FireHost announced trends for the attacks it blocked from its clients’ web applications in Q4 2013. Security experts have noted that the company’s most recent Superfecta data on attempted cyberattacks could provide evidence of a “blackholing’ effect. Indeed, the blackholing effect has contributed to the total number of attacks filtered by FireHost dropping from over 17m in Q3 2013 to less than 9m in Q4 2013.
“For anyone new to cybersecurity and threat detection, the blackholing phenomenon must sound incredibly abstract,” admits FireHost CEO Chris Drake. “Thankfully, it’s actually quite simple and our latest statistics certainly quantify the positive benefits this effect has in terms of the protection of regulated data.”
How the blackholing effect works
In a virtualised infrastructure with comprehensive security layers, most of the malicious traffic seen and blocked comes from malevolent networks and botnets. An IP reputation filter intercepts web traffic at the perimeter layer and recognises when a would-be intruder has been black listed. This means that, when cybercriminals launch web-based attacks or perform reconnaissance on large chunks of the internet from known “bad’ IP addresses, the IP reputation filter can prevent them from connecting to a protected network space without reason or response.
Over time, the black hole makes the protected IPs invisible to attackers. As a result, these web applications are exposed to less and less attack traffic, improving memory and processor efficiency as well as reducing network traffic load, to name a few benefits. By the same token, the volume of spam and everything else associated with illegitimate sources also decreases.
“In a conflict zone, hostiles don’t shoot at trees on the off-chance there’s an incredibly well camouflaged infantry unit nearby,” explained FireHost CEO, Chris Drake. “That’s more or less the principle behind the black hole effect. If an automated attack detects a dead address, it’s unlikely to probe it any further. It will simply move on to another, a new vulnerable target, and launch the same attack there.”
Hackers favour the tried and tested
According to Chris Hinkley, senior security engineer at FireHost, the fact that the data for Q4 and Q3 2013 was so similar actually says a lot about the current cybersecurity landscape. Namely that attackers are presently less inclined and less incentivised to develop new attack methods, or at least aren’t creating new malicious tools on a large scale.
“Attackers are still using relatively old attack methods and it’s easy to see why, there’s very little resistance from potential victims and the security industry is struggling to keep up. While new tools and delivery methods are created periodically, recent data breaches such as those suffered by the likes of SnapChat and Target bear proof that old-hat is still good enough. Security measures and countermeasures are not advancing at a quick enough pace to force attackers to be incredibly innovative. There are still many potential victims vulnerable to attack using the same old exploits and tools.
“Until the information attackers seek is properly protected, and we break out of the status quo, intruders will stick to their favoured attacks and do well by them.”