SlideShare a Scribd company logo

CenturyLink 2018 Threat Report Insights

A
Andrew Prosser

The CenturyLink Threat Research Labs 2018 Threat Report provides insights into global cyber threats based on analysis of internet traffic traversing CenturyLink's global backbone network. Some key findings: 1) The top three countries for originating malicious traffic are the United States, Russia, and China. Within regions, European traffic most often came from Russia and Ukraine, Latin American from Brazil, and Asia Pacific from China. 2) The top ten countries hosting command-and-control servers directing botnets were similar to the overall malicious traffic origins, led by the US and Russia. 3) The United States had the most compromised hosts or "bots" averaging 1.8 million daily that were being directed by command-and-

Technology
1 of 20
Download to read offline
CENTURYLINK 2018 THREAT REPORT
As cyber threats proliferate, businesses, governments and consumers often seek to find the silver bullet for cyber security issues. With so many differing viewpoints of the threat landscape, the task of identifying actionable intelligence, while prioritizing who and what to protect, is a difficult one. Meanwhile, the growth of cyber threats continues to be explosive, and the cost to protect businesses and consumers is on the rise. No one is completely immune to today’s – or tomorrow’s – cyber threats. We can relate to the business challenges organizations face in our connected world. Like our customers, CenturyLink works tirelessly to protect itself from the evolving and increasingly sophisticated, malicious operators looking to exploit any weakness. In this report, as we do regularly for our customers, fellow security researchers and other leading ISPs, we are offering the IT community the same unique insights we use to protect ourselves and our customers with the goal of regaining the upper hand from cybercriminals. This intelligence varies from other industry threat reports because it is based exclusively on what CenturyLink® Threat Research Labs sees across the CenturyLink global backbone. The report opens with our insights around the sources of global malicious traffic and the victims they target. We then breakdown the components of attack traffic by identifying the origins of command and control servers (C2s) and the bots they control, along with a review of bot attack targets compared to those of all threats we monitor. Finally, we present an exclusive deep dive into the evolution and presiding trends with respect to DDoS IoT botnets. Executive Summary: 2
Table of Contents Understanding the GlobalThreat Landscape Puzzle................................4 Malicious Traffic by Country of Origin.......................................................4 C2s by Country of Origin............................................................................6 Top 5 Bot Hosting Countries......................................................................8 Compromised Hosts (Bots) by Country of Origin....................................9 Top Countries Hit with Bot Traffic.............................................................11 A Review of DDoS IoT Botnets................................................................13 Top 10 Active C2s for Gafgyt and Mirai Families....................................14 Gafgyt and Mirai Attack CommandTotals,Types and Volumes.............16 The CenturyLink Threat Research Labs Difference.................................18
More than 4 billion people – essentially half the world’s population – now have access to the internet. Among the petabytes of data traversing our global network backbone, CenturyLink Threat Research Labs tracked an average of 195,000 threats per day in 2017, impacting, on average, 104 million unique targets daily. For the purposes of this report, “targets” refers to servers, computers, handheld or internet- connected (IoT) devices owned by businesses, government entities and individual consumers. The term “victims” is used to refer to those entities with compromised servers, computers and devices being used to attack the targets described above. We look first at the attackers. As reported in previous editions of our threat report (see Attack of the Things and How the Grinch Stole IoT), geographies with strong or rapidly growing IT networks and infrastructure continue to be the primary source for cybercriminal activity. At a recent cybersecurity summit hosted in Denver, Colorado, speakers indicated that the emphasis on STEM (science, technology, engineering and math) training in rapidly developing countries has added to the proliferation of bad actors. However, the United States, Russia and China hold the lead as the three most common points of origin for malicious internet activities. For malicious traffic by country of origin, we’ve broken the data down by the top 10 countries generating traffic from a global perspective and provided additional breakouts for malicious traffic origins within Europe, Latin America and Asia Pacific. 4 Understanding the Global Threat Landscape Puzzle. Top 10 Countries Globally United States Russia China Brazil Ukraine Germany France Netherlands Turkey United Kingdom 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 1 4 2 39 5 6 7 8 10 MaliciousTraffic by Country of Origin FullYear 2017 Our Unique View of the World Source: CenturyLink Threat Research Labs, Full Year 2017
5 Source: CenturyLink Threat Research Labs, Full Year 2017 MaliciousTraffic by Country of Origin FullYear 2017 Russia Ukraine Germany France Netherlands United Kingdom Poland Italy Romania Spain 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 1 4 2 3 9 56 7 810 Top 10 European Countries 1 4 2 5 Brazil Argentina Mexico Chile Colombia 1. 2. 3. 4. 5. Top 5 Latin American Countries 3 China South Korea Vietnam India Australia 1. 2. 3. 4. 5. 1 4 2 3 5 Top 5 Asia Pacific Countries
Next, we will look at a few of the different varieties of the malicious activity CenturyLink monitors, starting at the top of the heirarchy with the C2 systems directing the attacks. Traffic between a network and any C2 server is a powerful risk indicator that a vulnerable and potentially compromised host exists. Depending on the network’s topology, this compromised host may also give the attacker access to the devices behind the security mechanisms in place. Tracking C2 data reveals victim hotspots and activity hubs favored by malicious actors. C2s Top 10 Countries Globally United States Russia Ukraine China Germany Netherlands France United Kingdom Brazil Canada 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 1 9 23 45 7 6 810 Russia Ukraine Germany Netherlands France United Kingdom Italy Spain Poland Turkey 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 1 5 2 3 7 46 9 8 10 Top 10 European Countries by Country of Origin FullYear 2017 6 Source: CenturyLink Threat Research Labs, Full Year 2017
China South Korea Japan India Hong Kong 1. 2. 3. 4. 5. 1 4 2 3 5 Top 5 Asia Pacific Countries C2s 1 5 3 2 4 Brazil Mexico Argentina Colombia Chile 1. 2. 3. 4. 5. Top 5 Latin American Countries While the C2 breakdown matches closely to the overall malicious traffic by country, it is important to note the person controlling the C2 may not be located in the same country as the C2 server. The location of the C2 is driven by the mechanisms available to the bad actor. The United States is at the top of the list because of the robust networks and volume of devices within its borders. Conversely, countries that allow the unchecked operation of bullet-proof hosting companies will also show a disproportinate volume of C2s within their borders – in this case pushing up Russia and Ukraine higher in the chart. Internet service providers that operate in countries with limited or relaxed regard to laws or regulations governing allowable activity are generally referred to as bullet-proof. 7 Source: CenturyLink Threat Research Labs, Full Year 2017 by Country of Origin FullYear 2017
While CenturyLink Threat Research Labs works with providers to take down the supporting services, the bullet-proof hosters seldom comply and, as a result, find their traffic mitigated over our global backbone. To initiate an effective attack, C2 servers generally need a botnet to control. A botnet is a group of individual compromised hosts, or bots, often controlled by a single C2. A bot can be a compromised server, computer or any IoT device such as a DVR, security camera, cell phone and so on. The most dangerous botnets contain hundreds of thousands of members waiting to attack at a moment’s notice – fortunately botnets of this size are becoming rare these days. As a bot, the compromised device has already been infected by malware. It has communicated with the C2, identifying both what it is and what its capabilities are. Now the bot is just waiting to be directed to launch an attack against a target utilizing a specific set of parameters. Each of the millions of bots CenturyLink Threat Research Labs tracks was witnessed communicating with a known C2 server. Top 5 Bot Hosting Countries – Daily Average United States China Brazil United Kingdom Germany 1.8M 454K 248K 158K 147K 8 Source: CenturyLink Threat Research Labs, Full Year 2017
This chart and the subsequent charts show a more comprehensive view of the bot landscape by region. These hosts have been witnessed interacting with known C2s across the CenturyLink global backbone. Top 10 Countries Globally United States China Brazil United Kingdom Germany Canada Russia France Italy India 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 1 3 7 26 10 5 8 94 Compromised Hosts (Bots) United Kingdom Germany Russia France Italy 1. 2. 3. 4. 5. 3 4 2 1 5 Top 5 European Countries by Country of Origin FullYear 2017 9 Source: CenturyLink Threat Research Labs, Full Year 2017
Compromised Hosts (Bots) 1 4 3 5 Brazil Mexico Argentina Venezuela Colombia 1. 2. 3. 4. 5. Top 5 Latin American Countries 2 China India Japan Taiwan South Korea 1. 2. 3. 4. 5. 1 2 5 3 4 Top 5 Asia Pacific Countries We’ve been talking primarily about the bad actors controlling the C2s and the botnets, but it is also important to evaluate the targets of these attacks. Not only are countries and regions with robust communication infrastructure unknowingly supplying bandwidth for these attacks, but they are also the largest targets based on attack command volume. by Country of Origin FullYear 2017 10 Source: CenturyLink Threat Research Labs, Full Year 2017
1. United States 13. Spain 2. China 3. Germany 4. Russia 5. United Kingdom 6. Brazil 11. Canada 12. Netherlands 7. Japan 8. France 9. Italy 10. South Korea 15. South Africa14. Taiwan 18. Australia16. Sweden 17. Poland 20. Argentina19. Norway Top 20 Countries Globally Hit with Bot Traffic FullYear 2017 11 Source: CenturyLink Threat Research Labs, Full Year 2017
In this set of graphs, you can see the distribution of attacks by top target countries and regions. Top 5 Asia Pacific Target Countries FullYear 2017 Top 5 Latin American Target Countries FullYear 2017 Top 5 European Target Countries FullYear 2017 Top 5 Globally Target Countries FullYear 2017 China Japan Korea India Taiwan United Kingdom Germany Russian Spain France Brazil Mexico Argentina Colombia Chile 12 Source: CenturyLink Threat Research Labs, Full Year 2017 China United Kingdom Brazil Germany United States
