TTPwire Vol. 1 · MITRE ATT&CK·Tagged

F5 Labs

Top Attacks Against Service Providers 2017-2019

2020-02-06

ATT&CK techniques detected

10 predictions
T1110 Brute Force
92%
"use common lists of default credential pairs (for example, admin/admin), commonly used passwords, or even randomly generated password strings. We saw this attack trend significantly downward over the three-year period we reviewed, from 72% of total F5 SIRT incidents in 201…"
T1110 Brute Force
89%
"… From a defensive point of view, as mentioned above, these attacks can appear to simply be either a general outage of a service, such as DNS, or a surge of network traffic. The ability to quickly compare the characteristics of normal, expected network traffic against samples of …"
T1498 Network Denial of Service
83%
"2019, accounting for 77% of all incidents handled by the F5 SIRT, up from just a third of all incidents in 2017 (see Figure 1). Figure 1. DDoS incidents reported to the F5 SIRT from 2017 through 2019. What does a typical DDoS attack look like at a service provider? A denial-…"
T1110.003 Password Spraying
82%
"for 10,000 combinations, making exhaustive, automated attacks quick. Service providers also see brute force attacks against web login pages, such as those used for webmail or account access. Because many users continue to use the same credentials for multiple web-based account…"
T1498 Network Denial of Service
63%
"the leveraged service end up going to the target, not to the initiator. DNS water torture attacks, also known as pseudo-random subdomain attacks, are a form of reflection attack. These attacks use intentionally incorrect DNS queries to generate response traffic directed to the …"
T1190 Exploit Public-Facing Application
55%
"…os attacks, the first indications of such an attack are customer complaints of account lockout rather than any sort of automated detection. This, in itself, can constitute a denial of service if a large number of accounts are locked out, and certainly can cause increased, at ti…"
T1584.005 Botnet
54%
"articles/threat-intelligence/the-hunt-for-iot--multi-purpose-attack-thingbots-threaten-intern.html) series, we have been following the targeting of port 7547 by botnets, as well as other ports commonly used to remotely administer SOHO routers. Attacker …"
T1498.001 Direct Network Flood
48%
"2019, accounting for 77% of all incidents handled by the F5 SIRT, up from just a third of all incidents in 2017 (see Figure 1). Figure 1. DDoS incidents reported to the F5 SIRT from 2017 through 2019. What does a typical DDoS attack look like at a service provider? A denial-…"
T1499 Endpoint Denial of Service
44%
"2019, accounting for 77% of all incidents handled by the F5 SIRT, up from just a third of all incidents in 2017 (see Figure 1). Figure 1. DDoS incidents reported to the F5 SIRT from 2017 through 2019. What does a typical DDoS attack look like at a service provider? A denial-…"
T1110.001 Password Guessing
41%
"… From a defensive point of view, as mentioned above, these attacks can appear to simply be either a general outage of a service, such as DNS, or a surge of network traffic. The ability to quickly compare the characteristics of normal, expected network traffic against samples of …"

Summary

Three years of data shows DDoS attacks against service providers are growing while brute force and other authentication attacks are slowly waning.