Using Darknets to See the Light

Created: 09 Aug 2007 07:00:00 GMT • Updated: 23 Jan 2014 18:47:13 GMT
Michael Smith

Firewalls, intrusion detection and prevention systems, antivirus – they’re all old tricks of the trade that IT has traditionally deployed to maintain the security of large and complex networks.

But are they enough? Threat volume is rising, propagation speed is increasing, and attacks are becoming more advanced and elusive. Luckily, there are innovative new ways to complement the traditional approach. And security’s bright side may be on the ‘dark’ side.

A growing number of organizations are leveraging darknets to increase their security intelligence and, in turn, enhance their security posture. A darknet is an area of routed IP address space in which no active services reside.

IT is increasingly using this ‘dark’ network as a powerful security tool. Because no legitimate packets should be sent to or from a darknet, the majority of packets that do arrive are likely sent by malware that scans for vulnerable devices with open ports in order to download, launch, and propagate malicious code.

Security administrators can use darknets to spot scanning activity without using complicated analysis technology. Organizations can benefit from darknets by participating in any number of public darknet projects, or by implementing their own private darknet.

Participation in a public darknet project can allow organizations to identify known threats on the Internet and take actions to defend against these threats as necessary. A private darknet can be used to identify potentially malicious behavior on internal systems.

Any organization considering a private darknet should first have a proven test environment. IT can then distribute simulated known bad traffic to ensure it reaches the darknet test environment. Once the test period is complete, the organization can then identify the unused network space for the darknet, monitor it for a period of time to ensure it is not being used, and implement network changes to ensure no legitimate traffic is routed to that space.

A collector must also be set up within the darknet that captures any traffic that enters. Organizations may also choose to write scripts that automatically respond to certain conditions – such as sending an SMS message to the security administrator should a known worm appear.
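As an added illustration (not code from the original article), the sketch below shows the kind of response script described above: it reads collector records, keeps only traffic destined for the darknet, and flags any source that touches several distinct dark addresses. The prefix 10.99.0.0/16, the CSV record layout, the threshold and the notify() hook are all assumptions made for the example, and the log lines are constructed.

```python
import csv
import ipaddress
from collections import defaultdict

DARKNET = ipaddress.ip_network("10.99.0.0/16")  # assumed unused internal prefix
SCAN_THRESHOLD = 3  # distinct dark addresses one source may touch before alerting

# Constructed collector output: timestamp,src,dst,protocol,dst_port
SAMPLE_LOG = """\
2007-08-09T07:00:01Z,10.1.4.22,10.99.0.5,tcp,445
2007-08-09T07:00:01Z,10.1.4.22,10.99.0.6,tcp,445
2007-08-09T07:00:02Z,10.1.4.22,10.99.0.7,tcp,445
2007-08-09T07:00:02Z,10.1.7.80,10.2.0.10,tcp,443
2007-08-09T07:00:05Z,10.1.9.3,10.99.12.1,udp,161
truncated,record
"""

def parse(log_text):
    """Yield (src, dst, port) for well-formed records whose destination is dark."""
    for row in csv.reader(log_text.splitlines()):
        try:
            _, src, dst, _, port = row
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # skip malformed lines instead of stopping the collector
        if dst_ip in DARKNET:
            yield str(src_ip), str(dst_ip), port

def find_scanners(log_text, threshold=SCAN_THRESHOLD):
    """Map each source seen in the darknet to its target count, ports and scan verdict."""
    targets, ports = defaultdict(set), defaultdict(set)
    for src, dst, port in parse(log_text):
        targets[src].add(dst)
        ports[src].add(port)
    return {src: {"targets": len(dsts), "ports": sorted(ports[src]),
                  "scanning": len(dsts) >= threshold}
            for src, dsts in targets.items()}

def notify(src, info):
    """Hypothetical alert hook: build the message an SMS gateway would send."""
    return f"ALERT {src}: probed {info['targets']} dark addresses on ports {info['ports']}"

if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        if info["scanning"]:
            print(notify(src, info))
```

A source with a single stray packet (10.1.9.3 in the sample) is still recorded but stays below the alert threshold, which keeps one-off misconfigurations from paging the administrator.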

Darknets can provide advanced security intelligence with minimal effort and maximum impact.