Arctic Hub Product Sheet
Start leveling the playing field for the defenders against the adversaries
Arctic Security is a company based in Finland. Arctic Hub is our next-generation product for organizations and authorities that process cyber threat information. It is a completely new product built on the foundation of its predecessor, AbuseSA. You can use Arctic Hub to level the playing field for the defenders against the adversaries by becoming a hub of cyber threat intelligence in your Defense Cell, which includes your stakeholders. Arctic Hub collects and disseminates vital information that needs to be shared, from those who know to those who need to know.
Key Features & Capabilities
Hub, Node and Defense Cell
Threat actors are organized, so defenders should be organized as well. Efficient, automated and fast cyber threat information sharing between organizations is a key enabler for this activity. Arctic Security helps organizations achieve their role in information sharing either as a Hub or a Node, in what we have defined as a Defense Cell. In whichever Defense Cell you belong to, with Arctic Hub you can start leveling the playing field for the defenders against the adversaries.
We have built Arctic Hub based on years of experience operating in nation-wide and nation-to-nation information sharing. The mission of your Defense Cell is to defend your stakeholders against threat actors. Arctic Hub supports this mission by enabling automated intelligence sharing between the defenders. In practice, this means sharing information on network abuse, vulnerable services and Indicators of Compromise within the Defense Cell. A national CERT/CSIRT team would share intelligence with their stakeholders across the nation. A multinational ISP would work together with their international subsidiaries to strive for cleaner networks. An MSSP would leverage threat intelligence throughout their customer base to provide better service.
- collect threat data from a variety of threat indicator sources
- process the threat data into threat information
- analyze and match the information to the relevant stakeholders
- disseminate the threat intelligence to the stakeholders
Arctic Hub helps organize information sharing in a Defense Cell. It is a product which can be installed on your premises or on a dedicated cloud server, depending on your preference. When enabled, it will collect and process threat data from different information sources, which can be commercial, open source or private. Arctic Hub allows you to share the collected intelligence with your stakeholders through fine-grained controls. Information will be stored in the system for later access either as detailed observations or over-time statistics. Our customers have, and will always have, full control over their data, including its storage and processing, without any dependency on Arctic Security.
From Threat Data to Threat Information
The diversity of threat data makes automation difficult. Multiple parties are producing threat data in multiple forms. The data represents multiple topics: network abuse, vulnerable services, or Indicators of Compromise (IOCs) such as identifiers of threat actor infrastructure or host-based artifacts. Threat data becomes threat information once it has been harmonized into a common language. This is one of the defining features of the Arctic Hub. All data processed in the Arctic Hub is systematically brought to a simple and consistent model which can be easily utilized in automation, notifications, and analysis. The same model has been successfully used by CERTs and CSIRTs in automation for several years.
From Threat Information to Threat Intelligence
Arctic Hub enables national-scale infrastructure mapping for Threat Information, turning it into real Threat Intelligence. Rules defined by the Hub Operator ensure that each recipient will get intelligence relevant to them. The rules are based on the recipient’s network assets and internet routing information. Intelligence is packaged into specifically crafted streams for each recipient and delivered through notifications or direct API access.
Share Actionable Intelligence with your Stakeholders
A Hub operator will define the stakeholders by listing their assets and contact information: their IP network blocks, autonomous system numbers, domain names and recipient contact information. Notification recipients can be alerted on anything that matches their assets. A continuous stream of intelligence can be shared through an API as well. A single instance of Arctic Hub can serve thousands of stakeholders. Once enabled, everything runs automatically. Intelligence related to threat actor assets can be shared with many or all the stakeholders in a Defense Cell. Typically this will be IoCs, which can be used for threat monitoring and detection. The exact content shared with each stakeholder is fully customizable.
Help your Stakeholders increase their Readiness
Systematic sharing of dedicated and harmonized threat intelligence with your stakeholders will have positive effects over time. For example:
- Availability of a continuous and reliable source of IoCs will support the development of techniques for their detection and monitoring in the recipient’s SOC
- Automated notifications of network abuse in the recipient’s network will call for action in the Incident Response team
- Intelligence on vulnerable services in the recipient’s network will lead to better practices in system administration
We have seen these actions leading to the adoption of practices and procedures, which over time have resulted in increased capacity to remediate cyber threats. The increased capacity of individual stakeholders will increase the overall performance of their Defense Cell.
Key Features & Capabilities
Arctic Node is a product aimed at large enterprises and critical infrastructure providers that belong to a Defense Cell. If you are running a SIEM or a SOC, if you have an in-house incident response team, and especially if your Defense Cell has an active Hub, Arctic Node can do great things for you. It will automate the use of actionable threat intelligence you receive from the Hub or any other reliable information source you have. With Arctic Node you can:
- connect to an Arctic Hub to receive threat intelligence from a trusted source
- convey observations of network abuse in your networks to your incident response tracking system
- make use of reliable IoCs for monitoring and detection in your SOC
- automatically notify your system administrators if any of your networks expose vulnerable services to the Internet
- support the collective operation of your Defense Cell by sharing back sightings related to actualized threats.
When connected to an Arctic Hub, Arctic Node will close the loop between threat intelligence and its productive use – effectively taking the opportunity away from the threat actor.