A Review of DDoS IoT Botnets How IoT botnets work:Gafgyt and Mirai The exploitation of IoT devices to create botnets for volumetric DDoS attacks began in earnest within the last several years. As previously reported by the CenturyLink Threat Research Labs, Gafgyt, a precursor to Mirai, started using IoT devices as botnets for DDoS attacks in 2014. Gafgyt (which also goes by the names BASHLITE, Lizkebab and Torlus) is a form of malware architected to infect Linux systems for the purpose of launching DDoS attacks. Written in C, Gafgyt was designed to be easily cross-compiled for multiple architectures running Linux, making it especially effective in compromising IoT devices and other systems which often use open source operating systems to minimize cost. Gafgyt implements a standard client/server architecture modeled loosely on an internet relay chat (IRC). Mirai first appeared in the fall of 2016 and quickly proved to be an effective evolution in launching IoT based cyberattacks. Mirai is responsible for launching what was, until March 2018, the largest DDoS attack on record. In addition to attacking krebsonsecurity.com, its variants were responsible for the attack on Dyn, which brought traffic destined for numerous popular websites in Europe and North America to a halt. Since the Mirai source code was released in October 2016, CenturyLink has tracked various evolutions of Mirai, including Satori, Masuta, OMG and Okiru. We continue to work with research peers across the globe to isolate and identify new variants. Because these copycat derivatives are not substantively different to the original Mirai, they are categorized under the header of Mirai in our research. Scanning for vulnerable devices is the basis for both botnets. Once vulnerable devices are identified, they are instructed to connect to a download server to install the malware. They then may be instructed to port scan for vulnerable devices or use external scanners to find and harvest new potential bots. In some cases, actors utilize the C2 servers themselves to scan and infect. There is a variety of other infection methods, including brute forcing login credentials on secure shell (SSH) and telnet servers, as well as exploiting known security weaknesses in other services. How do bad actors decide which malware variant to use? Bad actors have many tools at their disposal when attacking their targets. These DDoS botnets are just a few of the tools they may utilize. We have seen the same operators move back and forth between Gafgyt and Mirai, sometimes attacking the same target. Mirai and Gafgyt have been tied to DDoS attacks against gaming servers and the botnet owner’s perceived rivals. Operators attempt to drive traffic to the gaming servers they control. According to Krebs on Security, a large, successful Minecraft server with more than a thousand players logging on each day can easily earn the server’s owners more than $50,000 per month. The revenues come mainly from players renting space on the server to build their Minecraft worlds and purchasing in-game items and special abilities. They can also operate under a DDoS-for-hire scenario in which they rent their website stressor services to anyone – under the guise that you, as a site owner, want to ‘test’ or stress your website’s connectivity to the internet. Of course, there is no confirmation that you are the owner of the organization’s website that you wish to ‘test’. 13
It is important to note: with both of these families and their operators, targets tend to change frequently. Recently, we have identified several of these operators shifting to bitcoin mining utilizing the bots that they have cultivated to steal their processing resources rather than utilize them in attacks. Mirai and its variants have been the focus of numerous headlines and consistent news coverage, but CenturyLink Threat Research Labs has witnessed more Gafgyt attacks affecting more victims, with noticeably longer attack durations. This chart tracks the top active C2s for the Gafgyt and Mirai botnet families and the length of time they’ve been active. While CenturyLink cannot fully deactivate a C2 that is not within our sphere of control, we can stop it from accessing our network and resources. However, mitigating a C2 is always a last resort and we aim to work with the broader internet community to resolve the risk first. After a C2 is identified, CenturyLink Threat Research Labs confirms it is a viable threat with intent to harm others and makes several attempts to notify the hosting and upstream service providers of the problem. Following these attempts, we mitigate the C2’s traffic over our global backbone so the cybercriminals cannot use our network resources to perpetrate attacks. In many cases, we even contact the top level domain (TLD) and registrar when required, in an attempt to have the domain deactivated – but this step yields varying results. Therefore, even though the chart below indicates some C2s have been active for up to four months, CenturyLink Threat Research Labs mitigated the traffic within days of identifying the threat, consistent with our desire to be a good steward of the internet. Top 10 active C2s for each family in 2017: network.bigbotpein.com ikbensupercool.nl snicker.ir cn.uvgczsuidrtg.com 185.188.206.99 upfiles.online cnc.linuxam.com internetpolice.ml serversrus.club neuvostoliitto.tk 83 60 60 57 54 53 51 39 39 36 Active Days Mirai C2 185.165.29.39 185.165.29.47 185.165.29.25 185.165.29.41 185.165.29.111 103.214.111.121 179.43.146.30 185.165.29.117 185.165.29.125 104.168.171.25 117 104 95 67 66 58 50 44 44 43 Active Days Gafgyt C2 C2 count by family – for activity tracked in 2017: 562 unique C2s tracked in 2017, minimum uptime - one day, maximum uptime - 117 days 339 unique C2s tracked in 2017, minimum uptime - one day, maximum uptime - 83 days Gafgyt Mirai 14 Source: CenturyLink Threat Research Labs, Full Year 2017
The significant maximum uptime for both Gafgyt and Mirai C2s is often a result of bullet-proof hosting providers, as described above. The attraction of Mirai and Gafgyt deployments is that they offer bad actors a wide variety of customizable options to carry out their assaults. The determination of the specific attack type used is based on the capability of the software, the wishes of the malicious client, the target and the desired outcome. Each attack command may include a list of target IP addresses, target domains, ports, services and specified durations. The chart below reveals UDP and STD (descriptions below) as the leading attack type for Gafgyt based on our observations. 22,000 20,000 18,000 16,000 14,000 12,000 10,000 8,000 6,000 4,000 2,000 June July August September October November December Total Gafgyt Mirai 112,013 71,473 Attack Commands Issued Types and Volumes of Gafgyt Attack Commands Observed Total Per Month Total 12,000 11,000 10,000 9,000 8,000 7,000 6,000 5,000 4,000 3,000 2,000 1,000 June July August September October November December 10,248 47,877 8,281 45,607 udp std tcp http 2nd Half 2017 2nd Half 2017 15 Source: CenturyLink Threat Research Labs, 2nd half 2017
HTTP flood and UDP (plain and flood) attacks are the three most commonly used attack types with Mirai, according to our observations. A Variety of Attack Types Associated with Gafgyt and Mirai UDP Flood [Mirai] and STD [Gafgyt] A User Datagram Protocol (UDP) flood attack is used to launch a barrage of packets toward a specific target. In a UDP flood attack, the destination port may be predefined or random. The source port is typically randomized and the source IP can be easily spoofed, protecting the attacker from receiving any responses from the remote targeted system.   Valve [Mirai] Valve Source Engine Query Flood is a UDP-based attack designed to send Source Engine Query requests, which create excessive resource demands against the target server when sent from multiple spoofed addresses at high volumes. The volume of requests inundates the server, resulting in a denial of service. Bad actors have used this type of attack on gaming servers because of their amplification possibility. When sending this type of query, the server responds back with information about the gaming server and is leveraged to cause game delay or outages for competitive advantage.   SYN Flood [Mirai] TCP [Gafgyt] A TCP SYN flood attack involves a bad actor sending successive synchronize (SYN) requests to overwhelm the victim’s servers, resulting in its inability to simultaneously respond to legitimate traffic requests.   ACK Flood [Mirai] TCP [Gafgyt] An acknowledge (ACK) flood attack is closely related to a SYN flood. A bad actor inundates a victim’s firewall with spoofed ACK packets in an attempt to overwhelm the server. Total 10,000 9,000 8,000 7,000 6,000 5,000 4,000 3,000 2,000 1,000 June July August September October November December ack_flood http_flood syn_flood udp_flood udp_plain valve 5,671 21,180 10,339 8,370 20,517 5,396 Types and Volumes of Mirai Attack Commands Observed 2nd Half 2017 16 Source: CenturyLink Threat Research Labs, 2nd half 2017
   UDP Plain [Mirai] UDP [Gafgyt] The UDP Plain Attack is essentially the UDP Flood attack type, only optimized for speed. Spoofing is not possible with this attack type.   HTTP [Gafgyt] HTTP Flood [Mirai] The HTTP attack type is instigated as a layer 7 attack. It creates a valid connection with randomized data and HTTP headers are populated based on HTTP response. Assailants can use both GET and POST request types to execute their attack. 17
Making Sense of the Data Businesses and government agencies need intelligence that offers the ability to maintain the confidentiality, integrity and availability of data, network resources and other assets. CenturyLink Threat Research Labs culls its data from one of the world’s largest internet backbones, giving us tremendous depth to our field of vision when it comes to emerging and evolving cyber threats. As one of the leading security research teams in the industry for tracking and reporting on botnets, and due to our unique view of the internet, CenturyLink contributes to several leading media outlets to inform the wider technology community about threats that may impact them, including Ars Technica, CSO, MIT Technology Review, PC Mag, Wall Street Journal, WIRED and many others. CenturyLink collects 114 billion NetFlow records each day, allowing us to capture over 1.3 billion security events daily and to monitor for 5,000 known C2 servers on an ongoing basis. CenturyLink also collaborates with other leading global threat intelligence teams to share critical insights with the goal of creating a safer internet. Unlike other security research entities, CenturyLink Threat Research Labs doesn’t just passively monitor malicious traffic flowing through the network; the team works to actively prevent bad actors from using CenturyLink network resources to conduct criminal activities. The team identifies dozens of new C2s monthly and works with the upstream service providers to disable their services. If they are unable or unwilling to take action, then CenturyLink steps in and takes measures to protect our network and our customers – nearly 40 C2s per month receive this enhanced treatment. 18 The CenturyLinkThreat Research Labs difference:
To stay abreast of an enemy that is constantly evolving, businesses and governments need to understand the entirety of the threat landscape as it applies to their network. At the same time, threat intelligence without the appropriate filters and customizations can easily result in a flood of information leading ultimately to analysis paralysis. With the sheer volume and variety of threat types – even within the subset of IoT DDoS attacks – it is easy to lose sight of the most dangerous threats. We see this when news headlines seek to reveal the motives, techniques and sources of threats, yet miss important developments. This is demonstrated by the disproportionate attention paid to Mirai, with its notably shorter dwell time and lower victim count by volume, over that paid to Gafgyt, which has so far shown itself to be a more persistent threat. As organizations continue to realize operational benefits from greater adoption of cloud-based services, the security perimeter continues to wander and, in some cases, dissolve. Meanwhile, security spend is growing exponentially. By taking a holistic approach to security, one that is informed by actionable threat intelligence, businesses and government agencies can bridge the protection gap. The scope and depth of CenturyLink Threat Research Labs’ intelligence is derived from one of the world’s largest IP backbones, critical infrastructure supporting CenturyLink’s global operations and those relationships formed with our customers and industry peers. CenturyLink takes a proactive approach to securing the internet: when we see something, we stop it. We believe the internet is a village and each of us must do our part to protect it. This document is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. CenturyLink does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. This document represents CenturyLink’s products and offerings as of the date of issue. Services not available everywhere. Business customers only. CenturyLink may change or cancel products and services or substitute similar products and services at its sole discretion without notice. ©2018 CenturyLink. All Rights Reserved. The CenturyLink mark, pathways logo and certain CenturyLink product names are the property of CenturyLink. All other marks are the property of their respective owners. 19
CenturyLink 2018 Threat Report Insights

