Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:50 AM
Connect Directly

On the Dark Side of ISP Nets

Arbor Networks's new Atlas service provides ISPs and enterprises with a global view of botnets, malware, and other threats

Arbor Networks is going to the dark side to track attackers -- the "darknet" side, that is. Arbor today announced the first phase of its new Active Threat Level Analysis System (ATLAS) Initiative, a free public portal with threat data for service providers and enterprises that gathers and correlates information from nearly 30 service providers worldwide.

Atlas uses a darknet network of sensors, basically Arbor devices sitting on ISPs' allocated but unused and unpublished IP address space, where the only packets landing there are likely to be malware. Unlike a honeypot, which aims to attract attackers, a darknet is a routable and "real" section of an ISP network that's not in use. Arbor's sensors collect data on botnets, malware, and phishing.

"We can see more than 80 percent of global [Internet] traffic -- there aren't many entities that get their hands on that much Internet traffic," says Sunil James, product manager for security services at Arbor. "This makes us the eyes and ears of the network."

Counse Broders, research director for network services at Current Analysis, says darknets haven't traditionally been used much by security companies because most focus on protecting client devices, which means focusing on actual sites and IP addresses. "This [darknet approach] can prove very useful for security analysis purposes, since it can give insights into malicious activities," Broders says. "So this should be a new pool of information that could be useful."

And darknets can catch malicious activity earlier in the game than a honeypot network. "Honeynets are good, but only after a criminal has determined to go after the honeypot. They can help a security analyst understand and zone off a threat without sacrificing important client assets," Broders says. "The darknet analysis is not usually specific to a customer, so it tends to catch criminal efforts earlier in their exploits, [when] they are searching for a vulnerable site and trying IP addresses more randomly."

Broders says other companies offering early warning services for their clients may be pressured to use darknets eventually as well. "It's a newer area, chiefly because it's not represented as a direct threat that needed high prioritization from security."

Cable & Wireless is one of Arbor's first Atlas customers. The service provider is about to deploy Atlas sensors in its darknet space, and it plans to use the live data feeds it provides, such as information on botnet activity from Europe to the U.S. Graham Smith, a security expert at Cable & Wireless, says the new service will provide the company a view of activity around the Net, not just on its portion.

"Every service provider in the world is trying to operate a honeypot network. The challenge has always been you can only collect data from your own space and you get a limited view of the world," he says. The other problem, he says, is most providers are afraid to share the data they gather from their own networks.

"We could see threats in our own network [with the honeypots] but you can't compare that with what's happening globally," Smith says.

C&W already runs Arbor's IPS systems to protect its network from distributed denial-of-service and other attacks, as well as to ensure its network "assurance," he says. Atlas enhances this, he says, and in the future, C&W could offer its own customers a portal view of Atlas as well.

The second phase of Arbor's Atlas service is a subscription service, available in April, that puts the intelligence into the customer's context or point of view, by region and by ISP or enterprise, for instance. Arbor will offer APIs that let ISPs and enterprises integrate Atlas into their own internal applications. ISPs could then provide managed security service offerings for their own customers, and enterprises could automate their threat response. The third phase of Atlas will incorporate the data it gathers into Arbor's Peakflow SP and X systems themselves, which sit on most ISP networks today. Pricing for the future Atlas services hasn't yet been set.

"This is what our customers would be very interested in," Cable & Wireless's Smith says. "The kind of stuff Atlas will pick up will let Peaklflow X spot traffic it would not be able to spot on its own."

Arbor in the future also plans to import and correlate data from other vendors' IDS, IPS, firewall, and antivirus products, for instance, and to launch a public Atlas forum that lets security researchers and security operations people share information and analysis.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Arbor Networks Inc.
  • Cable & Wireless plc (NYSE: CWP) Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 6/5/2020
    How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
    Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
    Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: What? IT said I needed virus protection!
    Current Issue
    How Cybersecurity Incident Response Programs Work (and Why Some Don't)
    This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
    Flash Poll
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-06-07
    HESK before 3.1.10 allows reflected XSS.
    PUBLISHED: 2020-06-07
    handler/upload_handler.jsp in DEXT5 Editor through 3.5.1402961 allows an attacker to download arbitrary files via the savefilepath field.
    PUBLISHED: 2020-06-07
    Crypt::Perl::ECDSA in the Crypt::Perl (aka p5-Crypt-Perl) module before 0.32 for Perl fails to verify correct ECDSA signatures when r and s are small and when s = 1. This happens when using the curve secp256r1 (prime256v1). This could conceivably have a security-relevant impact if an attacker wishes...
    PUBLISHED: 2020-06-06
    The Neon theme 2.0 before 2020-06-03 for Bootstrap allows XSS via an Add Task Input operation in a dashboard.
    PUBLISHED: 2020-06-06
    showAlert() in the administration panel in Bludit 3.12.0 allows XSS.