Apologies to Cameron Camp for borrowing his blog hook, but it seemed too good not to recycle for a second article citing Imperva's just-released report on how automation can lead to a business' website being attacked up to seven times per second.
Cameron's article summarizes neatly the issues that Imperva has raised, but I was reminded of some further questions I was asked a few days ago.
Are these figures surprising? Well, they don't particularly surprise me.
I don't know how accurately Imperva's figures can be extrapolated across the entire internet or over a longer period, of course, but there's no denying that automated attacks are highly prevalent. In fact, automation is business-as-usual for the security business and for cybercriminals etc., and similar cyclic patterns have been observed for many years.
Still, I've also been asked whether this means that hacking (how ever you may perceive that term) is now more mainstream than it used to be.
Well, I can't say that it isn't, but I don't think these figures demonstrate that in themselves. They might simply be accounted for by increased technical sophistication. By definition, automation tends to suggest more “efficiency” in terms of higher potential volumes, but it doesn't prove that there are more cybercriminals.
I'd be surprised if the number of cybercrimes turned out not to be growing, but I don't see any proof here that their numbers are increasing except in proportion to the number of internet users as a whole.
Actually, I don't know that you could prove that the percentage of internet users engaging in criminal activity is increasing. Criminals don't provide us with statistics about their activities unless they're bragging about the number of account/password combinations they're going to release for use by the criminal fraternity.
Of course, we could indulge in some guesswork extrapolating from what we know of the internals of some botnets, for example (since the Imperva figures are to a large extent based on monitoring botnet-launched attacks), but ESET doesn't generally engage in that sort of speculation, as a matter of policy.
Let's be clear on this: Bot-driven attacks are criminal activity, and most cybercrime is about financial gain. Hacktivists and hobbyists might also be using automation as a means of expanding the range and volume of their attacks, but they probably won't be consistently putting the same effort and resources into automation.
So this report is interesting, if depressing reading, but it shouldn't cause panic attacks in the private or public sectors.
The fact that the volume of automated attacks may be rising doesn't suggest to me that there's a ready-made countermeasure that target organizations can deploy to counter that increase in volume. Wouldn't it be nice if we had some 100% solutions? Dream on...
On the other hand, if your security strategy and the range of defenses you have in place are sound, an increase in attack volume doesn't necessary increase your attack surface, even in terms of, for instance, distributed denial-of-service attacks.