Recommended

Grift horse money stealing trojan takes 10m android users for a ride
Grift horse money stealing trojan takes 10m android users for a rideGrift horse money stealing trojan takes 10m android users for a ride
Grift horse money stealing trojan takes 10m android users for a rideRoen Branham
 
Ransomware Gang Masquerades as Real Company to Recruit Tech Talent
Ransomware Gang Masquerades as Real Company to Recruit Tech TalentRansomware Gang Masquerades as Real Company to Recruit Tech Talent
Ransomware Gang Masquerades as Real Company to Recruit Tech TalentLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
Rp quarterly-threat-q3-2013
Rp quarterly-threat-q3-2013Rp quarterly-threat-q3-2013
Rp quarterly-threat-q3-2013Комсс Файквэе
 
ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019- Mark - Fullbright
 
Mobile threat report_q3_2013
Mobile threat report_q3_2013Mobile threat report_q3_2013
Mobile threat report_q3_2013Комсс Файквэе
 
Ransomware Review 2017
Ransomware Review 2017Ransomware Review 2017
Ransomware Review 2017Dryden Geary
 
Netscout threat report 2018
Netscout threat report 2018Netscout threat report 2018
Netscout threat report 2018Gabe Akisanmi
 
BLURRING BOUNDARIES
BLURRING BOUNDARIESBLURRING BOUNDARIES
BLURRING BOUNDARIES- Mark - Fullbright
 

Recommended

Grift horse money stealing trojan takes 10m android users for a ride
Grift horse money stealing trojan takes 10m android users for a rideGrift horse money stealing trojan takes 10m android users for a ride
Grift horse money stealing trojan takes 10m android users for a rideRoen Branham
 
Ransomware Gang Masquerades as Real Company to Recruit Tech Talent
Ransomware Gang Masquerades as Real Company to Recruit Tech TalentRansomware Gang Masquerades as Real Company to Recruit Tech Talent
Ransomware Gang Masquerades as Real Company to Recruit Tech TalentLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
Rp quarterly-threat-q3-2013
Rp quarterly-threat-q3-2013Rp quarterly-threat-q3-2013
Rp quarterly-threat-q3-2013Комсс Файквэе
 
ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019- Mark - Fullbright
 
Mobile threat report_q3_2013
Mobile threat report_q3_2013Mobile threat report_q3_2013
Mobile threat report_q3_2013Комсс Файквэе
 
Ransomware Review 2017
Ransomware Review 2017Ransomware Review 2017
Ransomware Review 2017Dryden Geary
 
Netscout threat report 2018
Netscout threat report 2018Netscout threat report 2018
Netscout threat report 2018Gabe Akisanmi
 
BLURRING BOUNDARIES
BLURRING BOUNDARIESBLURRING BOUNDARIES
BLURRING BOUNDARIES- Mark - Fullbright
 
NAGTRI Journal Article
NAGTRI Journal ArticleNAGTRI Journal Article
NAGTRI Journal ArticleTaylre Janak
 
Cyber Crime Multi-State Information Sharing and Analysis Center
Cyber Crime Multi-State Information Sharing and Analysis CenterCyber Crime Multi-State Information Sharing and Analysis Center
Cyber Crime Multi-State Information Sharing and Analysis Center- Mark - Fullbright
 
Estado del ransomware en 2020
Estado del ransomware en 2020Estado del ransomware en 2020
Estado del ransomware en 2020iDric Soluciones de TI y Seguridad Informática
 
Security weekly september 28 october 4, 2021
Security weekly september 28 october 4, 2021 Security weekly september 28 october 4, 2021
Security weekly september 28 october 4, 2021 Roen Branham
 
Cyber Readiness Index 2.0
Cyber Readiness Index 2.0Cyber Readiness Index 2.0
Cyber Readiness Index 2.0Francesca Spidalieri
 
Hi-Tech Crime Trends 2016
Hi-Tech Crime Trends 2016Hi-Tech Crime Trends 2016
Hi-Tech Crime Trends 2016Group-IB
 
Hi-Tech Crime Trends 2015
Hi-Tech Crime Trends 2015Hi-Tech Crime Trends 2015
Hi-Tech Crime Trends 2015Group-IB
 
Eset trends report_2018
Eset trends report_2018Eset trends report_2018
Eset trends report_2018malvvv
 
Enabling a Zero Trust strategy for SMS
Enabling a Zero Trust strategy for SMSEnabling a Zero Trust strategy for SMS
Enabling a Zero Trust strategy for SMSPaul Walsh
 
14 cyber threats
14 cyber threats14 cyber threats
14 cyber threatsmahesh43211
 
HR's Critical Role in Protecting Company Data
HR's Critical Role in Protecting Company DataHR's Critical Role in Protecting Company Data
HR's Critical Role in Protecting Company DataParsons Behle & Latimer
 
Istr number 23 internet security threat repor 2018 symantec
Istr number 23 internet security threat repor 2018 symantecIstr number 23 internet security threat repor 2018 symantec
Istr number 23 internet security threat repor 2018 symantecSoluciona Facil
 
Symantec Intelligence Report - Oct 2015
Symantec Intelligence Report - Oct 2015Symantec Intelligence Report - Oct 2015
Symantec Intelligence Report - Oct 2015CheapSSLUSA
 
6 Cybersecurity Trends to Watch in 2019
6 Cybersecurity Trends to Watch in 20196 Cybersecurity Trends to Watch in 2019
6 Cybersecurity Trends to Watch in 2019BluePayProcessing
 
Ransomware-as-a-Service: The business of distributing cyber attacks
Ransomware-as-a-Service: The business of distributing cyber attacksRansomware-as-a-Service: The business of distributing cyber attacks
Ransomware-as-a-Service: The business of distributing cyber attacksΔρ. Γιώργος K. Κασάπης
 
RSA Monthly Online Fraud Report -- December 2014
RSA Monthly Online Fraud Report -- December 2014RSA Monthly Online Fraud Report -- December 2014
RSA Monthly Online Fraud Report -- December 2014EMC
 
Hi-Tech Crime Trends 2014
Hi-Tech Crime Trends 2014Hi-Tech Crime Trends 2014
Hi-Tech Crime Trends 2014Group-IB
 
Ey giss-under-cyber-attack
Ey giss-under-cyber-attackEy giss-under-cyber-attack
Ey giss-under-cyber-attackКомсс Файквэе
 
Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.Reham Maher El-Safarini
 
2019 Cybersecurity Retrospective and a look forward to 2020
2019 Cybersecurity Retrospective and a look forward to 20202019 Cybersecurity Retrospective and a look forward to 2020
2019 Cybersecurity Retrospective and a look forward to 2020Jonathan Cran
 
Assignment_7__ERM__Netflix.pptx.pdf
Assignment_7__ERM__Netflix.pptx.pdfAssignment_7__ERM__Netflix.pptx.pdf
Assignment_7__ERM__Netflix.pptx.pdfdollumehta1
 
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT's
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT'sWSIS10 Action Line C5 Building Confidence and Security in the use of ICT's
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT'sDr Lendy Spires
 

More Related Content

What's hot

NAGTRI Journal Article
NAGTRI Journal ArticleNAGTRI Journal Article
NAGTRI Journal ArticleTaylre Janak
 
Cyber Crime Multi-State Information Sharing and Analysis Center
Cyber Crime Multi-State Information Sharing and Analysis CenterCyber Crime Multi-State Information Sharing and Analysis Center
Cyber Crime Multi-State Information Sharing and Analysis Center- Mark - Fullbright
 
Security weekly september 28 october 4, 2021
Security weekly september 28 october 4, 2021 Security weekly september 28 october 4, 2021
Security weekly september 28 october 4, 2021 Roen Branham
 
Hi-Tech Crime Trends 2016
Hi-Tech Crime Trends 2016Hi-Tech Crime Trends 2016
Hi-Tech Crime Trends 2016Group-IB
 
Hi-Tech Crime Trends 2015
Hi-Tech Crime Trends 2015Hi-Tech Crime Trends 2015
Hi-Tech Crime Trends 2015Group-IB
 
Eset trends report_2018
Eset trends report_2018Eset trends report_2018
Eset trends report_2018malvvv
 
Enabling a Zero Trust strategy for SMS
Enabling a Zero Trust strategy for SMSEnabling a Zero Trust strategy for SMS
Enabling a Zero Trust strategy for SMSPaul Walsh
 
14 cyber threats
14 cyber threats14 cyber threats
14 cyber threatsmahesh43211
 
HR's Critical Role in Protecting Company Data
HR's Critical Role in Protecting Company DataHR's Critical Role in Protecting Company Data
HR's Critical Role in Protecting Company DataParsons Behle & Latimer
 
Istr number 23 internet security threat repor 2018 symantec
Istr number 23 internet security threat repor 2018 symantecIstr number 23 internet security threat repor 2018 symantec
Istr number 23 internet security threat repor 2018 symantecSoluciona Facil
 
Symantec Intelligence Report - Oct 2015
Symantec Intelligence Report - Oct 2015Symantec Intelligence Report - Oct 2015
Symantec Intelligence Report - Oct 2015CheapSSLUSA
 
6 Cybersecurity Trends to Watch in 2019
6 Cybersecurity Trends to Watch in 20196 Cybersecurity Trends to Watch in 2019
6 Cybersecurity Trends to Watch in 2019BluePayProcessing
 
RSA Monthly Online Fraud Report -- December 2014
RSA Monthly Online Fraud Report -- December 2014RSA Monthly Online Fraud Report -- December 2014
RSA Monthly Online Fraud Report -- December 2014EMC
 
Hi-Tech Crime Trends 2014
Hi-Tech Crime Trends 2014Hi-Tech Crime Trends 2014
Hi-Tech Crime Trends 2014Group-IB
 

What's hot (18)

