Microsoft Readying Real Time Hosted Threat Intelligence Feed

New York City – Microsoft has proven that it can take down huge, global botnets like Kelihos, Rustock and Waledac. Now the company is ready to start making the data it acquires in those busts available to governments, law enforcement and customers as a real-time threat intelligence feed.

Representatives from the Redmond, Washington software maker told an audience at the International Conference on Cyber Security (ICCS) here that it was testing a new service to distribute threat data from captured botnets and other sources to partners, including foreign governments, Computer Emergency Response Teams (CERTs) and private corporations.

“We collect a tremendous amount of data from our global assets,” said T.J. Campana, a Senior Program Manager in Microsoft’s Digital Crimes Unit (DCU). The company is now working on a way to get slices of that information to its partners, including ISPs, CERTs, government agencies and private companies, based on their need, he said.

Microsoft has been beta testing the system internally in recent months. Campana described it as a 70-node cluster running the Apache Hadoop framework on top of Windows Server. It currently stores data culled from the Kelihos botnet in September 2011 and from other sources.

The data includes the IP addresses of Kelihos-infected systems, complemented by other data such as the AS (autonomous system) number and reputation data provided by Microsoft’s Smart Network Data Services (SNDS). Personally identifiable information (PII) would not be part of the threat feed, Campana said.

Microsoft collects the data by leveraging its huge Internet infrastructure, including a load-balanced, 80 Gb/second global network, to swallow botnets whole: pointing botnet-infected hosts to addresses that Microsoft controls, capturing their activity and effectively taking them offline.

Microsoft has long been collecting data from its botnet takedowns, including the Waledac (March 2010) and Rustock (March 2011) botnets, said Richard Domingues Boscovich, a senior attorney in the Microsoft DCU. “We’ve been doing this for three years, but it’s been a manual process, working with partners like CERT,” he said. Those partners requested a way to access the captured botnet data more quickly, ideally in real time. Now Microsoft thinks it’s close to providing that.

When fully deployed, Microsoft anticipates being able to offer three real-time feeds, which third parties could access using APIs (application programming interfaces) provided, for free, by the company.

Companies could use the data to look for opportunistic malware infections that often accompany botnet infections, or correlate data on botnet hosts with data on click fraud and other scams, Campana told the crowd.

Partner organizations would provide Microsoft with information on their IT infrastructure, such as an IP address block that they own. Microsoft would then filter its threat feed by that information, supplying subscribers with data relevant to their infrastructure.
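One way the per-subscriber filtering described above could work, as an added Python example that is not Microsoft's code: a subscriber declares the CIDR blocks and AS numbers it owns, and only feed records inside that footprint are returned, with any PII field stripped first (matching Campana's statement that PII is not part of the feed). The feed records, the `contact` field, the IP blocks and the AS numbers are all constructed.

```python
import ipaddress

# Constructed sample feed records (not real Microsoft data). Each record is a
# (infected host IP, AS number, SNDS-style reputation) tuple plus a hypothetical
# "contact" field that stands in for PII the feed must never pass on.
SAMPLE_FEED = [
    {"ip": "203.0.113.17", "asn": 64500, "reputation": "poor", "contact": "victim@example.net"},
    {"ip": "203.0.113.200", "asn": 64500, "reputation": "neutral", "contact": None},
    {"ip": "198.51.100.9", "asn": 64501, "reputation": "poor", "contact": "ops@example.org"},
    {"ip": "2001:db8::1", "asn": 64502, "reputation": "poor", "contact": None},
    {"ip": "not-an-ip", "asn": 64503, "reputation": "poor", "contact": None},  # deliberately malformed
]

# Field names that must be removed before a record leaves the feed (hypothetical).
PII_FIELDS = {"contact"}


def subscriber_view(feed, owned_blocks, owned_asns=()):
    """Return the slice of `feed` relevant to one subscriber.

    A record is relevant when its IP falls inside one of the subscriber's
    declared CIDR blocks (IPv4 or IPv6) or its AS number is one the
    subscriber owns.  PII fields are dropped from every returned record, and
    malformed records are skipped instead of aborting the whole feed.
    """
    networks = [ipaddress.ip_network(b, strict=False) for b in owned_blocks]
    asns = set(owned_asns)
    out = []
    for rec in feed:
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except (KeyError, ValueError):
            continue  # unparseable or missing address: not worth failing the feed over
        # `addr in network` is False when the IP versions differ, so mixed
        # IPv4/IPv6 block lists are safe here.
        in_block = any(addr in net for net in networks)
        if in_block or rec.get("asn") in asns:
            out.append({k: v for k, v in rec.items() if k not in PII_FIELDS})
    return out


if __name__ == "__main__":
    # A subscriber that owns 203.0.113.0/24 sees only the two hosts in that block.
    for rec in subscriber_view(SAMPLE_FEED, ["203.0.113.0/24"]):
        print(rec)
```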

National or regional CERTs might be interested in threats that were pertinent to their area. Microsoft also hopes that its service will extend the capabilities of smaller organizations and governments to battle large, powerful global botnets – lowering the cost of monitoring and responding to botnet infections.

The company wouldn’t give a timeline for deploying its new real time threat feed, but said that it would consider opening the new feeds to the public after it was satisfied with the outcome of an internal beta test.

The ICCS Conference at Fordham University in New York City is in its third year and is jointly sponsored by Fordham and the FBI. It brings together local, state and federal law enforcement from around the globe to discuss issues related to cyber criminal investigations and protections. 

Discussion

  • Anonymous on

    If it were IBM, they would turn this into a product.

    Google- use it for themselves in Chrome/DNS to suck in more users.

    MS- give it away...no wonder their stockholders aren't happy.

  • Anonymous on

    That is incredibly short-sighted.  You need to change the way you think.  Ask yourself, "What is the right thing to do for everyone's safety?"  This can have global impact and monetization would only create barriers.

    Ask yourself which company you trust because they do the 'right thing' - certainly not Google.

  • Anonymous on

    "What's right for everyone's safety?" - Fixing the fundamentally broken security model in Windows is the right thing to do. Oh, wait, it's much easier to provide a feed of threats pwning Windows machines..

  • Anonymous on

    I wrote a programme to defeat all Windows spyware, COFEE and Windows 7 spyware. M$ can kiss my arse.

  • AnonGooberGeek on

    Users for the most part will one day understand that Microsoft is one of the few companies out there that actually respects its customers' privacy and knows its obligation is to protect its customers’ data as well as their privacy...

    You know... those things that Google and Facebook don't provide.

    Long term, I'd rather lose a few bucks now, and when the general public finally realizes that vendors are making millions off of knowing every single little thing they do online or offline, having the customer come back and recoup those losses because I did what was right the first time, in the first place....

    Believe it or not, Microsoft actually cares about its customers and while that was not always the case, in the past several years, they have been and do listen to their customers and do protect privacy and continue to enhance security to protect their customers. Not many other tech entities are in that business any longer, and one day, those entities that thrive by selling customer data and trends will wish they had been…

    If the general public had a clue.. any clue what giants such as Facebook and Google were doing with customer data, there would be a mass exodus from those vendors' services….

    Ever wonder why you can send an email to someone like friend@ bank . com and all of a sudden get bank (targeted) ads in your gmail inbox that have bypassed spam filtering services?

    Hmmmmmmmmm….

     Just a geek blog


  • Anonymous on

    Re: "What's right for everyone's safety?" - Fixing the fundamentally broken security model in Windows is the right thing to do. Oh, wait, it's much easier to provide a feed of threats pwning Windows machines..

    *Troll*  :)  Get a new line.  As a Linux/Mac user, I am ashamed how stupid you make us look by suggesting Windows is fundamentally broken in regards to security.  All systems are broken; if you moved Windows users to OS X or another Linux deviation you would end up with just as many issues now coming from your "supposed unbreakable" platforms.

    There is no silver bullet in security; if someone says there is, they are selling you something or delusional.

    I applaud a company offering this data and supporting initiatives to improve our ability to both capture, understand and stop threats.

  • Anonymous on

    you guys are all retarded. I am SENIOR SECURITY SPECIALIST and all of you sound like prepubescent girls that got a Mac from their parents and learned how to use other people's scripts.... just saying

  • Anonymous on

    I don't believe Microsoft gives this information away for free... where's the link to the source? It's just talking about it though, no sign of action.

  • Paul Moriarty on

    This is fantastic news.  The threat intelligence market today is fractured and data quality varies wildly.  If anybody has the resources and the wherewithal to go after botnets on a global scale, it's Microsoft.

  • Anonymous on

    "you guys are all retarded. I am SENIOR SECURITY SPECIALIST and all of you sound like prepubescent girls that got a Mac from their parents and learned how to use other people's scripts.... just saying"

    Err ... sure you are. All SENIOR SECURITY SPECIALISTS I know talk exactly like this.

  • E.B. on

    While it's true that maybe Google or IBM would've created a product or service to charge for, Microsoft isn't doing this just for a better world. Microsoft (Windows) is known for suffering from viruses and zombie PCs, while Apple and others were lucky so far (due to their market share, not being a target). That's why Microsoft is trying to change perception. That's worth by far more than any value they could charge for that service. And as soon as Apple is suffering the same way as MS does, who do you think will be more advanced (due to experience) in defeating this? Shareholder value is not just about selling products.

  • Anonymous on

    Is Microsoft going to provide such information to ordinary end users, or will they be left in the dark again? Providing such information to ISPs, who have the ability to cut off a user's internet to save their own bandwidth and blacklist IP addresses, wouldn't they have the liberty to do so? Now think about some of the issues that may arise.

    Aside from all that, why not operate on a secured operating system rather than a feed? How is the information being collected? Wouldn't that breach an end user's right to privacy? They always say personal information isn't included, but you wait till you start seeing an advert for that shoe you looked at on eBay popping up on your desktop. One solution will create that many more threats.

    Now wait to see how LE abuse this system. After all, they have the API to code some rootkit for your PC. "We are collecting such information to help protect your PC from botnets".

    Why not go after the botnet as they did by collaborating with other agencies, companies, etc.? We haven't solved the issue with botnet tracking and shutting down, and now we're creating a whole new attack vector.

    Just another geek post.


  • .[d]. on

    Never under-estimate the power of Micr0s0ft!
