The F5 Security Incident Response Team (F5 SIRT) helps customers tackle security incidents in real time. We reviewed all the reported incidents from January through August 2020 to see how the pandemic changed the cyberthreat landscape. To protect customer confidentiality, we do not mention specific organizations. We also do not divulge numbers, but instead compare levels of increase in incident reports.
Rise in Attacks during the Pandemic Lockdown
The first striking thing we saw in our review was the unprecedented rise of reported incidents at the beginning of the pandemic lockdown period in March 2020. The year started out slow, with the number of reported incidents in January of 2020 at half the average reported in previous years. However, as the pandemic shelter-in-place took effect in March of 2020, reported incidents rose sharply. They plateaued with a threefold spike over previous years in April and only began to return to normal in May and June. In July, however, they started to creep back up to twice the 2019 level. Figure 1 shows reported attacks for the January through August time period for the past three years.
What Were These F5 SIRT-Reported Incidents?
The phrase "reported security incidents" refers to an aggregate measure of several kinds of attacks in which customers sought help from the F5 SIRT. Primarily, these attacks fell into two large buckets: distributed denial-of-service (DDoS) and password login attacks. Password login attacks consisted of brute force and credential stuffing attacks. Both of these involve attackers trying to guess their way past a password login.
Over the period of January through August, 45% of reported security incidents were DDoS and 43% were password login attacks. The remaining 12% of reported security incidents were for things like malware infections, web attacks, or attacks that were unclassified.
As seen in Figure 2, DDoS attacks dominated the pandemic lockdown incidents. Reports of DDoS attacks started off as just a tenth of reported incidents in January, but then grew to three times that of all incidents in March. DDoS has remained significant on an ongoing basis.