Threat Maps

We use a variety of threat maps to assess the general vulnerability of countries and regions within a country, and recent trends in types of threat.

Threat maps are maintained by major cybersecurity companies to promote their own products; as a side effect, they show hackers of all types which specific intrusion techniques attackers are currently focusing on. A summary of the two most popular and most useful threat maps is given below.

There are many less detailed threat maps which seem to display a lot of sizzle without any steak. Many have gone out of business in the past year. It is pointless to show statistics on threat types without the accompanying detail that would be of help to cybersecurity professionals.

Click the links below to pop up the relevant screenshots. You can remove a screenshot by clicking the remove button beneath the image, or by clicking another link; only one screenshot may appear at a time. A link is also provided to view each full cybersecurity website in a separate tab or page in your browser. (Your browser provides a setting to determine whether a link opens in a new tab or a new page.)

One of the most popular threat maps is maintained by Kaspersky. It has two views of the data. The globe view shows a rotating Earth. The small circles show the endpoints of each threat's origin and destination. The color of the lines connecting the circles corresponds to the abbreviations in the horizontal bar below the globe. You can see the definitions of the abbreviations by clicking the DATA SOURCES main menu item found on every page.

On the left side of the page is the country panel. There is a dropdown menu of all the countries monitored by Kaspersky. It shows the number of threats of each type detected since midnight GMT. The country list can be configured as stationary or as a rotating display. The panel can be removed by clicking the X.

At the extreme right is a vertical menu of buttons which toggle the view type, toggle the map color, zoom in, zoom out, and toggle demo mode.

The flat view is what we get when we click the toggle view type button of the previous image. It is a bit more revealing than the globe view, and can be zoomed in almost down to a street view.

Here is a zoomed flat view in which the country panel has been closed. You can see a lot of activity going in and out of Russia (no surprise).

By clicking STATISTICS from the main menu, a lot of interesting statistics become available. First is a real-time graph of detections per second of each type of threat.

If you'd like to know the five countries with the most infected web sites each day, you need not go further than this report. Russia and the United States consistently make the top five.

For per-country per-threat worldwide data, this table can be configured to display data from just the past week or the past month. The screenshot shows Mail Anti Virus, but that is really a dropdown list containing all of the threat types represented by the abbreviations shown in the first screenshot.

For each of the threat types displayed in the previous screenshot, there is a corresponding list of the actual known intrusion programs used to conduct the scan. For example, the previous screen showed data for Mail Anti Virus. Below that on the same page will be a graph of the number of mail attacks of all known types worldwide over the past week, and a listing of those types with links to a Kaspersky page describing the details of each program.

We can get a list of known attack programs broken down by country and by scan type, for the past week or the past month. The screenshot shows Afghanistan and Vulnerability Scan, but both of these are dropdown lists; any country and scan type may be selected.

Kaspersky maintains an enormous treasure trove of technical data on every known malicious intrusion program. At Aggressive Hacking we use this data to continually improve our threat assessment and exploit services.

Visit the Kaspersky website.

Another very thorough and visually striking threat map is maintained by Radware, a full service cybersecurity company.

The main Radware screen shows a flattened globe projection with real-time flashing country-wide colors indicating different types of attacks, with lines connecting source and destinations of those attacks. The panel on the left shows the color coding for each of five types of attacks. In the screenshot, all are checked, so you are seeing everything. You can view fewer types by unchecking some types.

The globe can be rotated by dragging with the mouse. If you hover the mouse over a country, the country name will pop up. The entire screen can be enlarged for easier viewing.

At the bottom of the screen are real-time graphs showing the intensity of each type of attack. The screenshot shows that DDoS (distributed denial of service) attacks are very intense.

The right panel shows various statistics whose interval you can set to one hour, 24 hours, or one month. The graphs and the right panel may be collapsed to show a larger area of the globe.

Of particular interest to White Hat hackers is some data which is missing from the Kaspersky maps: the top-scanned UDP and TCP ports. You can see this by scrolling the right panel down, as shown in the screenshot. The size of each box is proportional to the percentage of all attacks attributed to that port; if you hover the mouse over a box, the exact percentage pops up. This tells us where the Black Hats believe there is the most vulnerability. In the screenshot we have collapsed the graphs and rotated the globe a little.
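The same per-port share that the Radware panel displays can be computed for your own perimeter, which lets a defender compare the ports attackers are probing globally against the ports being hit on their own firewall. The script below is an added example written for this page; it is not Radware's or Kaspersky's code. It assumes a simplified iptables-style deny log (the SAMPLE_LOG lines are constructed, not captured from a real system) and reports each protocol/port pair's percentage of all logged inbound attempts.

```python
"""Per-port share of inbound connection attempts, computed from constructed
firewall-deny log lines. Added example; not code from any threat-map vendor."""
import re
from collections import Counter

# Constructed sample lines in a simplified iptables-style format (assumed
# layout; not real traffic). One ICMP line has no destination port and is skipped.
SAMPLE_LOG = """\
Jan 12 00:01:07 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=51234 DPT=22
Jan 12 00:01:08 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=40211 DPT=445
Jan 12 00:01:09 fw kernel: DROP IN=eth0 SRC=203.0.113.17 DST=198.51.100.2 PROTO=TCP SPT=55501 DPT=22
Jan 12 00:01:11 fw kernel: DROP IN=eth0 SRC=198.51.100.77 DST=198.51.100.2 PROTO=UDP SPT=5353 DPT=53
Jan 12 00:01:12 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=40212 DPT=445
Jan 12 00:01:14 fw kernel: DROP IN=eth0 SRC=203.0.113.21 DST=198.51.100.2 PROTO=TCP SPT=60010 DPT=22
Jan 12 00:01:15 fw kernel: DROP IN=eth0 SRC=203.0.113.30 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0
Jan 12 00:01:16 fw kernel: DROP IN=eth0 SRC=203.0.113.44 DST=198.51.100.2 PROTO=TCP SPT=33333 DPT=3389
Jan 12 00:01:18 fw kernel: DROP IN=eth0 SRC=198.51.100.78 DST=198.51.100.2 PROTO=UDP SPT=5353 DPT=53
Jan 12 00:01:19 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=51235 DPT=22
Jan 12 00:01:20 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=40213 DPT=445
"""

# Only TCP and UDP carry a destination port; lines with other protocols are ignored.
LINE_RE = re.compile(r"PROTO=(?P<proto>TCP|UDP)\b.*?DPT=(?P<port>\d+)")


def parse_port_hits(log_text):
    """Count denied inbound attempts per (protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[(m.group("proto").lower(), int(m.group("port")))] += 1
    return counts


def port_shares(counts, top_n=5):
    """Return the top_n (proto, port, hits, percent_of_total) tuples, highest first.

    The percentage mirrors what the threat-map panel shows on hover: each
    port's share of all attempts, so the shares across all ports sum to 100.
    """
    total = sum(counts.values())
    if total == 0:
        return []
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(proto, port, n, round(100.0 * n / total, 1))
            for (proto, port), n in ranked[:top_n]]


if __name__ == "__main__":
    for proto, port, hits, pct in port_shares(parse_port_hits(SAMPLE_LOG)):
        print(f"{proto}/{port:<5} {hits:>3} hits  {pct:5.1f}%")
```

Pointing parse_port_hits at a real deny log (for example the output of `journalctl -k` filtered for your firewall's log prefix) gives a local version of the same table; a port that ranks high locally but not on the public map is worth a closer look, since it suggests targeted rather than background scanning.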

Visit the Radware website.