NAGTRI Journal Article
NAGTRI Journal ArticleNAGTRI Journal Article
NAGTRI Journal Article
 
Cyber Crime Multi-State Information Sharing and Analysis Center
Cyber Crime Multi-State Information Sharing and Analysis CenterCyber Crime Multi-State Information Sharing and Analysis Center
Cyber Crime Multi-State Information Sharing and Analysis Center
 
Estado del ransomware en 2020
Estado del ransomware en 2020Estado del ransomware en 2020
Estado del ransomware en 2020
 
Security weekly september 28 october 4, 2021
Security weekly september 28 october 4, 2021 Security weekly september 28 october 4, 2021
Security weekly september 28 october 4, 2021
 
Cyber Readiness Index 2.0
Cyber Readiness Index 2.0Cyber Readiness Index 2.0
Cyber Readiness Index 2.0
 
Hi-Tech Crime Trends 2016
Hi-Tech Crime Trends 2016Hi-Tech Crime Trends 2016
Hi-Tech Crime Trends 2016
 
Hi-Tech Crime Trends 2015
Hi-Tech Crime Trends 2015Hi-Tech Crime Trends 2015
Hi-Tech Crime Trends 2015
 
Eset trends report_2018
Eset trends report_2018Eset trends report_2018
Eset trends report_2018
 
Enabling a Zero Trust strategy for SMS
Enabling a Zero Trust strategy for SMSEnabling a Zero Trust strategy for SMS
Enabling a Zero Trust strategy for SMS
 
14 cyber threats
14 cyber threats14 cyber threats
14 cyber threats
 
HR's Critical Role in Protecting Company Data
HR's Critical Role in Protecting Company DataHR's Critical Role in Protecting Company Data
HR's Critical Role in Protecting Company Data
 
Istr number 23 internet security threat repor 2018 symantec
Istr number 23 internet security threat repor 2018 symantecIstr number 23 internet security threat repor 2018 symantec
Istr number 23 internet security threat repor 2018 symantec
 
Symantec Intelligence Report - Oct 2015
Symantec Intelligence Report - Oct 2015Symantec Intelligence Report - Oct 2015
Symantec Intelligence Report - Oct 2015
 
6 Cybersecurity Trends to Watch in 2019
6 Cybersecurity Trends to Watch in 20196 Cybersecurity Trends to Watch in 2019
6 Cybersecurity Trends to Watch in 2019
 
Ransomware-as-a-Service: The business of distributing cyber attacks
Ransomware-as-a-Service: The business of distributing cyber attacksRansomware-as-a-Service: The business of distributing cyber attacks
Ransomware-as-a-Service: The business of distributing cyber attacks
 
RSA Monthly Online Fraud Report -- December 2014
RSA Monthly Online Fraud Report -- December 2014RSA Monthly Online Fraud Report -- December 2014
RSA Monthly Online Fraud Report -- December 2014
 
Hi-Tech Crime Trends 2014
Hi-Tech Crime Trends 2014Hi-Tech Crime Trends 2014
Hi-Tech Crime Trends 2014
 
Ey giss-under-cyber-attack
Ey giss-under-cyber-attackEy giss-under-cyber-attack
Ey giss-under-cyber-attack
 

Similar to CenturyLink 2018 Threat Report Insights

Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.Reham Maher El-Safarini
 
2019 Cybersecurity Retrospective and a look forward to 2020
2019 Cybersecurity Retrospective and a look forward to 20202019 Cybersecurity Retrospective and a look forward to 2020
2019 Cybersecurity Retrospective and a look forward to 2020Jonathan Cran
 
Assignment_7__ERM__Netflix.pptx.pdf
Assignment_7__ERM__Netflix.pptx.pdfAssignment_7__ERM__Netflix.pptx.pdf
Assignment_7__ERM__Netflix.pptx.pdfdollumehta1
 
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT's
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT'sWSIS10 Action Line C5 Building Confidence and Security in the use of ICT's
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT'sDr Lendy Spires
 
Get Ahead of Cyber Security by Tiffy Issac, Partner EY India
Get Ahead of Cyber Security by Tiffy Issac, Partner EY IndiaGet Ahead of Cyber Security by Tiffy Issac, Partner EY India
Get Ahead of Cyber Security by Tiffy Issac, Partner EY IndiaRahul Neel Mani
 
Cisco 2014 Midyear Security Report
Cisco 2014 Midyear Security ReportCisco 2014 Midyear Security Report
Cisco 2014 Midyear Security ReportCisco Security
 
Edgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEdgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEoin Keary
 
2022 Vulnerability Statistics Report.pdf
2022 Vulnerability Statistics Report.pdf2022 Vulnerability Statistics Report.pdf
2022 Vulnerability Statistics Report.pdfssuserc3d7ec1
 
Inside TorrentLocker (Cryptolocker) Malware C&C Server
Inside TorrentLocker (Cryptolocker) Malware C&C Server Inside TorrentLocker (Cryptolocker) Malware C&C Server
Inside TorrentLocker (Cryptolocker) Malware C&C Server Davide Cioccia
 
Open Source Insight: Samba Vulnerability, Connected Car Risks, and Are You R...
Open Source Insight: Samba Vulnerability, Connected Car Risks, and Are You R...Open Source Insight: Samba Vulnerability, Connected Car Risks, and Are You R...
Open Source Insight: Samba Vulnerability, Connected Car Risks, and Are You R...Black Duck by Synopsys
 
INSECURE Magazine - 35
INSECURE Magazine - 35INSECURE Magazine - 35
INSECURE Magazine - 35Felipe Prado
 
2020-trustwave-global-security-report.pdf
2020-trustwave-global-security-report.pdf2020-trustwave-global-security-report.pdf
2020-trustwave-global-security-report.pdfOscarMauricioHernand9
 
IoT And Inevitable Decentralization of The Internet
IoT And Inevitable Decentralization of The InternetIoT And Inevitable Decentralization of The Internet
IoT And Inevitable Decentralization of The InternetPaul Brody
 
Top 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA Regulation
Top 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA RegulationTop 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA Regulation
Top 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA RegulationPECB
 
Middle East IoT Workshop
Middle East IoT WorkshopMiddle East IoT Workshop
Middle East IoT WorkshopHaider Iqbal
 
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”Black Duck by Synopsys
 
MEMO[date][Your name and course numbersection][
MEMO[date][Your name and course numbersection][MEMO[date][Your name and course numbersection][
MEMO[date][Your name and course numbersection][AbramMartino96
 
The #Darknet Index: #Black #Hat Edition
The #Darknet Index: #Black #Hat EditionThe #Darknet Index: #Black #Hat Edition
The #Darknet Index: #Black #Hat EditionGhader Ahmadi
 
NormShield Crypto Currency Report 2018
NormShield Crypto Currency Report 2018NormShield Crypto Currency Report 2018
NormShield Crypto Currency Report 2018NormShield
 

Similar to CenturyLink 2018 Threat Report Insights (20)

Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.
 
