Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Thoughts on Security Intelligence (McColo Corp alleged spam/malware host knocked offline)

Published: 2008-11-12
Last Updated: 2008-11-12 20:19:49 UTC
by John Bambenek (Version: 1)
1 comment(s)

Based on the investigative research of the Washington Post's Brian Krebs, US-based McColo has been taken offline by their various upstream providers.  This has once again led to discussion on the merits of knocking the "bad guys" offline compared to doing security intelligence and mitigating the threats they pose. First, some details.

The McColo network not only was a large source of spam in the US (check your spam counts, you'll see a noticeable drop), but also trafficked in child pornography and malware. Skipping past allegations of whether or not McColo is culpable, the badness certainly was on their network and it wasn't been addressed.  It has been known that McColo was home to some of this stuff that was sitting in a San Jose, California data center.

Herein lies the problem.  When security researchers discover where "bad behavior" is coming from, do they take it offline or do they do research to try to mitigate the threats posed.  In the case of child porn, the answer should be obvious, but the question is more about malware / spam operations.  At first glance, it is tempting to simply glean information from these people while they are unaware of us watching, but I argue this is a poor long-term strategy.

Intelligence is not an end-product, it is a tool. You do *something* with intelligence, you don't gather it for the sake of gathering it.  Creating signatures for AV/AM, IDS/IPS and spam filters is great, but the statistics show that the "bad guys" are adapting just as fast as we churn out signatures. In short, waiting for them to adapt and then creating counter-measures only ensures that they get the first win (or what I call the First Win Principle).  We only can react after they've already stolen information.  This is a "bad thing" <tm>.

That isn't to say we should chuck AV/AM and reactive security overboard, far from it.  But to truly achieve results in securing cyberspace, we need to be proactive.  You don't win an "information war" solely by playing defense.  Spam, malware, electronic crime and the like keep working and keep proliferating for two reasons:

1) It is very cheap
2) It is very profitable

The "costs" from prosecution and the "costs" from being shut down are negligible so the "bad guys" can use their finite resources to keep developing their techniques and technologies to get around our countermeasures.  And they are winning.  The key to fighting spam and malware is to make them "more costly" and "less profitable".  Sure, knocking these people offline only causes them to go elsewhere, but it imposes costs on them to move their operations, costs to increase their own security and defensive posture and gives us time to breathe.  From a purely economic standpoint, as long as the costs are low and the gains are high, "bad behavior" will continue to increase and evolve to the point where our current strategies will simply no longer work.

There is a place for security intelligence and research.  When we find these nests of badness we should glean all we can from them, but then we need to shut it down.  Knowing where the bad guys are doesn't help the people who get their identities stolen.  The only long-term solution is increased prosecution and imposing increased costs on the "bad guys".

Thoughts?  Use our contact form and let us know what you think.

--
John Bambenek
bambenek /at/ gmail \dot\ com

1 comment(s)
Diary Archives