EclecticIQ Blog

The GDPR’s New Challenge For Threat Intelligence Analysts

May 16, 2018

By Caitlin Huey, Senior Threat Intelligence Analyst

With the May deadline for GDPR compliance nearing, the security community — especially threat intelligence analysts — will soon be subject to new ways of working. What this means to analysts in particular has not been spelled out.

In a previous post about GDPR, we described how the use of cyber threat intelligence (CTI) paired with intelligence sharing is one way to stay ahead of the threat landscape and improve situational awareness. This piece explores just one of the things that may change under GDPR: the importance of intelligence sharing.

When the new regulation comes into effect, companies will be forbidden from publishing information that identifies individuals. What this means for analysts is that ICANN’s (Internet Corporation for Assigned Names and Numbers) agreements with registrars about WHOIS data will be illegal, at least in Europe. GoDaddy, for instance, recently retracted bulk searches of WHOIS contact details for customers. Other registrars are likely to do the same.

But why should analysts care? And what is the direct impact to their workflows?

Analysts rely on WHOIS data — which is publicly accessible or available via fee-based tools — for day-to-day research and analysis. WHOIS is widely used to identify registered users of domain names, as well as IP address blocks or autonomous systems (ASNs). It has also been helpful for finding other types of information, such as email addresses and phone numbers.

For many analysts, losing WHOIS transparency means less ability to pivot between potential threats and the real-life identities and personas behind those threats. One high point in analyst work has long been going down the WHOIS ‘rabbit hole’ to discover that a bad actor has messed up by using a personal, public email address to register a domain for collecting ransomware payments.

Before OPSEC (operational security) was cool, and before adversaries became skilled at obfuscating their activities, that one-time discovery that an adversary registered a Minecraft server with a personal Gmail account could prove to be the break an analyst needed in an investigation.

Countless stories have been shared in the industry about how finding just one email address registered to a domain used for C2 (command and control) malware led to more insights about the malware threat and those operating it.

To help figure out what a GDPR-compliant WHOIS agreement would look like, ICANN on 28 February proposed an interim compliance model on how to deal with WHOIS data. In its model summary, ICANN described ‘tiered/layered access to WHOIS data’ under which registries would not be able to make all personal data in WHOIS directories available to the public.

This model represents a significant change to the current WHOIS system. Some highlights are listed below:

The registrant name field will not be published in the public WHOIS

The address fields that could be used to more specifically identify the registrant would not be included in the public WHOIS

  • The public WHOIS would include an anonymized, privacy-protected email address — not a personal one
  • The registrant phone number would not be required to be published in the public WHOIS

With this potential threat of WHOIS data ‘going dark’, it is worth looking back on various means of intelligence sharing, and on how some analysts have depended on WHOIS data for bulk access to unique data points:

  • BEC (business email compromise): Various groups and organizations openly sharing spoofed domains and domain registrants in efforts to prevent larger financial losses
  • Tracking and monitoring of bulletproof hosting providers (BPH)
  • Identifying trends in APT (advanced persistent threat) activity where groups register a set of domains for phishing purposes

ICANN is currently seeking comments on its proposal via gdpr@icann.org. It’s vital that the security community participates in this process, as it’s highly likely we could face some rather large workarounds to our normal processes.

The preceding discussion doesn’t attempt to cover other potential impacts that GDPR may have on analyst workflows. For instance, analysts have traditionally used social media to monitor, identify or gather PII (personally identifiable information) about various companies or institutions; this ability may change depending on how social media platforms will operate in the future under GDPR. Another area that could be affected involves cases where individuals’ financial information or PII is posted on forums or accessible paste sites.

In the end, analysts will continue working to identify threats and risks that are posed when certain types of PII is exposed. While GDPR will help prevent some of that data from appearing where it shouldn’t, it could also present analysts with some interesting new challenges in identifying and assessing threats.

We hope you enjoyed this post. Subscribe to our blog for more interesting reads on Cyber Threat Intelligence or check out our resource section for whitepapers, threat analysis reports and more.

Sources:

https://motherboard.vice.com/en_us/article/vbpgga/whois-gdpr-europe-icann-registrar

https://www.icann.org/en/system/files/files/proposed-interim-model-gdpr-compliance-summary-description-28feb18-en.pdf

https://www.icann.org/news/blog/data-protection-privacy-update-seeking-input-on-proposed-interim-model-for-gdpr-compliance