11:50 AM
On the Dark Side of ISP Nets

Arbor Networks's new Atlas service provides ISPs and enterprises with a global view of botnets, malware, and other threats

Arbor Networks is going to the dark side to track attackers -- the "darknet" side, that is. Arbor today announced the first phase of its new Active Threat Level Analysis System (ATLAS) Initiative, a free public portal with threat data for service providers and enterprises that gathers and correlates information from nearly 30 service providers worldwide.

Atlas uses a darknet: a network of sensors, basically Arbor devices sitting in ISPs' allocated but unused and unpublished IP address space, where the only packets that land are likely to be malware. Unlike a honeypot, which aims to attract attackers, a darknet is a routable and "real" section of an ISP network that's not in use. Arbor's sensors collect data on botnets, malware, and phishing.
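As an added illustration (not Arbor's code and not part of the original article), the sketch below shows why traffic to unused address space is a useful signal: nothing legitimate should be addressed there, so a source that touches several dark addresses stands out. The prefixes, flow records, threshold, and labels are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Hypothetical darknet ranges: documentation prefixes standing in for an ISP's
# allocated-but-unused space (assumption, not from the article).
DARKNET_PREFIXES = [ipaddress.ip_network(p)
                    for p in ("198.51.100.0/24", "203.0.113.0/25")]

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", 445),
    ("192.0.2.10", "198.51.100.77", 445),
    ("192.0.2.10", "203.0.113.9", 445),
    ("192.0.2.10", "203.0.113.40", 445),
    ("192.0.2.20", "203.0.113.200", 80),  # outside the /25: live space, ignored
    ("192.0.2.30", "198.51.100.8", 23),   # single stray packet
    ("192.0.2.40", "198.51.100.1", 22),
    ("192.0.2.40", "198.51.100.2", 23),
    ("192.0.2.40", "198.51.100.3", 80),
    ("not-an-ip", "198.51.100.4", 80),    # malformed record, skipped
]

def in_darknet(addr):
    return any(addr in net for net in DARKNET_PREFIXES)

def summarize(flows, min_targets=3):
    """Group darknet hits by source; classify sources by how widely they probe."""
    targets, ports = defaultdict(set), defaultdict(set)
    for src, dst, dport in flows:
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # drop records that do not parse
        if in_darknet(dst_ip):
            targets[src_ip].add(dst_ip)
            ports[src_ip].add(dport)
    report = {}
    for src_ip, dsts in targets.items():
        if len(dsts) < min_targets:
            kind = "stray"
        elif len(ports[src_ip]) == 1:
            kind = "horizontal-scan"   # one port across many dark addresses
        else:
            kind = "multi-port-sweep"
        report[str(src_ip)] = (kind, len(dsts), sorted(ports[src_ip]))
    return report

if __name__ == "__main__":
    for src, row in sorted(summarize(SAMPLE_FLOWS).items()):
        print(src, *row)
```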

"We can see more than 80 percent of global [Internet] traffic -- there aren't many entities that get their hands on that much Internet traffic," says Sunil James, product manager for security services at Arbor. "This makes us the eyes and ears of the network."

Counse Broders, research director for network services at Current Analysis, says darknets haven't traditionally been used much by security companies because most focus on protecting client devices, which means focusing on actual sites and IP addresses. "This [darknet approach] can prove very useful for security analysis purposes, since it can give insights into malicious activities," Broders says. "So this should be a new pool of information that could be useful."

And darknets can catch malicious activity earlier in the game than a honeypot network. "Honeynets are good, but only after a criminal has determined to go after the honeypot. They can help a security analyst understand and zone off a threat without sacrificing important client assets," Broders says. "The darknet analysis is not usually specific to a customer, so it tends to catch criminal efforts earlier in their exploits, [when] they are searching for a vulnerable site and trying IP addresses more randomly."

Broders says other companies offering early warning services for their clients may be pressured to use darknets eventually as well. "It's a newer area, chiefly because it's not represented as a direct threat that needed high prioritization from security."

Cable & Wireless is one of Arbor's first Atlas customers. The service provider is about to deploy Atlas sensors in its darknet space, and it plans to use the live data feeds it provides, such as information on botnet activity from Europe to the U.S. Graham Smith, a security expert at Cable & Wireless, says the new service will provide the company a view of activity around the Net, not just on its portion.

"Every service provider in the world is trying to operate a honeypot network. The challenge has always been you can only collect data from your own space and you get a limited view of the world," he says. The other problem, he says, is most providers are afraid to share the data they gather from their own networks.

"We could see threats in our own network [with the honeypots] but you can't compare that with what's happening globally," Smith says.

C&W already runs Arbor's IPS systems to protect its network from distributed denial-of-service and other attacks, as well as to ensure its network "assurance," he says. Atlas enhances this, he says, and in the future, C&W could offer its own customers a portal view of Atlas as well.

The second phase of Arbor's Atlas service is a subscription service, available in April, that puts the intelligence into the customer's context or point of view, by region and by ISP or enterprise, for instance. Arbor will offer APIs that let ISPs and enterprises integrate Atlas into their own internal applications. ISPs could then provide managed security service offerings for their own customers, and enterprises could automate their threat response. The third phase of Atlas will incorporate the data it gathers into Arbor's Peakflow SP and X systems themselves, which sit on most ISP networks today. Pricing for the future Atlas services hasn't yet been set.

"This is what our customers would be very interested in," Cable & Wireless's Smith says. "The kind of stuff Atlas will pick up will let Peakflow X spot traffic it would not be able to spot on its own."

Arbor in the future also plans to import and correlate data from other vendors' IDS, IPS, firewall, and antivirus products, for instance, and to launch a public Atlas forum that lets security researchers and security operations people share information and analysis.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
