Given that we protect APIs, websites, apps, and the like from hackers and denial of service attacks, you can imagine that the last week has been an interesting time for Snapt. We've largely stayed quiet, but we're often asked questions like "what are you seeing from Russia?" and so on. The answers are often counterintuitive.
Fewer Unique Active Threats From Russia
In the last week, we've seen around 25% fewer unique active threats from Russia – an active threat being a single unique system (cloud instance, server, etc.) that has engaged in attacks within the last 24 hours. Although daily counts fluctuate greatly, the number of unique attackers originating in Russia is down by an average of 2,500 per day.
Threats Don't Come From Where You Expect
In everyday cyber security, it's very uncommon to see threats coming from the basement of a hacker. Similarly, in wartime, it's unlikely that we would see state-sponsored cyber threats coming directly from one combatant country.
Tracking threats is an extremely complex task, and the challenge increases dramatically when you try to identify the origin of a threat. It's effortless today to purchase a cloud account and launch servers in the US regardless of where you might be. You can then use these US-based servers to launch attacks.
To give you an idea, the host with the most current active threats is a cloud provider in the US, not Russia.
Behavior Matters More Than Geography
An interesting statistic from our threat intelligence platform is that the average threat is typically active for only 4 to 48 hours. These are often temporary cloud instances or compromised (hacked) servers belonging to another organization or user. Once they are cleaned up or reset, they are no longer hostile and need to be de-listed as threats.
This balance between blocking a system while it is dangerous and not blocking it once it no longer is means that threat identification today is driven by two key factors:
- Speed: we want to list and de-list threats as fast as possible.
- Accuracy: we don't want to list a non-threat or de-list an active threat.
Taking the "source" of the attack into consideration is mostly unhelpful in threat identification because we need to focus almost entirely on the actions of a system. I say "almost" because reputation (of the network, IP, host, location, and so on) still serves as an indicator of how likely a system is to be hostile.
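As an added illustration (not Snapt's code or platform), the following Python sketch implements the speed and accuracy trade-off described above: a host is listed purely on hostile actions observed within the 24-hour active window and drops off automatically once it goes quiet, while reputation (the "almost" above) only lowers the number of actions needed before listing and never lists a host on its own. The IP addresses, traffic and reputation tiers are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# An "active threat" is a host with hostile actions in the last 24 hours (from the post).
ACTIVE_WINDOW = timedelta(hours=24)

# Assumed reputation tiers: a worse reputation means fewer hostile actions are
# needed before listing, but geography or reputation alone never lists a host.
LISTING_THRESHOLD = {"good": 3, "unknown": 2, "poor": 1}


@dataclass
class HostState:
    reputation: str = "unknown"
    hostile_at: list = field(default_factory=list)  # timestamps of hostile actions


class BehaviouralThreatList:
    """Lists hosts on what they do, de-lists them when they go quiet."""

    def __init__(self):
        self.hosts = {}

    def observe(self, ip, ts, hostile, reputation="unknown"):
        state = self.hosts.setdefault(ip, HostState(reputation=reputation))
        if hostile:  # only hostile actions count as evidence
            state.hostile_at.append(ts)

    def is_listed(self, ip, now):
        state = self.hosts.get(ip)
        if state is None:
            return False
        # Prune stale evidence so a cleaned-up host is de-listed without manual work.
        state.hostile_at = [t for t in state.hostile_at if now - t <= ACTIVE_WINDOW]
        return len(state.hostile_at) >= LISTING_THRESHOLD[state.reputation]

    def listed(self, now):
        return sorted(ip for ip in self.hosts if self.is_listed(ip, now))


def demo():
    """Constructed sample traffic; returns the list now and again 30 hours later."""
    t0 = datetime(2022, 3, 1, 12, 0)
    tl = BehaviouralThreatList()
    # Compromised US cloud instance with a good reputation: a burst of hostile requests.
    for m in range(3):
        tl.observe("203.0.113.10", t0 - timedelta(minutes=m), hostile=True, reputation="good")
    # Host in a poorly-reputed range sending only legitimate traffic: never listed.
    tl.observe("198.51.100.7", t0, hostile=False, reputation="poor")
    # One hostile probe from a poorly-reputed range: listed on the first action.
    tl.observe("192.0.2.44", t0 - timedelta(hours=1), hostile=True, reputation="poor")
    return tl.listed(t0), tl.listed(t0 + timedelta(hours=30))
```

After 30 hours of silence both listed hosts fall off the list on their own, which is the "de-list as fast as possible" half of the trade-off.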
The cyber security data we are observing might challenge previous expectations.
- The sources, types, and lifespans of attacks are counterintuitive.
- Attacks typically do not come from the attacker but rather a botnet or set of recently compromised systems belonging to legitimate users.
- The "top threats" always exist in the countries, cities, or locations with the most cloud capacity as most of them are compromised systems.
- Identifying the "attacker" behind the system is nearly impossible, given the high number of attacks and the short lifetime of compromised servers.
- Protecting your assets from being used to attack others is critical.
It is important to align our cyber security strategies with reality and not with assumptions. In this case, the main lesson is that cyber warfare is not obviously drawn on territorial lines with a simplistic "frontier" model of defense.
The best defense to globalized security threats is to focus on behavioral analysis and rapid blocking/unblocking rather than geographic origin, and for cloud providers to remove compromised hosts as fast as possible to prevent attackers from leveraging their infrastructure.