Lessons learned from blocking 100 million cyber attacks
Using real-life data from the 100m+ malicious hack attempts FireHost blocked in the last 12 months, they produced a Superfecta report which contains a quarter-by-quarter guide to the biggest cybercrime trends and incidents in 2013, including expert analysis from both FireHost’s IT security teams and partners.
Key overall findings and trends for 2013:
- FireHost blocked more than 100m cyber attacks in 2013
- Cross-Site Scripting and SQL Injection were the most popular attack types in 2013
- Hackers launched more attacks from the commodity cloud than ever before
- FireHost’s data suggested the existence of a “blackholing’ effect
- Major security incidents such as the Target data breach lowered the number of attacks on corporate web applications.
Chris Drake, FireHost CEO and founder, outlined the purpose of FireHost’s Superfecta report, “Cyber attacks may seem like random incidents at the time, but when you have the kind of malicious attack data that we have developed over the last year, you can begin to correlate these attack trends with 2013’s biggest data breach stories – of which there were many.”
“FireHost is working very closely with other leaders and innovative practitioners in the cyber security community to track, document and block attacks as soon as we encounter them. It is one of the major reasons for producing the quarterly Superfecta report.”
The year of XSS and SQL Injection
The first quarter of 2013 set the tone for what was to come in the next 12 months. Cross-Site Scripting was the most prevalent Superfecta attack type in Q1 (with 1.2m attacks blocked) and it would continue to be so throughout the year, growing in popularity very slightly each quarter. SQL Injection attacks would follow a similar trend, increasing in volume substantially over quarters one, two and three.
Typically the preserve of only the most talented hackers, the increased popularity of SQL Injection and the possibility that these attacks were becoming easier to automate was cause for particular concern. FireHost issued a stark warning on the issue as part of its Q3 Superfecta report, where SQL Injection attacks had surged by nearly 100,000 compared to Q2.
The year hackers turned to the commodity cloud
During Q2 2013 FireHost blocked almost 24 million cyberattacks, including a large percentage increase in the number of common web attacks. In an attempt to uncover the root cause behind this trend, FireHost security experts discovered that blended, automated attacks were being used increasingly from within cloud service provider networks. Indeed this is supported security services provider Solutionary’s claims that Amazon’s public cloud service hosts more malware than any other provider. In a recent IT security report, the company suggested that commodity cloud providers had “made it economical for malicious actors to use their services to infect millions of computers and vast numbers of enterprise systems.”
FireHost CEO and founder, Chris Drake explains the reasons behind this worrying trend, “Cybercriminals can easily deploy and administer powerful botnets that run on cloud infrastructure. Unfortunately, many cloud providers donʼt adequately validate new customer sign-ups so opening accounts with fake information is quite easy.”
2013’s biggest IT security incidents
The biggest data breach incident in 2013 befell American retailing giant, Target, which exposed data from as many as 110 million customers – the ramifications of which have continued to develop this year. As well as the blackholing effect outlined in FireHost’s Q4 Superfecta report, Tom Byrnes, ThreatSTOP CEO, believes that the decreased number of attacks blocked by FireHost during Q4 2013 could be down to this single data breach.
“The Target data breach was monumental and it’s no surprise that it had an impact on FireHost’s attack data. There are only a few hundred criminal gangs worldwide running this kind of cybercrime operation so the actions of just a few can signal a big shift in the industry as a whole. We certainly saw this in the build up to the Christmas period and the Target attack. During this time, smart hackers may have ignored FireHost’s servers completely and focussed all their efforts on obtaining consumer data during the busy online retail season. Others would simply have been too busy running up charges on Target customers’ credit cards to bother with doing anything else.
“It was a similar case in spring/summer 2013. The number of attacks filtered by FireHost’s IPRM service fell dramatically and I wouldn’t be surprised if this was, in part, due to the big IRS data breach. Organized criminals were too busy snatching identities and stealing billions of dollars in tax refunds to worry about targeting corporate data, such as the applications hosted on FireHost’s infrastructure.”
Chris Hinkley CSSIP and senior security architect at FireHost continued, “It’s interesting to compare attack trends and attack sources with the publicised information about known data breaches and attacks.
“As traffic from somewhat organized sources, e.g. botnets and other known bad IPs, is significantly greater than it is with the more usual DDoS style attacks, this usually correlates to hackers discovering a new exploit or attack type, and a broad sweeping effort to find susceptible targets. This may have very well been the case with the recent Target breach. It’s come to light that the Target breach may have come from just a single coordinated attack, in which hackers compromised several stores. What can be learnt from this is that, even though you may not think your business will draw direct attention from hackers, you can be certain there is a high chance that your servers are being probed by opportunistic cybercriminals who are constantly looking for that easy “open window’ in.”