Visual representation is based on real information

Oct 22, 2014 11:43 GMT

Thousands of cyber-attacks occur on a daily basis originating from various parts of the world and targeting a wide range of victims; visualizing them creates a better picture of the current threat landscape.

For this purpose and for keeping an eye on the changes in the behavior of a malicious actor, security researchers from FireEye created ThreatMap, a representation of the communication between command and control (C&C) servers and the victims’ computers.

Visual created based on real attack information

The map does not show attacks in real time, and it deliberately does not display every incident: plotting all of them would make the picture useless, since no clear connection between an attacker and a victim would remain visible.

To make the entire threat scene comprehensible, the researchers included samples of real information collected from their intelligence database.

“The ThreatMap data is a sample of real data collected from our two-way sharing customers for the past 30 days. The data represented in the map is malware communication to command and control (C2) servers,” says FireEye threat researcher Ali Mesdaq.

The identity of the attacker and of the target is not provided, and neither is their location; instead, only information about the country is offered.

To keep the view of incidents and actors accurate, FireEye relies on information collected by its own systems and selects the attacks shown on the map according to how often each was observed.

A better picture of malicious patterns and changes

ThreatMap is useful for understanding the patterns of malware families and threat actors. Those details are exactly what the researchers need, because they expand the knowledge base and supply the connections required to identify a malicious party.

“For instance, it lets us examine whether a particular threat actor – say APT1 – is using a particular set of IP addresses, domain names, URLs to launch their attacks. Based on the type of malware being used it also lets us attribute the malware and hence, the source of these attacks, to particular threat actors,” Mesdaq says.

Top five of most targeted sectors

Apart from an eye-catching view of the attacks, the map also offers a list with the most affected industries from the past 30 days.

At the moment, most cybercriminal attention appears to be directed at organizations in the services and consulting sector, followed at a considerable distance by educational institutions and the energy and utilities sector.

Oddly enough, financial services are last in the top five targeted sectors, behind the high-tech industry.

From our observations, the United States records most activity, both as an attacker and as a victim. We also noticed several APT (advanced persistent threat) groups being hit in Korea, the US, and Canada. In such cases, FireEye also gives information on the type of malware used by the threat actors.
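As an added illustration of the reduction the article describes (this is not FireEye's code or data): a constructed batch of C2 beacon records is trimmed to the trailing 30 days, collapsed to country-to-country edges weighted by frequency, ranked by victim sector, and tagged with the malware families seen on each edge. The record layout, countries, sectors and family names in the sample are assumptions.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed sample beacons (not FireEye data). Each tuple is one observed
# malware-to-C2 communication, already stripped to the fields the map keeps:
# (observed_on, victim_country, c2_country, victim_sector, malware_family)
SAMPLE_BEACONS = [
    (date(2014, 10, 21), "US", "CN", "Services/Consulting", "Gh0st"),
    (date(2014, 10, 21), "US", "CN", "Services/Consulting", "Gh0st"),
    (date(2014, 10, 18), "US", "CN", "Services/Consulting", "PoisonIvy"),
    (date(2014, 10, 19), "KR", "CN", "Education", "Gh0st"),
    (date(2014, 10, 12), "KR", "CN", "Education", "Gh0st"),
    (date(2014, 10, 15), "CA", "RU", "Energy/Utilities", "Zeus"),
    (date(2014, 10, 10), "US", "RU", "High-Tech", "Zeus"),
    (date(2014, 10, 1), "DE", "US", "Financial Services", "Zeus"),
    (date(2014, 9, 15), "US", "CN", "Services/Consulting", "Gh0st"),  # older than 30 days
]
TODAY = date(2014, 10, 22)  # constructed reference date for the 30-day window

def in_window(beacons, today, days=30):
    """Keep only beacons observed within the trailing `days`-day window."""
    cutoff = today - timedelta(days=days)
    return [b for b in beacons if cutoff < b[0] <= today]

def country_edges(beacons):
    """Count beacons per (c2_country -> victim_country) edge. Only countries and
    frequencies survive, so no host, IP or organisation is exposed by the output."""
    return Counter((b[2], b[1]) for b in beacons)

def top_sectors(beacons, n=5):
    """Rank victim sectors by beacon count, as the map's industry list does."""
    return Counter(b[3] for b in beacons).most_common(n)

def country_activity(beacons):
    """Per country: how often it appears as C2 source and as victim."""
    out = defaultdict(lambda: {"as_attacker": 0, "as_victim": 0})
    for _, victim, c2, _, _ in beacons:
        out[c2]["as_attacker"] += 1
        out[victim]["as_victim"] += 1
    return dict(out)

def families_per_edge(beacons):
    """Malware families seen on each edge: the hook for attributing an edge to an actor."""
    fams = defaultdict(set)
    for _, victim, c2, _, family in beacons:
        fams[(c2, victim)].add(family)
    return {edge: sorted(f) for edge, f in fams.items()}

if __name__ == "__main__":
    recent = in_window(SAMPLE_BEACONS, TODAY)
    print(country_edges(recent).most_common(3))
    print(top_sectors(recent))
```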

Photo gallery (3 images). Captions: "Shots fired to and from the United States"; "Threat Map shows the most targeted five industries"; "APT attacks are also represented on the map".