Cyber Threat Index

What is the Cyber Threat Index?

The Cyber Threat Index is a monthly measurement and analysis of the global cyber threat landscape across data and applications.

The Cyber Threat Index provides an easy-to-understand score to track cyber threat level consistently over time, as well as observe trends. The data is (when applicable) also analyzed by industry and by country, to provide further analytics and insights.

The Cyber Threat Index is calculated using data gathered from all Imperva sensors across the world including over:

• Over 25 monthly PBs (Peta Bytes10¹⁵) of network traffic passed through our CDN
• 30 billions (10⁹) of monthly Web application attacks, across 1 trillion (10¹²) of HTTP requests analyzed by our Web Application Firewall service (Cloud WAF)
• Hundreds of monthly application and database vulnerabilities, as processed by our security intelligence aggregation from multiple sources

Viewers of the global Cyber Threat Index can dive deeper into the score & drill-down for individual industries and countries, and also view historic Index scores.

On a monthly basis, our security experts are analyzing the data, to create insights about events and trends in data & application security based on the data we see. When applicable, we may also suggest recommendations for enhancing the security posture against the threats we see.

How is the index calculated?

The index is based on a number of ingredients: network traffic, attack traffic and vulnerabilities.

We store attack data, as well as statistics about the network traffic we see from our Cloud WAF. This data is sent from our Cloud WAF proxies to our data warehouse, where it is enriched & aggregated.

On a daily basis, we run analytics on the data we collect, to calculate a daily risk score per site, per industry & per country.

Vulnerabilities

When calculating the vulnerabilities’ risk, our assessment is that:

• The more severe the vulnerability - the higher the risk (Impact can be larger, for example: taking over a server vs disclosing system information)
• The more recent the vulnerability - the higher the risk (The assumption is that patching of systems takes time, therefore there will be more vulnerable systems accessible)
• If there is a public exploit, the risk is higher as more attackers has the ability to exploit the vulnerability, and the more wide-spread it is the higher the risk.

DDoS Attacks

We store statistics on both network DDoS attacks and application DDoS attacks.

Network DDoS attack statistics include details about the duration of the attack, the volume of the attacks, number of sources and their proportion in the attack, different ports and methods (e.g. SYN flood, amplification etc.). These statistics are calculated and stored for attacks both in terms of packet per second and in terms of bytes per second.

Application DDoS (Layer 7 DDoS attacks) statistics include information about the duration of the attack, the volume of the attack, the tools that were used and the different countries it originated from in terms of requests per second.

We normalize all DDoS attacks statistics against the statistics we have about legitimate traffic, to prevent bias for increased/decreased amount of assets we protect (Globally or for a certain industry/country).

Application Security Attacks (As seen in the wild)

At first, instead of dealing with a huge amount of daily attacking requests, we aggregate them into attacks (Each attack can have a very large number of HTTP requests as part of it). For each attack, we check:

• The highest risk level of triggered rule within that attack (For example: an SQL Injection attack has more weight than an information disclosure attack).
• The higher the intensity of the attack, the higher the risk.
• The newer the mitigation, the riskier the attack (We constantly add mitigations to our cloud WAF, and the assumption is that newer attacks has more success ratio than older ones).

For the analytics and insights we provide, we also enrich the data, for example:

• Adding target industry classification for the applications being attacked.
• Adding source & target countries.
• Adding source network types (For example: public cloud, TOR, etc).

The risk is then calculated by removing the lowest-risk attacks, as they’re meaningless in terms of added risk, and determining the risk is done by normalizing attack traffic against normal traffic. The logic to this normalization is that we don’t want the index to be affected by increased/decreased traffic (For example: if we have 20% more traffic due to new customers in a certain month, we don’t want it to affect the risk index).