TTPwire Vol. 1 · MITRE ATT&CK·Tagged

F5 Labs

Regional Threat Perspectives, Fall 2019: Canada

2019-12-02

ATT&CK techniques detected

11 predictions
T1071.001 Web Protocols
99%
“. no unique countries are seen targeting canada. in fact, in the top 20 attacking countries, all were seen targeting other regions of the world. the most unique attacking ip addresses targeting canada were assigned in singapore and ireland. ip addresses assigned in these countrie…”
T1071.001 Web Protocols
96%
“launching malicious traffic against targets in canada, august through october 2019 ip addresses assigned in france launched the most attack traffic against systems in canada (see figure 2). with normalized data, france was followed closely by ip addresses assigned in russia and…”
T1046 Network Service Discovery
88%
“17 asns that only targeted canadian and russian systems (denoted with ** in figure 4 below). the fact that the attack traffic patterns by asns in canada so closely mirror european and american patterns could be due to geopolitical reasons or the close alliances of these areas.…”
T1071.001 Web Protocols
85%
“50 ip addresses attacking canadian targets, august through october 2019 ip addresses attacking canada compared to other regions we compared the volume of attack traffic canadian systems received per ip address to other regions of the world. attack traffic destined for canadian sy…”
T1071.001 Web Protocols
79%
“in order to accurately compare attack data between regions and ensure that no one region is overrepresented in the total data analysis. top source traffic countries before we look at the “top source traffic countries,” it’s important to clarify that we’re talking about the …”
T1110 Brute Force
78%
“, the three canadian ip addresses in the top attacking ip address list are responsible for 17% of all attack traffic that targeted canadian systems. these ip addresses were conducting a variety of activities, but most were scanning or doing some sort of credential stuffing. out …”
T1046 Network Service Discovery
64%
“towards rfb/vnc port 5900. - the number one source of attack traffic targeting canadian systems came from ip addresses assigned in france, however, russia in second place, followed closely. when looking at traffic coming from ip addresses in the top 20 attacking countries, 10. …”
T1046 Network Service Discovery
47%
“seen launching credential stuffing and aggressive multi-port scanning focusing on rfb/vnc port 5900 (hitting all regions of the world). three of these ip addresses were seen sending attack traffic to every other region over the same period. - the top eight ports or services…”
T1071.001 Web Protocols
41%
“; that is, they were launched from many ip addresses but had a low number of attacks per address. this type of activity is deliberate and takes more resources (systems and manpower) to pull off, and therefore is typically attributed to more sophisticated threat actors. figure 2…”
T1110.004 Credential Stuffing
39%
“, the three canadian ip addresses in the top attacking ip address list are responsible for 17% of all attack traffic that targeted canadian systems. these ip addresses were conducting a variety of activities, but most were scanning or doing some sort of credential stuffing. out …”
T1071.001 Web Protocols
38%
“and gtech s.p.a. and digital ocean in fourth and fifth respectively. these asns were all seen attacking every region of the world, indicating widespread attacks on the ipv4 address space. ten percent of asns targeting canada are only seen targeting canada. traffic through these…”

Summary

The U.S. and Canada have 95% of top source traffic countries in common.