What Threat Intelligence Data Can Tell Us: The Sad Story of WF

Wednesday, April 15, 2015

Mary Landesman


People differ in how they approach data analytics. One camp prefers to postulate a theory and find data that supports or negates that theory. Another camp prefers to let the data tell the story.

I’m in the latter camp – not simply because I like to avoid being biased by pre-formed opinion, but also largely because I like surprises and data is always full of those.

One of those surprises has come in the form of which countries had the highest saturation rates of malicious IP addresses. The Norse threat intelligence platform is extremely dynamic.

To gauge saturation, I took snapshots of Darklist data at regular intervals throughout December 2014.

The ppm (parts per million) and prevalence rate were calculated for each country for each interval, with the final results being the median ppm and median rate for each country overall.

(Big shout out to Kurt Stammberger who suggested ppm as a unit of measure – it turned out to be an excellent comparison methodology.)

Wallis and Futuna (WF), a small island collective located in the South Pacific Ocean, has a GDP ranking of 223/229 in the world. According to the CIA World Factbook, total population in 2014 was 15,561.

Total Internet population as of December 2013 was 1337 – an ironic match for leetspeak, the alternative English alphabet used on the Internet.

Ironic because – despite its tiny comparative size – Wallis and Futuna had the second highest global rate of malicious IP addresses in December 2014:

Globally, the median prevalence rate was 1:521 or 1921 ppm. The United States had a prevalence rate of 1:2864 or 349 ppm. The United Kingdom was 1:2293 or 436 ppm.  France (of which Wallis and Futuna is a collectivity) was 1:1377 or 726 ppm.

The following are the top ten lowest saturations in December 2014:

Of course, whether ranking higher or lower, the rates don’t imply these are deliberately malicious actors.

To illustrate this, we can look again at the island chain of Wallis and Futuna – all of the malicious traffic from that country resulted from bot-infected computers.

Of the entire top ten most saturated, only Wallis and Futuna and the island of Guam were the result of bot-infected computers and nothing else.

The intersection of Internet-emerging countries and Internet risks can present unique challenges. In the case of Wallis and Futuna, the CIA World Factbook reports the literacy rate of Wallis and Futuna is only 50% and 89% of the population speak only localized dialects.

Obviously, Wallis and Futuna’s high saturation rate has negligible impact on the rest of the world due to its tiny size, but the 1337 Internet-enabled residents there have already overcome significant adverse odds just to get online.

Having those herculean efforts rewarded by an epidemic bot infection is the sad story uncovered in our data.

This was cross-posted from the Dark Matters blog. 

Firewalls IDS/IDP Network Access Control Network->General SCADA
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.