CIRCL operational statistics
The operational statistics cover the activities related to the incident response activities of CIRCL especially in regards to the reporting (e.g. incident reports, request for analysis or support during computer security incident) and notifications (e.g. take-down notification, notification about vulnerability) from/to third parties. The statistics exclude automatic structured notifications and information exchange happening via threat intelligence platforms such as the CIRCL MISP information sharing platform or any other automatic exchange setup with partners.
In this section some statistics are presented about incidents handled by CIRCL between 2011 and 2017. During this time frame the attackers evolved, forcing CIRCL to adapt its internal procedures. Although the reporting to CIRCL is not mandatory, the reporting behaviour of constituents has changed. On one hand, the reputation of CIRCL increased, thereby increasing the amount of reporting to CIRCL. On the other hand, due to the trainings such as Introduction to incident response, forensic analysis and many others offered by CIRCL, have helped local organisations build up their own incident response capacities thereby reducing the number of reported incidents. This makes comparing the statistics of successive years challenging. Tickets are no indicators for the overall workload as there are some tickets that are very resource intensive whereas others are quickly solved. Nevertheless, the workload for the overall triage of the tickets is increasing and showing an increase in diversity when it comes to attacker practices.
Tickets can contain one or more incidents and only represent the reporting or notification which was performed by CIRCL analysts.
Number of tickets per year
Number of tickets per month
State of tickets per year
Categories of tickets
In the above graph the categories of the various incidents are shown. The handling of information leaks is a recurrent task, meaning that CIRCL has been continuously discovering information leaks since 2012 which is mainly due to the operation of data-mining and leak monitoring software capable of fetching unstructured data, including information leaks (e.g. CIRCL develops a software to discover information leaks called AIL). However, the human triage of these potential leaks is time consuming. SQL injections where frequently reported by people up until 2012 and whilst people in general did not stop reporting SQL injections but they reported less. XSS and other vulnerabilities are regularly reported but the activity is quite irregular. In 2013, a peak in system compromises can be explained by the implementation of automated detection of compromised systems in information leaks. The volume of support for denial of service attacks has been quite constant with a few exceptions. In 2013 CIRCL gave a lot of support to international CSIRT communities. In 2015, attacker groups such as Armada Collective and DD4BC were active in Luxembourg by blackmailing their victims. Malware and system compromises have been omnipresent during the last six years. In the time frame of 2011 to 2015 CIRCL was mainly confronted with industrial espionage software. In 2015 compromised systems were analyzed by CIRCL containing malware often targeting enterprise banking solutions. Malware running on mobile phones have also been regularly reported since December 2016. Spam and scams are constantly reported. In 2012 the first fake Microsoft callers were reported tricking their victims into providing them with remote access to their machines and charging service fees, a recurring scam reappearing from time to time. Phishing campaigns are also regularly observed in Luxembourg, targeting international organisations, attacks which were also observed in other countries since 2013. The malware category includes all malicious binaries that CIRCL gathers via reporting (it doesn’t include automatic collection of malware samples).
2018 Details of Ticket Categories
Sector of activities
The topics are almost equally distributed, covering the private sector. It not only shows that CIRCL is well established in all relevant areas but also that the above mentioned types of incidents are global occurance. CIRCL also supports individuals in computer incidents although this task is not in its mandate’s primary objectives. The classification of the sector of activity is broad to avoid the disclosure of specific victims.
The operational statistics are also available in JSON format if you want to process it for further analysis or data mining.
The raw data is generated every month. The ticket number is converted using a HMAC value with a unique random key generated at each run. This allows to do correlation without leaking the ticket number associated.
Use of the operational statistics
CIRCL operational statistics can be freely reused according to the distribution rules described below. We also recommend to reference this page if you use the statistics for a publication or a report.
- Version 1.2 August 17th, 2018 - partial 2018 statistics generated - monthly statistics added
- Version 1.1 January 3rd, 2018 - 2017 statistics generated
- Version 1.0 October 10th, 2017 Initial version TLP:WHITE.