Spotlight | Threat Visualizations

Cybersecurity threats are complex and global. A criminal in Ukraine can use one attack method to rob a bank in Singapore; a “hacktivist” in Australia can use another to bring down the servers of an oil company in England; and a cyber army in Syria can crash a news website in America if they don’t like what it’s reporting. But since those threats are highly technical and “invisible,” it can be difficult to articulate precisely what they are—or why the rest of us should care.

Recently, a number of cybersecurity firms have started producing threat maps that transform the world of threats from abstractions into things we can see. We took a look at five of the best of these threat visualization maps to summarize what they teach us, and how. Be afraid; be very afraid!


Kaspersky Cyberthreat Real-Time Map

Earlier this year, Moscow-based security software company Kaspersky Labs launched what is undoubtedly the most visually striking of all the threat visualization maps currently available. Upon arrival at the page, viewers are presented with an eerie vision: The earth spins in the darkness of space, while laser beams criss-cross the globe, shooting from country to country, as if some strange, secret war is taking place.

kaspersky threat 1

Kaspersky’s Cyberthreat Map presents a vision of the earth under attack (Source: Kaspersky)

And in fact, it is: Each of those laser beams represents a cyberthreat detected by Kaspersky’s international Kaspersky Security Network. The site promises that this is real-time information—as threats are detected and analyzed, they are quickly added to the map (and added to a “detections per second” ticker at the bottom of the page). Thus, the spinning globe presents us with a vision of a planet under perpetual siege from malicious actors.

kaspersky threat map 2

Users can zoom in on specific countries for more detailed threat data (Source: Kaspersky)

Scrolling with the mouse, you can spin the globe or zoom in and out on particular countries, to learn which nations have the greatest numbers of infected devices (as reported to Kaspersky’s database). At the time of writing, Russia was the number-one most-infected country, while Equatorial Guinea was the 174th and Antarctica was the least. (Any bank accounts those penguins may have are safe for now.)

Kaspersky also enables you to flatten the spinning globe into a regular map, as well as to reverse the negative, making the cosmos against which it spins light instead of dark. Extra data is provided on the page, including a list of the types of detections the company uses to identify threats, so you can see where the information is coming from.

These detections methods include: On Access Scans, which are triggered automatically when something suspicious occurs on a system; On Demand Scans, which are triggered intentionally by the user; intrusion detection system scans; and vulnerability system scans. The detection types are complemented by links to Kaspersky products that perform these functions.

Here’s the bad news: These are not all the threats in the world, but only the threats detected by Kaspersky. There are many, many more—but each vendor can only report what its systems have detected. So let’s take a look at some of the others, as visualized by other security vendors.

Digital Attack Map

Whereas the Kaspersky map shows us a world under constant attack from multiple vectors in real time, the Digital Attack Map—a joint project of Google Ideas and security vendor Arbor Networks—is updated hourly, and is exclusively focused on a specific type of cyberthreat: the Distributed Denial of Service (DDoS) attack.

Digital 1

DDoS attacks are visualized as volcanoes of data on the Digital Attack Map (Source: Google Ideas/Arbor Networks)

DDoS attacks occur when cybercriminals compromise other people’s computers, transforming them into “zombies” or “bots” that they can control remotely. Huge armies of zombies are known as “botnets,” and these can be harnessed to perform DDoS attacks—perhaps by flooding websites with bogus network or Web traffic, or shutting down a company’s operations through saturation of its network’s bandwidth and services.

The data represented on The Digital Attack Map is gathered and published by Arbor Networks’ ATLAS global threat intelligence system. However, unlike the other maps, this one shows us a world not in darkness, but in daylight. DDoS attacks are represented by streams of particles that leap from country to country—or, in some cases, that descend from the clouds to attack a single spot on the map.

At first, these attacks from the heavens seem confusing, but this map has a strong educational purpose: the makers of the map want to help more people understand the challenges DDoS attacks bring, and they state frankly that it is not always possible to tell where attacks come from. Thus, the best way to represent them is as the cyber-equivalent of a hurricane—a catastrophe that seems to come from out of nowhere.

The Digital Attack Map has lots of additional information for those wanting to know more about DDoS threats, including the type and duration of the attacks represented, which ports are subject to attack, total attack bandwidth and which countries suffer the highest levels of DDoS action. The site also keeps historical data about specific and notable attacks that occurred on specific days.

Digital history

The Digital Attack Map also provides rich historical data (Source: Google Ideas/Arbor Networks)

Of course, there are more threats in the world than are detected, and the map comes with a disclaimer: “The data may misidentify or exclude attack activity, and is intended to present high-level trends in significant attacks as they are observed by Arbor Networks.”

Indeed, in spite of all that terrifying activity we can see on the screen, the map shows less than 2 percent of reported attacks!

Akamai Real-Time Web Monitor

Unlike the previous three maps, which are exclusively dedicated to visualizing threats, the Akamai Real-Time Web Monitor reveals a broader range of data, including cities with the slowest Web connections and geographic areas with the most Web traffic. However, Akamai produces a range of Web security products under the Kona brand—so it, too, has access to threat data, and the visual emphasis on this map (from a security perspective) is on areas with the greatest attack traffic.

Of all the maps under scrutiny so far, this is perhaps the one with the simplest and cleanest interface. There are no laser beams or erupting neon threat volcanoes; there are just glowing, orange “hot spots” on a map of the world indicating those areas where network attacks are particularly severe. The worse the attack, the stronger the glow.

