Arbor Networks is going to the dark side to track attackers -- the "darknet" side, that is. Arbor today announced the first phase of its new Active Threat Level Analysis System (ATLAS) Initiative, a free public portal with threat data for service providers and enterprises that gathers and correlates information from nearly 30 service providers worldwide.
Atlas uses a darknet network of sensors, basically Arbor devices sitting on ISPs' allocated but unused and unpublished IP address space, where the only packets landing there are likely to be malware. Unlike a honeypot, which aims to attract attackers, a darknet is a routable and "real" section of an ISP network that's not in use. Arbor's sensors collect data on botnets, malware, and phishing.
"We can see more than 80 percent of global [Internet] traffic -- there aren't many entities that get their hands on that much Internet traffic," says Sunil James, product manager for security services at Arbor. "This makes us the eyes and ears of the network."
Counse Broders, research director for network services at Current Analysis, says darknets haven't traditionally been used much by security companies because most focus on protecting client devices, which means focusing on actual sites and IP addresses. "This [darknet approach] can prove very useful for security analysis purposes, since it can give insights into malicious activities," Broders says. "So this should be a new pool of information that could be useful."
And darknets can catch malicious activity earlier in the game than a honeypot network. "Honeynets are good, but only after a criminal has determined to go after the honeypot. They can help a security analyst understand and zone off a threat without sacrificing important client assets," Broders says. "The darknet analysis is not usually specific to a customer, so it tends to catch criminal efforts earlier in their exploits, [when] they are searching for a vulnerable site and trying IP addresses more randomly."
Broders says other companies offering early warning services for their clients may be pressured to use darknets eventually as well. "It's a newer area, chiefly because it's not represented as a direct threat that needed high prioritization from security."
Cable & Wireless is one of Arbor's first Atlas customers. The service provider is about to deploy Atlas sensors in its darknet space, and it plans to use the live data feeds it provides, such as information on botnet activity from Europe to the U.S. Graham Smith, a security expert at Cable & Wireless, says the new service will provide the company a view of activity around the Net, not just on its portion.
"Every service provider in the world is trying to operate a honeypot network. The challenge has always been you can only collect data from your own space and you get a limited view of the world," he says. The other problem, he says, is most providers are afraid to share the data they gather from their own networks.
"We could see threats in our own network [with the honeypots] but you can't compare that with what's happening globally," Smith says.
C&W already runs Arbor's IPS systems to protect its network from distributed denial-of-service and other attacks, as well as to ensure its network "assurance," he says. Atlas enhances this, he says, and in the future, C&W could offer its own customers a portal view of Atlas as well.
The second phase of Arbor's Atlas service is a subscription service, available in April, that puts the intelligence into the customer's context or point of view, by region and by ISP or enterprise, for instance. Arbor will offer APIs that let ISPs and enterprises integrate Atlas into their own internal applications. ISPs could then provide managed security service offerings for their own customers, and enterprises could automate their threat response. The third phase of Atlas will incorporate the data it gathers into Arbor's Peakflow SP and X systems themselves, which sit on most ISP networks today. Pricing for the future Atlas services hasn't yet been set.
"This is what our customers would be very interested in," Cable & Wireless's Smith says. "The kind of stuff Atlas will pick up will let Peaklflow X spot traffic it would not be able to spot on its own."
Arbor in the future also plans to import and correlate data from other vendors' IDS, IPS, firewall, and antivirus products, for instance, and to launch a public Atlas forum that lets security researchers and security operations people share information and analysis.
Kelly Jackson Higgins, Senior Editor, Dark Reading