03/09/2015 Updated with the Akamai Attack Map
Big data analysis has become a very powerful weapon in the hands of security companies: the ability to process in real time a huge amount of information collected by a global network of sensors allows to build predictive models (in contrast to traditional static signature/blacklist-based approaches) and to distribute the countermeasures at an unprecedented speed.
This consolidated trend has also an additional side effect, the data collected with the telemetry lets the security companies to build fancy maps that aim to visualize, with stunning graphical effects, the activity of the cyber threats on a global scale.
Some time ago I wrote a post in which I listed a small compilation of these threat maps, however so much water has flown under the bridge since then: the threats have become more and more sophisticated, new security vendors have emerged and even the more established ones have developed new detection and (hopefully) prevention technologies, opening new visualization possibilities, with results that in several cases are really spectacular.
So, it’s time for an update of the original list, featuring new threat maps that have been released in the meantime (presented in rigorous alphabetical order). You will undoubtedly realize how much successful they are in their scope to represent the havoc spreading silently inside the cyber space underneath us, with a rich utilization of FX.
Despite I already inserted the Akamai map in the original article, a reader pointed me to this new one. The map follows the globe layout and the reader is able to select which information must be displayed (traffic, attacks and netsessions). In particular the traffic option allows to visualize the data (collected by Prolexic) in form of rays. The bottom line shows several statics in terms of attack threshold, attacks/hour and peak attacks.
The threat map proposed by Check Point Software Technologies has quite a “classical” format similar to the Honeynet Map Project. The continents are displayed on a flat plane and the threat data, represented as animated lines, comes directly from the Threat Cloud Threat Intelligence Service. The user can quickly visualize the number of attacks registered in the last two days and the top target and attacking countries.
Of course the list could not exclude the map proposed by Fire Eye, powered by the FireEye Labs. Even in this case the layout is a flat plane with a world map and a representation of the ongoing attacks that resembles the vintage Atari Missile Command arcade. The user can immediately see the top attacker countries in the last 30 days, and the top 5 reported industries.
Even the Fortinet Map, powered by the Fortiguard Labs, follows the flat layout inspired by the Honeynet Map Project. The attacks are presented as threatening bullets, whose color reflects the severity. The lower window (it can be toggled off) shows a real time scrolling list indicating the exploited vulnerability, the severity, and the attack location.
This is probably one of the most famous. It displays the top daily DDoS attacks worldwide, with multiple customization options in terms of size, type, etc. It is possible to identify the most active countries as source or destination, and to browse a not reassuring gallery of the notable DDoS attacks since 2013.
Here’s another example of a flat plane layout, the one characterizing the map created by Norse Corporation, which provides a rich set of details about the attack and spectacular wave effect when a virtual missile hits its destination. The maps has two possible layouts which present the user with four widgets displaying real time information about the attack origins, attack types, attack targets and live activity. The latter shows further parameters such as geo localization of attackers and targets, and the exploited services and ports.
A different flavor of the Norse Attack Map, is also offered by HP with its HP IPViking. Different layout, but same level of information.
This is probably the most spectacular. By default it uses a globe layout where the user can see real time statistics in terms of: on-access scans, on-demand scans, web anti-virus, mail anti-virus, intrusion detection scans, vulnerability scans and anti-spam. The user can interactively spin the globe and select a specific country where the data is represented in terms of colored beams. If you wait for a couple of minutes the camera will zoom on a specific infection point showing an incredible jaw-dropping Tron-style 3-D effect.
Guess what? This is my favorite one! ( 🙂 ). The OpenDNS Global Network (viewable only with Chrome) opens a real time window on the data collected by the global recursive DNS service provided by the company. The map shows a spinning Globe and the user has the ability to interactively select a specific country and see in real time a beam of animated rays representing the DNS queries (served to and sent from that specific country) processed by OpenDNS and broke down in Malware, Botnets and Phishing.
The update ends here (for the moment, since I believe other companies will soon join the group). Of course, if you are aware of other resources that you think can deserve a place mention, feel free to drop me a note and I will be glad to insert them.