Microsoft has had a great deal of success taking down botnets in recent years. A fringe benefit of those takedowns is that Microsoft gets to collect oodles of very valuable data. Now, Microsoft is preparing to offer that threat intelligence as a real-time feed that partners can use to evaluate threats and develop better defenses.
A post on the Kaspersky Labs Threat Post blog explains, “Microsoft collects the data by leveraging its huge Internet infrastructure, including a load-balanced, 80gb/second global network, to swallow botnets whole -- pointing botnet infected hosts to addresses that Microsoft controls, capturing their activity and effectively taking them offline.”
Microsoft is reportedly conducting internal beta tests using data gathered from the Kelihos botnet. Microsoft is able to collect IP addresses of infected nodes, as well as Autonomous System (AS) number and reputation data from Microsoft’s Smart Network Data Services (SNDS), and share that information with third parties such as ISPs, CERTs, government agencies, and private organizations.
Paul Henry, security and forensic analyst for Lumension, doesn’t believe a Microsoft real-time threat feed will lead to a decrease in attacks. He does, however, feel that the data shared by Microsoft will help the information security community respond to threats more quickly, and limit the fallout from cyber attacks.
The information security industry needs more collaborative efforts, and more sharing of valuable data like this. Organizations in general are too secretive about security issues. There is an air of vulnerability that leads IT admins and executives to believe that if they share details of attacks it will reveal information that might be used in future attacks.
Henry notes, “The age old argument about protecting users from copy-cat attacks because the information exposed a weakness does not hold water... the bad guys are already sharing information on new attack vectors in real-time. So it only makes sense for defenders to do the same.”
There is some concern that the collected data may pose a privacy risk. T.J. Campana, a senior program manager in the Microsoft Digital Crimes Unit (DCU), told an audience at the International Conference on Cyber Security (ICCS) that personally identifiable information will be scrubbed from the threat feed.
Lumension’s Henry is comfortable that privacy will not be an issue. “The information can easily be sanitized to address any privacy concerns. This is nothing new and SANS has addressed the issue in their feed -- I don't see privacy as being an issue at all for this.”
Microsoft hasn't shared any specific timeline for officially launching the threat feed. It would be nice if more organizations would follow Microsoft's lead. Better collaboration and sharing of threat data would be a huge step in the right direction to minimize the impact of malware and cyber attacks.
[Update: A Microsoft spokesperson responded to a request for comment with the following details about the Microsoft real-time threat data feed:
“As part of our botnet takedowns within Microsoft’s Project MARS, we commonly observe malware-infected IP addresses of computers attempting to check into a botnet even after the command and control structure has been deactivated. These videos give a glimpse into that data as well as the footprint that these botnets have had globally. We learn more about the threat landscape from each of our botnet takedown operations. We take the knowledge and threat intelligence gained in each operation and explore ways it can be used to further protect the community.
For example, as has been stated publicly to date, we regularly work with ISPs and CERTs around the world in helping clean up and undo the damage the botnet caused, including providing them the information necessary to take proactive steps to inform affected PC owners and help them clean their systems. Over the past three years, this process has shown success as we have been able to reduce the infection rates of Waledac and Rustock dramatically, but the process has also been a relatively manual one.
As such, we also continue to explore ways to make the information learned from our takedowns more readily available to others who can take action to address infections in a more systemic and ongoing manner, as was discussed at this week’s conference. Our goal with the new system we’re building is to enable Microsoft to share threat intelligence securely and get timely information and tools into the hands of those that can help protect Microsoft customers. That effort is still a work in progress, but stay tuned – we will provide updates when we have more information to share.”]