Collective Intelligence Network Security
As our base of Sentinel IPS units has grown, we've come to realize that the attack data we gather has significant value, both to our own customers and to the community at large. Collective Intelligence Network Security (CINS, pronounced 'sins' ... get it?) is our attempt to use this information to significantly improve the security of our customers' networks and provide valuable information to the InfoSec community.
Our CINS system is constantly gathering attack data from each of our Sentinel units in the field. This data is used to calculate a CINS Score for every IP that is flagged by our system. Much like a FICO score is meant to show you at a glance the quality of your credit, the CINS Score is designed to show you the quality - the trustworthiness - of an IP address. In addition, the IP's WHOIS information, country of origin, and the nature, frequency, and breadth of its attacks across the Sentinel network are listed with the score. This level of detail is hard to replicate without an existing network like the Sentinels', and we believe this information adds tremendous value to our customers.
We don't only trust ourselves to produce these scores. There are many great resources out there with information about IP addresses. We tap into some of the most popular and respected sources, and we believe that combining the information from these sources with our own attack data provides a more accurate overall assessment of an IP than a single source alone.
CINS Active Threat Intelligence
Through CINS, we can identify several classes of 'bad' IP addresses. For instance, IP addresses tend to have certain 'personalities' ... Perhaps one IP from China gains a reputation as a scanner, or maybe a certain Russian (or American) IP is prone to attacking remote desktop vulnerabilities. Of course, there are IPs all over the world that are flagged as command and control servers for malware botnets. All of these characteristics play a role in an IP's score.
We are constantly analyzing this data, and from our research we've identified certain groups of IPs - based on our specific score factors - that are malicious enough to be blocked immediately. These reputation-based rulesets generated by our CINS systems are continuously fed back out to our Sentinel network, giving each of our Sentinel customers bullet-proof protection from some of the baddest actors on the planet.
How can I access CINS Scores?
Currently, CINS Scores are only available to Sentinel customers, through the Sentinel's web interface. That may change in the future as the CINS system matures, but for now we do offer the CI Army list ...
The CI Army List
We are joined together in our mutual belief that Internet security should be honored as a fundamental human right. We believe in your right to be connected, to be secure, and to use the Internet with freedom from malicious threats. No one should be allowed to take that away from you.
Based on these beliefs, we created the CI Army list. CI Army is a way for our company to give back to the community by sharing valuable threat intelligence harvested from our CINS system. The CI Army list is a subset of the CINS Active Threat Intelligence ruleset, and consists of IP addresses that meet two basic criteria: 1) The IP's recent Rogue Packet score factor is very poor, and 2) The InfoSec community has not yet identified the IP as malicious. We think this second factor is important: We don't want to waste people's time listing thousands of IPs that have already been placed on other reputation lists; our list is meant to supplement and enhance the InfoSec community's existing efforts by providing IPs that haven't been identified yet.
The CI Army list is available here and at Emerging Threats (now part of Proofpoint) as part of their Open Source Community. The list linked below is a simple text file, which you can parse and use in any way you see fit. We assume Network Administrators will use the IP addresses from this file in their firewall blacklists and possibly in custom IDS and IPS signatures.
Download the CI Army list
Please Note: As of October 2013, we've expanded the reach of this list. What used to be a simple 'Top 100' offending IP addresses has now expanded to a list of IPs that meet the above criteria. The rationale for both lists is similar, so it should not impact the efficacy of the list. We just wanted everyone to be aware of the change.
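For administrators feeding the text file into a firewall blacklist, here is one way to validate it first. This is an added example, not code from the CINS project; it assumes one IPv4 address per line, and the set name ci_army, the allowlist network and the sample data are all constructed for illustration.

```python
import ipaddress

# Constructed sample (not real list data). One IPv4 address per line is an assumption.
SAMPLE_LIST = """\
# constructed sample using documentation-range addresses
203.0.113.7
198.51.100.23
203.0.113.7
10.0.0.5
192.0.2.300
<html>error</html>
198.51.100.77
127.0.0.1
"""

# Networks that must never reach a block rule, whatever the feed contains.
NEVER_BLOCK = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")

def parse_blocklist(text, allowlist=()):
    """Return (sorted unique IPv4 addresses, [(line number, reason rejected)])."""
    protected = [ipaddress.ip_network(n) for n in (*NEVER_BLOCK, *allowlist)]
    keep, rejected = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ip = ipaddress.IPv4Address(line)
        except ValueError:
            rejected.append((lineno, "not an IPv4 address"))
            continue
        if any(ip in net for net in protected):
            rejected.append((lineno, "protected or allowlisted"))
            continue
        keep.add(ip)
    return sorted(keep), rejected

def to_ipset_restore(ips, set_name="ci_army", min_entries=1):
    """Build input for `ipset -exist restore`: fill a scratch set, then swap it in."""
    if len(ips) < min_entries:  # e.g. the download returned an error page
        raise ValueError("too few valid entries; keeping the existing set")
    tmp = set_name + "_new"
    lines = [f"create {tmp} hash:ip family inet", f"flush {tmp}"]
    lines += [f"add {tmp} {ip}" for ip in ips]
    lines += [f"create {set_name} hash:ip family inet",
              f"swap {tmp} {set_name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"
```

Calling parse_blocklist(SAMPLE_LIST, allowlist=["198.51.100.64/26"]) keeps two addresses and reports five rejected lines; set min_entries to a floor that suits your deployment so a truncated or failed download cannot empty the live set.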
We're hackers and coders, not copywriters. So, something not making sense? Want more information? Please don't hesitate to contact us at (972) 991-5005 or firstname.lastname@example.org.
On the list?
Did your IP make it on to our CINS Active Threat Intelligence lists or the CI Army list? False positives are very rare, but let us know and we'll work with you. Email is best: email@example.com
If this concept interests you at all, just give us an email address. Whether you want to help with the process, have any ideas, or just want to know when the CINS score database is made public in some substantial way, we'd love to hear from you. We won't sell your email address, or use it to pummel you with marketing and sales pitches (we honestly don't have time for that). We'll just keep you posted on our progress with the CINS project.