Collaboration: For Good and Bad Alike
As Marie and Pat have mentioned in previous posts, we are busy applying the final edits to the 2009 Cisco Midyear Security Report. Cisco will provide an overview of what Security Intelligence Operations analysts have observed during the first six months of 2009. In this forthcoming update, one theme has become evident: collaboration is a powerful force. Unfortunately, that force does not solely empower the virtuous.To date in 2009, we have seen examples of collaboration on both sides of the security equation. Our industry has rallied together to address challenges such as Conficker, and at the same time our adversaries have matured their operations and increased the potency of the threats they introduce into the wild.While our industry has certainly learned to respond, if we are going to change the security landscape in our favor it’s important that we evolve our ability to collaborate in order to move from transactional response to proactive defense.For Good…Let’s highlight a few positive instances of collaboration. In February we saw the creation of the Conficker Working Group (CWG). The CWG is an example of collaboration among industry and security community leaders to address a significant security threat. As a community, the CWG actively worked together to disrupt early versions of Conficker and disseminate vital information.Another example of collaboration that yielded positive results was the work to disconnect the ISP “McColo.” After McColo—an ISP largely reputed to house malicious servers and domains—was taken offline by its upstream Internet providers, the volume of spam on the Internet dropped dramatically. This marked decrease in spam lasted several months, with daily spam volumes only recently returning to their previous levels.There are also calls for more collaboration in the future. Recently the findings of the 60-day review of the nation’s online security were made public. Cisco’s Chief Security Officer, John Stewart, a contributor to the Center for Strategic and International Studies report for the Obama Administration, blogged about one of its key recommendations—a stronger, more collaborative public/private partnership. Further details are available at Cisco’s The Platform blog.Cisco has even taken the collaborative model beyond the sharing of thoughts or ideas between humans to the sharing of information among networked devices. Cisco SenderBase as well as the Global Correlation capabilities of our Intrusion Prevention Systems demonstrate this progression.…and Bad AlikeUnfortunately the power of collaboration does not only enable those looking to do good. Like other simple but powerful concepts that had nothing but good intentions, it is also clear that collaboration is an equal-opportunity enabler; there is no requirement that ideas shared or problems solved be for the greater good. In fact, technology can be very effective in hiding malicious activity, making it difficult to deter.One significant instance of collaboration for “the bad” is the maturing criminal ecosystem, with criminals increasingly looking to one another to not only consume services, but also to provide them. This may seem obvious on the surface; our analysis suggests that in 2009, the evolution of how criminals do business continues to progress. As an example, current trends indicate that a larger number of criminals are offering smaller, more directed services to their like-minded, nefarious customers. One of the largest security events to date in 2009 is Conficker, and while the CWG represents collaboration for good, Conficker is demonstrating collaboration for “the bad.” In April we saw Conficker distributing spam for trial software that included malware of the Waledac botnet. This seems to not only indicate the monetization of the Conficker botnet, but also a collaborative relationship between two botnets, Conficker and Waledac. It is also worth mentioning that the complexity of malware like Conficker and Waledac is substantial. That complexity is a good indicator that this software is the result of a team effort on the part of those who produce these attacks. I’d ask that you absorb the information contained in the Midyear Security Report with the mindset that many of the victims of these crimes are people who are consuming services that they have “trusted” for years, only in a different way. In fact, some may not even be aware that the underlying technology that is providing the information has changed. Collaboration is a powerful idea: bringing together a diverse set of people and perspectives to share ideas and solve problems can overcome almost any challenge. This blog is itself an example of collaboration; we hope it will not only provide you with a looking glass into the thoughts and perspectives of the global Cisco security community, but that it will also give you an opportunity to involve yourself in that community.As Marie aptly stated in her post, securing the network will take a village, but that village should not shift undue responsibility to the users of the services provided. As a security community we must collaborate to deliver transparent, high quality and secure services that just work. Join us by becoming part of the conversation.