
InfoSec Challenge: When To Be Quiet, When To Go Public

Blog Post created by B-C-METOYX Employee on Feb 5, 2015

I've seen way too many security advisories over the years to count. The more critical the issue, the more publishable it was. But that was my perspective as a journalist working for news organizations. In my current role, I'm seeing things from the beginning of the internal vetting process. There's a lot we want to make public, but there's a lot we have to keep to ourselves.

There are a variety of reasons for this. Some threats can't be shared with the public because doing so would put our customers at greater risk of attack. Others can't be shared because a plan of action hasn't been worked out yet. Many discussions and email threads take place between the time a problem is discovered and the time a public advisory goes out. Sometimes a finding never goes public: we simply help the customer mitigate the issue and move on. For someone trained to publish as much news as possible, it's been a challenging education.

But not an impossible one. We communicate our procedures and decisions based on the Traffic Light Protocol (TLP), a voluntary standard adopted by the United States Department of Homeland Security that applies when an organization shares threat intelligence and attack information with other organizations. What follows comes from our own internal wiki, shared in the hope that customers and the general public will get a better understanding of how we do things.

We hope it helps!

Inside Akamai, we primarily see two types of information:

--Information shared with Akamai from an external source, or information created by Akamai for internal use only. In this scenario, the TLP usage standards relate to how the information is shared within Akamai; for instance, information about a group of attackers that is derived from intelligence activities. In the case of data from an external source, the information is classified by the creator and cannot be modified by Akamai.

--Information generated by Akamai and shared with customers and other top-level incident response teams and coordination centers. For instance, threat advisories generated by the Akamai CSIRT that are written to be releasable to specific verticals/industries and geographies, or to a list of affected customers.

Classification / What It Contains

Red
--Data breach of or attack on a specific customer or prospect listed by name.
--Blocking rules, the disclosure of which would severely impact our ability to protect our customers.
--Example attack code.
--Information derived from classified or government sources.
--Information that would let attackers know that they are under surveillance.
--Data which could expose the aforementioned information types through a simple Google search.

Amber
--Tactics, techniques, and procedures for a specific threat actor or group thereof.
--Blocking rules such as IP blacklists or custom WAF rules.

Green
--General trends.
--High-level blocking rules such as standard WAF rules.
--General Akamai platform capabilities normally releasable under NDA.
--Information that would not impact customers.

White
--Marketing materials.
--News articles.
--Blog posts.

Handling Instructions


External Sources or For Internal Use Only

If information is received from external sources, the external source determines the TLP classification. The TLP classification applies directly to the Akamai receiver of the information.

If information is generated by Akamai but is not designed to be customer-facing, the TLP classification applies directly to the Akamai receiver of the information.

Classification / What You Can Do With It

Red
Optional Marking: "Akamai Internal Use Only"
Do not share, even internally within Akamai. Do not discuss this information outside of the initial distribution list, meeting or phone call.

Amber
Optional Marking: "Akamai Internal Use Only"
Share with incident responders inside Akamai. This information is not to be shared verbatim with customers.

Green
Share freely inside Akamai. Share with customers' incident response, InfoSec, security operations, etc. for customers in the relevant industries and geographies.

White
Share with any and all customers.


Customer-Facing or Releasable to Customers

If information is generated inside Akamai, it can either be created for internal-only use or it can be created specifically for release to all customers or to a limited subset of customers. The TLP classification applies directly to the customer receiving the information from Akamai, and Akamai employees need to understand how to release it to customers. In most cases, the release instructions will be in an email, with the actual information to share in a PDF, DOC, etc. carrying only the TLP classification on the document. If a document is marked TLP:RED or TLP:AMBER and does not have "Releasable to Customers" marked, the document must not be given to customers. Assume instead that the data is classified according to the table above.

Classification / What You Can Do With It

Red
Mandatory Marking: "Releasable to Customers"
Share only with the respective account teams for customers that the information is relevant to. Share only with relevant customers, and preferably with their incident response, InfoSec, or security operations teams.

Amber
Mandatory Marking: "Releasable to Akamai Customers"
Share with the respective account teams for customers that the information is relevant to, CSIRT, the threat-intel email list, platform architects, and InfoSec.
Share with customers in the relevant industry, geography or sector.

Green
Mandatory Marking: "Releasable to Akamai Customers"
Share freely inside Akamai. Share with any and all customers.

White
Mandatory Marking: "Releasable to Akamai Customers"
Share freely inside Akamai. Share with any and all customers.

Outcomes