Most cybersecurity threat researchers are missing out on ways to leverage the Shadowserver Foundation’s Infrastructure. Patrick Garrity highlights an aspect of this in his post about the collaboration to identify additional CVEs.
If you are a threat researcher, consider accelerating the process Patrick is highlighting. Don’t sit on your discovery in the dark or disclose on your own. Reach out to a community ecosystem that can help spread the word.
Here is one example of how threat researchers can utilize the Shadowserver Foundation’s infrastructure (taken from my personal experience). Shadowserver’s collaborative community can peer review, validate vulnerability risk, and work collaboratively to raise awareness.
- The Threat Researcher finds a new vulnerability risk. This could be someone at a company, an individual, or a student. You reach out to the Shadowserver Foundation via contact@shadowserver.org or use this form: https://www.shadowserver.org/contact/. All communications are TLP: RED (see the Traffic Light Protocol).
- Ask Shadowserver for help. They can use your data to build scans, run the prototype scans to validate your findings, help evaluate the risk, and consult on a plan of action. This conversation is all TLP: RED.
- Shadowserver validates the scan’s ability to deliver results. Sometimes, there is no logical way to scan effectively. Shadowserver and the Threat Researcher would work together and sometimes pull in other researchers from the Shadowserver Alliance to find an effective scan. Again, the integrity of the Threat Researcher is respected. It is their “finding of risk.”
- New Scan Types and Sensor Rules to detect “exploitation” are crafted and deployed. These are not published and are used to prepare for public disclosure. New insights are discovered, scaling issues are uncovered, and the process of publishing reports to Shadowserver Subscribers is validated.
- Public Notification Preparation. At this time, the Threat Researcher and Shadowserver set a time for the public disclosure. Often, the Threat Researcher’s blog, a vendor’s vulnerability disclosure, or other notice is timed with the Shadowserver Public Alert Notifications.
- Shadowserver Alliance Peer Review. Once the disclosure timetable is in place, the public alert notification is shared under TLP: AMBER+STRICT guidelines with the Shadowserver Alliance via the Alliance chat. This serves both as a peer review and as advance notice so CSIRTs can prepare. It allows top researchers to double-check everything.
- Public Disclosure and Rapid Alert Notification to Thousands. When the Threat Researcher posts, Shadowserver posts at the same time. The Threat Researcher’s post is part of the Shadowserver alert details. This alert is distributed to thousands of organizations worldwide. Subscribing to these reports is a public benefit – there is no cost to the subscriber.
Now the world is aware of the risk that the Threat Researcher discovered. The researcher does not need to worry about notifying CSIRT/CERT teams around the world; Shadowserver took care of it. A Threat Researcher does not need to monitor when the risk becomes an “active exploit.” Shadowserver has deployed the sensors and will let everyone know (as with the VulnCheck team).
More critically, this process plugs into a non-profit ecosystem focused on rapidly mitigating cyber risk. The next time you find a vulnerability, reach out to the community. Explore how you might be able to leverage the Shadowserver Foundation’s Infrastructure. Shadowserver’s daily alert reporting might be the key to helping an organization manage its risk, protect itself, and save lives.
