I have had a conversation with T.C. Piits (The Common Person in itsec) over the last month or so.
T.C. approached me and said "We were eaten alive by a "very limited, targeted attack" we discovered
four weeks ago. Not only did we get eaten alive, it's now evident from public list posts that other
environments were also exploited. Within two days of discovering the security breach we had a
complete analysis finished. I can't share the results of our in-house reverse engineering and
forensics analysis, nor can I share the results of our managed security service provider's reverse
engineering. I can share that forensics determined that the attack had successfully occurred
6 weeks ago. And here it is, four weeks after analysis was completed, and there's still no detailed
public information available about what the attack accomplishes. I'm sure other networks were
penetrated. Got any thoughts?"
And I responded, "T.C., you have a conundrum, and so does everyone in the itsec community. It's
clear that attackers, vendors, and other groups like ISACs share some information between
themselves and with their customers. However, it's evident in this day of "very limited, targeted
attacks" that detailed "analysis" is usually under an NDA, with a few occasional exceptions. Knowing
the attack is difficult to detect, other itsec shops that have been subjected to this "very limited,
targeted attack" are out of luck in this situation."
T.C. responded with "Do you have any suggestions to solve this conundrum?"
And I said "It's evident that attacker and defender alike are following the "pay to play" business
model. Most people do not have any problems with that business model; getting paid for your
intellectual efforts is OK with me. However, the disclosure/sharing problem you're describing is
huge: if information concerning "very limited, targeted attacks" is not shared, everyone in itsec
and our organizations will suffer more as time goes on. As a suggestion, see if you can work
out an IR policy and procedure within your organization for sanitizing and releasing information you
think is important for others to know. You might also try to get a "responsible disclosure" policy
and procedure established with and at any ISAC you belong to. And don't forget you can work out a
"responsible disclosure" agreement with SANS ISC."
T.C. then says "I have a related question: what about "responsible disclosure" for those itsec shops that
have to rely on MSSPs that NDA their paid-for analysis information?"
I respond "Yes, a bigger conundrum. Well, I would hope that their MSSPs would fulfill their
responsibilities to their customers and also have an NDA policy and procedure with customers that
allows them, directly or through a trusted third party, to publicly release helpful "very
limited, targeted attack" analysis in a timely manner."
So T.C. says "Well, I'll bring these ideas up at work; it would help the effort if the ISC referenced
this problem though. Ideas from staff are generally ignored because they were "invented here", if you
know what I mean."
And I respond "Will do!"
Jan 27th 2007