Operations
7/31/2014
03:30 PM
Levi Gundert
Levi Gundert
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

InfoSec’s Holy Grail: Data Sharing & Collaboration

Despite all the best intentions, cooperation around Internet security is still a work in progress. Case in point: Microsoft's unilateral action against No-IP.

“We need more collaboration, we need more data sharing!” This obligatory refrain perenially echoes through cyber security conference halls, eliciting a rolling of the eyes and a grimace. Why? It’s a noble notion, but the concept can be unrealistic when perceived as a panacea for countering cyberthreats.

In practice, cooperation around Internet security is difficult, not least because trust is required, though the past decade is proof that trust building is worthwhile. When Internet security collaboration is done right, the results are overwhelmingly positive. But that’s not always the case.

In June, Microsoft’s Digital Crimes Unit (DCU) filed a civil complaint against Dynamic DNS (DDNS) provider No-IP, which resulted in a Nevada judge granting Microsoft control of 22 No-IP domains. Regardless of the merits of taking civil action in pursuit of botnet shutdowns and assuming control of another company’s infrastructure, the DCU shocked the Internet security community when it acted unilaterally. Historically, trust-based Internet security communities have internally crowd-sourced determinations about whether a company is deliberately rogue or short on resources for fighting malicious activities.

In this case, it appears that the DCU did not seek additional context or share data with relevant trust communities, nor did it communicate with No-IP, or any of the companies whose data it used as evidence in the civil complaint (specifically Cisco and OpenDNS). The result was unfortunate and easily avoidable. I know from experience that the No-IP founders are responsive to abuse complaints and consistently working to assist the good guys.

While the DCU believed it was acting in the best interest of its customers, ultimately acting alone was a detriment to the larger Internet. The Internet is an open and democratic ecosystem, but fraud and cybercrime continue to frustrate global stake holders. As an Internet community, how do we effectively deal with malicious activity, and preserve this open and democratic resource? We continue to collaborate and communicate in meaningful ways.

Geo-political realities aside (and acknowledging that there is more work to be done), Internet stakeholders have been most successful when they innovate around identity and trust solutions, with formal and informal communities encouraging dialogue related to the barriers that prevent progress in slowing and discouraging cybercrime.

Barriers and legitimate concerns
Barriers to collaboration include the possible loss of competitive advantage, perceived liability, and perhaps even job termination. These are just a few legitimate concerns that impede individuals and organizations from consistently sharing valuable data and insight that could neutralize a threat or protect wider swaths of the public. Those communities that do initiate and sustain dialogues are consistently defeating threats.

For example, the FS-ISAC (Financial Services – Information Sharing and Analysis Center) is a consortium of financial services organizations that share specific indicators of compromise and general threat intelligence, which is a net benefit to all of the member organizations that contribute and review content. Similarly, REN-ISAC (Research and Education Networking Information Sharing and Analysis Center) benefits academia in the same manner.

Law enforcement is utilizing Interpol to arrest and extradite cybercrime suspects as in the recent case of alleged carder Roman Seleznev. Global law enforcement officers are frequently attending conferences to build relationships with foreign law enforcement, technology companies, and academia to more efficiently fight cybercrime. Law enforcement is communicating more efficiently and leveraging the talents and skills of those who want to see the Internet as a safe and democratic neighborhood. A prime example is the National Cyber Forensics & Training Alliance (NCFTA), comprising companies, government, and academia working together to neutralize cybercrime. NCFTA has been instrumental in dismantling botnet infrastructure and in criminal attribution efforts leading to arrests and prosecutions.

In the quasi-government space, ICANN (Internet Corporation for Assigned Names and Numbers) is continually soliciting feedback on how it administers the global namespace (Top Level Domains -- TLDs) and methods for increasing effectiveness in identifying malicious domains, rogue registries/registrars, and improving the disciplinary and remediation process. Security professionals travel halfway across the world to provide quantitative data for ICANN’s review to effect change through existing regulatory channels.

Unsung heroes
Finally, security researchers and analysts (the “white hats”) tirelessly work to better detect threats and share information with other people to help locate the bad guys, disassemble their infrastructures, and educate the public. I am privileged to know many researchers who dedicate their free time to supporting a free and safe Internet. They spend their own time and money attending conferences, performing free training workshops, building tools, and working late into the night to dissect the latest threats and share the information in vetted communities. These security researchers are the unheralded heroes of the Internet, and their efforts have averted calamities on numerous occasions.

The list of wins is long, and the world will never know about many efforts that saved human lives. In 2007 the Internet security community responded to the Storm worm and more recently formed the Conficker Working Group to address a very specific threat. Other extended periods of collaboration between security researchers and law enforcement have led to the identification and arrest of numerous criminal groups, including the Mariposa botnet operators, the DNS Changer crew, and the GameoverZeus miscreants. Absent the hard work and altruism of global security researchers, many of these extremely positive results vanish.

The complete list of public- and private-sector cyber security partnerships is long. While new calls for information sharing may appear specious or self-serving, it’s only because the Internet security community has already created successful forums to facilitate collaboration. Relationships and trust are built over time, through online interactions and in-person meetings, through a pint or three at the pub, and through genuine assistance during crises. Relationships are costly because they require time and investment to sustain, but they are the bedrock of the information security community, without which the world would be a much scarier place.

Levi Gundert is an internationally recognized information security and risk management leader and a cybersecurity advisor to leading corporations.  In his role with TRAC, he identifies and analyzes threats and shares cybersecurity information with industry, government, ... View Full Bio
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
10 Recommendations for Outsourcing Security
10 Recommendations for Outsourcing Security
Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2413
Published: 2014-10-20
Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php.

CVE-2012-5244
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to...

CVE-2012-5694
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo, (3) agentURLPath, (4) agentControlKey, or (5) platformDD1 parameter to frameworkgui/attach2Agents.p...

CVE-2012-5695
Published: 2014-10-20
Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allow remote attackers to hijack the authentication of administrators for requests that conduct (1) shell metacharacter or (2) SQL injection attacks or (3) send an SMS m...

CVE-2012-5696
Published: 2014-10-20
Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 does not properly restrict access to frameworkgui/config, which allows remote attackers to obtain the plaintext database password via a direct request.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.