 2020.
  • Twelve instances of specific clouds being compromised were due to a lack of access control.
  • Nearly 20,000 unsecured cloud databases were wiped by malicious or vigilante actors using scripts.

Tactical Recommendations

  • Privileged Account Management. It emerges as a potential mitigation for the web exploits that made up roughly 30% of the known techniques in the breaches.
  • Network Segmentation. Isolating critical systems from the Internet and from one another also emerged as a valuable strategy to mitigate the web exploits.
  • Restrict Web-Based Content. Extensions block malicious scripts and malware as well as proxies that control the use of web services.
  • Data Backup. It is the only recommended mitigation for ransomware.
  • Exploit Protection. The prevalence of formjacking attacks that depend on web exploits means that for our purposes, we are talking about WAFs. WAF is still considered a minimum for anyone running a public-facing web application.