Lessons learnt from blocking millions of cyber attacks

FireHost has announced the release of its 2013 year in review Superfecta report (available for download here (link) and by request). Using real-life data from the 100m+ malicious hack attempts FireHost blocked in the last 12 months, the Superfecta report contains a quarter-by-quarter guide to the biggest cybercrime trends and incidents in 2013, including expert analysis from both FireHost’s IT security teams and partners.


Key overall findings and trends for 2013
· FireHost blocked more than 100m cyber attacks in 2013
· Cross-Site Scripting and SQL Injection were the most popular attack types in 2013
· Hackers launched more attacks from the commodity cloud than ever before
· FireHost’s data suggested the existence of a ‘blackholing’ effect
· Major security incidents such as the Target data breach lowered the number of attacks on corporate web applications


Chris Drake, FireHost CEO and founder, outlined the purpose of FireHost’s Superfecta report, “Cyber attacks may seem like random incidents at the time, but when you have the kind of malicious attack data that we have developed over the last year, you can begin to correlate these attack trends with 2013’s biggest data breach stories – of which there were many.


“FireHost is working very closely with other leaders and innovative practitioners in the cyber security community to track, document and block attacks as soon as we encounter them. It is one of the major reasons for producing the quarterly Superfecta report.”


The Year of Cross-Site Scripting and SQL Injection
The first quarter of 2013 set the tone for what was to come in the next 12 months. Cross-Site Scripting was the most prevalent Superfecta attack type in Q1 (with 1.2m attacks blocked) and it would continue to be so throughout the year, growing in popularity very slightly each quarter. SQL Injection attacks would follow a similar trend, increasing in volume substantially over quarters one, two and three.


SQL Injection has typically been the preserve of only the most talented hackers, so its increased popularity, and the possibility that these attacks were becoming easier to automate, was cause for particular concern. FireHost issued a stark warning on the issue as part of its Q3 Superfecta report, where SQL Injection attacks had surged by nearly 100,000 compared to Q2.

Read the full Q3 report here (link).
The Year Hackers Turned to the Commodity Cloud
During Q2 2013 FireHost blocked almost 24 million cyber attacks, including a large percentage increase in the number of common web attacks. In an attempt to uncover the root cause behind this trend, FireHost security experts discovered that blended, automated attacks were being used increasingly from within cloud service provider networks. This is supported by security services provider Solutionary’s claim that Amazon's public cloud service hosts more malware than any other provider. In a recent IT security report, the company suggested that commodity cloud providers had "made it economical for malicious actors to use their services to infect millions of computers and vast numbers of enterprise systems."

FireHost CEO and founder Chris Drake explains the reasons behind this worrying trend, “Cybercriminals can easily deploy and administer powerful botnets that run on cloud infrastructure. Unfortunately, many cloud providers don’t adequately validate new customer sign-ups so opening accounts with fake information is quite easy.”


FireHost Uncovers New ‘Blackholing’ Effect
Powered by ThreatSTOP, FireHost’s new IP Reputation Management (IPRM) filter was implemented in Q4 2012 and the data was analyzed in each of FireHost’s 2013 reports. Using this data, FireHost’s IT security teams have since discovered evidence of a positive ‘blackholing’ side effect, whereby FireHost’s IPRM filters have, over time, helped to hide FireHost’s customers’ IPs from would-be hackers, by making them resemble darknet/honeypot space. No attacker wants to be detected by connecting to darknets and will take extra care to avoid them.


Indeed, the blackholing effect has contributed to the total number of attacks blocked by FireHost dropping from 32m in Q3 2013 to 23m in Q4 2013.


2013’s Biggest IT Security Incidents Explained Using FireHost Data
The biggest data breach incident in 2013 befell American retailing giant Target, which exposed data from as many as 110 million customers – the ramifications of which have continued to develop this year. As well as the blackholing effect outlined in FireHost’s Q4 Superfecta report, Tom Byrnes, ThreatSTOP CEO, believes that the decreased number of attacks blocked by FireHost during Q4 2013 could be down to this single data breach.
“The Target data breach was monumental and it’s no surprise that it had an impact on FireHost’s attack data. There are only a few hundred criminal gangs worldwide running this kind of cybercrime operation so the actions of just a few can signal a big shift in the industry as a whole. We certainly saw this in the build up to the Christmas period and the Target attack. During this time, smart hackers may have ignored FireHost’s servers completely and focussed all their efforts on obtaining consumer data during the busy online retail season. Others would simply have been too busy running up charges on Target customers’ credit cards to bother with doing anything else.


“It was a similar case in spring/summer 2013. The number of attacks filtered by FireHost’s IPRM service fell dramatically and I wouldn’t be surprised if this was, in part, due to the big IRS data breach. Organised criminals were too busy snatching identities and stealing billions of dollars in tax refunds to worry about targeting corporate data, such as the applications hosted on FireHost’s infrastructure.”


Chris Hinkley, CISSP and senior security architect at FireHost continued, “It's interesting to compare attack trends and attack sources with the publicised information about known data breaches and attacks.


“As traffic from somewhat organised sources, e.g. botnets and other known bad IPs, is significantly greater than it is with the more usual DDoS style attacks, this usually correlates to hackers discovering a new exploit or attack type, and a broad sweeping effort to find susceptible targets. This may have very well been the case with the recent Target breach. It's come to light that the Target breach may have come from just a single coordinated attack, in which hackers compromised several stores. What can be learnt from this is that, even though you may not think your business will draw direct attention from hackers, you can be certain there is a high chance that your servers are being probed by opportunistic cybercriminals who are constantly looking for that easy ‘open window’ in.”


*Superfecta:
The Superfecta consists of four distinct web-application attack types that pose the most serious threat to businesses, comprising Cross-site Request Forgery (CSRF), Cross-site Scripting (XSS), SQL Injection and Directory Traversal.