Cyber threats can be quite elusive and intangible: who are the people behind cyber attacks and where are they targeting their attacks?
With cyber attacks happening all around the connected world, threat intelligence, and threat maps in particular, is a powerful way to make threats and attackers concrete.
Threat maps illustrate the millions of cyber threats happening every day. In addition to visualizing the attacks, cyber threat maps also provide a limited amount of context including the source and target countries, attack types, and historical and (near) real-time data about threats.
Cyber Threat Map Limitations
But we’ll be upfront about the faults of threat maps. Many of these maps may claim that they show data in real-time, but in reality, most show a playback of records of previous attacks. Also, threat maps show anonymized data, without any insights into the identity of the attackers or the victims.
Threat actors tend to forge their real locations, so the source of an attack is often displayed incorrectly on attack maps.
As a result, some cybersecurity professionals question the real value of threat maps.
However, you can use a threat map as an addition to your threat intelligence sources as it provides valuable insight into your organization's threat posture.
How To Use Cyber Threat Maps
To be completely human and honest, threat maps are fun to look at, but they can also be valuable in helping your security team make connections and predictions about future attacks that may involve your company. Threat maps provide that visual connection that turns information into intelligence.
There are a few different types of threat maps. Some display comprehensive information, while others show limited amounts of data to narrow their scope. Threat maps also differ in the timeframe they illustrate: near real-time or historical.
Below, we've collected some of the best maps you can use to expand your threat intelligence arsenal.
Note: One of the most popular solutions, Norse's threat map, is currently unavailable, so we've included an alternative instead. And another great source of emerging attack information? Check out the security bulletin.
1. Kaspersky
The Kaspersky Cyberthreat Real-Time Map’s default view shows attacks around the globe with options to rotate and zoom on a specific country to see nation-specific threat data.
While it isn't clear how current the data used in the threat map is, Kaspersky draws its attack data from multiple sources, such as on-access scans, on-demand scans, botnet activity detection, and mail anti-virus.
If you head inside the "Statistics" tab, you can get useful insights from historical data sets, such as the top threat types and the most infected countries.
2. Fortinet
Fortinet's threat map solution is very similar to the now-defunct Norse threat map. Along with the visuals, the map shows a log of threat types, their severity, and their target locations.
With a click, you can display country-specific details in the form of a chart. If you are a Fortinet customer, you can have your own customized threat map.
3. Check Point Software
Check Point Software's ThreatCloud map displays historical data (refreshing every day at 12:00 a.m. PST) with simple but very clean visuals.
In addition to seeing attack playbacks, you can get access to more information if you click the arrow icon at the bottom of the page. The additional data includes the top targeted countries and industries as well as the most-used malware types and a chart with recent daily attacks.
4. Deteque
Deteque features a threat map displaying near-live botnet threats. While Deteque may show a few promotional tabs on screen, the visuals show the Command & Control botnet server locations as well as the areas with the most intense bot activity.
You can find more stats at the bottom of the page, including the number of active bots in the last 24 hours, as well as the countries and ISPs with the worst botnet infections. Clicking on a red circle (a bot activity area) will also show additional information.
5. FireEye
FireEye's threat map keeps things quite simple; thus, it lacks the details of the other solutions. According to the organization, the map uses "a subset of real attack data" that has been optimized for "better visual presentation."
While you can see the source and the target of new attacks in a log at the top, you can also see the total number of daily attacks and the top industries targeted by threat actors in other tabs.
6. Bitdefender
Anti-virus maker Bitdefender has also created a threat map that features infections, attacks, and spam. Bitdefender claims that the threat map displays attacks in real-time.
In a dropdown menu at the bottom, you can see the time, category, and type of attacks as well as the source and target countries. You can also check the top locations in another list.
7. Arbor Networks
As part of Jigsaw (formerly Google Ideas), Arbor Networks created a hybrid threat map that features DDoS attacks as well as a wealth of additional information and statistics.
The map is based on Arbor's ATLAS threat intelligence system with data sourced from over 300 ISP customers and 130 Tbps of global traffic.
8. Akamai
Akamai's Real-Time Web Monitor isn't technically a threat map, but we've included it as it displays valuable data you can use for threat intelligence.
Akamai's monitor, which claims to use live data, shows the countries with the most cyber attacks, web traffic, and cities with the slowest web connections.
One interesting feature is the dark mode, which you can switch to in the top right corner of the Akamai monitor app.
Threat Maps Are Useful, But Only As An Additional Source
In contrast to what some experts say, threat maps can be useful for your organization's threat intelligence as you can gather valuable insights to improve your organization’s cybersecurity posture.
However, you shouldn't base your whole threat intelligence efforts on threat maps. Instead, use them as an addition to other sources.
Or, if you are ready to jump on board, then be sure to check out RedLegg's threat intelligence service.