2019 Cybersecurity Retrospective and a look forward to 2020
2019 Cybersecurity Retrospective and a look forward to 20202019 Cybersecurity Retrospective and a look forward to 2020
2019 Cybersecurity Retrospective and a look forward to 2020
 
Assignment_7__ERM__Netflix.pptx.pdf
Assignment_7__ERM__Netflix.pptx.pdfAssignment_7__ERM__Netflix.pptx.pdf
Assignment_7__ERM__Netflix.pptx.pdf
 
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT's
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT'sWSIS10 Action Line C5 Building Confidence and Security in the use of ICT's
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT's
 
Get Ahead of Cyber Security by Tiffy Issac, Partner EY India
Get Ahead of Cyber Security by Tiffy Issac, Partner EY IndiaGet Ahead of Cyber Security by Tiffy Issac, Partner EY India
Get Ahead of Cyber Security by Tiffy Issac, Partner EY India
 
Cisco 2014 Midyear Security Report
Cisco 2014 Midyear Security ReportCisco 2014 Midyear Security Report
Cisco 2014 Midyear Security Report
 
Edgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEdgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics Report
 
2022 Vulnerability Statistics Report.pdf
2022 Vulnerability Statistics Report.pdf2022 Vulnerability Statistics Report.pdf
2022 Vulnerability Statistics Report.pdf
 
Inside TorrentLocker (Cryptolocker) Malware C&C Server
Inside TorrentLocker (Cryptolocker) Malware C&C Server Inside TorrentLocker (Cryptolocker) Malware C&C Server
Inside TorrentLocker (Cryptolocker) Malware C&C Server
 
Open Source Insight: Samba Vulnerability, Connected Car Risks, and Are You R...
Open Source Insight: Samba Vulnerability, Connected Car Risks, and Are You R...Open Source Insight: Samba Vulnerability, Connected Car Risks, and Are You R...
Open Source Insight: Samba Vulnerability, Connected Car Risks, and Are You R...
 
INSECURE Magazine - 35
INSECURE Magazine - 35INSECURE Magazine - 35
INSECURE Magazine - 35
 
2020-trustwave-global-security-report.pdf
2020-trustwave-global-security-report.pdf2020-trustwave-global-security-report.pdf
2020-trustwave-global-security-report.pdf
 
IoT And Inevitable Decentralization of The Internet
IoT And Inevitable Decentralization of The InternetIoT And Inevitable Decentralization of The Internet
IoT And Inevitable Decentralization of The Internet
 
Cisco 2018, Annual Cybersecurity Report
Cisco 2018, Annual Cybersecurity ReportCisco 2018, Annual Cybersecurity Report
Cisco 2018, Annual Cybersecurity Report
 
Top 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA Regulation
Top 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA RegulationTop 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA Regulation
Top 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA Regulation
 
Middle East IoT Workshop
Middle East IoT WorkshopMiddle East IoT Workshop
Middle East IoT Workshop
 
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
 
MEMO[date][Your name and course numbersection][
MEMO[date][Your name and course numbersection][MEMO[date][Your name and course numbersection][
MEMO[date][Your name and course numbersection][
 
The #Darknet Index: #Black #Hat Edition
The #Darknet Index: #Black #Hat EditionThe #Darknet Index: #Black #Hat Edition
The #Darknet Index: #Black #Hat Edition
 
NormShield Crypto Currency Report 2018
NormShield Crypto Currency Report 2018NormShield Crypto Currency Report 2018
NormShield Crypto Currency Report 2018
 

Recently uploaded

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Recently uploaded (20)

