Yesterday, I gave my opinion on the how I think we are missing an opportunity. Before it even went live Monday (I wrote it Sunday, and I’m writing this Monday night), a conversation happened. The main point is that Attackers are working together so why are the defenders all playing the Lone Ranger / Zorro by going it alone?
I also had quick twitter conversations with Ch3ryl B1sw4s and Timeless Prototype. One was related to yesterday’s post, one wasn’t. But here are some thoughts to try and up the game on the defense side. I’m not an expert, I’m just some guy working on a Master’s on Cybersecurity to go with my BS in Information Assurance.
- Have a way for people who work in SOCs, on CIRT teams, Security, regardless of team size, even the guy who has to do it all at the small companies to have a group of peers who can be contacted and discuss things with.
- Keep the adversarial attackers out, but allow pen-testers and others access too if they want to join.
- Provide enough information to be helpful to each other without putting our companies at risk.
Step 1. Create a Security Operations based Web of Trust
We need a way to validate people. So lets say I’m on a CIRT, I can vouch for all my CIRT members. But if I have been interviewed by another CIRT I can vouch for the members that interviewed me there. That means, I can get those two groups talking and at some point, like a con they can meet.
Step 2. Secure communication channels.
Different options for communication. Out of band forums, chat (IRC), OTR IM, or whatever people think would be the best way.
This is multi-fold.
One it gives us a neutral ground to talk, and putting a layer between our conversations and our employers. For protection, obfuscation is not security but having a group invites attackers. Keep the company names out, and makes it harder to attack them because of our associations. It’s not to hide things from the company.
Two, this way if we have to contact another team with “Hey I’m seeing a lot Viagra ads coming from your domain”, I don’t have to worry about intercept because the mail server or mail dns is compromised.
Step 3. Share sanitized knowledge.
Note I said sanitized. This should make the stake holders at our employers a little more relaxed. They know we are sharing Indicators of Compromise, or hey I noticed this strange thing anyone else seeing it?
It would also be nice if someone finds malware aimed at another company to share that, instead of saying yep, not my company, without having to say all they did to find it. Just say “Hey I found this going after X, anyone else see it on their network. How about X, do you know your a target?
I’m sure this could be fleshed out more. I’m sure there are things I’m missing. I know it’s partly re-inventing the wheel, but really twitter is faster than Infragard on attacks, but with twitter both sides see them a the same time, while things get lost in the noise. I know HTCIA is a thing, but is it’s mission the same?