Attackers targeted applications and application programming interfaces (APIs) with an average of 50 confirmed attacks per app in the month of November 2024. That’s down from the previous month, but an alarming number of attacks continue to circumvent other defenses and are only caught by Contrast Application Detection and Response (ADR). Every 30 days, Contrast Security publishes data about the detection and response of real-world application and API attacks with ADR.
First, some context to explain how we use the word “attack.” We are talking only about attacks that are confirmed to reach their intended vulnerability and are about to launch the exploit, not “the noise of the internet” type attacks that would never have turned into a noteworthy breach. Contrast tunes out that noise for clarity, filtering out the false positives.
When we talk about “probes,” we mean active reconnaissance by attackers who are rattling doorknobs in a search for weaknesses, misconfigurations and vulnerabilities open to exploit. While a probe may make it past the web application firewall (WAF), many of the resulting attacks are obvious, get caught by a WAF and don’t result in a serious threat.
Contrast’s attack data is measured directly from real-world running applications and APIs. Our attacks aren’t measured in millions, billions or even trillions, because that’s part of the problem: too much noise. Because Contrast Security instruments the code, we’re not reporting on signatures or theoretical attacks, only on what is actually a dangerous anomaly.
The November numbers for probes and attacks are in the charts below. As you can see, there were over 4,000 probes and more than 50 real attacks per app/API. That means real attacks were about 1% as frequent as probes.
The important message for November is that the average app/API was hit with over 50 attacks that were able to navigate the maze of code and find their way to the exact kind of vulnerability they targeted.
Since we publish data monthly, we’ll be keeping an eye on trends. Attackers know that there are a lot of vacations in December, so we will be watching attack volume, which typically goes up at this time of year. If the pattern holds, we will see criminals continue to shift toward the types of attacks that bypass WAFs and endpoint detection and response (EDR) tools.
Most organizations using data from perimeter tools are surprised when they see how many dangerous attacks are making it through to their applications and APIs. Contact Contrast Security if you’d like to see what’s really happening in your application layer.