Last week we discussed some of the techniques that could have helped detect Flame in its earliest stages: Layered defense and generic detection. This week, we’ll discuss something without which the security industry would be much less effective: Sample and information sharing.
Most people assume that security companies operate like any other business, in that any information going to competitors is strictly forbidden. But in fact, security companies are something like a combination between a regular business and a police force. We share samples, research, and certain data as needed to ensure we’re all protecting the public as best as possible.
Security software companies all have a research department that goes hunting for malware, vulnerabilities, spam, phish, or whatever other nasties are their specialty. But for many companies, anti-malware in particular, the bulk of the samples they receive come from people or businesses whose systems have been affected. In an era where targeted attacks are becoming more prevalent and more sophisticated, we need these legions of extra pairs of eyes in the field to make sure that we have all the information we need to protect everyone. If we’re not the target, we would never have access to this data otherwise.
Once the nasties have been found, researchers take them back and tear them apart so that we can find ways to protect against them. And at the end of the day, we share information about the threats with a variety of different organizations. Most security companies report particularly notable threats on blogs or in cybersecurity groups. We send information to law enforcement agencies when there is the possibility of prosecuting the offenders, or ISPs and Domain Name Registrars when there is an opportunity to shut down a cybercrime operation.
This last case is another where reports from customers are essential. Part of the process of proving that a crime is serious enough to warrant arresting someone or taking down a web address is assessing the monetary damage. Security companies can’t know this information on their own, because it isn’t our machines that are being damaged; it’s customers’ machines.
How does this pertain to Flame?
Now that I’ve gone through this whole long preamble, you may be wondering: What does this have to do with the Flame situation?
So, we know that Flame was a targeted attack. Likely state-sponsored. It was quite sneaky, and the target they were going after was very limited, both geographically and by industry. It wasn’t exactly ninja-quality stealth, as samples of some components were sent to the security industry years ago. But nevertheless, it was pretty far under the radar.
As no one in the security industry had a complete sample until several days ago, we didn’t have a good idea of what we were looking at. The vast majority of samples come to security companies piecemeal, with little to no information. It’s a little like trying to identify an elephant from a picture of its toenails. We might be able to tell you it’s probably an elephant, but we won’t have enough context to tell you whether it’s Asian or African, whether it’s male or female, how old it is, etc.
The thing that really turned the tide with Flame was the cooperation of the Iranian CERT. Most countries have some sort of CERT, or Computer Emergency Readiness (or Response) Team. Most of those teams have some sort of relationship with security software companies for reporting incidents, so that we can make sure the public is maximally protected. Because of the current international political situation, this has been very difficult with Iran. But they provided security vendors with enough information to get us all started on analyzing this threat in earnest.
What does this have to do with me?
This is really what it all comes down to. Iranian CERT would not have had information to share if the affected companies had kept information about the Flame attacks to themselves. It’s vitally important for all of us, not just government agencies or big businesses, to report cybercrime.
There are not yet a lot of countries that have centralized cybercrime reporting, but here is a list of a few countries and their reporting instructions:
You can also send samples of malware to your anti-malware vendors. Our sample-submission address is firstname.lastname@example.org
Any details you can include about how you think the sample came to you (website, email, instant message, thumb drive, etc.) are greatly appreciated. It’s best to send the sample in a password-protected ZIP file (password: infected), so that mail scanners along the way don’t strip or quarantine it and nobody opens it by accident. But it’s better to send us a sample however you can than not to report it at all. If we require more information, we can work with you to help you gather the appropriate details. It’s easy, and it helps us all be better protected.
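Here is what that packaging step looks like in code, as an added example that is not part of the original post or the vendor's own tooling. It builds the kind of ZIP the paragraph asks for: each entry protected with the traditional PKWARE "ZipCrypto" scheme under the shared password "infected", plus a notes.txt recording the SHA-256 and how the sample arrived (the notes.txt field names and the constructed sample bytes are this example's own assumptions). The standard library's zipfile module can read ZipCrypto entries but cannot write them, so the writer emits the ZIP structure and the cipher by hand and then re-opens the result with zipfile to confirm it is really protected and decrypts cleanly.

```python
"""Package a suspected-malware sample for submission to an anti-malware vendor.

Added example, not code from the original post or its author. It implements the
convention the post describes: a ZIP protected with the password "infected".
zipfile can READ traditional PKWARE "ZipCrypto" entries but cannot write them, so
this writer emits the ZIP structure and cipher by hand (APPNOTE.TXT section 6.1)
and then checks the result with zipfile. notes.txt field names are assumptions.
"""
import hashlib
import io
import os
import struct
import zipfile
import zlib

PASSWORD = b"infected"  # industry convention, deliberately not a secret
DOS_DATE = ((2012 - 1980) << 9) | (6 << 5) | 1  # 2012-06-01, fixed for reproducibility
DOS_TIME = 0

# Constructed stand-in for a sample: a fake MZ header plus filler, NOT malware.
SAMPLE_BYTES = b"MZ" + b"\x90" * 64 + b"constructed placeholder, not a real sample\n"

def _crc32_step(crc: int, byte: int) -> int:
    """Advance a CRC-32 (reflected polynomial 0xEDB88320) by one byte."""
    crc ^= byte
    for _ in range(8):
        crc = (crc >> 1) ^ (0xEDB88320 if crc & 1 else 0)
    return crc

class ZipCrypto:
    """Traditional PKWARE stream cipher: three 32-bit keys seeded by the password."""

    def __init__(self, password: bytes) -> None:
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for c in password:
            self._update(c)

    def _update(self, c: int) -> None:
        self.k0 = _crc32_step(self.k0, c)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_step(self.k2, self.k1 >> 24)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = (self.k2 | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # keys advance on the PLAINTEXT byte
        return bytes(out)

def build_protected_zip(entries: dict, password: bytes = PASSWORD) -> bytes:
    """Return ZIP bytes with every entry STORED (method 0) and ZipCrypto-protected."""
    body, central = io.BytesIO(), io.BytesIO()
    for name, data in entries.items():
        raw_name = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        # 12-byte encryption header: 11 random bytes, then the CRC high byte,
        # which is the "password check" byte readers compare after decrypting.
        header = os.urandom(11) + bytes([crc >> 24])
        cipher = ZipCrypto(password)
        payload = cipher.encrypt(header) + cipher.encrypt(data)  # one key stream
        offset = body.tell()
        # flags=1 (encrypted), method=0, time, date, crc, compressed, uncompressed
        common = struct.pack("<HHHHIII", 1, 0, DOS_TIME, DOS_DATE, crc,
                             len(payload), len(data))
        body.write(b"PK\x03\x04" + struct.pack("<H", 20) + common
                   + struct.pack("<HH", len(raw_name), 0) + raw_name + payload)
        central.write(b"PK\x01\x02" + struct.pack("<HH", 20, 20) + common
                      + struct.pack("<HHHHHII", len(raw_name), 0, 0, 0, 0, 0, offset)
                      + raw_name)
    cd_offset, cd = body.tell(), central.getvalue()
    body.write(cd + b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, len(entries),
                                                len(entries), len(cd), cd_offset, 0))
    return body.getvalue()

def prepare_submission(sample_name: str, sample: bytes, how_received: str) -> bytes:
    """Bundle the sample with a notes.txt carrying the details the post asks for."""
    notes = (f"sample: {sample_name}\n"
             f"sha256: {hashlib.sha256(sample).hexdigest()}\n"
             f"size: {len(sample)}\n"
             f"how_received: {how_received}\n")
    return build_protected_zip({sample_name: sample, "notes.txt": notes.encode()})

def verify_submission(zip_bytes: bytes, password: bytes = PASSWORD) -> dict:
    """Re-read with the stdlib: every entry must be flagged encrypted and decrypt."""
    contents = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not (info.flag_bits & 0x1):
                raise ValueError(f"{info.filename} is not password-protected")
            contents[info.filename] = zf.read(info.filename, pwd=password)
    return contents

def requires_password(zip_bytes: bytes) -> bool:
    """True if zipfile refuses to read the first entry when no password is given."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        try:
            zf.read(zf.namelist()[0])
        except RuntimeError:
            return True
    return False
```

To use it, call `prepare_submission("sample.bin", data, "email attachment")` and attach the returned bytes; `verify_submission` on the same bytes is the check to run before sending. Two points worth keeping in mind: ZipCrypto with a published password gives no confidentiality at all, and is not meant to; its only job is to stop gateways and desktop scanners from stripping or quarantining the attachment and to stop the recipient from launching the sample by accident. And the entries are stored uncompressed on purpose, so the ZIP cannot be mistaken for an attempt to hide the payload from the analyst's tooling.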