While most sports fans followed World Cup matches and results anxiously, some of us number geeks decided to add another dimension of analytics to this beautiful game. We wanted to have some fun with the data that we gather during the World Cup from our crowd-sourced threat intelligence service, called Community Defense, and map that data to matches.
Let The Games Begin
The first thing we did was collect World Cup data. So while most fans were cheering for their favorite team and drinking their favorite beer, I was cheering for our system to crunch numbers. At first we needed to map the games dates and times to GMT, looking at every game from Quarter Finals to Finals.
In order to look at a soccer match as a complete event we measured an hour prior to the game, the game itself (which mostly lasted around two hours), and an hour post game. As a precursor step, we built a baseline average of attacks and attack campaigns during that time window throughout June/July on matching days (mostly weekends) when games weren’t on. This serves as a baseline.
We figured that the frequency of attacks that we see during comparable timeslots is ~2125.5 attacks per hour, and ~441 attack campaigns per hour.
One thing to take into account is that the Final game was played on a sunday, which should have some impact on the shown figures.
Mapping Attack Data
Next, we gathered the data from our system and mapped the data to the timeslot of the matches. We then normalized the data to fit in one-hour slots.
By mapping the web attacks that occur during the matches, and comparing to a non-World Cup average, we learned some neat things:
- Hackers like soccer so much, that they put their weapons down during the Finals. Attacks during the Finals were only 2% in volume compared to the rest of the games.
- During the rest of the World Cup matches, Attacks actually increased, in some cases they went as much as X2.83 times more than on non-match comparable events.
I guess the only logical thing to do now is to congratulate Germany on winning the World Cup, and make sure that CIO’s are adding more resources to their security operation centers. They need to ensure that their staff can still monitor security events while the World Cup or other popular events are happening. Seems that Hackers are leveraging this time window.