CIRCL Operational Statistics
The operational statistics cover the incident response activities of CIRCL, especially with regard to reporting (e.g. incident reports, requests for analysis or support during a computer security incident) and notifications (e.g. take-down notifications, notifications about vulnerabilities) from/to third parties. The statistics exclude automatic structured notifications and information exchange happening via threat intelligence platforms such as the CIRCL MISP information sharing platform or any other automatic exchange set up with partners.
In this section some statistics are presented about incidents handled by CIRCL between 2016 and 2024. During this time frame the attackers evolved, forcing CIRCL to adapt its internal procedures. Although reporting to CIRCL is not mandatory, the reporting behaviour of constituents has changed. On the one hand, the reputation of CIRCL increased, thereby increasing the amount of reporting to CIRCL. On the other hand, trainings offered by CIRCL, such as Introduction to incident response, forensic analysis and many others, have helped local organisations build up their own incident response capacities, thereby reducing the number of reported incidents. This makes comparing the statistics of successive years challenging. Tickets are not an indicator of the overall workload, as some tickets are very resource intensive whereas others are quickly solved. Nevertheless, the workload for the overall triage of the tickets is increasing, and the tickets show an increasing diversity of attacker practices.
Ticketing System Statistics
Tickets can contain one or more incidents and only represent the reporting or notification which was performed by CIRCL analysts.
A few clarifications regarding the charts:
- Manual Ticket: Ticket that has to be handled and classified manually by an analyst.
- Automatic Ticket: Ticket that was created in an automated fashion. It could be a report from third parties or a self-generated report from our constituency. Tickets from not fully trusted sources involve a manual validation by a human CIRCL operator.
- Services offered by CIRCL: CIRCL offers multiple services such as MISP, PassiveDNS, PassiveSSL, AILFramework and many more to organisations. Tickets for services are usually questions or requests for access.
Information Leaks Affecting Luxembourg
An information leak is the publication (or trusted announcement of possession) of stolen or otherwise acquired digital information like user profiles, credentials or other digital assets.
The heatmap below compiles the data from the CIRCL TR-46 document to give a better overview.
Usage of MISP offered as a service by CIRCL (misppriv.circl.lu)
CIRCL operates a MISP instance called MISPPriv (misppriv.circl.lu) mainly targeting private organizations, companies, financial organizations or IT security companies. CIRCL operates this sharing community for the benefit of the security community at large.
Use of the operational statistics
CIRCL operational statistics can be freely reused according to the distribution rules described below. We also recommend referencing this page if you use the statistics for a publication or a report.
Evolution of data collection
- On the 20th February 2019, a new collection process was introduced to ensure that common operators hosting phishing content (e.g. to have continuous contacts with operators worldwide to act globally and protect locally) get notified of all verified phishing reports. This resulted in a significant increase in phishing investigations. This should be taken into consideration if trend analyses are performed.
Distribution
TLP:WHITE information may be distributed without restrictions. The document and the Open Data mentioned are licensed under an international CC-BY 4.0 license.
Revision
- Version 2.0 January 11th, 2022 - improved statistics collection and representation
- Version 1.9 January 7th, 2022 - explained peaks for 2019 and 2020 of number of tickets per year
- Version 1.8 November 17th, 2021 - added months for 2021
- Version 1.7 January 13, 2021 - 2020 completed
- Version 1.6 March 05, 2020 - 2020 Jan + Feb added
- Version 1.5 January 15th, 2020 - 2019 completed
- Version 1.4 May 8th, 2019 - 2019 Q1 generated + graph links updated
- Version 1.3 January 14th, 2019 - 2018 full generation + clarification to the JSON format
- Version 1.2 August 17th, 2018 - partial 2018 statistics generated - monthly statistics added
- Version 1.1 January 3rd, 2018 - 2017 statistics generated
- Version 1.0 October 10th, 2017 - initial version TLP:WHITE.