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

CenturyLink 2018 Threat Report Insights

  • 2. As cyber threats proliferate, businesses, governments and consumers often seek to find the silver bullet for cyber security issues. With so many differing viewpoints of the threat landscape, the task of identifying actionable intelligence, while prioritizing who and what to protect, is a difficult one. Meanwhile, the growth of cyber threats continues to be explosive, and the cost to protect businesses and consumers is on the rise. No one is completely immune to today’s – or tomorrow’s – cyber threats. We can relate to the business challenges organizations face in our connected world. Like our customers, CenturyLink works tirelessly to protect itself from the evolving and increasingly sophisticated, malicious operators looking to exploit any weakness. In this report, as we do regularly for our customers, fellow security researchers and other leading ISPs, we are offering the IT community the same unique insights we use to protect ourselves and our customers with the goal of regaining the upper hand from cybercriminals. This intelligence varies from other industry threat reports because it is based exclusively on what CenturyLink® Threat Research Labs sees across the CenturyLink global backbone. The report opens with our insights around the sources of global malicious traffic and the victims they target. We then breakdown the components of attack traffic by identifying the origins of command and control servers (C2s) and the bots they control, along with a review of bot attack targets compared to those of all threats we monitor. Finally, we present an exclusive deep dive into the evolution and presiding trends with respect to DDoS IoT botnets. Executive Summary: 2
  • 3. Table of Contents Understanding the GlobalThreat Landscape Puzzle................................4 Malicious Traffic by Country of Origin.......................................................4 C2s by Country of Origin............................................................................6 Top 5 Bot Hosting Countries......................................................................8 Compromised Hosts (Bots) by Country of Origin....................................9 Top Countries Hit with Bot Traffic.............................................................11 A Review of DDoS IoT Botnets................................................................13 Top 10 Active C2s for Gafgyt and Mirai Families....................................14 Gafgyt and Mirai Attack CommandTotals,Types and Volumes.............16 The CenturyLink Threat Research Labs Difference.................................18
  • 4. More than 4 billion people – essentially half the world’s population – now have access to the internet. Among the petabytes of data traversing our global network backbone, CenturyLink Threat Research Labs tracked an average of 195,000 threats per day in 2017, impacting, on average, 104 million unique targets daily. For the purposes of this report, “targets” refers to servers, computers, handheld or internet- connected (IoT) devices owned by businesses, government entities and individual consumers. The term “victims” is used to refer to those entities with compromised servers, computers and devices being used to attack the targets described above. We look first at the attackers. As reported in previous editions of our threat report (see Attack of the Things and How the Grinch Stole IoT), geographies with strong or rapidly growing IT networks and infrastructure continue to be the primary source for cybercriminal activity. At a recent cybersecurity summit hosted in Denver, Colorado, speakers indicated that the emphasis on STEM (science, technology, engineering and math) training in rapidly developing countries has added to the proliferation of bad actors. However, the United States, Russia and China hold the lead as the three most common points of origin for malicious internet activities. For malicious traffic by country of origin, we’ve broken the data down by the top 10 countries generating traffic from a global perspective and provided additional breakouts for malicious traffic origins within Europe, Latin America and Asia Pacific. 4 Understanding the Global Threat Landscape Puzzle. Top 10 Countries Globally United States Russia China Brazil Ukraine Germany France Netherlands Turkey United Kingdom 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 1 4 2 39 5 6 7 8 10 MaliciousTraffic by Country of Origin FullYear 2017 Our Unique View of the World Source: CenturyLink Threat Research Labs, Full Year 2017
  • 5. 5 Source: CenturyLink Threat Research Labs, Full Year 2017 MaliciousTraffic by Country of Origin FullYear 2017 Russia Ukraine Germany France Netherlands United Kingdom Poland Italy Romania Spain 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 1 4 2 3 9 56 7 810 Top 10 European Countries 1 4 2 5 Brazil Argentina Mexico Chile Colombia 1. 2. 3. 4. 5. Top 5 Latin American Countries 3 China South Korea Vietnam India Australia 1. 2. 3. 4. 5. 1 4 2 3 5 Top 5 Asia Pacific Countries
  • 6. Next, we will look at a few of the different varieties of the malicious activity CenturyLink monitors, starting at the top of the heirarchy with the C2 systems directing the attacks. Traffic between a network and any C2 server is a powerful risk indicator that a vulnerable and potentially compromised host exists. Depending on the network’s topology, this compromised host may also give the attacker access to the devices behind the security mechanisms in place. Tracking C2 data reveals victim hotspots and activity hubs favored by malicious actors. C2s Top 10 Countries Globally United States Russia Ukraine China Germany Netherlands France United Kingdom Brazil Canada 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 1 9 23 45 7 6 810 Russia Ukraine Germany Netherlands France United Kingdom Italy Spain Poland Turkey 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 1 5 2 3 7 46 9 8 10 Top 10 European Countries by Country of Origin FullYear 2017 6 Source: CenturyLink Threat Research Labs, Full Year 2017
  • 7. China South Korea Japan India Hong Kong 1. 2. 3. 4. 5. 1 4 2 3 5 Top 5 Asia Pacific Countries C2s 1 5 3 2 4 Brazil Mexico Argentina Colombia Chile 1. 2. 3. 4. 5. Top 5 Latin American Countries While the C2 breakdown matches closely to the overall malicious traffic by country, it is important to note the person controlling the C2 may not be located in the same country as the C2 server. The location of the C2 is driven by the mechanisms available to the bad actor. The United States is at the top of the list because of the robust networks and volume of devices within its borders. Conversely, countries that allow the unchecked operation of bullet-proof hosting companies will also show a disproportinate volume of C2s within their borders – in this case pushing up Russia and Ukraine higher in the chart. Internet service providers that operate in countries with limited or relaxed regard to laws or regulations governing allowable activity are generally referred to as bullet-proof. 7 Source: CenturyLink Threat Research Labs, Full Year 2017 by Country of Origin FullYear 2017
  • 8. While CenturyLink Threat Research Labs works with providers to take down the supporting services, the bullet-proof hosters seldom comply and, as a result, find their traffic mitigated over our global backbone. To initiate an effective attack, C2 servers generally need a botnet to control. A botnet is a group of individual compromised hosts, or bots, often controlled by a single C2. A bot can be a compromised server, computer or any IoT device such as a DVR, security camera, cell phone and so on. The most dangerous botnets contain hundreds of thousands of members waiting to attack at a moment’s notice – fortunately botnets of this size are becoming rare these days. As a bot, the compromised device has already been infected by malware. It has communicated with the C2, identifying both what it is and what its capabilities are. Now the bot is just waiting to be directed to launch an attack against a target utilizing a specific set of parameters. Each of the millions of bots CenturyLink Threat Research Labs tracks was witnessed communicating with a known C2 server. Top 5 Bot Hosting Countries – Daily Average United States China Brazil United Kingdom Germany 1.8M 454K 248K 158K 147K 8 Source: CenturyLink Threat Research Labs, Full Year 2017
  • 9. This chart and the subsequent charts show a more comprehensive view of the bot landscape by region. These hosts have been witnessed interacting with known C2s across the CenturyLink global backbone. Top 10 Countries Globally United States China Brazil United Kingdom Germany Canada Russia France Italy India 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 1 3 7 26 10 5 8 94 Compromised Hosts (Bots) United Kingdom Germany Russia France Italy 1. 2. 3. 4. 5. 3 4 2 1 5 Top 5 European Countries by Country of Origin FullYear 2017 9 Source: CenturyLink Threat Research Labs, Full Year 2017
  • 10. Compromised Hosts (Bots) 1 4 3 5 Brazil Mexico Argentina Venezuela Colombia 1. 2. 3. 4. 5. Top 5 Latin American Countries 2 China India Japan Taiwan South Korea 1. 2. 3. 4. 5. 1 2 5 3 4 Top 5 Asia Pacific Countries We’ve been talking primarily about the bad actors controlling the C2s and the botnets, but it is also important to evaluate the targets of these attacks. Not only are countries and regions with robust communication infrastructure unknowingly supplying bandwidth for these attacks, but they are also the largest targets based on attack command volume. by Country of Origin FullYear 2017 10 Source: CenturyLink Threat Research Labs, Full Year 2017
  • 11. 1. United States 13. Spain 2. China 3. Germany 4. Russia 5. United Kingdom 6. Brazil 11. Canada 12. Netherlands 7. Japan 8. France 9. Italy 10. South Korea 15. South Africa14. Taiwan 18. Australia16. Sweden 17. Poland 20. Argentina19. Norway Top 20 Countries Globally Hit with Bot Traffic FullYear 2017 11 Source: CenturyLink Threat Research Labs, Full Year 2017
  • 12. In this set of graphs, you can see the distribution of attacks by top target countries and regions. Top 5 Asia Pacific Target Countries FullYear 2017 Top 5 Latin American Target Countries FullYear 2017 Top 5 European Target Countries FullYear 2017 Top 5 Globally Target Countries FullYear 2017 China Japan Korea India Taiwan United Kingdom Germany Russian Spain France Brazil Mexico Argentina Colombia Chile 12 Source: CenturyLink Threat Research Labs, Full Year 2017 China United Kingdom Brazil Germany United States
