Walking around the exhibition halls of the RSA conference in San Francisco last week, I couldn’t help noticing the prevalence of real-time attack maps. You know, the colourful geographic maps showing digital attacks around the world in real time, like this one, or this one, or this one. The maps show for example, source country, destination country, source organisation and destination organisation, attack type and size, etc. Some resemble a control panel designed for Tom Cruise in a global domination game.
While visually impressive, the obvious question is what purpose do these real-time attack maps serve? The data is continuously changing, too quickly for it to have any meaning beyond visual stimulation. Is this information of any real value to anyone? Surely these attack maps fall into the category of simple threat hype in order to scare the ill-informed. Is anyone able to actually do something differently as a result of information from a real-time attack map? I doubt it.
The underlying data behind attack maps comes from data feeds and/or honeypots. As the maps require masses of data, some use feeds at the ISP level, others gather data from millions of endpoint devices. The maps reflect that data which may or may not be representative of the actual real world. This is the reason why different attack maps show different attack scenarios.
The maps may in fact be quite misleading, as they could not take proxies, botnets or compromised systems into account, thus falsely attributing source to an organisation or country. I think their usefulness is limited.
Indeed there is not much use of those maps. However the maps are for marketing and showoff purposes. We have one as well but we use it only for our users’ attacks and we try to make it more useful.
I disagree, as a security analyst attempting to show untechnical executives the “state of the world” when it comes to quantifying how much stuff we block on a daily basis, these maps can give a visual indicator of how active undesirables are.