Computer Crime Research Center

Riptech Internet Security Threat Report
(Report Reveals Elite Hacker Profile, Warns of "Smoke Screen" Code Red Attacks)

Alexandria, Virginia, July 8, 2002 - Riptech, Inc., the premier provider of scalable, real-time managed security services, today released volume II of its Internet Security Threat Report, showing that Internet attacks grew at an annualized rate of 64 percent in the period, January-June 2002. The expanded scope of the Report provides the first insight into U.S. designated terrorist states' cyber-attack volume and patterns. Riptech notes that attacks originating from these geographies exhibit different scan patterns than those from other nations. This is a critical tool for detecting cyber-terrorist activities and Riptech continues to monitor any deviations in attack patterns from these regions.

The Internet Security Threat Report cuts through the massive volume of low-impact malicious activities to reveal a highly focused, small demographic of elite hackers. Comprising less than one percent of all cyber assailants, these dangerous predators' behaviors are marked by a high number of attack signatures, extended attack duration, and their focus on a small number of select targets.

Providing a new twist on the known Code Red worm, the Report points to new evidence of smoke screen attacks. It notes a small percent of Code Red attacks originated from UNIX systems, which is technically impossible. This finding raises concern about known attack complacency and the potential vulnerability posed by emerging smoke screen attack strategies.

Derived from a sample set of more than 400 companies in over 30 countries throughout the world, the Riptech Internet Security Threat Report is based on the world's largest repository of cyber-attack data. Based on the empirical analysis of actual cyber attacks detected against a global sample of security devices, the Report provides the most detailed analysis of attack trends that affect the entire Internet, specific industries, and individual corporations. It quantifies the intensity, severity, and geographic sources of cyber attacks. Following up on the first Internet Security Threat Report that Riptech released in January 2002, this volume II Report focuses on Internet attack activity in the period from January-June 2002. Key metrics from the Report, include:

Internet attacks have increased at a 64 percent annualized rate in the six-month period ? U.S. designated terrorist states with the most cyber-attack activity included: Iran, Pakistan, Egypt, Kuwait, and Indonesia Highly aggressive attacks were 26 times more likely to result in a severe attack than moderately aggressive attacks A small percent of systems launching Code Red attacks were UNIX systems, suggesting that some attackers are using Code Red to disguise their attacks 70 percent of power and energy companies suffered a severe attack; as opposed to 57 percent in the prior six-month period

Public companies were twice as likely to experience at least one severe attack and twice as likely to suffer a highly aggressive attack than private, nonprofit, and government entities combined 80 percent of all attacks originated from only 10 countries, up from 70 percent during the prior six-month period - United States, Germany, South Korea, China, France, Canada, Italy, Taiwan, Great Britain, and Japan 99.9 percent of attack scans are focused on only 20 services, suggesting that the vast majority of attacker reconnaissance is focused on a relatively few amount of entry points "A critical global infrastructure, the Internet is crucial to U.S. and international commerce," said Amit Yoran, president and CEO of Riptech. "Volume II of the Internet Security Threat Report represents the most detailed analysis of cyber security trend activity ever performed and released to the public. This unique perspective is only made possible by our monitoring technology and managed security services. The Report underscores Riptech's commitment to provide our customers with the industry's most proactive security protection." Prior to the development of Riptech's Internet Security Threat Report, other attempts to summarize network attack trends have relied on survey data and conjecture. The accuracy of these other reports is limited by inconsistent attack detection capabilities and the inherent problems of self-reporting security data. The Internet Security Threat Report is based on precise data mining and expert analysis of more than 11 billion firewall logs and intrusion detection systems (IDS) alerts discreet data points. From these data points, Riptech isolated more than one million possible attacks and more than 180,000 confirmed attacks, which were analyzed for this Report.

Trends presented in this Report are made possible by Riptech's security monitoring service. Riptech provides management, monitoring, analysis, and response against suspicious activities detected across firewalls, VPNs, and IDS. By correlating and analyzing vast amounts of security data through its proprietary Caltarian technology platform, Riptech's Security Operations Center (SOC) analysts quickly identify and defend organizations against potential intrusions or other malicious activity. Volume II of the Internet Security Threat Report is available on Riptech's Web site at


Home | What's New | Articles | Links
Library | Staff | Contact Us

Copyright Computer Crime Research Center 2001, 2002 All Rights Reserved.
Contact the CCRC Office at 380-612-735-907