Threat intelligence: the knowledge is there but is not shared.

27-03-2019 10:47:10
Not sharing knowledge on digital attacks and other problems is a missed opportunity, says Wido Potters of BIT. It would, after all, make all our lives a lot safer.

Organisations and parties whose services or products are related to the internet naturally deal the most with online problems. As a result, they have access to a goldmine of information about those problems. Unfortunately, this knowledge is only shared with the world sporadically. And that’s a shame.

To make the internet cleaner and safer, organisations should definitely share such information. That way we can strengthen the threat intelligence – the fact-based knowledge about existing or new threats – of internet organisations.

Countless examples

The number of organisations that have knowledge of vulnerabilities or problems on the internet and also share this knowledge is remarkably low.

The police and the judiciary investigate the phishing of online banking data on a daily basis. These organisations know a lot about the modus operandi of criminals in the phishing business. If hosting providers were kept informed of the indicators that point to phishing sites, or were given the code snippets used in them, they could prevent phishing sites from being deployed in their networks or from staying online. The banks that have suffered from such phishing practices should share what they know about the specific spam runs preceding the phishing attempts with the email providers. That allows email providers to block such spam runs in their spam filters.

There are businesses that map websites across the internet. They sell these data for business intelligence purposes or to protect trademark rights. Because of their extensive scans of the internet, they can see when large-scale defacement attacks are being carried out. Imagine how useful it would be if they informed the hosting provider of a defaced website about this.

Over the past years, a lot of work has been done to secure the email infrastructure using techniques like SPF, DKIM and DMARC. The last of these, DMARC, gives owners of email domains an overview of the IP addresses from which emails are being sent in the name of their domain. There are companies that have made creating DMARC reports their core activity. If those companies informed the networks from which emails failing authentication are being sent, many hacked email accounts and open mail relays could be addressed.
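As an added illustration of what such a report contains (example code written for this article, not BIT's or any DMARC vendor's tooling), the snippet below parses a constructed DMARC aggregate report and totals, per source IP, the messages that failed both DKIM and SPF alignment; those are the addresses a report processor could pass on to the responsible network:

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed DMARC aggregate (RUA) report, reduced to the elements used
# here. Source IPs are documentation addresses (RFC 5737), not real senders.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.44</source_ip><count>2</count>
      <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def failing_sources(report_xml):
    """Return {source_ip: messages} for rows in which DMARC failed, i.e.
    neither DKIM nor SPF yielded an aligned pass in <policy_evaluated>."""
    root = ET.fromstring(report_xml)
    totals = defaultdict(int)
    for row in root.iter("row"):
        evaluated = row.find("policy_evaluated")
        # A missing result is treated as a failure, never as a pass.
        dkim = evaluated.findtext("dkim", "fail") if evaluated is not None else "fail"
        spf = evaluated.findtext("spf", "fail") if evaluated is not None else "fail"
        if dkim == "pass" or spf == "pass":
            continue  # one aligned pass is enough for DMARC to pass
        totals[row.findtext("source_ip")] += int(row.findtext("count", "0"))
    return dict(totals)

if __name__ == "__main__":
    domain = ET.fromstring(SAMPLE_REPORT).findtext("policy_published/domain")
    for ip, n in sorted(failing_sources(SAMPLE_REPORT).items()):
        print(f"{ip}: {n} messages failed DMARC for {domain}")
```

Real reports arrive as gzip or zip attachments to the address in the domain's rua= tag; decompressing them first is the only extra step before this parser applies.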
It is understandable that many organisations do not share their threat intelligence. Often they are not even aware that others could do something useful with the information. Sharing such information does not contribute to the primary corporate processes and may well give them a headache. And there are, of course, organisations that are hesitant to report vulnerabilities and problems. It is almost always a matter of IP addresses, and the AVG (the GDPR) requires privacy impact assessments, processor agreements and privacy statements. Quite a lot of work for something that does not make any money and ‘only’ makes the internet a little cleaner and safer.

At the same time, there are solutions, existing or being created, that help to remove the objections to sharing information. The GDI Foundation has years of experience in informing large groups of internet users of vulnerabilities and problems in their infrastructure. GDI has received datasets from others before and distributed that information.

The AbuseIO foundation is working on open source software to automate the notification process with minimal effort. This software is set to be released by the end of 2019, and AbuseIO is open to collaborating with organisations to implement the software.

All in all, it is clearly time to come together as internet professionals. The social impact of the internet is still growing, and the economic interests are huge. Vulnerabilities and abuse on the internet undermine the trust that is placed in the sector and can lead to undesired laws and regulations. These problems should and can be handled together. I really like to think about how to put this all into action.

By: Wido Potters