A Prototype for Active Defense
Having recently been steered to the DNSChanger Working Group website, www.dcwg.org, we thought this was a pretty interesting approach to the identification and clean-up of the massive DNSChanger malware attack. This malware was used to manipulate Internet-based advertising, allowing a sophisticated international fraud ring to pose as a traditional business and illegally generate advertising fees.
The DNSChanger Working Group was created as a campaign to clean up the DNSChanger infection of 4 million computers in 100 countries. The Working Group includes participants such as Georgia Tech, Mandiant, and Trend Micro, with support from national and international CSIRTs (Computer Security Incident Response Teams) and Internet Service Providers (e.g. AT&T, Verizon, Comcast). The Working Group was publicly acknowledged as being instrumental to the FBI in the ultimate arrest of the cyber thieves, and it maintains an “are you infected” website for users.
Based on this apparent success, we ask whether this is a prototype that could be replicated by the U.S. Government and applied to persistent cyber attacks.
| Strength of the model | Open question |
|---|---|
| Cross-functional Working Group allows for “best of” solutions (i.e. industry, academia, etc.) | Does the Working Group scale to classified environments? |
| Remote “are you infected” scan is easy and efficient for users | Can this cloud SaaS model work automatically without manual scanning (perhaps with an opt-in function to avoid privacy concerns)? |
| Public listing of infection signatures allows for broad distribution | Can this model apply to zero-day environments? |
There are many facets of this prototype that need to be thought out, particularly the business-model question of how to cover the cost of keeping up with software and hardware in light of the current fiscal environment. However, we see this as a good initial start, given that the U.S. Government is the only entity with the authority to address Nation State attacks.