  • 13. A Review of DDoS IoT Botnets How IoT botnets work:Gafgyt and Mirai The exploitation of IoT devices to create botnets for volumetric DDoS attacks began in earnest within the last several years. As previously reported by the CenturyLink Threat Research Labs, Gafgyt, a precursor to Mirai, started using IoT devices as botnets for DDoS attacks in 2014. Gafgyt (which also goes by the names BASHLITE, Lizkebab and Torlus) is a form of malware architected to infect Linux systems for the purpose of launching DDoS attacks. Written in C, Gafgyt was designed to be easily cross-compiled for multiple architectures running Linux, making it especially effective in compromising IoT devices and other systems which often use open source operating systems to minimize cost. Gafgyt implements a standard client/server architecture modeled loosely on an internet relay chat (IRC). Mirai first appeared in the fall of 2016 and quickly proved to be an effective evolution in launching IoT based cyberattacks. Mirai is responsible for launching what was, until March 2018, the largest DDoS attack on record. In addition to attacking krebsonsecurity.com, its variants were responsible for the attack on Dyn, which brought traffic destined for numerous popular websites in Europe and North America to a halt. Since the Mirai source code was released in October 2016, CenturyLink has tracked various evolutions of Mirai, including Satori, Masuta, OMG and Okiru. We continue to work with research peers across the globe to isolate and identify new variants. Because these copycat derivatives are not substantively different to the original Mirai, they are categorized under the header of Mirai in our research. Scanning for vulnerable devices is the basis for both botnets. Once vulnerable devices are identified, they are instructed to connect to a download server to install the malware. They then may be instructed to port scan for vulnerable devices or use external scanners to find and harvest new potential bots. In some cases, actors utilize the C2 servers themselves to scan and infect. There is a variety of other infection methods, including brute forcing login credentials on secure shell (SSH) and telnet servers, as well as exploiting known security weaknesses in other services. How do bad actors decide which malware variant to use? Bad actors have many tools at their disposal when attacking their targets. These DDoS botnets are just a few of the tools they may utilize. We have seen the same operators move back and forth between Gafgyt and Mirai, sometimes attacking the same target. Mirai and Gafgyt have been tied to DDoS attacks against gaming servers and the botnet owner’s perceived rivals. Operators attempt to drive traffic to the gaming servers they control. According to Krebs on Security, a large, successful Minecraft server with more than a thousand players logging on each day can easily earn the server’s owners more than $50,000 per month. The revenues come mainly from players renting space on the server to build their Minecraft worlds and purchasing in-game items and special abilities. They can also operate under a DDoS-for-hire scenario in which they rent their website stressor services to anyone – under the guise that you, as a site owner, want to ‘test’ or stress your website’s connectivity to the internet. Of course, there is no confirmation that you are the owner of the organization’s website that you wish to ‘test’. 13
  • 14. It is important to note: with both of these families and their operators, targets tend to change frequently. Recently, we have identified several of these operators shifting to bitcoin mining utilizing the bots that they have cultivated to steal their processing resources rather than utilize them in attacks. Mirai and its variants have been the focus of numerous headlines and consistent news coverage, but CenturyLink Threat Research Labs has witnessed more Gafgyt attacks affecting more victims, with noticeably longer attack durations. This chart tracks the top active C2s for the Gafgyt and Mirai botnet families and the length of time they’ve been active. While CenturyLink cannot fully deactivate a C2 that is not within our sphere of control, we can stop it from accessing our network and resources. However, mitigating a C2 is always a last resort and we aim to work with the broader internet community to resolve the risk first. After a C2 is identified, CenturyLink Threat Research Labs confirms it is a viable threat with intent to harm others and makes several attempts to notify the hosting and upstream service providers of the problem. Following these attempts, we mitigate the C2’s traffic over our global backbone so the cybercriminals cannot use our network resources to perpetrate attacks. In many cases, we even contact the top level domain (TLD) and registrar when required, in an attempt to have the domain deactivated – but this step yields varying results. Therefore, even though the chart below indicates some C2s have been active for up to four months, CenturyLink Threat Research Labs mitigated the traffic within days of identifying the threat, consistent with our desire to be a good steward of the internet. Top 10 active C2s for each family in 2017: network.bigbotpein.com ikbensupercool.nl snicker.ir cn.uvgczsuidrtg.com 185.188.206.99 upfiles.online cnc.linuxam.com internetpolice.ml serversrus.club neuvostoliitto.tk 83 60 60 57 54 53 51 39 39 36 Active Days Mirai C2 185.165.29.39 185.165.29.47 185.165.29.25 185.165.29.41 185.165.29.111 103.214.111.121 179.43.146.30 185.165.29.117 185.165.29.125 104.168.171.25 117 104 95 67 66 58 50 44 44 43 Active Days Gafgyt C2 C2 count by family – for activity tracked in 2017: 562 unique C2s tracked in 2017, minimum uptime - one day, maximum uptime - 117 days 339 unique C2s tracked in 2017, minimum uptime - one day, maximum uptime - 83 days Gafgyt Mirai 14 Source: CenturyLink Threat Research Labs, Full Year 2017
  • 15. The significant maximum uptime for both Gafgyt and Mirai C2s is often a result of bullet-proof hosting providers, as described above. The attraction of Mirai and Gafgyt deployments is that they offer bad actors a wide variety of customizable options to carry out their assaults. The determination of the specific attack type used is based on the capability of the software, the wishes of the malicious client, the target and the desired outcome. Each attack command may include a list of target IP addresses, target domains, ports, services and specified durations. The chart below reveals UDP and STD (descriptions below) as the leading attack type for Gafgyt based on our observations. 22,000 20,000 18,000 16,000 14,000 12,000 10,000 8,000 6,000 4,000 2,000 June July August September October November December Total Gafgyt Mirai 112,013 71,473 Attack Commands Issued Types and Volumes of Gafgyt Attack Commands Observed Total Per Month Total 12,000 11,000 10,000 9,000 8,000 7,000 6,000 5,000 4,000 3,000 2,000 1,000 June July August September October November December 10,248 47,877 8,281 45,607 udp std tcp http 2nd Half 2017 2nd Half 2017 15 Source: CenturyLink Threat Research Labs, 2nd half 2017
  • 16. HTTP flood and UDP (plain and flood) attacks are the three most commonly used attack types with Mirai, according to our observations. A Variety of Attack Types Associated with Gafgyt and Mirai UDP Flood [Mirai] and STD [Gafgyt] A User Datagram Protocol (UDP) flood attack is used to launch a barrage of packets toward a specific target. In a UDP flood attack, the destination port may be predefined or random. The source port is typically randomized and the source IP can be easily spoofed, protecting the attacker from receiving any responses from the remote targeted system.   Valve [Mirai] Valve Source Engine Query Flood is a UDP-based attack designed to send Source Engine Query requests, which create excessive resource demands against the target server when sent from multiple spoofed addresses at high volumes. The volume of requests inundates the server, resulting in a denial of service. Bad actors have used this type of attack on gaming servers because of their amplification possibility. When sending this type of query, the server responds back with information about the gaming server and is leveraged to cause game delay or outages for competitive advantage.   SYN Flood [Mirai] TCP [Gafgyt] A TCP SYN flood attack involves a bad actor sending successive synchronize (SYN) requests to overwhelm the victim’s servers, resulting in its inability to simultaneously respond to legitimate traffic requests.   ACK Flood [Mirai] TCP [Gafgyt] An acknowledge (ACK) flood attack is closely related to a SYN flood. A bad actor inundates a victim’s firewall with spoofed ACK packets in an attempt to overwhelm the server. Total 10,000 9,000 8,000 7,000 6,000 5,000 4,000 3,000 2,000 1,000 June July August September October November December ack_flood http_flood syn_flood udp_flood udp_plain valve 5,671 21,180 10,339 8,370 20,517 5,396 Types and Volumes of Mirai Attack Commands Observed 2nd Half 2017 16 Source: CenturyLink Threat Research Labs, 2nd half 2017
  • 17.    UDP Plain [Mirai] UDP [Gafgyt] The UDP Plain Attack is essentially the UDP Flood attack type, only optimized for speed. Spoofing is not possible with this attack type.   HTTP [Gafgyt] HTTP Flood [Mirai] The HTTP attack type is instigated as a layer 7 attack. It creates a valid connection with randomized data and HTTP headers are populated based on HTTP response. Assailants can use both GET and POST request types to execute their attack. 17
  • 18. Making Sense of the Data Businesses and government agencies need intelligence that offers the ability to maintain the confidentiality, integrity and availability of data, network resources and other assets. CenturyLink Threat Research Labs culls its data from one of the world’s largest internet backbones, giving us tremendous depth to our field of vision when it comes to emerging and evolving cyber threats. As one of the leading security research teams in the industry for tracking and reporting on botnets, and due to our unique view of the internet, CenturyLink contributes to several leading media outlets to inform the wider technology community about threats that may impact them, including Ars Technica, CSO, MIT Technology Review, PC Mag, Wall Street Journal, WIRED and many others. CenturyLink collects 114 billion NetFlow records each day, allowing us to capture over 1.3 billion security events daily and to monitor for 5,000 known C2 servers on an ongoing basis. CenturyLink also collaborates with other leading global threat intelligence teams to share critical insights with the goal of creating a safer internet. Unlike other security research entities, CenturyLink Threat Research Labs doesn’t just passively monitor malicious traffic flowing through the network; the team works to actively prevent bad actors from using CenturyLink network resources to conduct criminal activities. The team identifies dozens of new C2s monthly and works with the upstream service providers to disable their services. If they are unable or unwilling to take action, then CenturyLink steps in and takes measures to protect our network and our customers – nearly 40 C2s per month receive this enhanced treatment. 18 The CenturyLinkThreat Research Labs difference:
  • 19. To stay abreast of an enemy that is constantly evolving, businesses and governments need to understand the entirety of the threat landscape as it applies to their network. At the same time, threat intelligence without the appropriate filters and customizations can easily result in a flood of information leading ultimately to analysis paralysis. With the sheer volume and variety of threat types – even within the subset of IoT DDoS attacks – it is easy to lose sight of the most dangerous threats. We see this when news headlines seek to reveal the motives, techniques and sources of threats, yet miss important developments. This is demonstrated by the disproportionate attention paid to Mirai, with its notably shorter dwell time and lower victim count by volume, over that paid to Gafgyt, which has so far shown itself to be a more persistent threat. As organizations continue to realize operational benefits from greater adoption of cloud-based services, the security perimeter continues to wander and, in some cases, dissolve. Meanwhile, security spend is growing exponentially. By taking a holistic approach to security, one that is informed by actionable threat intelligence, businesses and government agencies can bridge the protection gap. The scope and depth of CenturyLink Threat Research Labs’ intelligence is derived from one of the world’s largest IP backbones, critical infrastructure supporting CenturyLink’s global operations and those relationships formed with our customers and industry peers. CenturyLink takes a proactive approach to securing the internet: when we see something, we stop it. We believe the internet is a village and each of us must do our part to protect it. This document is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. CenturyLink does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. This document represents CenturyLink’s products and offerings as of the date of issue. Services not available everywhere. Business customers only. CenturyLink may change or cancel products and services or substitute similar products and services at its sole discretion without notice. ©2018 CenturyLink. All Rights Reserved. The CenturyLink mark, pathways logo and certain CenturyLink product names are the property of CenturyLink. All other marks are the property of their respective owners. 19