Report on Cyber Security Alerts Processed by CERT-RO in 2015
Author(s): CERT-RO
Issue: Volume 5, Issue 1, Year 2016
The objective of this report is to analyze the cybersecurity alerts collected and processed by CERT-RO in 2015, in order to obtain an overview of the events relevant to evaluating the cybersecurity risks to which the cyber infrastructures on Romanian territory, which fall under the CERT-RO constituency, are exposed.
During the reference period (01.01.2015 – 31.12.2015), CERT-RO collected and processed 68,206,856 cybersecurity alerts, a drop of 13% compared to 2014 (78,769,993), out of which:
- Alerts collected and processed automatically (feeds): 68,205,633;
- Alerts collected and processed manually (email ticketing): 1,223;
Within the context of this report, a cybersecurity alert means any report containing an IP address or a web domain/URL and referring to a possible cybersecurity incident or event which involves, or might involve, information systems in the national cyberspace held or managed by natural or legal persons from Romania.
The alerts collected by CERT-RO in 2015 concerned a set of 2,321,931 unique IP addresses. The total number of unique IPs assigned to organizations from Romania is 8,958,498, down from 2014 (approximately 10 million) and 2013 (approximately 13.5 million).
Following the analysis of the cybersecurity alerts collected by CERT-RO in 2015, the following have been determined:
- 26% (2.3 mil.) of the total unique IPs assigned to the national cyberspace were involved in at least one cybersecurity alert processed by CERT-RO in 2015, compared to 24% (2.4 mil.) in 2014 and 16% (2.2 mil.) in 2013;
- 78% (53 mil.) of the collected and processed alerts relate to vulnerable information systems, i.e. unsecured or inadequately configured systems. Some of these systems are used by attackers to launch cyber-attacks on other targets and to hide their identity; in most cases it is not even necessary to compromise them, it is enough to use the services they expose (such as open DNS resolvers, proxy servers without authentication, NTP servers with inadequate configuration, etc.);
- 20.78% (14 mil.) of the collected and processed alerts relate to information systems infected with various types of malicious software (malware), characterised by mechanisms which allow attackers to control the infected systems remotely;
- 64% (3 mil.) of the total number of incidents resulting from the processing of alerts (section 3.2) consist of information systems which are part of botnets, with the risk that they may be used for cyber-attacks on targets in Romania or abroad;
- 17,088 „.ro” domains were reported to CERT-RO as compromised in 2015, a rise of approximately 58% compared to 2014 (10,759) and 2013 (10,239). Out of the 855,997 domains registered in Romania in February 2015, this number represents approximately 2% of all „.ro” domains and approximately 6.5% of the active „.ro” domains.
Types of alerts processed by CERT-RO
CERT-RO processes two types of cyber-security alerts:
- Alerts collected and sent through automatic systems. These alerts are sent by specialized organizations which operate detection systems for cybersecurity incidents. The majority of such alerts (99%) are processed automatically by CERT-RO and forwarded to the internet service providers (ISPs) who hold or manage the infrastructures targeted by the alerts (IP, domain/URL, etc.). For such alerts, CERT-RO does not have precise data on the user of the IP address; only the ISP can identify the user, and the ISP is in fact expected to forward the alert to its client as well;
- Manually processed alerts. These are significantly fewer than the automatic ones, but they contain more complete and relevant information about the incident and the affected organization, as well as about the source and method of attack. In most cases, the data is collected from the affected entities (natural or legal persons from the country or abroad) by the CERT-RO analysts, once the incident is reported.
Consequently, in terms of cybersecurity analysis, these alerts are much more valuable, because they better reflect the evolution of a security incident.
Statistics based upon the alerts received
The number of alerts collected by CERT-RO in 2015 dropped by 13% (68,206,856) compared to 2014 (78,769,993), as also shown in Fig. 1.
Fig. 1 – Evolution in the number of alerts collected in 2013, 2014, and 2015
The drop in the number of alerts collected in 2015 compared to 2014 can be explained by the fact that a part of the vulnerable information systems (open DNS resolvers, proxy servers without authentication, NTP servers with inadequate configuration, etc.) had been remediated in the course of the previous year.
The large number of alerts presented in the CERT-RO reports underlines the institution's need for high-performance systems able to automatically process and disseminate a large volume of data.
3.1. Alert distribution depending on the class (alert category)
The alerts collected and processed by CERT-RO have been classified according to a taxonomy which defines several alert classes and types (an alert class is a generic category which may include several specific alert types).
The table and graphic below show the distribution of the 5 most frequent alert categories by number of alerts.
Tab. 1 – Top 5 security alerts, on alert classes (categories)
Fig. 2 – Alert distribution on classes (categories)
3.2. The alerts’ distribution on number of incidents
Given that some of the alerts collected by CERT-RO are repetitive, meaning that more than one alert refers to the same IP address and the same problem (alert class / type), the alerts have been de-duplicated by grouping them into incidents.
The general principle behind the grouping of alerts into incidents was to gather all alerts which refer to the same information system and the same type of problem (alert class / type).
Since the alerts collected by CERT-RO only refer to public IP addresses, the exact number of affected information systems (victims) cannot be determined, for the following two reasons:
- Internet service providers (ISPs) assign public IP addresses to residential clients dynamically (DHCP), so that over a calendar year a public IP address can be assigned to several clients;
- A public IP address can be the internet gateway of an infrastructure composed of several information systems, so behind a single public IP address there can be several information systems.
Under these circumstances, alerts have been grouped into incidents as follows:
- Alerts regarding vulnerabilities have a significant weight in the total number of alerts (78.33%). Such vulnerabilities refer to applications and services running on server-type platforms (web servers, database servers, time servers, etc.), whose IP addresses are not dynamically assigned and which generally do not change their IP address often. Consequently, for vulnerability alerts we considered it sufficient to aggregate by IP address and alert class/type;
- Botnet-type alerts, with a weight of 20.78%, refer to information systems belonging to home users which are infected with various types of botnet malware. In the majority of cases, the IP addresses of such systems are assigned dynamically. Consequently, botnet alerts have been grouped into incidents based on the IP address, the alert class/type, and the time elapsed between two reports (up to 14 days).
In conclusion, grouping the alerts into incidents according to the algorithm and considerations above resulted in 4,900,651 incidents in 2015, distributed according to the table and graphic below.
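The grouping rule described above, as an added example written for this page (it is not code from the CERT-RO report, whose actual implementation is not published here). The alert record layout (`ip`, `class`, `type`, `ts`), the class labels `vulnerability` and `botnet`, and the sample feed are assumptions; the two aggregation rules and the 14-day window are taken from the text. The sample is deliberately built so that vulnerability alerts dominate by count while botnet incidents dominate after grouping, which is the effect the report describes.

```python
"""
Alert-to-incident grouping in the style of CERT-RO section 3.2 (added example).

Assumptions (not from the report): alerts are dicts with the fields
'ip', 'class', 'type' and 'ts' (datetime); the class names are placeholders
for the report's taxonomy; the sample feed below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

BOTNET_GAP = timedelta(days=14)   # report: at most 14 days between two reports
DYNAMIC_CLASSES = {"botnet"}      # classes whose hosts usually sit on DHCP-assigned IPs


def _incident(ip, cls, typ, first, last, n) -> dict:
    return {"ip": ip, "class": cls, "type": typ,
            "first": first, "last": last, "alerts": n}


def group_incidents(alerts: List[dict]) -> List[dict]:
    """Collapse repeated alerts into incidents.

    Static-address classes (vulnerabilities on servers): one incident per
    (ip, class, type) for the whole period, however many times it was reported.
    Dynamic-address classes (botnet infections): one incident per
    (ip, class, type) for each run of reports in which consecutive reports are
    at most BOTNET_GAP apart; a longer silence starts a new incident, because
    the address may meanwhile have been reassigned to another subscriber.
    """
    by_key: Dict[Tuple[str, str, str], List[datetime]] = defaultdict(list)
    for a in alerts:
        by_key[(a["ip"], a["class"], a["type"])].append(a["ts"])

    incidents: List[dict] = []
    for (ip, cls, typ), stamps in by_key.items():
        stamps.sort()
        if cls not in DYNAMIC_CLASSES:
            incidents.append(_incident(ip, cls, typ, stamps[0], stamps[-1], len(stamps)))
            continue
        # Dynamic addresses: split the sorted timeline wherever the gap exceeds the window.
        start = prev = stamps[0]
        count = 0
        for ts in stamps:
            if ts - prev > BOTNET_GAP:
                incidents.append(_incident(ip, cls, typ, start, prev, count))
                start, count = ts, 0
            count += 1
            prev = ts
        incidents.append(_incident(ip, cls, typ, start, prev, count))
    return incidents


def share_by_class(records: List[dict]) -> Dict[str, float]:
    """Fraction of records per alert class; works for raw alerts and for incidents."""
    totals: Dict[str, int] = defaultdict(int)
    for r in records:
        totals[r["class"]] += 1
    n = sum(totals.values())
    return {cls: round(c / n, 4) for cls, c in totals.items()}


def constructed_sample() -> List[dict]:
    """Constructed sample feed (not real CERT-RO data)."""
    base = datetime(2015, 1, 1)
    alerts = []
    # An open DNS resolver on a server address, picked up by a weekly scan all year.
    for week in range(52):
        alerts.append({"ip": "203.0.113.10", "class": "vulnerability",
                       "type": "open-resolver", "ts": base + timedelta(weeks=week)})
    # A residential address seen in a sinkhole on days 1, 5, 30 and 31:
    # the 25-day silence between day 5 and day 30 splits it into two incidents.
    for day in (1, 5, 30, 31):
        alerts.append({"ip": "198.51.100.7", "class": "botnet",
                       "type": "sinkhole", "ts": base + timedelta(days=day)})
    # A second residential address seen once.
    alerts.append({"ip": "198.51.100.99", "class": "botnet",
                   "type": "sinkhole", "ts": base + timedelta(days=200)})
    return alerts


if __name__ == "__main__":
    sample = constructed_sample()
    print("alerts by class:   ", share_by_class(sample))
    print("incidents by class:", share_by_class(group_incidents(sample)))
```

On the constructed feed, 57 alerts (91% vulnerability, 9% botnet) collapse to 4 incidents (25% vulnerability, 75% botnet): a single vulnerable server reported every week all year counts once, while the residential address is split into two incidents by the 25-day gap. Note that the 14-day rule is a heuristic: an address that stays with the same subscriber but is only sighted every few weeks will be over-counted, and one reassigned within the window will be under-counted.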
Tab. 2 – Distribution of alerts on number of incidents
Fig. 3 – Alert distribution on incidents
The statistics based on the aggregation of the collected alerts into incidents show that the main problem of the national cyberspace is information systems which are part of botnets (64%), even though the statistics based on the number of alerts show that 78% of alerts refer to vulnerabilities and only 20% to botnets. This is because vulnerability alerts are more repetitive: many of the targeted systems stay vulnerable for a long period of time and are therefore reported several times.
3.3. Malware types typical for the Romanian cyberspace
20% of the total alerts collected and processed by CERT-RO in 2015 also contain information on the type of malware associated with the alert (e.g. botnet-type alerts or those referring to malicious URLs).
Tab. 3 – Top 10 malware types in Romania 2015
3.4. Types of affected information systems
23.87% of the total alerts collected and processed by CERT-RO in 2015 also contain information on the operating system of the information systems targeted by the alerts.
Tab. 4 – Distribution of the total alerts by affected operating system
3.5. Peculiarities of the manually processed alerts
In addition to the automatic alerts, during the reference period CERT-RO analysts handled a set of cybersecurity alerts reported directly by people or organizations in the country or abroad, classified as manually processed alerts.
These are significantly fewer than the automatic ones, but they contain more complete and more relevant information on the incident, the affected organization, and the source and method of attack; in most cases the data is collected from the affected entities (natural or legal persons in the country or abroad) by the CERT-RO analysts, once the incident is reported.
In total, during the reference period, CERT-RO collected 1,223 manually processed alerts, distributed as follows:
Tab. 5 – Distribution of individual alerts
The remaining 8% of the manually processed alerts fall into various alert classes and types, such as botnet, spam, defacement, brute force, malware, or disclosure of confidential information.
The table below shows the 5 most affected types of systems, extracted from the alerts manually processed by CERT-RO.
Tab. 6 – Distribution of manually processed alerts on types of affected systems
3.6. Compromised ”.ro” domains
Throughout the reference period, CERT-RO received alerts regarding 17,088 compromised ”.ro” domains.
Out of the 855,997 domains registered in Romania in February 2015, this number represents approximately 2% of all ”.ro” domains and approximately 6.5% of the active ”.ro” domains.
The distribution of the affected domains according to the type of incident can be found in the table below:
Tab. 7 – Compromised .ro domains
Conclusions
Based upon the findings above, the following conclusions can be drawn:
- The cyber threats and vulnerabilities targeting the national cyberspace continue to become more diverse, as shown by the fact that in 2015 CERT-RO introduced new types of alerts;
- Most collected alerts refer to vulnerable information systems (inadequately configured or unsecured) and to information systems infected with various types of botnet malware;
- Either category of system can be used as an intermediary (proxy) for running attacks on targets outside the country, thus representing a potential threat to other internet-connected systems;
- Home network devices (e.g. wireless routers) and devices in the Internet of Things (IoT) category (web cameras, smart TVs, smartphones, printers, etc.), once connected to the internet, become targets for attackers, who exploit their vulnerabilities to compromise the network they are connected to or to launch attacks on other targets on the internet;
- Some Romanian entities have been the target of targeted and complex cyber-attacks of the APT (Advanced Persistent Threat) type, launched by groups which have the capacity and motivation to attack a target persistently in order to obtain some benefit (usually access to confidential information);
- Romania is both a country that generates cybersecurity incidents and a (transit) proxy for attackers from outside the national territory, through the use of vulnerable or compromised information systems which are part of the national cyberspace.
Although the technical aspects described above make it impossible to identify the exact number of devices or people behind the over 2.3 mil. IP addresses or 68 mil. alerts reported to CERT-RO, it must be kept in mind that they cover approximately 26% of the national cyberspace (relative to the number of IPs assigned to RO); it is therefore necessary to take measures to resolve the situation, with the involvement of all actors with technical or legal responsibilities.
Publication: International Journal of Information Security and Cybercrime (IJISC)
ISSN: 2285-9225, e-ISSN: 2286-0096
Section: Cyber-Attacks Evolution and Cybercrime Trends
Page Range: 89-100