Threat Research Blog

A Threatening Threat Map

FireEye recently released a ThreatMap to visualize some of our Threat Intelligence Data.

The ThreatMap data is a sample of real data collected from our two-way sharing customers over the past 30 days. The data represented on the map is malware communication to command and control (C2) servers, where the "Attackers" represent the locations of the C2 servers and the "Targets" represent customers.

To mask customer identity, locations are represented as the center of the country in which the customer resides. There is nothing in the data that can be used to identify a customer or their origin city. The "attacks today" counter is not a real-time count. Rather, we take a real, observed attack rate and then calculate the attacks for the day based on local time.

One of the biggest challenges with the ThreatMap was how to display this information in a consumable way. If all attacks were shown at the rate they occur, the map would be incomprehensible and full of lines. To solve this, we decided to randomly select which lines to display from our dataset, at a rate that results in the best viewing experience. Because the selection is random, a user can still see which areas are targeted more and which APT families target specific regions.
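The three data-handling steps described above (generalizing customer location to a country center, deriving the "attacks today" counter from an observed rate and local time, and randomly thinning the lines drawn on the map) can be sketched in a few functions. The following is an added example, not FireEye's ThreatMap code; the centroid coordinates, the observation records and the attack rate are all constructed placeholders, and the field names are assumptions.

```python
"""Added example (not FireEye's code): masking, counter derivation and display
sampling for a C2-communication dataset, over a constructed sample."""
import random
from collections import Counter
from datetime import datetime

# Constructed stand-ins for country center coordinates (lat, lon). Real values
# would come from a geodata source; these numbers are hypothetical.
COUNTRY_CENTROIDS = {
    "US": (39.8, -98.6),
    "DE": (51.2, 10.5),
    "CN": (35.9, 104.2),
    "BR": (-14.2, -51.9),
}

# Constructed sample of two-way-sharing observations. Each record is one piece
# of malware talking to a C2 server. The customer_* fields must never reach the map.
RAW_OBSERVATIONS = [
    {"customer_id": "cust-0001", "customer_city": "Dallas", "customer_country": "US",
     "c2_country": "CN", "family": "FAMILY-A"},
    {"customer_id": "cust-0002", "customer_city": "Munich", "customer_country": "DE",
     "c2_country": "CN", "family": "FAMILY-A"},
    {"customer_id": "cust-0001", "customer_city": "Dallas", "customer_country": "US",
     "c2_country": "BR", "family": "FAMILY-B"},
    {"customer_id": "cust-0003", "customer_city": "Austin", "customer_country": "US",
     "c2_country": "CN", "family": "FAMILY-A"},
]

CUSTOMER_FIELDS = {"customer_id", "customer_city"}


def mask_observation(obs):
    """Return a map-ready record: customer identity and city are dropped, and
    both endpoints are generalized to the center of their country."""
    return {
        "target": COUNTRY_CENTROIDS[obs["customer_country"]],
        "target_country": obs["customer_country"],
        "attacker": COUNTRY_CENTROIDS[obs["c2_country"]],
        "attacker_country": obs["c2_country"],
        "family": obs["family"],
    }


def mask_all(observations):
    return [mask_observation(o) for o in observations]


def leaks_customer_fields(records):
    """Pre-publication check: True if any customer-identifying key survived."""
    return any(CUSTOMER_FIELDS & set(r) for r in records)


def targets_by_country(records):
    """Counts that show which areas are targeted more, and by which family."""
    return Counter((r["target_country"], r["family"]) for r in records)


def select_for_display(records, display_rate, rng):
    """Bernoulli-sample records at display_rate so the map stays readable.
    Every record has the same chance of being drawn, so heavily targeted
    regions and the families hitting them stay proportionally visible."""
    return [r for r in records if rng.random() < display_rate]


def attacks_today(observed_rate_per_second, local_now):
    """'Attacks today' counter: not a live feed, but an observed rate scaled by
    the seconds elapsed since local midnight (so it reads 0 at midnight)."""
    midnight = local_now.replace(hour=0, minute=0, second=0, microsecond=0)
    elapsed = (local_now - midnight).total_seconds()
    return int(observed_rate_per_second * elapsed)


if __name__ == "__main__":
    masked = mask_all(RAW_OBSERVATIONS)
    assert not leaks_customer_fields(masked)
    print(targets_by_country(masked))
    print(len(select_for_display(masked, 0.5, random.Random(7))), "of", len(masked), "lines drawn")
    print(attacks_today(0.5, datetime(2014, 10, 1, 12, 0, 0)), "attacks so far today")
```

The `leaks_customer_fields` check is the part worth keeping in any real pipeline: the masking function is only as good as the guarantee that nothing downstream can re-identify a customer, so assert that before the feed is published rather than trusting the mapping step.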

So how does FireEye use this information? We use it to understand patterns and further our threat intelligence. It lets us see trends over time as well as by malware family or threat actor.

For instance, it lets us examine whether a particular threat actor – say APT1 – is using a particular set of IP addresses, domain names, or URLs to launch their attacks. Based on the type of malware being used, it also lets us attribute the malware, and hence the source of these attacks, to particular threat actors. It allows us to combine the strategic threat intelligence we have gained from 10+ years of responding to the largest breaches with the tactical indicators of compromise we see in the millions every day from our virtual-machine-based sensors deployed across the globe. Connecting these dots allows us to create the eye-catching graphic but, more importantly, it also lets us take the fight to the attacker by understanding and uncovering their tactics, techniques and procedures, which ultimately lets us serve our mission of better protecting our customers.