FireHost is a secure cloud company that protects the applications and data of organisations with the most stringent compliance needs, keeping them safe from the latest threats and hacks being deployed by online criminals.
Protecting this data and the reputation of its customers is of paramount importance to FireHost and, to this end, the company blocked more than 100m attacks in 2013 alone.
FireHost’s IT security teams and partners have compiled a new attack report using real-life data from each and every one of the 100m+ malicious hack attempts that FireHost blocked over the past year. The results formed FireHost’s ‘Superfecta: Year in review’ report, a detailed analysis of hacker behaviour and the biggest IT security trends of 2013.
TechRadar Pro: TechRadar Pro talks to FireHost founder Chris Drake to find out more.
CD: What’s the purpose of this report and why does FireHost publicise the data of its blocked attacks?
FireHost is in a unique position to deliver both an accurate and comprehensive overview of cybercrime trends and we are working very closely with other leaders and innovative practitioners in the cybersecurity community to track, document and block attacks as soon as we encounter them.
It is one of the major reasons for producing the quarterly Superfecta report. By communicating all known instances of attacks to web applications, we are all able to better understand and respond to threats.
Cyber attacks may seem like random incidents at the time, but when you have the kind of malicious attack data that we have collected over the last year, you can begin to correlate these attack trends with 2013’s biggest data breach stories – of which there were many.
TRP: What are the four ‘Superfecta’ attack types and what makes them so special?
CD: Although our report takes many different types of attack into account, the Superfecta consists of four distinct web-application attack types that we think pose the most serious threat to businesses.
Cross-Site Request Forgery (CSRF), an attack that forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.
Cross-site Scripting (XSS), the insertion of malicious code into webpages in order to manipulate website visitors. It is used by attackers for a range of reasons, from simply interfering with websites to launching phishing attacks against web users.
SQL Injection, the entering of malicious commands into URLs and text fields on websites that happen to be vulnerable, usually in an attempt to steal the contents of databases storing valuable data such as credit card details or usernames and passwords. This attack vector has been associated with many high profile data breaches.
Directory Traversal – A Path Traversal attack aims to access files and directories that are stored outside the web root folder.
TRP: According to your stats, what were the most popular or fastest growing attack types in 2013?
CD: 2013 was the year of Cross-Site Scripting and SQL Injection, with the first quarter of 2013 setting the tone for what was to come in the next 12 months.
Cross-Site Scripting was the most prevalent Superfecta attack type and it would continue to be so throughout the year, growing in popularity very slightly each quarter. SQL Injection attacks would follow a similar trend, increasing in volume substantially over quarters one, two and three.
TRP: Did you notice any new trends within the hacking community last year that the IT industry should be aware of?
CD: This year we saw a large percentage increase in the number of common web attacks and, in an attempt to uncover the root cause behind this trend, our security experts discovered that blended, automated attacks were being used increasingly from within cloud service provider networks.
The reason behind this worrying trend could be due to the fact that cybercriminals can easily deploy and administer powerful botnets that run on cloud infrastructure. Unfortunately, many cloud providers donʼt adequately validate new customer sign-ups, so opening accounts with fake information is quite easy.
TRP: These stats may seem a bit abstract on their own, has FireHost been able to match its figures against specific security incidents in 2013 such as the Target data breach?
CD: Absolutely, there was a significant decrease in the number of attacks blocked by FireHost following this incident and we believe this could be down to the Target data breach alone.
Tom Byrnes, CEO of FireHost partner, ThreatSTOP, summed up the situation incredibly well as part of our full report so I’ll defer to him here:
"The Target data breach was monumental and it’s no surprise that it had an impact on FireHost’s attack data. There are only a few hundred criminal gangs worldwide running this kind of cybercrime operation so the actions of just a few can signal a big shift in the industry as a whole.
"We certainly saw this in the build up to the Christmas period and the Target attack. During this time, smart hackers may have ignored FireHost’s servers completely and focussed all their efforts on obtaining consumer data during the busy online retail season. Others would simply have been too busy running up charges on Target customers’ credit cards to bother with doing anything else.
"It was a similar case in spring/summer 2013. The number of attacks filtered by FireHost’s IPRM service fell dramatically and I wouldn’t be surprised if this was, in part, due to the big IRS data breach. Organized criminals were too busy snatching identities and stealing billions of dollars in tax refunds to worry about targeting corporate data, such as the applications hosted on FireHost’s infrastructure."
TRP: With so many cyber attacks, there are bound to be a few anomalies – are there any that stand out and how would FireHost go about explaining them?
CD: Interestingly, FireHost’s IT security teams discovered evidence of a positive ‘blackholing’ side effect this year, whereby FireHost’s IP Reputation Management (IPRM) filters have, over time, helped to hide FireHost’s customers’ IPs from would-be hackers, by making them resemble darknet/honeypot space.
No attacker wants to be detected by connecting to darknets and will take extra care to avoid them. Indeed, the blackholing effect has contributed to the total number of attacks blocked by FireHost dropping from 32m in Q3 2013 to 23m in Q4 2013.
TRP: Do you have any final words of advice for companies looking to secure their online data?
CD: Even though you may not think your business will draw direct attention from hackers, you can be certain there is a high chance that your servers are being probed by opportunistic cybercriminals who are constantly looking for that easy ‘open window’ in.