Wednesday, September 19, 2012

Understanding Responsible Disclosure of Threat Intelligence

Imagine you're hiking in the woods one day. While stopping for a break you happen to find a mysterious package off to the side of the trail. You open the package and realize you've discovered a "dead drop," a clandestine method to exchange messages.

You notice the contents of the message appear to be encoded in some manner to defy casual inspection. You decide to take pictures of the package and its contents with your phone, then return the items to the place you found them.

Returning home you eagerly examine your photographs. Because you're clever you eventually decode the messages captured in your pictures. Apparently a foreign intelligence service (FIS) is using the dead drop to communicate with spies in your area! You're able to determine the identities of several Americans working for the FIS, as well as the identities of their FIS handlers. You can't believe it. What should you do?

You decide to take this information to the world via your blog. You found the messages on your own, and you did the work to understand what they mean. If the press reads about your discovery, they'll likely take it farther.

You consider going to the press first, but you decide that it won't hurt to drive traffic to your own blog first. You might even be able to launch that small private investigator practice you've always wanted!

After publishing your post, the press indeed notices, and publishes an expose featuring an interview with you. Several US intelligence agencies also notice. They had been monitoring the dead drop themselves for a year, and had been working a complex joint case against all of the parties you identified. Now all of that work is ruined.

Before the intelligence agencies can react to your disclosure, the targets of their investigation disappear. They will likely be replaced by other agents quickly enough, using other modes of communication unknown to the US agencies. The FIS will alter their operation to account for the disclosure, but it will continue in some form.

That is the problem with irresponsible disclosure. To apply the situation to the digital security world, make the following changes.

  • Substitute "command and control server" for "dead drop."
  • Substitute "tools, exploits, and other digital artifacts" for "messages."
  • When the adversary learns of the disclosure, they move to other C2 infrastructure and develop or adopt new tools, tactics, and procedures (TTPs).

What should the hypothetical "security researcher" have done in this case?

It's fairly obvious he should have approached the FBI himself. They would have realized that he had stumbled upon an active investigation, and counseled him to stay quiet for the sake of national security.

What should "security researchers" in the digital world do?

This has been an active topic in a private mailing list in which I participate. We've been frustrated by what many of us consider to be "irresponsible disclosures." We agree that sharing threat intelligence is valuable, but we prefer to keep the information within channels among peers trusted to not alert the adversary to our knowledge of intruder TTPs.

Granted, this is a difficult line to walk, as I Tweeted yesterday:

Responsible security intel teams walk a fine line between sharing for the benefit of peers and risking disclosure to the detriment of all.

The best I can say at this point is to keep this story in mind the next time you stumble upon a package in the woods. The adversary is watching.

8 comments:

Thierry Zoller said...

Richard,
I respect your views, usually, in this case your thesis makes sense in world that would consist solely of the USA and the FBI.

That however is not the case, some of us are very unlikely to expose such intel to the FBI and would rather choose a more local or European Institution. In that case it is unlikely to lead to the outcome you portray regardless if the FBI is on their tail or not. Likely one would not know about the actions of the other.

Unless there is a central and single agency across the world your thesis is flawed.

Of course in general publishing intel will always make those targeted notice and hide/change - we agree.

The question is whether you want to run the risk of more companies/users being compromised by keeping this information in closed circles or whether it should be shared within a closed groups of those that basically choose themselves.

Richard Bejtlich said...

Thanks for your comment Thierry. However, the thesis still holds because you could report to your version of the FBI. I imagine 90% of the world's security researches live someplace that has a decent org like that. It's not perfect but it's better than what I'm seeing happen now.

Richard Perez said...

So the problem with exposing FIS information to the world is the problem with them moving and changing. Ideally one would provide the internal group (as you say) and the information would be used to protect. A huge percentage of those companies that are targeted will be provided this information and react. I agree with Richard in that the person that releases that important information just wants to be recognized and or start his own company. Who can't do analysis? Anyone could but not everyone has access to the actual TTP. That is so valuable that just giving it to everyone is just a waste of time and money. Remember those companies getting pwned will continue to get pwned because now they are coming from some where different. Having them in front of us would make the security work a little easier.

Richard Perez said...

So the problem with exposing FIS information to the world is the problem with them moving and changing. Ideally one would provide the internal group (as you say) and the information would be used to protect. A huge percentage of those companies that are targeted will be provided this information and react. I agree with Richard in that the person that releases that important information just wants to be recognized and or start his own company. Who can't do analysis? Anyone could but not everyone has access to the actual TTP. That is so valuable that just giving it to everyone is just a waste of time and money. Remember those companies getting pwned will continue to get pwned because now they are coming from some where different. Having them in front of us would make the security work a little easier.

Paul Vixie said...

the security industry is optimized for shareholder value not public safety.

see also this 2004 article.

Nick Selby said...

Richard,
You raise a truly important concept and I'm glad you did. Another thing I'm afraid of here is the presumption that the FBI is a) the sole place to report such activity (as if other agencies couldn't possibly be aware of it) and b) the presumption of both willingness to explore even its own organization for a match, let alone to explore with other agencies whether the activity you have observed is part of an operation. A deconfliction process only works when willing participants, with integrity in their processes, engage in honest participation. Information and intelligence sharing works when there is a culture - not just a technical mechanism - of sharing. Sharing is a two-way street.

Kevin Stevens said...

+1 to what Paul said

Scott Herbert said...

Richard,
Just some quick off the cuff thoughts.
You take this dead drop information to the FBI you get a "Thank you very much, we'll deal with it". A week later walking you favour trail, you see another package in the same dead drop, what do you do?
Are the FBI watching and tracking the FIS? Did the FBI think that you’re tin foil hat had fallen off? Did the FBI think “it’s not worth the man power to fix”? Sadly you’ve no way of telling which is more likely so what do you do? Risk our national security and not point this out to the press/ post it on your blog or risk national security by pointing this out / posting it on your blog.
And if you happen to live in the UK and you notice the dead drop on US soil??? As you say there are no easy answers (but when are their).