CyberCommand to share attack sigs

In SANS NewsBites last week (vol 13 #14), Alan Paller reported that US Cyber Command will test a program sharing classified attack signatures with private industry.

I guess my black helicopter merit badge has expired because I didn’t immediately think of the dark possibilities. I thought it sounded good. I’m frustrated when I hear security intel from end users in the government rather than from the government itself. The government cares enough to FISMA me, shouldn’t they care enough to share intel?

Securology has a darker take. He posits that this will take the form of IPS signatures. Naturally you’ll just add their feed in because who has time to review signatures before deploying? I imagine they would be compiled signatures to make it (slightly) more difficult to reverse what is being monitored. Do you really trust the government enough to control your pipes? Securology posits a day when they silently drop Wikileaks packets (for example).

I wonder about the efficacy of these signatures anyway versus what is available through the private sector. Will this just help us detect yesterday’s attack?

One Comment

  1. If the signature is classified, it cannot be placed on an unclassified device. PERIOD. That generally precludes direct use of a classified signature for I*P*S efforts.

    Conceivably you could attach a certified one-way optical tap to an unclassified network, and then feed the unclassified network stream to a classified box that holds the signatures. This gives you I*D*S functionality. Alert, Sense, and warning. That’s it. Nothing too terribly nefarious.

    Now… when they start asking to plug in their own black boxes on your network, smile, and say “trust us,” that is when I will get concerned.
