About a week ago, I saw a tweet by @c_APT_ure referencing a new category in the established domain-tagging system at OpenDNS. They (OpenDNS) recently added both a malware and a botnet category that can be submitted for review (official announcement here). For those who don’t know how the domain tagging works, it basically goes like this: 1.) Someone submits a domain for review, usually in a category chosen by the submitter. 2.) The domain is then reviewed for accuracy. 3.) If verified beyond a certain level, it’s added to the tagged category. In this particular effort, OpenDNS required those wanting access to the malware and botnet categories to apply, which makes sense. These categories are probably going to result in blocked sites, and as such, you want people who know what they’re doing reviewing the sites.
Based upon mailing list emails, OpenDNS was happy with the number of requests that were received to conduct malware and botnet tag reviews. I requested any basic statistics (# applicants, # active, # reviews, etc.) and will update if or when I get them. I will say that based upon the amount of conversation in the mailing list, there is at least a strong core group of active reviewers for the categories. For me, the opportunity to conduct the reviews was an immediate draw. Ideally, it gives security researchers a potential point to find new malicious domains, capture some malware, and evaluate exploit packs. Like anything, there are learning experiences involved, and I think the effort will get much better as it evolves. Currently, the lack of a strong definition of a site that belongs in the malware category is muddying the waters. While OpenDNS does have a definition that’s supposed to be used, not everyone agrees with it. I get the feeling that most of the reviewers are using the definition, but the trouble arises in the submission process. Due to some script-based reporting/tagging and some inconsistent uses of the definition, there are a large number of false-positive tags. Once these get worked out, I think the effort will continue to improve.
Once I got familiar with the structure and thought about it some more, the OpenDNS effort got me thinking about other areas of potential crowdsourcing in InfoSec. OpenDNS has been doing it for a while, sites like VirusTotal have the opportunity with their community structure, and Twitter serves as a de facto crowdsourcing platform that has worked successfully for me in the past. However, there are other applications that I think could work, and some other non-traditional ones have emerged. One of the more interesting ones that I think could be extremely valuable is CrowdRE. CrowdStrike has developed a plugin for IDA Pro that allows reverse engineers to collaboratively reverse a target on a per-function basis. This has any number of applications, such as more quickly working through complex/large code, collaborating among remote team members, and training. Most importantly, it allows a diverse set of people with different areas of expertise to come together and provide input on one target. While I haven’t used CrowdRE, the opportunity and features seem immensely useful to me. I think the work can definitely be carried over to other areas in InfoSec.
For instance, how many people could benefit from a collaborative digital forensic platform that could make use of the entire community? I see a ton of benefits here. What’s one of the most difficult things in DF for a new investigator? A crowd DF platform allows students and new practitioners to work real cases alongside other experienced practitioners. It would also provide a method for established practitioners to see how others work through the same issues from a different view. Being able to share notes/markups, etc. would be great. I realize sourcing work may be difficult. Obviously nothing criminal could be placed on such a platform, and a large organization isn’t likely to use it either. How many SMBs are compromised? How many plan on seeing it through to prosecution? How many can afford to hire a DFIR pro to do the work? If the platform allowed for group analysis of HDD images, packet captures, logs, etc., I think it could achieve a reasonable case load.
There’s another, more sensitive, area where some feel a crowdsourcing approach would be useful. There are examples of sharing indicators and threat intel by groups and individuals alike (ForensicArtifacts, c_APT_ure, CIF, just to name a few). However, there is no truly community-oriented resource for collaborative deep threat intelligence & research. Yes, there are difficulties in forming this type of community, the largest of which is probably trust. However, I think a combination verification/referral-based system could work. The idea of such a community would be to make the information publicly available at some point anyway, so trust would likely only be a concern during research or for those who wish to conceal their identity in the public eye. I’ve seen others express support for this type of community and I believe others have tried to get some started (not 100% sure). If so, I’d definitely be curious as to why they failed, or if they were only meant to be temporary in the first place (such as focusing on a single event or incident).
These examples only really encompass a small portion of InfoSec. I’m sure there are other interesting areas that would benefit from crowdsourcing efforts. Do any others come to mind for you? Are you particularly interested in any of the ones mentioned? Leave some comments and maybe some good people can get together and work on some good stuff.
*8/7 Update* – The folks over at OpenDNS were kind enough to provide me some basic stats about the success of the malware/botnet tagging program. Within a couple of weeks, 60 InfoSec professionals were approved for the program across 10 countries. As of a couple weeks ago, there were ~150 posts to the group mailing list discussing a number of aspects regarding the program and suggestions for improvement. Additionally, there are plans to improve the program in a number of ways. The first is to create a guest blog for members of the program to post interesting points/articles/notes about domains or exploits they come across while reviewing. There are also plans to incorporate the feedback received from the mailing list and to increase logging and note taking abilities for submitters and reviewers to assist others in the review process.