Posted on Thursday, January 10th, 2008

Scaling the good guys for the new year

by Jose Nazario

It’s customary - and a good habit - to use major events like the new year to review your path and direction. 2007 saw “Team Good” (the global group of Internet security pros) swamped with work fighting off a lot of attacks. Anticipating that 2008 won’t be any better, I ask myself this set of questions:

  • What did we do well in 2007?
  • What do we need to improve in 2008?
  • What good things do we need to strengthen and nurture in 2008?

I think there’s more to this than tools, and any answers shouldn’t be based solely on technology.

Looking back to 2007, one of the biggest things we did as a group of people was communicate more, and more quickly. One shining example was the dissection of a Microsoft “patch” Trojan a couple of months ago. A team of people worked together to analyze it, and in a matter of a few hours we had a detailed analysis completed. This happens from time to time, but it’s more the exception than the norm. Overall in 2007, though, bright, highly motivated people came together in various forums from all over the world to share tools and techniques to fight online crime and threats, and I think everyone benefited from it.

The biggest thing we can do to strengthen our practices from 2007 would be to continue building human relationships. As the recent difficulty contacting NIC.RU during the Storm worm showed, crossing geographic and operational boundaries is still one of the toughest things to do. The more friends you have, the more you benefit when it comes to problem remediation.

Data is quickly becoming a commodity, and 2007 saw some movement toward that. Data sharing - systematic, large-volume data sharing - is slowly increasing, and in doing so we improve everyone’s visibility to begin dealing with a problem. The flip side of this is that gathering data is no longer the challenge; acting on it and managing it is.

In 2007 we had some real weaknesses though, so for 2008 I think we should focus on some of the following things. First, we saw a lot of uneven coverage of threats, a problem that can be addressed in part through a division of labor. Pushdo, for example, had been seen for months before SecureWorks posted their analysis; very few people, including many AV companies, had the inclination to do the follow-through. In contrast, many people and teams were focused on the Storm worm, often duplicating efforts.

With a decentralized group of people under no single umbrella, it’s hard to enforce a division of labor. However, if enough people share knowledge openly (usually in trusted circles free of bad guys) and accept that there’s enough badness out there to keep us all in business as good guys, then all people have to do is start tackling the wide-open plains instead of the crowded areas.

Another big issue we failed to address well in 2007 - and need to for 2008 - is knowledge capture. There’s a handful of people who are sufficiently plugged in to everything and can remember it all, but they’re few and far between. Storing all of this accumulated knowledge goes beyond big disks and large inbox spools. You need to have it accessible, cataloged, and cross-referenced, preferably automatically. That’s a tall order, but it’s a technical challenge.

These are the sorts of questions that are rolling around in my head, and the solutions I am working toward this year for the problems we face on the Internet.

3 Responses

Comment by: Jose Nazario — January 11th, 2008 @ 2:23 pm EST

testing … are comments fixed?

Comment by: jose — January 11th, 2008 @ 2:24 pm EST

testing anon reply

Comment by: jose — January 11th, 2008 @ 2:25 pm EST

testing unauthed comment (not a reply)