Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

7/31/2014
03:30 PM
Levi Gundert
Levi Gundert
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

InfoSec’s Holy Grail: Data Sharing & Collaboration

Despite all the best intentions, cooperation around Internet security is still a work in progress. Case in point: Microsoft's unilateral action against No-IP.

“We need more collaboration, we need more data sharing!” This obligatory refrain perenially echoes through cyber security conference halls, eliciting a rolling of the eyes and a grimace. Why? It’s a noble notion, but the concept can be unrealistic when perceived as a panacea for countering cyberthreats.

In practice, cooperation around Internet security is difficult, not least because trust is required, though the past decade is proof that trust building is worthwhile. When Internet security collaboration is done right, the results are overwhelmingly positive. But that’s not always the case.

In June, Microsoft’s Digital Crimes Unit (DCU) filed a civil complaint against Dynamic DNS (DDNS) provider No-IP, which resulted in a Nevada judge granting Microsoft control of 22 No-IP domains. Regardless of the merits of taking civil action in pursuit of botnet shutdowns and assuming control of another company’s infrastructure, the DCU shocked the Internet security community when it acted unilaterally. Historically, trust-based Internet security communities have internally crowd-sourced determinations about whether a company is deliberately rogue or short on resources for fighting malicious activities.

In this case, it appears that the DCU did not seek additional context or share data with relevant trust communities, nor did it communicate with No-IP, or any of the companies whose data it used as evidence in the civil complaint (specifically Cisco and OpenDNS). The result was unfortunate and easily avoidable. I know from experience that the No-IP founders are responsive to abuse complaints and consistently working to assist the good guys.

While the DCU believed it was acting in the best interest of its customers, ultimately acting alone was a detriment to the larger Internet. The Internet is an open and democratic ecosystem, but fraud and cybercrime continue to frustrate global stake holders. As an Internet community, how do we effectively deal with malicious activity, and preserve this open and democratic resource? We continue to collaborate and communicate in meaningful ways.

Geo-political realities aside (and acknowledging that there is more work to be done), Internet stakeholders have been most successful when they innovate around identity and trust solutions, with formal and informal communities encouraging dialogue related to the barriers that prevent progress in slowing and discouraging cybercrime.

Barriers and legitimate concerns
Barriers to collaboration include the possible loss of competitive advantage, perceived liability, and perhaps even job termination. These are just a few legitimate concerns that impede individuals and organizations from consistently sharing valuable data and insight that could neutralize a threat or protect wider swaths of the public. Those communities that do initiate and sustain dialogues are consistently defeating threats.

For example, the FS-ISAC (Financial Services – Information Sharing and Analysis Center) is a consortium of financial services organizations that share specific indicators of compromise and general threat intelligence, which is a net benefit to all of the member organizations that contribute and review content. Similarly, REN-ISAC (Research and Education Networking Information Sharing and Analysis Center) benefits academia in the same manner.

Law enforcement is utilizing Interpol to arrest and extradite cybercrime suspects as in the recent case of alleged carder Roman Seleznev. Global law enforcement officers are frequently attending conferences to build relationships with foreign law enforcement, technology companies, and academia to more efficiently fight cybercrime. Law enforcement is communicating more efficiently and leveraging the talents and skills of those who want to see the Internet as a safe and democratic neighborhood. A prime example is the National Cyber Forensics & Training Alliance (NCFTA), comprising companies, government, and academia working together to neutralize cybercrime. NCFTA has been instrumental in dismantling botnet infrastructure and in criminal attribution efforts leading to arrests and prosecutions.

In the quasi-government space, ICANN (Internet Corporation for Assigned Names and Numbers) is continually soliciting feedback on how it administers the global namespace (Top Level Domains -- TLDs) and methods for increasing effectiveness in identifying malicious domains, rogue registries/registrars, and improving the disciplinary and remediation process. Security professionals travel halfway across the world to provide quantitative data for ICANN’s review to effect change through existing regulatory channels.

Unsung heroes
Finally, security researchers and analysts (the “white hats”) tirelessly work to better detect threats and share information with other people to help locate the bad guys, disassemble their infrastructures, and educate the public. I am privileged to know many researchers who dedicate their free time to supporting a free and safe Internet. They spend their own time and money attending conferences, performing free training workshops, building tools, and working late into the night to dissect the latest threats and share the information in vetted communities. These security researchers are the unheralded heroes of the Internet, and their efforts have averted calamities on numerous occasions.

The list of wins is long, and the world will never know about many efforts that saved human lives. In 2007 the Internet security community responded to the Storm worm and more recently formed the Conficker Working Group to address a very specific threat. Other extended periods of collaboration between security researchers and law enforcement have led to the identification and arrest of numerous criminal groups, including the Mariposa botnet operators, the DNS Changer crew, and the GameoverZeus miscreants. Absent the hard work and altruism of global security researchers, many of these extremely positive results vanish.

The complete list of public- and private-sector cyber security partnerships is long. While new calls for information sharing may appear specious or self-serving, it’s only because the Internet security community has already created successful forums to facilitate collaboration. Relationships and trust are built over time, through online interactions and in-person meetings, through a pint or three at the pub, and through genuine assistance during crises. Relationships are costly because they require time and investment to sustain, but they are the bedrock of the information security community, without which the world would be a much scarier place.

Levi Gundert is the vice president of intelligence and risk at Recorded Future where he leads the continuous effort to measurably decrease operational risk for customers. Levi has spent the past 20 years in both government and the private sector, defending networks, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
CVE-2020-15821
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2020-15823
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
CVE-2020-15824
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
CVE-2020-15825
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.