Will Threat Intelligence Go Dark Under GDPR?
The GDPR’s enforcement date is finally upon us, and from today the entire security community will have to become accustomed to new and different ways of working to ensure that their organizations comply with the new legislation.
Much has been written, of course, about what IT security experts can do to help their organizations in their compliance efforts. However, it has never been clearly spelled out just how GDPR is likely to impact the work of the threat intelligence analysts responsible for identifying cyber threats and helping businesses to stay a step ahead of bad actors.
A Reliance on WHOIS Data
As part of their day-to-day research, threat intelligence analysts tend to rely on WHOIS data, which is widely used as a means of identifying registered users of domain names, blocks of IP addresses or autonomous systems.
While the information can be obtained via certain fee-based services, analysts often make use of a number of free WHOIS tools available on the Internet that allow anyone to look up the name, address, email and phone number of any registrant who hasn’t opted to mask their information.
Analysts have a long and successful history of going down the WHOIS “rabbit hole” to discover that careless potential criminals have registered domains for collecting ransomware payments using their own public email addresses, thereby unwittingly incriminating themselves. Indeed, the industry is rife with stories of how, in the days before operational security became a popular means of preventing the exploitation of critical information and before bad actors became highly skilled at covering their tracks, a single email address registered to a domain used for malware C&C (command and control) could lead analysts to learn more about the threat and those behind it.
Under GDPR, however, the reliance by analysts on WHOIS data may be all set to change.
ICANN (Internet Corporation for Assigned Names and Numbers), the nonprofit organization responsible for maintaining and coordinating the Internet, has agreements in place with thousands of domain registrars around the globe, such as GoDaddy, HostGator and Bluehost, which require these registrars to post WHOIS data—names, emails, and phone numbers—for everyone that has a domain registered with their service.
When the GDPR is enforced, however, companies—in Europe at least—will no longer be permitted to publish any information that could be used to identify an individual. The agreements between ICANN and the domain registrars will therefore be deemed illegal under the regulation.
GDPR is likely to present analysts with some interesting new challenges when it comes to identifying and assessing threats.
In fact, GoDaddy has already retracted the facility that allows users to conduct bulk searches of WHOIS contact details of its customers, and it won’t be much longer before other registrars do the same. On February 28, 2018, ICANN proposed an interim compliance model on how to deal with WHOIS data under GDPR. Representing a significant change to the current system, the new approach is described as offering “tiered/layered access to WHOIS data,” under which registries would no longer be able to make all personal data held in WHOIS directories available to the public.
In this latest model, for example, the public WHOIS data will no longer include details of a registrant’s name, their phone number, or any address details that could be used to specifically identify an individual. What’s more, rather than a registrant’s personal email address, the public WHOIS data would include an anonymized, privacy-protected address instead.
Removing the transparency offered by WHOIS data is likely to hinder the ability of threat intelligence analysts to pinpoint the real-life identities and personas that lie behind potential threats.
Business email compromise, for example, in which details of spoof domains and domain registrants are openly shared by various groups and organizations to prevent large financial losses, is just one of many intelligence sharing techniques used by analysts who depend on WHOIS data for bulk access to unique data points.
Other means of intelligence sharing that could be adversely affected by WHOIS data “going dark” under the new legislation include the tracking and monitoring of bulletproof hosting providers, who often bypass laws and contractual terms of service regarding Internet content and service use, and the ability to identify trends in advanced persistent threat activity, in which groups of bad actors register a set of domains for phishing purposes.
Tracking Will Be Harder
Consideration must also be given as to how social media platforms will operate under GDPR and the potential impact that any changes to their governance may have on the use of social media by analysts to monitor, identify or gather personally identifiable information (PII) on different businesses or institutions. Likewise, any change to rules around the posting of an individual’s PII or financial information on Internet forums is also likely to have an adverse effect on the work of the threat intelligence analyst community.
The remit of the GDPR isn’t at odds with that of the security community—both have the protection of information at heart, after all. Once implemented, however, the new legislation is likely to present analysts with some interesting new challenges when it comes to identifying and assessing threats.
ICANN is currently seeking comments on its proposed compliance model and, given its implications regarding the future of their processes for the discovery and analysis of information, it’s vital that the entire security community—and threat intelligence analysts in particular—participates in this feedback process.
Ultimately, the sharing of threat intelligence is a key part of protecting the information of an organization, its employees and its customers. It’s for this reason, therefore, that regardless of the impact that GDPR will have on their traditional methods, analysts will continue working to adapt to the challenges GDPR may bring in order to keep identifying and mitigating against the threats and risks that may arise from that information being exposed.
This article was previously published by ITProPortal.