Microsoft has had a great deal of success taking down botnets in recent years. A fringe benefit of those takedowns is that Microsoft gets to collect oodles of very valuable data. Now, Microsoft is preparing to offer that threat intelligence as a real-time feed that partners can use to evaluate threats and develop better defenses.
A post on the Kaspersky Labs Threat Post blog explains, “Microsoft collects the data by leveraging its huge Internet infrastructure, including a load-balanced, 80gb/second global network, to swallow botnets whole -- pointing botnet infected hosts to addresses that Microsoft controls, capturing their activity and effectively taking them offline.”
Microsoft is reportedly conducting internal beta tests using data gathered from the Kelihos botnet. Microsoft is able to collect IP addresses of infected nodes, as well as Autonomous System (AS) number and reputation data from Microsoft’s Smart Network Data Services (SNDS), and share that information with third parties such as ISPs, CERTs, government agencies, and private organizations.
Paul Henry, security and forensic analyst for Lumension, doesn’t believe a Microsoft real-time threat feed will lead to a decrease in attacks. He does, however, feel that the data shared by Microsoft will help the information security community respond to threats more quickly, and limit the fallout from cyber attacks.
The information security industry needs more collaborative efforts, and more sharing of valuable data like this. Organizations in general are too secretive about security issues. There is an air of vulnerability that leads IT admins and executives to believe that if they share details of attacks it will reveal information that might be used in future attacks.
Henry notes, “The age old argument about protecting users from copy-cat attacks because the information exposed a weakness does not hold water... the bad guys are already sharing information on new attack vectors in real-time. So it only makes sense for defenders to do the same.”
There is some concern that the collected data may pose a privacy risk. T.J. Campana, a senior program manager in the Microsoft Digital Crimes Unit (DCU), told an audience at the International Conference on Cyber Security (ICCS) that personally identifiable information will be scrubbed from the threat feed.
Lumension’s Henry is comfortable that privacy will not be an issue. “The information can easily be sanitized to address any privacy concerns. This is nothing new and SANS has addressed the issue in their feed -- I don't see privacy as being an issue at all for this.”
Microsoft hasn't shared any specific timeline for officially launching the threat feed. It would be nice if more organizations would follow Microsoft's lead. Better collaboration and sharing of threat data would be a huge step in the right direction to minimize the impact of malware and cyber attacks.
Sign up for Computerworld eNewsletters.