Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:30 PM
Levi Gundert
Levi Gundert
Connect Directly
E-Mail vvv

InfoSec’s Holy Grail: Data Sharing & Collaboration

Despite all the best intentions, cooperation around Internet security is still a work in progress. Case in point: Microsoft's unilateral action against No-IP.

“We need more collaboration, we need more data sharing!” This obligatory refrain perenially echoes through cyber security conference halls, eliciting a rolling of the eyes and a grimace. Why? It’s a noble notion, but the concept can be unrealistic when perceived as a panacea for countering cyberthreats.

In practice, cooperation around Internet security is difficult, not least because trust is required, though the past decade is proof that trust building is worthwhile. When Internet security collaboration is done right, the results are overwhelmingly positive. But that’s not always the case.

In June, Microsoft’s Digital Crimes Unit (DCU) filed a civil complaint against Dynamic DNS (DDNS) provider No-IP, which resulted in a Nevada judge granting Microsoft control of 22 No-IP domains. Regardless of the merits of taking civil action in pursuit of botnet shutdowns and assuming control of another company’s infrastructure, the DCU shocked the Internet security community when it acted unilaterally. Historically, trust-based Internet security communities have internally crowd-sourced determinations about whether a company is deliberately rogue or short on resources for fighting malicious activities.

In this case, it appears that the DCU did not seek additional context or share data with relevant trust communities, nor did it communicate with No-IP, or any of the companies whose data it used as evidence in the civil complaint (specifically Cisco and OpenDNS). The result was unfortunate and easily avoidable. I know from experience that the No-IP founders are responsive to abuse complaints and consistently working to assist the good guys.

While the DCU believed it was acting in the best interest of its customers, ultimately acting alone was a detriment to the larger Internet. The Internet is an open and democratic ecosystem, but fraud and cybercrime continue to frustrate global stake holders. As an Internet community, how do we effectively deal with malicious activity, and preserve this open and democratic resource? We continue to collaborate and communicate in meaningful ways.

Geo-political realities aside (and acknowledging that there is more work to be done), Internet stakeholders have been most successful when they innovate around identity and trust solutions, with formal and informal communities encouraging dialogue related to the barriers that prevent progress in slowing and discouraging cybercrime.

Barriers and legitimate concerns
Barriers to collaboration include the possible loss of competitive advantage, perceived liability, and perhaps even job termination. These are just a few legitimate concerns that impede individuals and organizations from consistently sharing valuable data and insight that could neutralize a threat or protect wider swaths of the public. Those communities that do initiate and sustain dialogues are consistently defeating threats.

For example, the FS-ISAC (Financial Services – Information Sharing and Analysis Center) is a consortium of financial services organizations that share specific indicators of compromise and general threat intelligence, which is a net benefit to all of the member organizations that contribute and review content. Similarly, REN-ISAC (Research and Education Networking Information Sharing and Analysis Center) benefits academia in the same manner.

Law enforcement is utilizing Interpol to arrest and extradite cybercrime suspects as in the recent case of alleged carder Roman Seleznev. Global law enforcement officers are frequently attending conferences to build relationships with foreign law enforcement, technology companies, and academia to more efficiently fight cybercrime. Law enforcement is communicating more efficiently and leveraging the talents and skills of those who want to see the Internet as a safe and democratic neighborhood. A prime example is the National Cyber Forensics & Training Alliance (NCFTA), comprising companies, government, and academia working together to neutralize cybercrime. NCFTA has been instrumental in dismantling botnet infrastructure and in criminal attribution efforts leading to arrests and prosecutions.

In the quasi-government space, ICANN (Internet Corporation for Assigned Names and Numbers) is continually soliciting feedback on how it administers the global namespace (Top Level Domains -- TLDs) and methods for increasing effectiveness in identifying malicious domains, rogue registries/registrars, and improving the disciplinary and remediation process. Security professionals travel halfway across the world to provide quantitative data for ICANN’s review to effect change through existing regulatory channels.

Unsung heroes
Finally, security researchers and analysts (the “white hats”) tirelessly work to better detect threats and share information with other people to help locate the bad guys, disassemble their infrastructures, and educate the public. I am privileged to know many researchers who dedicate their free time to supporting a free and safe Internet. They spend their own time and money attending conferences, performing free training workshops, building tools, and working late into the night to dissect the latest threats and share the information in vetted communities. These security researchers are the unheralded heroes of the Internet, and their efforts have averted calamities on numerous occasions.

The list of wins is long, and the world will never know about many efforts that saved human lives. In 2007 the Internet security community responded to the Storm worm and more recently formed the Conficker Working Group to address a very specific threat. Other extended periods of collaboration between security researchers and law enforcement have led to the identification and arrest of numerous criminal groups, including the Mariposa botnet operators, the DNS Changer crew, and the GameoverZeus miscreants. Absent the hard work and altruism of global security researchers, many of these extremely positive results vanish.

The complete list of public- and private-sector cyber security partnerships is long. While new calls for information sharing may appear specious or self-serving, it’s only because the Internet security community has already created successful forums to facilitate collaboration. Relationships and trust are built over time, through online interactions and in-person meetings, through a pint or three at the pub, and through genuine assistance during crises. Relationships are costly because they require time and investment to sustain, but they are the bedrock of the information security community, without which the world would be a much scarier place.

Levi Gundert is the vice president of intelligence and risk at Recorded Future where he leads the continuous effort to measurably decrease operational risk for customers. Levi has spent the past 20 years in both government and the private sector, defending networks, ... View Full Bio
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-22
Huawei LTE USB Dongle products have an improper permission assignment vulnerability. An attacker can locally access and log in to a PC to induce a user to install a specially crafted application. After successfully exploiting this vulnerability, the attacker can perform unauthenticated operations. A...
PUBLISHED: 2021-06-22
There is an out-of-bounds read vulnerability in eCNS280_TD V100R005C10 and eSE620X vESS V100R001C10SPC200, V100R001C20SPC200, V200R001C00SPC300. The vulnerability is due to a message-handling function that contains an out-of-bounds read vulnerability. An attacker can exploit this vulnerability by se...
PUBLISHED: 2021-06-22
There is an information leak vulnerability in Huawei products. A module does not deal with specific input sufficiently. High privilege attackers can exploit this vulnerability by performing some operations. This can lead to information leak. Affected product versions include: IPS Module versions V50...
PUBLISHED: 2021-06-22
There is a resource management error vulnerability in eCNS280_TD V100R005C10SPC650. An attacker needs to perform specific operations to exploit the vulnerability on the affected device. Due to improper resource management of the function, the vulnerability can be exploited to cause service abnormal ...
PUBLISHED: 2021-06-22
There is a command injection vulnerability in S12700 V200R019C00SPC500, S2700 V200R019C00SPC500, S5700 V200R019C00SPC500, S6700 V200R019C00SPC500 and S7700 V200R019C00SPC500. A module does not verify specific input sufficiently. Attackers can exploit this vulnerability by sending malicious parameter...