Internet Security Systems - AlertCon(TM)

Mid-Year Threat Report

Posted by Holly Stewart on July 28, 2008 at 3:13 AM EDT.

We have just completed our mid-year threat report, which will be released tomorrow.  I wanted to say a few words about it, since the format and topics we cover are fairly different from what we've done in the past.  This report is significantly more detailed than previous reports.  Instead of simply presenting our standard statistics, we have really tried to dig deeper into our data set this (mid) year to present an analysis of the threat landscape that, we hope, will be much more valuable to you.

After running our initial statistics, we questioned and challenged the data, and kept re-analyzing the numbers with additional data points to find answers.  For example, we knew that image-based spam was disappearing, but what did this mean?  Is spam declining? (no)  If not, then what is replacing it?  As the report describes, spammers are going back to the basics and there’s nearly a mirror-image trend of image-based spam going down and these simpler techniques going up.

Similarly, we were well aware that new web application vulnerabilities pop up every week, but we had never calculated an exact percentage of how prevalent they were.  So, we did an analysis of how many disclosures were directly attributed to vulnerabilities in web applications versus everything else.  I can't tell you the percentage in this blog post today, but I can tell you that the answer was a bit shocking, especially when you consider that it doesn’t include custom-developed web applications.  We then took these vulnerabilities and broke them down into categories such as SQL injection, cross-site scripting, and so on.  Based on the SQL injection attacks we've been tracking in our alert, you can guess which category may have been most prevalent.  (As a side note, if you haven't checked out that alert lately, you may want to if you're using ColdFusion—these SQL injection attacks aren't showing any signs of slowing down and after their initial bout with ASP, they appear to be moving on to new targets.)

Another question we wanted to answer was related to who releases the most vulnerability disclosures, and I don't mean what organization or person in particular releases the most disclosures.  (Although some vendors may not admit this in public, I think it's fair to say that counting the number of disclosures you do is about as tired as counting how many signatures your product has—in the end, these numbers by themselves are a bit arbitrary.)  Our analysis instead focuses on what type of researcher (an independent researcher versus someone that is funded by an organization) discloses the most vulnerabilities, and we even go into some detail about the severity of the vulnerabilities they discover and the amount of disclosure detail that they provide.  There's more I'd like to say about this topic, but I'll wait until after the report has come out.

These aren’t the only topics in the report, of course.  There's a nice section on virtualization vulnerabilities, a brand new type of malware analysis that focuses on common malware behaviors, and great commentary from one of our top researchers, Tom Cross, about some of the most interesting disclosures and discoveries that happened in the first half of this year.

We hope this year's mid-year report is interesting and informative for our customers, the public, and fellow researchers alike.  Although our "blog" doesn't support feedback, I’ll do my best to address other public posts as I see them.  Feel free to send comments through our feedback form, or, if you happen to be at BlackHat next week, I'd love to talk to you in person about it then.

Thanks and happy mid-year!

-Holly