Akamai 1

Information about areas highlighted on the Akamai threat monitor appears below the map (Source: Akamai)

Viewers who want to learn more can click on a rectangular window on the map, and move it around to reveal statistics and facts about the areas under attack. To prevent things becoming really cluttered, the information appears in a separate, rectangular box below the map. At time of writing, I could see that attack traffic was occurring at a rate 31.75 percent higher than normal; that the strongest attacks were happening in the U.S., Brazil, Venezuela, western Europe and China; and that a strong attack was underway in a mysterious, unnamed spot almost exactly midway between Moscow and Russia’s far east.

Akamai 2

A close-up of a mysterious attack in Russia (Source: Akamai)

As I moved the rectangle around, I also learned that wealthy and technologically advanced California had received the most attacks in the last 24 hours: a total of 265. Meanwhile, that mysterious, unidentified spot in Russia had suffered 81 attacks in 24 hours. Clearly, there was something out there in the tundra that either a criminal wanted to steal, or a hacktivist wanted to sabotage…

Deutsche Telekom Attack Meter

The name for this map from German communications provider Deutsche Telekom is “Sicherheitstacho”; translated into English, this means “Security Meter,” and it provides a visual guide to current cyberattacks around the world. The good news is that it comes in both English and German versions (although, when you hold your cursor over the map’s hot spots, you will need to know that the word “angriffe” is the plural of “angriff,” meaning “attack”).

This map is much less dense than most of the others, and its visuals are actually calm and soothing. Gone are the laser beams in darkness and “Hunt for Red October”-style graphics: Instead, the viewer sees the world of threats laid out in an elegant, minimal global map, in colors that will be familiar to U.S. visitors as those of T-Mobile: white, pink and purple.

But do not be fooled: The map displays threats detected by Deutsche Telekom’s early-warning system, which collects and collates data from 180 sensors located around the world. Those countries under heavier assault from the “bad guys” are colored in with progressively darker shades of purple.

Telekom 1

The Security Meter has a clean, orderly, information-rich interface (Source: Deutsche Telekom)

As in some of the other maps, the “Security Meter” maintains a live-ticker at the bottom of the page. This measures attacks as they occur (by the second), and reveals the source of the attack, the target and the type. A flood of information like that can be difficult to place in context, however dramatic it may seem when visualized. And so, to help visitors understand what they are looking at and place the information in historical context, the site also offers a lot of historical data for comparison.

Thus, you can use the map to look at attacks from months past—and you can see pretty quickly that there are not too many countries in the big leagues, either as a source of attacks or as a destination. Taking the data for August, Russia was the top source of attacks, with 2,543,544; China comes in second with 1,801,025, followed by the U.S. at 1,700,364. It’s a precipitous drop after that point to fourth place (Germany, at 881,366), while Turkey occupies the last listed position (15th), with 43,205 attacks.

The Deutsche Telekom map seems to visually imply that the world is not spinning out of control (yet). Also very interesting in this regard is the little table at the bottom-right of the screen, which details the primary targets of attackers over the preceding two minutes: At the time of writing, network services were on top, with 4,230 attacks; next, websites, with 700; console/shell with 594; and smartphones received a mere 146 attacks, which would seem to bely a lot of the hype about the new emerging threats to mobile devices.

This historical data is then collected and presented on a chart showing the attacks over the course of months, enabling the viewer to put that instant data—which can be confusing and overwhelming on some of the other maps—in context.

Telekom 2

Historical data enables the viewer to compare attack trends over time (Source: Deutsche Telekom)

Trend Micro Global Spam Map

Until recently, Trend Micro had a global botnet map, but it has disappeared from the firm’s website—leading us to wonder whether, having seen the challenge laid out by Kaspersky and the other vendors listed here, they are plotting to unleash something new and amazing. In the meantime, the firm still provides a global spam map, offering visitors insights into that truly global nuisance. Indeed, while the other maps here may visualize threats that many people struggle to understand, spam is something even the most basic Internet user knows all too well.

Visually, the map is easy to read and understand; as in the Deustche Telekom map, the darker the country, the more severe its problems (in this instance, the volume of spam Internet users receive). Trend Micro computes the “spam rate” measured on the map via the email messages that pass through its anti-spam tools. Illustrating just how pervasive a problem spam can be, Trend Micro counts spam volume by the billions.

Spam 1

The global spam map tracks spam volume each month by the billions (Source: Trend Micro)

Interactivity is simple and informative: in order to access more information from the map, viewers can move the cursor over any given country, and a balloon will appear revealing the latest spam statistics. You can also filter the spam volume trends by clicking “Week,” “Month” or “Year.”

A slider to the left enables users to zoom in or out of the map for a closer look. Clicking on the “home” icon restores the map to its original size, while the map and corresponding information can be moved by clicking and dragging.

Spam 2

The darker the red, the higher the volume of spam the country endures (Source: Trend Micro)

As for the information the map provides, here it is possible to learn some fascinating nuggets. We in the U.S. may think spam is a problem, but in fact, our spam rate is only 42 percent. In a closed country such as Turkmenistan in central Asia, where hardly anybody has access to the Internet, those who do have to endure a spam rate of 95 percent. Stupendously high rates are not limited to developing countries, either: Poland, safely ensconced in the EU, has a rate as high as 86 percent, while in Spain the rate is even higher (88 percent).

If there’s one thing that all of these threat visualization maps makes clear, it is that cybercrime is a relentless phenomenon, and that the digital world abounds with risk. And so, while it is entertaining and informative to look at these maps, each of them underscores an important fact: As the world turns, we all need to take security seriously. And if we do, then we just might be able to avoid some of those laser beams.


Share This:

Twitter LinkedIn Google Plus Facebook