Operations
7/31/2014 03:30 PM
Levi Gundert
Commentary

InfoSec’s Holy Grail: Data Sharing & Collaboration

Despite all the best intentions, cooperation around Internet security is still a work in progress. Case in point: Microsoft's unilateral action against No-IP.

“We need more collaboration, we need more data sharing!” This obligatory refrain perennially echoes through cyber security conference halls, eliciting a rolling of the eyes and a grimace. Why? It’s a noble notion, but the concept can be unrealistic when perceived as a panacea for countering cyberthreats.

In practice, cooperation around Internet security is difficult, not least because trust is required, though the past decade is proof that trust building is worthwhile. When Internet security collaboration is done right, the results are overwhelmingly positive. But that’s not always the case.

In June, Microsoft’s Digital Crimes Unit (DCU) filed a civil complaint against Dynamic DNS (DDNS) provider No-IP, which resulted in a Nevada judge granting Microsoft control of 22 No-IP domains. Regardless of the merits of taking civil action in pursuit of botnet shutdowns and assuming control of another company’s infrastructure, the DCU shocked the Internet security community when it acted unilaterally. Historically, trust-based Internet security communities have internally crowd-sourced determinations about whether a company is deliberately rogue or short on resources for fighting malicious activities.

In this case, it appears that the DCU did not seek additional context or share data with relevant trust communities, nor did it communicate with No-IP, or any of the companies whose data it used as evidence in the civil complaint (specifically Cisco and OpenDNS). The result was unfortunate and easily avoidable. I know from experience that the No-IP founders are responsive to abuse complaints and consistently working to assist the good guys.

While the DCU believed it was acting in the best interest of its customers, ultimately acting alone was a detriment to the larger Internet. The Internet is an open and democratic ecosystem, but fraud and cybercrime continue to frustrate global stakeholders. As an Internet community, how do we effectively deal with malicious activity and preserve this open and democratic resource? We continue to collaborate and communicate in meaningful ways.

Geo-political realities aside (and acknowledging that there is more work to be done), Internet stakeholders have been most successful when they innovate around identity and trust solutions, with formal and informal communities encouraging dialogue related to the barriers that prevent progress in slowing and discouraging cybercrime.

Barriers and legitimate concerns
Barriers to collaboration include the possible loss of competitive advantage, perceived liability, and perhaps even job termination. These are just a few legitimate concerns that impede individuals and organizations from consistently sharing valuable data and insight that could neutralize a threat or protect wider swaths of the public. Those communities that do initiate and sustain dialogues are consistently defeating threats.

For example, the FS-ISAC (Financial Services – Information Sharing and Analysis Center) is a consortium of financial services organizations that share specific indicators of compromise and general threat intelligence, which is a net benefit to all of the member organizations that contribute and review content. Similarly, REN-ISAC (Research and Education Networking Information Sharing and Analysis Center) benefits academia in the same manner.

Law enforcement is utilizing Interpol to arrest and extradite cybercrime suspects as in the recent case of alleged carder Roman Seleznev. Global law enforcement officers are frequently attending conferences to build relationships with foreign law enforcement, technology companies, and academia to more efficiently fight cybercrime. Law enforcement is communicating more efficiently and leveraging the talents and skills of those who want to see the Internet as a safe and democratic neighborhood. A prime example is the National Cyber Forensics & Training Alliance (NCFTA), comprising companies, government, and academia working together to neutralize cybercrime. NCFTA has been instrumental in dismantling botnet infrastructure and in criminal attribution efforts leading to arrests and prosecutions.

In the quasi-government space, ICANN (Internet Corporation for Assigned Names and Numbers) is continually soliciting feedback on how it administers the global namespace (Top Level Domains -- TLDs) and methods for increasing effectiveness in identifying malicious domains, rogue registries/registrars, and improving the disciplinary and remediation process. Security professionals travel halfway across the world to provide quantitative data for ICANN’s review to effect change through existing regulatory channels.

Unsung heroes
Finally, security researchers and analysts (the “white hats”) tirelessly work to better detect threats and share information with other people to help locate the bad guys, disassemble their infrastructures, and educate the public. I am privileged to know many researchers who dedicate their free time to supporting a free and safe Internet. They spend their own time and money attending conferences, performing free training workshops, building tools, and working late into the night to dissect the latest threats and share the information in vetted communities. These security researchers are the unheralded heroes of the Internet, and their efforts have averted calamities on numerous occasions.

The list of wins is long, and the world will never know about many efforts that saved human lives. In 2007 the Internet security community responded to the Storm worm and more recently formed the Conficker Working Group to address a very specific threat. Other extended periods of collaboration between security researchers and law enforcement have led to the identification and arrest of numerous criminal groups, including the Mariposa botnet operators, the DNS Changer crew, and the GameoverZeus miscreants. Absent the hard work and altruism of global security researchers, many of these extremely positive results vanish.

The complete list of public- and private-sector cyber security partnerships is long. While new calls for information sharing may appear specious or self-serving, it’s only because the Internet security community has already created successful forums to facilitate collaboration. Relationships and trust are built over time, through online interactions and in-person meetings, through a pint or three at the pub, and through genuine assistance during crises. Relationships are costly because they require time and investment to sustain, but they are the bedrock of the information security community, without which the world would be a much scarier place.

Levi Gundert is an internationally recognized information security and risk management leader and a cybersecurity advisor to leading corporations. In his role with TRAC, he identifies and analyzes threats and shares cybersecurity information with industry, government, ...