FireHost Superfecta 2013 Year in Review

February 19, 2014

Lessons learned from blocking 100m cyber attacks: FireHost releases 2013 Superfecta report

Dallas, TX – February 19, 2014 — FireHost, the secure cloud hosting company, today announced the release of its 2013 year in review Superfecta report. Using real-life data from the 100m+ malicious hack attempts FireHost blocked in the last 12 months, the Superfecta report contains a quarter-by-quarter guide to the biggest cybercrime trends and incidents in 2013, including expert analysis from both FireHost’s IT security teams and partners.

Key overall findings and trends for 2013

  • FireHost blocked more than 100m cyber attacks in 2013
  • Cross-Site Scripting and SQL Injection were the most popular attack types in 2013
  • Hackers launched more attacks from the commodity cloud than ever before
  • FireHost’s data suggested the existence of a ‘blackholing’ effect
  • Major security incidents such as the Target data breach lowered the number of attacks on corporate web applications

Chris Drake, FireHost CTO and founder, outlined the purpose of FireHost’s Superfecta report, “Cyber attacks may seem like random incidents at the time, but when you have the kind of malicious attack data that we have developed over the last year, you can begin to correlate these attack trends with 2013’s biggest data breach stories – of which there were many.

“FireHost is working very closely with other leaders and innovative practitioners in the cyber security community to track, document and block attacks as soon as we encounter them. It is one of the major reasons for producing the quarterly Superfecta report.”

The year of Cross-Site Scripting and SQL Injection

The first quarter of 2013 set the tone for what was to come in the next 12 months. Cross-Site Scripting was the most prevalent Superfecta attack type in Q1 (with 1.2m attacks blocked) and it would continue to be so throughout the year, growing in popularity very slightly each quarter. SQL Injection attacks would follow a similar trend, increasing in volume substantially over quarters one, two and three.

Typically the preserve of only the most talented hackers, the increased popularity of SQL Injection and the possibility that these attacks were becoming easier to automate was cause for particular concern. FireHost issued a stark warning on the issue as part of its Q3 Superfecta report, where SQL Injection attacks had surged by nearly 100,000 compared to Q2.

The year hackers turned to the commodity cloud

During Q2 2013 FireHost blocked almost 24 million cyberattacks, including a large percentage increase in the number of common web attacks. In an attempt to uncover the root cause behind this trend, FireHost security experts discovered that blended, automated attacks were being used increasingly from within cloud service provider networks. Indeed this is supported by security services provider Solutionary’s claims that Amazon’s public cloud service hosts more malware than any other provider. In a recent IT security report, the company suggested that commodity cloud providers had “made it economical for malicious actors to use their services to infect millions of computers and vast numbers of enterprise systems.”

FireHost CTO and founder, Chris Drake explains the reasons behind this worrying trend, “Cybercriminals can easily deploy and administer powerful botnets that run on cloud infrastructure. Unfortunately, many cloud providers donʼt adequately validate new customer sign-ups so opening accounts with fake information is quite easy.”

FireHost uncovers new ‘blackholing’ effect

Powered by ThreatSTOP, FireHost’s new IP Reputation Management (IPRM) filter was implemented in Q4 2012 and the data was analyzed in each of FireHost’s 2013 reports. Using this data, FireHost’s IT security teams have since discovered evidence of a positive ‘blackholing’ side effect, whereby FireHost’s IPRM filters have, over time, helped to hide FireHost’s customers’ IPs from would-be hackers, by making them resemble darknet/honeypot space. No attacker wants to be detected by connecting to darknets and will take extra care to avoid them.

Indeed, the blackholing effect has contributed to the total number of attacks blocked by FireHost dropping from 32m in Q3 2013 to 23m in Q4 2013.

2013’s biggest IT security incidents explained using FireHost data

The biggest data breach incident in 2013 befell American retailing giant, Target, which exposed data from as many as 110 million customers – the ramifications of which have continued to develop this year. As well as the blackholing effect outlined in FireHost’s Q4 Superfecta report, Tom Byrnes, ThreatSTOP CEO, believes that the decreased number of attacks blocked by FireHost during Q4 2013 could be down to this single data breach.

“The Target data breach was monumental and it’s no surprise that it had an impact on FireHost’s attack data. There are only a few hundred criminal gangs worldwide running this kind of cybercrime operation so the actions of just a few can signal a big shift in the industry as a whole. We certainly saw this in the build up to the Christmas period and the Target attack. During this time, smart hackers may have ignored FireHost’s servers completely and focussed all their efforts on obtaining consumer data during the busy online retail season. Others would simply have been too busy running up charges on Target customers’ credit cards to bother with doing anything else.

“It was a similar case in spring/summer 2013. The number of attacks filtered by FireHost’s IPRM service fell dramatically and I wouldn’t be surprised if this was, in part, due to the big IRS data breach. Organized criminals were too busy snatching identities and stealing billions of dollars in tax refunds to worry about targeting corporate data, such as the applications hosted on FireHost’s infrastructure.”

Chris Hinkley CISSP and senior security architect at FireHost continued, “It’s interesting to compare attack trends and attack sources with the publicised information about known data breaches and attacks.

“As traffic from somewhat organized sources, e.g. botnets and other known bad IPs, is significantly greater than it is with the more usual DDoS style attacks, this usually correlates to hackers discovering a new exploit or attack type, and a broad sweeping effort to find susceptible targets. This may have very well been the case with the recent Target breach. It’s come to light that the Target breach may have come from just a single coordinated attack, in which hackers compromised several stores. What can be learnt from this is that, even though you may not think your business will draw direct attention from hackers, you can be certain there is a high chance that your servers are being probed by opportunistic cybercriminals who are constantly looking for that easy ‘open window’ in.”

*Superfecta

The Superfecta consists of four distinct web-application attack types that pose the most serious threat to businesses, comprising Cross-site Request Forgery (CSRF), Cross-site Scripting (XSS), SQL Injection and Directory Traversal.

Definitions

  • Cross-site Scripting (XSS) – Cross-site scripting involves the insertion of malicious code into webpages in order to manipulate website visitors. It is used by attackers for a range of reasons, from simply interfering with websites to launching phishing attacks against web users.
  • Directory Traversal – A Path Traversal attack aims to access files and directories that are stored outside the web root folder.
  • Cross-Site Request Forgery (CSRF) – CSRF is an attack that forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.
  • SQL Injection – SQL Injection involves the entering of malicious commands into URLs and text fields on websites that happen to be vulnerable, usually in an attempt to steal the contents of databases storing valuable data such as credit card details or usernames and passwords. The attack vector has been associated with many high profile data breaches.

About FireHost

FireHost offers the most secure, managed cloud IaaS available, protecting sensitive data and brand reputations of some of the largest companies in the world. With private, cloud infrastructure built for security, compliance, performance and managed service, responsible businesses choose FireHost to reduce risk and improve the collection, storage and transmission of their most confidential data. FireHost’s secure, managed cloud IaaS is available in Dallas, Phoenix, London, Amsterdam and Singapore, and offers robust, geographically redundant business continuity options across all sites. Based in Dallas, FireHost is the chosen secure private cloud service provider for brands that won’t compromise on the security of their payment card, healthcare, and other regulated data.