Visualizing cyber security threats
Contents
Visualizing cyber data
Visualizing cyber threats as graphs and timelines
Incident forensics and log analysis
Impact analysis
Advanced graph analysis
Visualizing cyber threat intelligence
Finding anomalies and patterns
Root cause analysis
Understanding data breaches
Our data visualization toolkits

Visualizing cyber data
Cyber security is a big data challenge. Organizations collate and
process terabytes of disparate information every day to uncover
activity that could indicate cyber risks or threats.
These processes and systems create billions of alerts every day, and someone has to decide quickly
what action to take next. They can’t do that reliably without seeing the full picture first. That’s why data
visualization is critical.

In this white paper, we’ll share some of the ways our data visualization technologies make complex
cyber security data easier for analysts to understand, powering faster and better decision-making.

Introducing timeline and graph visualization

Connections are key to understanding cyber security data. Whenever an event occurs - two devices connect, a user logs into a system, or malware propagates across a network - it leaves a digital footprint.

Whether you’re proactively securing your systems from malicious activity, combating an ongoing attack,
or running post-attack forensics, you need to understand those connected footprints.
Our toolkits provide two versatile ways to do that.

Graph visualization is the process of visually representing complex connected data as interactive node-link diagrams. It's an intuitive and flexible way to 'join the dots' and get a deep understanding of individual data points, and the relationships between them.

Timeline visualization is a technique for visualizing sequences of events, how they unfold
and how they link together. It gives cyber analysts a clear picture of the chronology of events,
highlighting unusual patterns.

Visualizing cyber threats as
graphs and timelines
Incident forensics and log analysis
Analysts need to understand the sequence and nature of complex, high-velocity events that happen
during a cyber attack so they can prevent them from happening again. To start their investigation,
analysts explore network data and examine communications and connections between different devices.

Graph and timeline visualization gives an intuitive view of this kind of information, making dense log data easier to make sense of. For example, here's 15 seconds of a laptop's IP traffic captured with the Wireshark protocol analyzer.

Root cause analysis methodology: what happens when a user visits a website

We’ve combined timeline visualization (left) with graph visualization (right) for a comprehensive view of
which events took place and when.

The timeline’s lens view holds a virtual magnifying glass over key items to reveal details as the user
scrolls through their data. It means they can investigate details in the context of the entire chart.

To dig deeper, we zoom in on the timeline and the graph view adapts to show only the devices and
network activity in our time range.

Zooming into individual events of interest

If you’re analyzing events in a relentless stream of time-stamped data, a powerful way to see them in
context is with time series charts.

Above the timeline, we’ve overlaid continuous CPU and memory data from the laptop, which updates
every time you interact with the charts.

Continuous data with useful tooltips complement individual events

Aggregation to avoid overload

As log data gets more complex, it's helpful to simplify the representation by grouping events, nodes and links. In our previous timeline examples, we represented dense bursts of activity as event summary bands - shown as wider yellow events - to reduce clutter.

In the visualization of a fictitious global IT network below, each subnetwork is combined and represented
by a ‘combo’ node. Alerts, shown as red glyphs on links, flag detected issues such as traffic sent to
blacklisted addresses, or downtime inside the network.

Opening combo nodes to investigate network alerts at a user-driven pace

Combos provide detail on demand. Once they’re open, analysts get a clear view of alerts at a granular
level.

Choose the best combo style for your cyber data. Rectangular combos give you the option to use a slick
grid formation and save space in busy charts.
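The combo mechanism described in this section, as an added example (not code from the paper or from Cambridge Intelligence's toolkits): host-level flows are collapsed into subnet-to-subnet "combo" links carrying flow and alert counts, and a single combo link can be "opened" to recover the host flows behind it. The flow records, the /24 grouping and the single-address denylist are constructed for the example.

```python
"""Collapse host-level flows into subnet 'combo' links and drill back down."""
import ipaddress
from collections import defaultdict

# Constructed flow records (src, dst); addresses are illustrative, not the paper's data.
FLOWS = [
    ("10.1.1.5", "10.1.2.10"),
    ("10.1.1.6", "10.1.2.10"),
    ("10.1.1.5", "10.1.1.7"),
    ("10.1.2.11", "198.51.100.23"),
    ("10.1.2.11", "10.1.1.5"),
    ("10.1.1.8", "198.51.100.23"),
]

# Assumed denylist: one external address stands in for a real feed.
DENYLIST = {ipaddress.ip_address("198.51.100.23")}


def combo_of(ip, prefix=24):
    """Map a host address to the subnet combo that will contain it."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def is_alert(src, dst, denylist=DENYLIST):
    """Alert rule for the example: any flow whose destination is denylisted."""
    return ipaddress.ip_address(dst) in denylist


def collapse(flows, prefix=24):
    """Aggregate flows into combo-to-combo links with flow and alert counts."""
    links = defaultdict(lambda: {"flows": 0, "alerts": 0})
    for src, dst in flows:
        key = (combo_of(src, prefix), combo_of(dst, prefix))
        links[key]["flows"] += 1
        if is_alert(src, dst):
            links[key]["alerts"] += 1
    return dict(links)


def expand(flows, combo_link, prefix=24):
    """'Open' one combo link: the host-level flows behind it, alerts first."""
    inside = [
        (src, dst, is_alert(src, dst))
        for src, dst in flows
        if (combo_of(src, prefix), combo_of(dst, prefix)) == combo_link
    ]
    return sorted(inside, key=lambda f: (not f[2], f[0], f[1]))


def links_with_alerts(flows, prefix=24):
    """Combo links that carry at least one alert: the red glyphs in the closed view."""
    return sorted(k for k, v in collapse(flows, prefix).items() if v["alerts"])


if __name__ == "__main__":
    for link, counts in sorted(collapse(FLOWS).items()):
        print(link, counts)
    for link in links_with_alerts(FLOWS):
        print("opening", link, "->", expand(FLOWS, link))
```

Changing `prefix` changes the grouping granularity: /24 gives one combo per subnet, /16 merges the two internal subnets into a single combo, which is the same choice an analyst makes when deciding how far to collapse a busy chart.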

Arrange IT networks to simplify complexity

To bring network diagrams to life, you can add an image backdrop that makes sense to your users.
Here we’ve overlaid a fictional organization’s IT infrastructure on a floorplan, with two physical sites
connected to a central server via a VPN.

A map of the New York site shows which terminals and factory machines communicate with each other,
and alerts us to potential threats.

An image backdrop makes data more meaningful to users

Impact analysis
Once an analyst detects a vulnerability, they need to see which dependent devices, processes, data or
software could be impacted. We use automated graph layouts to highlight relationships between child
and parent nodes.

A simplified example of log data, showing dependent processes

The sequential layout is designed specifically for tiered data. It presents nodes as hierarchies, placing them at clear and uncluttered levels for easier analysis.

An organic layout and an extract of the same IT network data in a sequential layout

Impact analysis reveals which nodes would have the greatest effect on a network if they failed. It’s
important to reveal these quickly, especially when you’re dealing with big, dense, complex cyber logs.

Interactive graph and timeline visualization brings them down to a user-friendly scale so they’re easier to
explore and understand without getting overwhelmed.

Reveal dependencies in an IT network for effective contingency planning

Advanced graph analysis

Automatic graph layout is just one of the powerful algorithms cyber analysts rely on. KeyLines and ReGraph, our graph visualization toolkits, feature advanced social network analysis techniques such as centrality measures.

These uncover the most important, influential and well-connected nodes in your systems, which is essential for contingency planning, identifying potential vulnerabilities and safeguarding against cyber threats.
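The two questions raised by the impact analysis and advanced graph analysis sections above, answered in code as an added example (not code from the paper or from the KeyLines/ReGraph toolkits): which nodes are transitively affected when a given node fails, and which nodes are single points of failure for the network's connectivity. The dependency graph is constructed for the example and its host names are assumptions; the cut-vertex search is Tarjan's standard DFS low-point method.

```python
"""Impact analysis over a small, constructed IT dependency graph."""
from collections import defaultdict, deque

# Constructed sample: each pair reads "<dependent> depends on <dependency>".
# Host names are illustrative, not taken from the paper's dataset.
DEPENDS_ON = [
    ("web-01", "app-01"), ("web-02", "app-01"),
    ("app-01", "db-01"), ("app-01", "auth-01"),
    ("report-01", "db-01"),
    ("db-01", "san-01"),
    ("auth-01", "ldap-01"),
    ("ldap-01", "san-01"),
]


def impact_set(edges, failed):
    """Every node that transitively depends on `failed` (reverse reachability)."""
    dependents = defaultdict(set)
    for dependent, dependency in edges:
        dependents[dependency].add(dependent)
    seen, queue = set(), deque([failed])
    while queue:
        node = queue.popleft()
        for dep in dependents[node]:
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def rank_by_impact(edges):
    """Nodes ordered by how many others would be affected by their failure."""
    nodes = {n for edge in edges for n in edge}
    ranked = [(n, len(impact_set(edges, n))) for n in nodes]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def articulation_points(edges):
    """Cut vertices of the undirected topology (Tarjan's DFS low-point method).

    Removing any of these splits the network into disconnected pieces,
    regardless of which way the dependency arrows point.
    """
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    disc, low, cut = {}, {}, set()
    clock = [0]

    def dfs(u, parent):
        disc[u] = low[u] = clock[0]
        clock[0] += 1
        children = 0
        for v in adj[u]:
            if v == parent:
                continue
            if v not in disc:
                children += 1
                dfs(v, u)
                low[u] = min(low[u], low[v])
                # A child subtree that cannot reach above u is cut off without u.
                if parent is not None and low[v] >= disc[u]:
                    cut.add(u)
            else:
                low[u] = min(low[u], disc[v])
        # The DFS root is a cut vertex only if it has more than one child subtree.
        if parent is None and children > 1:
            cut.add(u)

    for node in list(adj):
        if node not in disc:
            dfs(node, None)
    return cut


if __name__ == "__main__":
    for node, count in rank_by_impact(DEPENDS_ON):
        print(f"{node:10s} affects {count} node(s) if it fails")
    print("single points of failure:", sorted(articulation_points(DEPENDS_ON)))
```

On this graph `san-01` has the largest blast radius (everything above it depends on it), yet it is not a cut vertex, because the loop through `db-01`, `app-01`, `auth-01` and `ldap-01` keeps the topology connected without it; `app-01` and `db-01` are cut vertices because leaf hosts hang off them. The two measures answer different questions, which is why contingency planning should look at both.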

Visualizing cyber threat intelligence
Businesses must evolve their security practices continuously if they
want to stay ahead of highly-organized cyber criminals.
They need to know what potential risks they face, which means analyzing
the cyber landscape to understand threats experienced by similar
organizations.

To describe cyber attacks in a common language, analysts and researchers rely on established models such as the MITRE ATT&CK framework.

This knowledge base catalogues the tactics and techniques used by adversaries. In the ATT&CK matrix, each column is a tactic, the goal of one phase of an attack, and the cells beneath it are the techniques used to achieve it.

The MITRE ATT&CK framework as an interactive graph visualization

In this example, we'll use the language of the MITRE ATT&CK framework to analyze how the Emotet Trojan attacks and traverses Wi-Fi networks.

Cyber threat intelligence in the MITRE ATT&CK framework: the Emotet trojan

The threat is broken down into constituent parts, defined by the ATT&CK framework, showing analysts
how it fits into the wider threat landscape.

A detailed view of the same Emotet trojan visualization

Visualizing cyber threat intelligence gives analysts a clear view more quickly and deeply than
interrogating the data alone. It also makes intelligence easier to interpret and communicate, ensuring a
shared understanding of the threats they face.

Finding anomalies and patterns
As well as acting on automatic alerts and cyber threat intelligence,
cyber analysts must constantly scan for anomalous network
activity.
Graph visualization is an effective tool for identifying and exploring outliers and unusual patterns that
automated, rule-based tools can easily overlook.

This large, complex dataset contains the source and distribution of ransomware attacks over a 4-month
period. The visualization reveals hundreds of worldwide IP addresses linked to malware hosts.

Customize every aspect of your visualization

Our graph visualization toolkits offer almost infinite flexibility and customization options. You control how
the chart looks and behaves, with rich node customization and interactivity options.

This is important for cyber analysts dealing with highly-connected networks and IT infrastructure.
Choose the right colors and sizing for different switches, hosts and services, and enrich labels to make
clear their relationship and position in the flow of information.

To reduce clutter and spot patterns more easily, we combine nodes by the country from which the attacks originated, revealing that the USA has the highest number of malware hosts.

Next we combine nodes by the ransomware family responsible - TeslaCrypt, CryptoWall or Locky. We also use the time bar to show when peaks of ransomware activity occurred.

The red activity lines in the time bar show us that TeslaCrypt was the most frequent ransomware attack
hosted in the USA. This technique means analysts can rapidly scan huge volumes of data and pick out
specific anomalies for further investigation.

It's possible to take time-based analysis to the next level with timeline visualization. Daily or weekly patterns of online activity amongst employees give us a clear view of who was accessing a corporate network outside core working hours.

Revealing usual - and unusual - patterns of network activity by users

If a malware threat was detected by your alert system, overlaying this information would give immediate
insight into who was accessing which systems and when.
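The off-hours check described above, as an added example (not code from the paper or from the KronoGraph toolkit): a handful of constructed sshd-style log lines are parsed, successful logins outside an assumed 08:00-18:00 Monday-to-Friday window are flagged per user, and a weekday/hour histogram gives the "usual pattern" a timeline would show. Host names, user names, source addresses and the core-hours window are all assumptions.

```python
"""Flag network access outside core working hours from constructed auth logs."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines in a syslog-like shape (not from the paper).
LOG_LINES = [
    "2024-03-04T08:55:12 vpn-gw sshd[1021]: Accepted publickey for alice from 10.1.1.5",
    "2024-03-04T22:17:40 vpn-gw sshd[1088]: Accepted password for bob from 203.0.113.9",
    "2024-03-05T09:02:31 vpn-gw sshd[1102]: Accepted publickey for alice from 10.1.1.5",
    "2024-03-06T03:41:05 vpn-gw sshd[1150]: Accepted password for bob from 203.0.113.9",
    "2024-03-07T10:30:00 vpn-gw sshd[1175]: Failed password for bob from 203.0.113.9",
    "2024-03-09T14:12:00 vpn-gw sshd[1203]: Accepted publickey for carol from 10.1.2.7",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)$"
)

CORE_START, CORE_END = 8, 18   # assumed core hours: 08:00-17:59, Monday to Friday


def parse_events(lines):
    """Turn matching log lines into event dicts; unmatched lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def is_off_hours(ts, start=CORE_START, end=CORE_END):
    """Weekend, or a weekday hour outside [start, end)."""
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def off_hours_logins(events):
    """Successful logins per user that fall outside core hours, with their sources."""
    flagged = defaultdict(list)
    for ev in events:
        if ev["result"] == "Accepted" and is_off_hours(ev["ts"]):
            flagged[ev["user"]].append((ev["ts"].isoformat(), ev["src"]))
    return dict(flagged)


def weekly_profile(events, user):
    """(weekday, hour) histogram of a user's successful logins: their usual pattern."""
    return Counter(
        (ev["ts"].weekday(), ev["ts"].hour)
        for ev in events
        if ev["user"] == user and ev["result"] == "Accepted"
    )


if __name__ == "__main__":
    evs = parse_events(LOG_LINES)
    for user, hits in sorted(off_hours_logins(evs).items()):
        print(user, "->", hits)
```

Only accepted logins are flagged; the failed attempt for `bob` is left to a brute-force rule rather than an off-hours one. A per-user profile built from `weekly_profile` is what you would overlay a malware alert on: a login at 03:41 from an external address is unremarkable for a night-shift operator and very remarkable for someone whose history is all 09:00 to 17:00.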

Root cause analysis

Organizations worldwide use our advanced data visualization technology to power their root cause
analysis tools.

When you combine graph visualization with KronoGraph, our timeline visualization tool, you get two
powerful views of the same data.

This hybrid approach to visualization helps cyber analysts to understand incidents and identify threat
sources swiftly and effectively.

Understanding data breaches
Graph visualization allows us to see beyond individual data points
to understand data in its full connected context, leading to better
and faster data analysis.
This example shows a dataset from the Verizon Data Breach Investigations Report, as curated by the VERIS project. It shows the relationships between groups of attackers (large 'donut' nodes), their attack vectors (color-coded links) and their victims (smaller white nodes).

The time bar gives an overview of the trends in the dataset over time, comparing vectors. For example,
email (light pink links) is a lesser-used attack vector, and basic technology (orange links) – defined as
breaches using means such as phone or LAN access – is more widely used, but decreasing.

In particular, it’s the most common approach in breaches involving end-users or employees (the large
orange cluster to the right of the chart).

‘Advanced tech’ – defined here as web applications, remote access, backdoor, C2, command shell, VPN
– is the most widely used and is particularly favored by the Activist Group included in the dataset (the
large central red cluster at the top).

We’ve sized nodes by degree - in this case, the number of outbound links - to help reveal particularly
unlucky nodes.

For example, Chase Bank has been more unlucky than most in this dataset.

This is a simple example that demonstrates the advantage of a visual, graph-based approach to cyber
data analysis.

In a single chart, we can combine multiple facets of a complex dataset: attackers, attacks, victims,
vectors and times.

This allows us to easily compare and contrast patterns, and see specific incidents in their wider
contextual environment. The result is a faster route to data insight, and more advanced analysis.

Request a free trial
At Cambridge Intelligence, we build data visualization tools that make the world a
safer place.
From law enforcement to cyber security and fraud detection, we work with
organizations around the globe. Every day, thousands of analysts rely on our software
to ‘join the dots’ in data and uncover hidden threats.
With our help, it’s quick and easy to build game-changing data visualizations and
deploy them anywhere, to anyone.
To learn more, or to register for a free trial, visit: cambridge-intelligence.com/try/

KeyLines is a graph visualization toolkit for JavaScript developers. Add graph visualizations to your applications that work anywhere, as part of any stack.

ReGraph is a graph visualization toolkit for React developers. ReGraph's data-driven API makes it quick and easy to add graph visualizations to your React applications.

KronoGraph is a toolkit for building timelines that drive investigations. With KronoGraph it's easy to build interactive, scalable timelines to explore evolving relationships and unfolding events.

cambridge-intelligence.com USA +1 (775) 842-6665 UK +44 (0)1223 362 000


Cambridge Intelligence Ltd, 6-8 Hills Road, Cambridge, CB2 1JP