========================= Introduction =========================================

In this section some statistics are presented about incidents handled by CIRCL from 2011 to 2017. In this time frame, attackers evolved, forcing CIRCL to adapt its internal procedures. Although reporting to CIRCL is not mandatory, the reporting behaviour of constituents changed. On the one hand, the reputation of CIRCL increased. On the other hand, CIRCL offers trainings such as Introduction to Incident Response, forensic analysis and many others. These trainings help local organisations to build their own incident response capacities and thus reduce the number of reported incidents. Hence, it is challenging to compare the statistics of successive years.

Tickets are not indicators of the overall workload, as some tickets are very resource intensive whereas others are quickly solved. Nevertheless, the workload for the overall triage of the tickets is increasing.

Informal:
- Heartbleed activities are not reflected, as they were encoded as a large number of investigations. A graph of the investigations over time might help.

========================= TO FIX ==============================================

- In pie_categ_2017.png the categories are assumed to be Institution, Others, Individual, Finance, Industry. However, the graph categ_overtime.png has the title "Categorized ticket overtime". Looking at the labels of the curves, the categories could be assumed to be Information Leak, Phishing, System Compromise, .... In pie_categ_2017, could we not use topics as suggested by RT?
- In categ_overtime there is a category Abuse Desk which can neither be selected from the menu while editing an incident nor is it found in the public description [1].

======================== pie_categ_2017.png ===================================

The topics are almost equally distributed, covering the private sector. This not only shows that CIRCL is well established in all topics but also that incidents are a universal happening. CIRCL also supports individuals in computer incidents, although this task is not among the primary objectives of its mandate.

Informal:
- For the pie charts it would be good to upload the other pie charts as well, such as 2016, 2015, 2014, 2013, 2012 and 2011. We can then explain the evolution through the topics, i.e. the evolution of our services from industrial espionage cases to abused financial systems with Dridex or similar malware.

============= Categorized ticket over time (categ overtime) ====================

In this graph the categories of the various incidents are shown.

The handling of information leaks is a recurrent task, meaning that CIRCL has continuously discovered information leaks since 2012. This is mainly due to the operation of the pystemon software, which is capable of fetching unstructured data including information leaks. However, the human triage of these potential leaks is time consuming. SQL injections were frequently reported by people until 2012. People did not stop reporting SQL injections, but they reported fewer. XSS and other vulnerabilities are regularly reported, but the volume is quite low.

In 2013 a peak of system compromises can be explained by the implementation of automated detection of compromised systems in information leaks. The volume of support for denial of service attacks is quite constant, with a few exceptions. In 2013 CIRCL gave a lot of support in international CSIRT communities. In 2015 attacker groups such as Armada Collective and DD4BC were active in Luxembourg, blackmailing their victims.

Malware and system compromise have been omnipresent during the last six years. In the time frame from 2011 to 2015 CIRCL was mainly confronted with industrial espionage software. In 2015 compromised systems were analyzed by CIRCL, leading to malware targeting enterprise banking solutions. Malware running on mobile phones has also been regularly reported since December 2016.

Spam and scams are constantly reported. In 2012 the first fake Microsoft callers were reported, tricking their victims into providing them remote access to their machines and charging service fees. This scam reappears from time to time. Phishing campaigns have also been regularly observed in Luxembourg since 2013, targeting both international organisations (also observed in other countries) and local ones.

Informal:
- Would it be possible to plot the cumulative distribution of each category? We could then better compare the category distributions.
- Heartbleed was in 2014, but it is not really visible.
- Would it be possible to put the CSV files to extract the exact values for verification?

[1] https://www.circl.lu/pub/taxonomy/

============== ticket_year.png =================================================