At Rapid7, we’re using tools like Project Sonar to investigate the threat landscape across the Internet as a whole. In this talk, we’ll show how we use tools to identify stable, macro-level attack trends invisible on the scale of individual IP addresses that might be found in threat intel feeds. In particular, we demonstrate that a small subset of autonomous systems (ASes) have hosted a disproportionate amount of phishing activity--across the entire IPv4 space--in the past decade. We'll show that smaller ASes are becoming more ubiquitous, and will detail the cost structure involved in setting up IP blocks in malicious ASes. Last, we'll detail the size, composition, and fragmentation of malicious ASes, and present examples of network and system characteristics that are common among particularly malicious ASes. This research represents an example of how Internet-scale data science help defenders respond more efficiently to attacks that conform to larger threat patterns. We'll also provide examples of how individual researchers and data science teams within organizations can use Rapid7's massive, open cyber data resources to "Try This at Home" and gain better insight into attackers playbooks.