Levi Gundert

InfoSecs Holy Grail: Data Sharing & Collaboration

Despite all the best intentions, cooperation around Internet security is still a work in progress. Case in point: Microsoft's unilateral action against No-IP.

“We need more collaboration, we need more data sharing!” This obligatory refrain perennially echoes through cyber security conference halls, eliciting a rolling of the eyes and a grimace. Why? It’s a noble notion, but the concept becomes unrealistic when it is perceived as a panacea for countering cyberthreats.

In practice, cooperation around Internet security is difficult, not least because trust is required, though the past decade is proof that trust building is worthwhile. When Internet security collaboration is done right, the results are overwhelmingly positive. But that’s not always the case.

In June, Microsoft’s Digital Crimes Unit (DCU) filed a civil complaint against Dynamic DNS (DDNS) provider No-IP, which resulted in a Nevada judge granting Microsoft control of 22 No-IP domains. Regardless of the merits of taking civil action in pursuit of botnet shutdowns and assuming control of another company’s infrastructure, the DCU shocked the Internet security community when it acted unilaterally. Historically, trust-based Internet security communities have internally crowd-sourced determinations about whether a company is deliberately rogue or short on resources for fighting malicious activities.

In this case, it appears that the DCU did not seek additional context or share data with relevant trust communities, nor did it communicate with No-IP or with any of the companies whose data it used as evidence in the civil complaint (specifically Cisco and OpenDNS). The result was unfortunate and easily avoidable. I know from experience that the No-IP founders are responsive to abuse complaints and consistently working to assist the good guys.

While the DCU believed it was acting in the best interest of its customers, ultimately acting alone was a detriment to the larger Internet. The Internet is an open and democratic ecosystem, but fraud and cybercrime continue to frustrate global stakeholders. As an Internet community, how do we effectively deal with malicious activity and preserve this open and democratic resource? We continue to collaborate and communicate in meaningful ways.

Geo-political realities aside (and acknowledging that there is more work to be done), Internet stakeholders have been most successful when they innovate around identity and trust solutions, with formal and informal communities encouraging dialogue related to the barriers that prevent progress in slowing and discouraging cybercrime.

Barriers and legitimate concerns
Barriers to collaboration include the possible loss of competitive advantage, perceived liability, and perhaps even job termination. These are just a few legitimate concerns that impede individuals and organizations from consistently sharing valuable data and insight that could neutralize a threat or protect wider swaths of the public. Those communities that do initiate and sustain dialogues are consistently defeating threats.

For example, the FS-ISAC (Financial Services – Information Sharing and Analysis Center) is a consortium of financial services organizations that share specific indicators of compromise and general threat intelligence, which is a net benefit to all of the member organizations that contribute and review content. Similarly, REN-ISAC (Research and Education Networking Information Sharing and Analysis Center) benefits academia in the same manner.

Law enforcement is utilizing Interpol to arrest and extradite cybercrime suspects as in the recent case of alleged carder Roman Seleznev. Global law enforcement officers are frequently attending conferences to build relationships with foreign law enforcement, technology companies, and academia to more efficiently fight cybercrime. Law enforcement is communicating more efficiently and leveraging the talents and skills of those who want to see the Internet as a safe and democratic neighborhood. A prime example is the National Cyber Forensics & Training Alliance (NCFTA), comprising companies, government, and academia working together to neutralize cybercrime. NCFTA has been instrumental in dismantling botnet infrastructure and in criminal attribution efforts leading to arrests and prosecutions.

In the quasi-government space, ICANN (Internet Corporation for Assigned Names and Numbers) is continually soliciting feedback on how it administers the global namespace (Top Level Domains, or TLDs) and on methods for increasing effectiveness in identifying malicious domains and rogue registries/registrars, and for improving the disciplinary and remediation process. Security professionals travel halfway across the world to provide quantitative data for ICANN’s review to effect change through existing regulatory channels.

Unsung heroes
Finally, security researchers and analysts (the “white hats”) tirelessly work to better detect threats and share information with other people to help locate the bad guys, disassemble their infrastructures, and educate the public. I am privileged to know many researchers who dedicate their free time to supporting a free and safe Internet. They spend their own time and money attending conferences, performing free training workshops, building tools, and working late into the night to dissect the latest threats and share the information in vetted communities. These security researchers are the unheralded heroes of the Internet, and their efforts have averted calamities on numerous occasions.

The list of wins is long, and the world will never know about many efforts that saved human lives. In 2007 the Internet security community responded to the Storm worm, and more recently it formed the Conficker Working Group to address a very specific threat. Other extended periods of collaboration between security researchers and law enforcement have led to the identification and arrest of numerous criminal groups, including the Mariposa botnet operators, the DNS Changer crew, and the GameoverZeus miscreants. Absent the hard work and altruism of global security researchers, many of these extremely positive results would vanish.

The complete list of public- and private-sector cyber security partnerships is long. While new calls for information sharing may appear specious or self-serving, it’s only because the Internet security community has already created successful forums to facilitate collaboration. Relationships and trust are built over time, through online interactions and in-person meetings, through a pint or three at the pub, and through genuine assistance during crises. Relationships are costly because they require time and investment to sustain, but they are the bedrock of the information security community, without which the world would be a much scarier place.

Levi Gundert is an internationally recognized information security expert and risk management leader with over 15 years of experience. In his current role as vice president of threat intelligence at Recorded Future, Gundert leads the continuous development of strategic ...