With the flu season coming upon us, we’re lucky that its signs and symptoms—aches, congestion, and fever—are easily recognized within the general population. Doctors know how to dispense treatment and advice through years of practicing the diagnostic process: the act of collecting, synthesizing, and interpreting health information gathered from a number of different sources.
Security professionals are not unlike doctors, especially when trying to diagnose nasty bugs and viruses. They identify malicious activity on their web application by seeing anomalies on the data streams available to them. But in order to run through the diagnostic process, members of the security, development, and operations teams need to know how to identify the symptoms of a web attack.
Top attack indicators for web applications
Visibility is critical when organizations are dealing with malicious activity across their web applications. Layer 7 attacks such as app-level DDoS, API abuse, and account takeovers pose both security and resource-utilization risks for a company and its users: these attacks can cause excessive resource consumption and impact performance across applications.
But how do you know when your apps, APIs or microservices are under attack? In other words, what’s the right information development and security teams need to identify and diagnose the bugs that point to a web app attack?
In our “Identifying Web Attack Indicators” whitepaper, the Signal Sciences team presents the signs of the top four web attack types commonly seen throughout our customer base. By inspecting over one trillion production web requests per month, we have the ability to dive deep into how these attacks affect different industries.
Here’s a small preview of these top attack types and indicators:
- Account Takeover: With the automated testing of leaked credentials, attackers try gain access to and takeover a user’s account. One key indicator is an increasing number of failed login attempts across all users.
- API Abuse: Attackers can crash an application with an overwhelming number of API requests. Exceeding a threshold of 50 API requests per second could raise suspicion.
- SQL Injection: Attackers can access SQL databases containing sensitive data. A SQL server response of 405 (“method not allowed”) can indicate an attack attempt.
- Business Logic Attack: Reverse engineering critical application features can disrupt user experience or gain access to accounts. Look for anomalous API calls to see if this is happening on your application.
Security monitoring with Signal Sciences
As the world’s fastest growing web application security company, Signal Sciences protects over 28,000 applications and inspects and makes decisions on over a trillion production requests per month with our award-winning next-gen WAF (web application firewall) and RASP (runtime application self-protection) solution.
With Signal Sciences you’ll have the insights to determine if your app is under attack or if you’re seeing errors resulting from a bad code deployment. You’ll also gain visibility over suspicious traffic coming from untrusted sources like TOR exit nodes, data centers, and malicious IPs identified by the SANS institute.
Get the Deep Dive into Prevalent Web Attack Indicators
We’ve touched on just a few of the signs of a web attack in this blog. Find out about the others organizations should be monitoring for as well as the comprehensive visibility Signal Sciences provides that both detects and protects against these prevalent web attacks by downloading our ebook, “Identifying Web Attack Indicators.”