Thoughts on Security Intelligence (McColo Corp alleged spam/malware host knocked offline)

Published: 2008-11-12
Last Updated: 2008-11-12 20:19:49 UTC
by John Bambenek (Version: 1)
1 comment(s)

Based on the investigative research of the Washington Post's Brian Krebs, US-based hosting provider McColo has been taken offline by its upstream providers.  This has once again led to discussion on the merits of knocking the "bad guys" offline versus leaving them up, gathering security intelligence and mitigating the threats they pose. First, some details.

The McColo network was not only a large source of spam in the US (check your spam counts; you will see a noticeable drop), but also trafficked in child pornography and malware. Setting aside the question of whether McColo itself is culpable, the badness was certainly on its network and it was not being addressed.  It had been known for some time that McColo was hosting this material from a data center in San Jose, California.
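The "check your spam counts" test above, written out as an added example that is not part of the original diary: it parses a constructed, simplified spam-filter log (one line per scanned message with an ISO timestamp, client IP and verdict; the format, the RFC 5737 addresses and the 2008-11-11 cutover date are all assumptions made for the example, not data from the page) and compares the median daily spam count before and after a takedown date. Adapt the regular expression to whatever your own filter actually logs.

```python
"""Measure the change in daily spam volume around a takedown date.

Added example, not code from the original diary. The log format is a
constructed, simplified one (ISO timestamp, host, "filter:", client IP,
verdict); adapt LINE_RE to whatever your own spam filter actually logs.
"""
import re
import statistics
from collections import Counter

# Constructed sample log (not real traffic; RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2008-11-09T00:13:02 mx1 filter: client=192.0.2.10 verdict=spam score=14.2
2008-11-09T01:20:44 mx1 filter: client=198.51.100.7 verdict=ham score=-1.3
2008-11-09T02:05:11 mx1 filter: client=192.0.2.11 verdict=spam score=9.8
2008-11-09T03:30:59 mx1 filter: client=192.0.2.12 verdict=spam score=11.0
2008-11-09T04:11:05 mx1 filter: client=192.0.2.13 verdict=spam score=12.6
2008-11-10T00:02:17 mx1 filter: client=192.0.2.14 verdict=spam score=10.1
2008-11-10T00:45:33 mx1 filter: client=192.0.2.15 verdict=spam score=13.7
2008-11-10T01:12:48 mx1 filter: client=198.51.100.8 verdict=ham score=0.2
2008-11-10T02:59:01 mx1 filter: client=192.0.2.16 verdict=spam score=9.9
2008-11-10T03:44:27 mx1 filter: client=192.0.2.17 verdict=spam score=8.4
2008-11-11T00:31:09 mx1 filter: client=192.0.2.18 verdict=spam score=11.9
2008-11-11T01:16:50 mx1 filter: client=198.51.100.9 verdict=ham score=-2.0
2008-11-11T03:08:12 mx1 filter: client=192.0.2.19 verdict=spam score=10.3
2008-11-12T00:22:41 mx1 filter: client=198.51.100.10 verdict=ham score=-0.5
2008-11-12T02:17:03 mx1 filter: client=192.0.2.20 verdict=spam score=9.1
2008-11-12T04:40:55 mx1 filter: client=198.51.100.11 verdict=ham score=1.1
2008-11-13T00:09:36 mx1 filter: client=192.0.2.21 verdict=spam score=12.2
2008-11-13T01:52:14 mx1 filter: client=198.51.100.12 verdict=ham score=-1.7
garbage line that does not match the expected format
"""

# One line per scanned message; anything else is skipped rather than crashing.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ \S+ filter: "
    r"client=(?P<ip>\S+) verdict=(?P<verdict>spam|ham)\b"
)


def daily_counts(log_text):
    """Return {day: (spam, total)} for every day with at least one parsed line.

    Tracking the total as well as the spam count means a day that saw only
    clean mail still shows up (with zero spam) instead of silently vanishing.
    """
    spam = Counter()
    total = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        day = m.group("day")
        total[day] += 1
        if m.group("verdict") == "spam":
            spam[day] += 1
    return {day: (spam[day], total[day]) for day in total}


def spam_drop(log_text, cutover_day):
    """Compare median daily spam before cutover_day with the median from that day on.

    Returns (median_before, median_after, fractional_drop). Raises ValueError if
    either window is empty, since a one-sided comparison says nothing. ISO date
    strings compare correctly as plain strings, so no datetime parsing is needed.
    """
    counts = daily_counts(log_text)
    before = [s for day, (s, _) in counts.items() if day < cutover_day]
    after = [s for day, (s, _) in counts.items() if day >= cutover_day]
    if not before or not after:
        raise ValueError("need observed days on both sides of the cutover")
    med_before = statistics.median(before)
    med_after = statistics.median(after)
    drop = 1 - med_after / med_before if med_before else 0.0
    return med_before, med_after, drop


if __name__ == "__main__":
    # Assumed cutover date for the constructed sample.
    b, a, d = spam_drop(SAMPLE_LOG, "2008-11-11")
    print(f"median spam/day before: {b}, from cutover on: {a}, drop: {d:.0%}")
```

Medians are used rather than means so a single burst day does not dominate a short window; on real data you will want several weeks on each side of the cutover before reading anything into the number.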

Herein lies the problem.  When security researchers discover where "bad behavior" is coming from, do they take it offline, or do they study it to try to mitigate the threats it poses?  In the case of child porn the answer should be obvious, but the question is really about malware and spam operations.  At first glance it is tempting to simply glean information from these people while they are unaware that we are watching, but I argue this is a poor long-term strategy.

Intelligence is not an end product; it is a tool. You do *something* with intelligence, you don't gather it for its own sake.  Creating signatures for AV/AM, IDS/IPS and spam filters is great, but the statistics show that the "bad guys" adapt just as fast as we churn out signatures. In short, waiting for them to adapt and then creating countermeasures only ensures that they get the first win (what I call the First Win Principle).  We can only react after they have already stolen information.  This is a "bad thing" (TM).

That isn't to say we should chuck AV/AM and reactive security overboard, far from it.  But to truly achieve results in securing cyberspace, we need to be proactive.  You don't win an "information war" solely by playing defense.  Spam, malware, electronic crime and the like keep working and keep proliferating for two reasons:

1) It is very cheap
2) It is very profitable

The "costs" from prosecution and the "costs" from being shut down are negligible, so the "bad guys" can spend their finite resources on developing techniques and technologies to get around our countermeasures.  And they are winning.  The key to fighting spam and malware is to make them "more costly" and "less profitable".  Sure, knocking these people offline only causes them to go elsewhere, but it imposes costs on them: the cost of moving their operations, the cost of improving their own security and defensive posture, and it gives us time to breathe.  From a purely economic standpoint, as long as the costs are low and the gains are high, "bad behavior" will continue to increase and evolve to the point where our current strategies simply no longer work.

There is a place for security intelligence and research.  When we find these nests of badness we should glean all we can from them, but then we need to shut them down.  Knowing where the bad guys are doesn't help the people whose identities get stolen.  The only long-term solution is increased prosecution and imposing increased costs on the "bad guys".

Thoughts?  Use our contact form and let us know what you think.

--
John Bambenek
bambenek /at/ gmail \dot\ com
