{"id":4842,"date":"2012-06-06T16:00:20","date_gmt":"2012-06-06T23:00:20","guid":{"rendered":"http:\/\/www.intego.com\/mac-security-blog\/?p=4842"},"modified":"2016-02-12T10:20:19","modified_gmt":"2016-02-12T18:20:19","slug":"flame-education-part-2","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/flame-education-part-2\/","title":{"rendered":"Flame Education, Part 2"},"content":{"rendered":"

\"\"<\/a>
\nLast week we discussed<\/a> some of the techniques that could have helped detect Flame in its earliest stages: Layered defense and generic detection. This week, we\u2019ll discuss something without which the security industry would be much less effective: Sample and information sharing.<\/p>\n

Most people assume that security companies operate like any other business, in that any information going to competitors is strictly forbidden. But in fact, security companies are something like a combination between a regular business and a police force. We share samples, research, and certain data as needed to ensure we\u2019re all protecting the public as best as possible.<\/p>\n

Security software companies all have a research department that goes hunting for malware, vulnerabilities, spam, phish, or whatever other nasties are their specialty. But for many companies, anti-malware in particular, the bulk of the samples they receive are from people or businesses whose systems have been affected. In an era where targeted attacks are becoming more prevalent and more sophisticated, we need these legions of extra pairs of eyes in the field to make sure that we have all the information to protect everyone. If we\u2019re not the target, we would never be able to access to this data otherwise.<\/p>\n

Once the nasties have been found, researchers take them back and tear them apart so that we can find ways to protect against them. And at the end of the day, we share information about the threats with a variety of different organizations. Most security companies report particularly notable threats on blogs or in cybersecurity groups. We send information to law enforcement agencies when there is the possibility of prosecuting the offenders, or ISPs and Domain Name Registrars when there is an opportunity to shut down a cybercrime operation.<\/p>\n

This last instance is another instance where reports from customers are essential. Part of the process of proving a crime that has been committed is bad enough to warrant arresting someone or shutting down a web address, is assessing monetary damage. Security companies can\u2019t know this information because it isn\u2019t our machines that are being damaged; it\u2019s customers\u2019 machines.<\/p>\n

How does this pertain to Flame?<\/strong><\/p>\n

Now that I\u2019ve gone through this whole long pre-amble, you may be wondering: What does this have to do with the Flame situation?<\/p>\n

So, we know that Flame was a targeted attack. Likely state-sponsored. It was quite sneaky, and the target they were going after was very limited, both geographically and by industry. It wasn\u2019t exactly ninja-quality stealth, as samples of some components were sent to the security industry years ago. But nevertheless, it was pretty far under the radar.<\/p>\n

As no one in the security industry had a complete sample until several days ago, we didn\u2019t have a good idea of what we were looking at. The vast majority of samples come to security companies piecemeal, with little to no information. It\u2019s a little like trying to identify an elephant from a picture of its toenails. We might be able to tell you it\u2019s probably an elephant, but we won\u2019t have enough context to tell you whether it\u2019s Asian or African, whether it\u2019s male or female, how old it is, etc.<\/p>\n

The thing that really turned the tide with Flame is the cooperation of Iranian CERT<\/a> . Most countries have some sort of CERT, or Computer Emergency Readiness (or Response) Team. Most of those teams have some sort of relationship with security software companies to report incidents so that we can make sure the public is maximally protected. Because of the current international political situation, this has been very difficult with Iran. But they provided security vendors with enough information to get us all started on analyzing this threat in earnest.<\/p>\n

What does this have to do with me?<\/strong><\/p>\n

This is really what it all comes down to. Iranian CERT would not have had information to share if the affected companies had kept information about the Flame attacks to themselves. It\u2019s vitally important for all of us, not just government agencies or big businesses, to report cybercrime.<\/p>\n

There are not yet a lot of countries that have centralized cybercrime reporting, but here is a list of a few countries and their reporting instructions:<\/p>\n