Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:50 AM
Connect Directly

On the Dark Side of ISP Nets

Arbor Networks's new Atlas service provides ISPs and enterprises with a global view of botnets, malware, and other threats

Arbor Networks is going to the dark side to track attackers -- the "darknet" side, that is. Arbor today announced the first phase of its new Active Threat Level Analysis System (ATLAS) Initiative, a free public portal with threat data for service providers and enterprises that gathers and correlates information from nearly 30 service providers worldwide.

Atlas uses a darknet network of sensors, basically Arbor devices sitting on ISPs' allocated but unused and unpublished IP address space, where the only packets landing there are likely to be malware. Unlike a honeypot, which aims to attract attackers, a darknet is a routable and "real" section of an ISP network that's not in use. Arbor's sensors collect data on botnets, malware, and phishing.

"We can see more than 80 percent of global [Internet] traffic -- there aren't many entities that get their hands on that much Internet traffic," says Sunil James, product manager for security services at Arbor. "This makes us the eyes and ears of the network."

Counse Broders, research director for network services at Current Analysis, says darknets haven't traditionally been used much by security companies because most focus on protecting client devices, which means focusing on actual sites and IP addresses. "This [darknet approach] can prove very useful for security analysis purposes, since it can give insights into malicious activities," Broders says. "So this should be a new pool of information that could be useful."

And darknets can catch malicious activity earlier in the game than a honeypot network. "Honeynets are good, but only after a criminal has determined to go after the honeypot. They can help a security analyst understand and zone off a threat without sacrificing important client assets," Broders says. "The darknet analysis is not usually specific to a customer, so it tends to catch criminal efforts earlier in their exploits, [when] they are searching for a vulnerable site and trying IP addresses more randomly."

Broders says other companies offering early warning services for their clients may be pressured to use darknets eventually as well. "It's a newer area, chiefly because it's not represented as a direct threat that needed high prioritization from security."

Cable & Wireless is one of Arbor's first Atlas customers. The service provider is about to deploy Atlas sensors in its darknet space, and it plans to use the live data feeds it provides, such as information on botnet activity from Europe to the U.S. Graham Smith, a security expert at Cable & Wireless, says the new service will provide the company a view of activity around the Net, not just on its portion.

"Every service provider in the world is trying to operate a honeypot network. The challenge has always been you can only collect data from your own space and you get a limited view of the world," he says. The other problem, he says, is most providers are afraid to share the data they gather from their own networks.

"We could see threats in our own network [with the honeypots] but you can't compare that with what's happening globally," Smith says.

C&W already runs Arbor's IPS systems to protect its network from distributed denial-of-service and other attacks, as well as to ensure its network "assurance," he says. Atlas enhances this, he says, and in the future, C&W could offer its own customers a portal view of Atlas as well.

The second phase of Arbor's Atlas service is a subscription service, available in April, that puts the intelligence into the customer's context or point of view, by region and by ISP or enterprise, for instance. Arbor will offer APIs that let ISPs and enterprises integrate Atlas into their own internal applications. ISPs could then provide managed security service offerings for their own customers, and enterprises could automate their threat response. The third phase of Atlas will incorporate the data it gathers into Arbor's Peakflow SP and X systems themselves, which sit on most ISP networks today. Pricing for the future Atlas services hasn't yet been set.

"This is what our customers would be very interested in," Cable & Wireless's Smith says. "The kind of stuff Atlas will pick up will let Peaklflow X spot traffic it would not be able to spot on its own."

Arbor in the future also plans to import and correlate data from other vendors' IDS, IPS, firewall, and antivirus products, for instance, and to launch a public Atlas forum that lets security researchers and security operations people share information and analysis.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Arbor Networks Inc.
  • Cable & Wireless plc (NYSE: CWP) Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    A Realistic Threat Model for the Masses
    Lysa Myers, Security Researcher, ESET,  10/9/2019
    USB Drive Security Still Lags
    Dark Reading Staff 10/9/2019
    Virginia a Hot Spot For Cybersecurity Jobs
    Jai Vijayan, Contributing Writer,  10/9/2019
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    7 Threats & Disruptive Forces Changing the Face of Cybersecurity
    This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
    Flash Poll
    2019 Online Malware and Threats
    2019 Online Malware and Threats
    As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-10-15
    An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter.
    PUBLISHED: 2019-10-15
    qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in...
    PUBLISHED: 2019-10-15
    In the Rapid Gator application 0.7.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
    PUBLISHED: 2019-10-15
    An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.
    PUBLISHED: 2019-10-15
    In the Seesaw Parent and Family application 6.2.5 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.