Real-Time Botnet Threat Intelligence Data Feed Offered By Microsoft

Microsoft is planning to make the data it collected as part of its botnet takedown operations available as a real-time threat intelligence feed.

The company would distribute threat data obtained from captured botnets and other sources to foreign governments, law enforcement, Computer Emergency Response Teams and private corporations, two members of the Microsoft Digital Crimes Unit told attendees at the International Conference on Cyber-Security at Fordham University.

Partners would be able to access the information using application program interfaces (APIs) that would be provided free by Microsoft.

Joining up the bots

When the real-time threat intelligence data service goes live, Microsoft plans to offer three different feeds. These would enable partners to look for malware infections that often are part of botnet activity, or correlate host data with information on various Internet scams, such as click fraud, to connect the dots between them, according to T J Campana, a senior programme manager in the Microsoft Digital Crimes Unit. Microsoft declined to say when the new real-time feed would go live.

Sharing threat intelligence data was an oft-recurring theme at ICCS. Better co-ordination and information-sharing between law enforcement, security researchers and private organisations is essential in the battle against cyber-criminals, Barry Green, the president of the Internet Systems Consortium, told attendees on the first day of the conference. While public-private partnerships are essential, there needs to be more data-sharing and private-private collaboration within the industry, according to Green. RSA Netwitness already offers a real-time data feed of network threat intelligence data collected from multiple sources.

“We collect a tremendous amount of data from our global assets,” said Campana.

Microsoft has been collecting botnet data from a number of sources. The company’s vast Internet infrastructure, which includes a global load-balanced, 80Gbps network, can take over whole botnets and point the infected hosts to servers that Microsoft controls, according to Campana. This way, Microsoft is able to capture the botnet activity for its data collection purposes while effectively stopping the malicious traffic.

Data obtained during the recent operations that helped shut down the Kelihos, Rustock and Waledec botnets in the United States would also be included in the service. The takedowns, such as the operation for Rustock in March 2011 and the Waledec campaign in 2010, were a significant source of data, according to Richard Domingues Boscovich, a senior attorney in the Microsoft DCU who spoke during the same session as Campana. Microsoft has been collecting the data for three years, using a manual process and working with various partners such as CERT, according to Boscovich.

The data harvested from the Kelihos botnet back in September is already stored in the system, which includes IP addresses of infected systems, Autonomous System (AS) numbers as assigned by regional Internet registries (RIR) and reputation data provided by Microsoft’s Smart Data Network Services, Campana said. Microsoft will not include the personally identifiable information that had been collected by the botnet in the threat intelligence feed, according to Campana.

Botnet library services

Microsoft partners wanted a way to access the botnet data Microsoft had accumulated in a faster and more efficient manner, which provided the impetus for the data service. Once live, the service would segment the data, and only the relevant pieces of data will be shared with the partner. For example, national or regional CERTS would be more likely to prefer seeing threat intelligence related to their geographic area. The service will also give small organisations the security intelligence necessary to battle large global botnets without having to invest in complex analysis and forensics or engaging the professionals capable of using those tools.

Microsoft has been beta-testing the system internally, according to Campana. The system appears to be a 70-node cluster running Apache’s Hadoop software framework on top of Windows Server, Campana said. The open-source Hadoop software allows organisations to work with petabytes of data and thousands of nodes.

The third annual International Conference on Cyber Security: A White Hat Summit was a joint effort between the Federal Bureau of Investigation and Fordham University. Leaders from law enforcement, industry and academia discussed cyber-crime and real-life operations during the conference, which ran from 9-12 January at the Fordham University campus in New York.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.

Share
Published by
Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.

Recent Posts

Ericsson To Cut 1,200 Jobs in Sweden Amid ‘Challenging’ Market

Swedish telecoms giant Ericsson blamed “challenging mobile networks market” and “further volume contraction” for job…

10 hours ago

FTX’s Sam Bankman-Fried Sentenced To 25 Years In Prison For $8bn Fraud

Dramatic downfall. Sam Bankman-Fried sentenced to 25 years in prison for masterminding $8bn fraud that…

11 hours ago

Elon Musk Orders FSD Demo For Every Tesla US Sale

Fallout avoidance? Tesla buyers in the US must be shown how to use the FSD…

12 hours ago

Amazon Pumps Another $2.75 Billion Into Anthropic

Amazon completes its $4bn investment into AI firm Anthropic, after providing an additional $2.75bn in…

14 hours ago

The Sustainability of AI

While AI promises unparalleled efficiency, productivity, and innovation, questions regarding its environmental impact loom large.…

17 hours ago

Trump’s Truth Social Makes Successful Market Debut

Shares in Donald Trump’s social media company rose about 16 percent after first day of…

17 hours ago