SANS ISC: InfoSec Handlers Diary Blog

Making Intelligence Actionable: Part 2

Published: 2008-10-30
Last Updated: 2008-10-30 16:53:40 UTC
by Kevin Liston (Version: 1)

In addition to making malware and vulnerability intelligence actionable for the system administrator, there is also the problem of making intelligence actionable to victims and law enforcement.

There are three different players in this scenario: the researcher, the victim, and the law enforcer.

The researcher is the one monitoring the network or analyzing the malware, and who eventually comes upon somebody’s private information.
The victim is the person or organization whose information has been stolen.
The law enforcer is the organization that has the power to apprehend and punish criminals.

In its simplest form, the flow of information should go like this:

1) The researcher identifies that Group A used IP address B during time-frame C.
2) The victim group takes B and C to identify a list of victims D and a total impact of $E.
3) The law enforcer is given A through E, and if everything is accurate and E is large enough, they can pursue and prosecute Group A.

This is nice and simple, right? Except that there are limitations in how these three players are allowed to communicate and cooperate. Researchers can only talk to law enforcers on an “intelligence only” basis. Law enforcers can’t build cases without victims. Victims don’t always know that they’re victims, or that their case, when added to others’, can actually have an impact.

I recently had the opportunity to sit in a room where all three players were represented. There was a tremendous amount of progress made in those few days. As one other attendee noted: “if we had this for a month, we could probably knock out all Internet crime.” I know that was hyperbole, but I think that the group could have reduced 80% of it (citing the 80/20 rule).

A light bulb went on inside my head when a presenter explained it this way: intelligence is not evidence; we cannot have evidence without a crime; and we cannot have a crime without a victim.

There are a few forums that attempt to link these three groups. They still need some development.

If you’re a home user or small business, consider reporting to the Internet Crime Complaint Center (http://www.ic3.gov). If you are a larger organization, consider joining one of these information-sharing forums.

Kevin Liston
kliston at isc.sans.org

Keywords: intelligence