The F5 Security Incident Response Team (F5 SIRT) helps customers tackle security incidents in real time. In 2020, we wrote about what happened at the beginning of the pandemic based on F5 SIRT cases. Now we're looking back at all F5 SIRT cases from the beginning of 2018 to the end of 2020. We’re going to break down what changed and what didn’t in the cyberthreat landscape because of the pandemic. To protect customer confidentiality, we do not mention specific organizations. We won’t divulge specific numbers but will instead compare increase levels in incident reports. But first, a quick summary of our findings before we dig deeper:
- In an average year, password login attacks made up 32% of all reported security incidents.
- U.S. and Canadian organizations had the highest percentage (45%) of reported password login attack incidents.
- Organizations based in Asia, the Pacific, People's Republic of China, and Japan (APCJ) had the highest percentage (57%) of reported denial-of-service (DoS) attack incidents, followed by organizations based in Europe, the Middle East, and Africa (EMEA) at 45%.
- Financial service organizations had the highest percentage (46%) of reported password login attack incidents, followed by public sector organizations at 39%.
- Service providers and educational organizations had the highest percentage (59%) of reported DoS attack incidents.
- Four percent of all reported security incidents were API-related, with 75% of those incidents involving password login attacks. Of the reported API security incidents, 38% were from financial service organizations and 13% were from service providers.
A Note on Classifications
When we talk about password login attacks, we mean incident data on brute force attacks combined with incident data on credential stuffing attacks. Both attack types involve automated attempts to log in that usually overwhelm a victim’s authentication system. Denial-of-service (DoS) attacks encompass the entire gamut of distributed DoS attacks, including direct denial attacks on DNS systems. We discuss these nuances in more detail below.
Trends and Leaders
The F5 SIRT takes calls from customers around the world in all major industry sectors. But before we discuss the details, let’s make sure we’re not comparing apples to kumquats. Since our data set is from F5 customer reports, and we know that our customer base is not perfectly distributed across all regions and industry sectors, we don’t want our analysis to be skewed or one region or sector to be overrepresented in the data. So, we need to resolve this before comparing.
What we’ve done is compare the percentages of the reported incidents within a category. For example, if we see a hundred security incidents from the elven shoe manufacturing sector and 30 of them are DoS attacks, we’ll report that as “30% of elven shoemakers reported DoS attacks.” Then, we can compare this percentage against others, such as, “But we also see that only 10% of goblin sock knitters reported DoS attacks.”
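The normalization described above, together with the roll-up from the classification note, as an added example (not F5's code or data): raw labels are folded into the report's combined classes, then each class is expressed as a share of its own sector's incidents. The raw label names and all counts are constructed assumptions; the goblin sector is given the larger raw DoS count to show why raw counts alone mislead.

```python
from collections import Counter, defaultdict

# Roll-up of raw incident labels into the report's two combined classes.
# The raw label names are assumptions made for this example.
CLASS_MAP = {
    "brute_force": "password_login",
    "credential_stuffing": "password_login",
    "ddos": "dos",
    "dns_dos": "dos",
}

def classify(raw_label):
    """Map a raw label to its combined class; anything else is 'other'."""
    return CLASS_MAP.get(raw_label, "other")

def share_within_category(incidents):
    """Return {category: {class: percent of that category's own incidents}}."""
    counts = defaultdict(Counter)
    for category, raw_label in incidents:
        counts[category][classify(raw_label)] += 1
    shares = {}
    for category, by_class in counts.items():
        total = sum(by_class.values())
        shares[category] = {c: round(100 * n / total, 1) for c, n in by_class.items()}
    return shares

def raw_counts(incidents, wanted_class):
    """Raw incident counts per category for one class (the skewed view)."""
    out = Counter()
    for category, raw_label in incidents:
        if classify(raw_label) == wanted_class:
            out[category] += 1
    return dict(out)

# Constructed sample: 100 incidents from one sector, 400 from another.
SAMPLE = (
    [("elven_shoes", "ddos")] * 20
    + [("elven_shoes", "dns_dos")] * 10
    + [("elven_shoes", "credential_stuffing")] * 50
    + [("elven_shoes", "web_exploit")] * 20
    + [("goblin_socks", "ddos")] * 40
    + [("goblin_socks", "brute_force")] * 160
    + [("goblin_socks", "web_exploit")] * 200
)

if __name__ == "__main__":
    print(raw_counts(SAMPLE, "dos"))      # goblins lead on raw count
    print(share_within_category(SAMPLE))  # elves lead on within-sector share
```
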
For this report, we break out regions: specifically, U.S./Canada, EMEA, Latin America (LatAm), and APCJ. Some regions see more of some types of attacks than others. Password login attacks are the most reported type of incident in the United States and Canada, at 45% of all their reported incidents (see Figure 1).
DoS attacks were the highest reported calls for APCJ (57%) and second highest for EMEA (47%), as shown in Figure 2.
Why is APCJ so much higher than U.S./Canada? We suspected there was something more to the story there, so we took a closer look at how DoS changed regionally over time (see Figure 3).