Incident & Information Sharing conundrum
Last Updated: 2007-01-27 23:36:35 UTC
by Patrick Nolan (Version: 7)
I have had a conversation with T.C Piits (The Common Person in itsec) over the last month or so. T.C. approached me and said "We were eaten alive by a "very limited, targeted attack" we discovered four weeks ago. Not only did we get eaten alive, it's now evident from public list posts that other environments were also exploited. Within two days of discovering the security breach we had a complete analysis finished. I can't share the results of our in-house reverse engineering and forensics analysis, nor can I share the results of our managed security service providers reverse engineering analysis. I can share that forensics determined that the attack had successfully ocurred 6 weeks ago. And here it is, four weeks after analysis was completed, and there's still no detailed public information available about what the attack accomplishes. I'm sure other networks were penetrated. Got any thoughts?".
And I responded, "T.C, you have a conumdrum, and so does everyone in the itsec community.". "It's clear that attackers, vendors, and other groups like ISAC's, share some information between themselves and with their customers. However, its evident in this day of "very limited, targeted attacks" that detailed "analysis" is usually under an NDA, with a few occasional exceptions. Knowing the attack is difficult to detect, other itsec shops that have been subjected to this "very limited, targeted attack" are out of luck in this situation.".
T.C responded with "Do you have any suggestions to solve this conumdrum?".
And I said "It's evident that attacker and defender alike are following the "pay to play" business model. Most people do not have any problems with that business model, getting paid for your intellectual efforts is OK with me. However, the disclosure/sharing problem you're describing is huge, if information concerning "very limited, targeted attacks" is not shared, everyone in itsec and our organizations are going to suffer more as time goes on. As a suggestion, see if you can work out an IR policy and procedure within your organization for sanitizing and releasing information you think is important for others to know. You might also try to get a "responsible disclosure" policy and procedure established with and at any ISAC you belong to. And don't forget you can work out a "responsible disclosure" agreement with SANS ISC.".
TC says "I have a related question, what about "responsible disclosure" for those itsec shops that have to rely on MSSP's that NDA their paid for analysis information?".
I respond "Yes, a bigger conundrum. Well, I would hope that the MSSP's would fulfill their responsibilities to their customers and also have an NDA policy and procedure with customers that allows them to, directly, or through a trusted third party, publically release helpful "very limited, targeted attack" analysis in a timely manner.".
So T.C says "Well, I'll bring these ideas up at work, it would help the effort if the ISC referenced this problem though. Ideas from staff are generally ignored because they were "invented here" if you know what I mean.".
And I respond "Will Do!.". ..