REDMOND, Wash.–The Microsoft Digital Crimes Unit has been spearheading botnet takedowns and other anti-cybercrime operations for many years, and it has had remarkable success. But the cybercrime problem isn’t going away anytime soon, so the DCU is in the process of building a new cybercrime center here, and soon will roll out a new threat intelligence service to help ISPs and CERT teams get better data about ongoing attacks. Dennis Fisher sat down with TJ Campana, director of security at the DCU to discuss the unit’s work and what threats could be next on the target list.
Threatpost: When you first started going out and doing the botnet takedowns, how much resistance did you see from people wondering why Microsoft was getting involved in this kind of thing?
Campana: Not much resistance at all, really. But we’re very careful about how we do this. We’re not just going out there shooting stuff. We walk in with a pile of legal documents. We’re asking for a judge to agree with what we found. We’ve tried really hard to be transparent with what we do. There are other groups out there that don’t have that same transparency. We’re an open book when it comes to the things we’re doing.
Threatpost: And this isn’t something that MIcrosoft does on its own. You’ve worked with other vendors on some of these actions. How important is that collaboration aspect of it?
Campana: Very important. We have a huge partnership program through our MAPP (Microsoft Active Protection Program) partners and that’s great. It’s bringing together people of a like mind. It’s been great to see that. I look forward to other companies doing this at some point.
Threatpost: Do you think that’s coming?
Campana: At the geek level, most of my counterparts in other companies want that to happen. We’re very lucky that we have tremendous support from the very top of the company on down for what we do. Without that top-down support, we wouldn’t be where we are. Folks at other organizations are working to get that. It’s necessary for this kind of work.
Threatpost: In the last few years the DCU has focused mainly on the botnet problem. Are there any other large threats looming out there that you’re looking at?
Campana: We’ve been working some on the problem of those phone scams where people call you up and tell you your PC is infected. That’s a huge problem. And we’ve done some work on scareware as well. But botnets are going to be the major issue for us to deal with I think. One thing that could become a bigger issue is mobile. It changes the way people are connected to the Internet. You’re connected to the Internet in a more permanent way. That’s the way computing is going, so the cybercrime would almost have to go that way, too. We’re also looking at some of the targeted attacks that are going after ad platforms. The problem of click fraud is a big one.
Threatpost: Once you do the takedown of a botnet and get through all of that, how much more is the DCU involved with what happens afterward?
Campana: It depends, but the idea is that we are working very hard behind the scenes before we go to the judge. We’re trying very hard to find the person who owns the servers we want to seize. When we go into a data center, that person isn’t there to defend himself, so we are working very hard to notify them that we took the servers. We want to find the person. We have to satisfy the judge that we did everything we could. We see a huge advantage in handing off a very nice package to law enforcement.
Threatpost: How is the Cyber Threat Intelligence Program you’re building going to work?
Campana: We’ve been testing it for about a year now. We’ve been sending emails once a week to the ISPs and CERTs we work with, and we looked at it and said, we’re a software company and a cloud provider, how can we marry those two to make this better. One of the huge assets for us is our scale. So we wanted to build something that scales. We’re signing up CERTs now for the new service. Right now the input for the service is only our MARS (Microsoft Active Response for Security) data. The second piece would be attack data from across the company. I want as much data as we can get.
Threatpost: How close it to being ready?
Campana: It works in the lab. But there’s a big difference between the lab and Internet scale. When you bring it into the real world, politics and other things get in the way.
Threatpost: One of the solutions to the botnet problem that people have talked about for years is having ISPs or security companies actively remove the malware from users’ machines. Is that a necessary step?
Campana: I want user consent. The user needs to take ownership of his own device. We have to balance what we could do and what we should do.
