A Critical Internet Safeguard Is Running Out of Time
Credit to Author: Lily Hay Newman| Date: Mon, 16 Mar 2020 12:00:00 +0000
Keeping the internet safe may sometimes feel like a game of Whac-A-Mole, reacting to attacks as they arise, then moving on to the next. In reality, though, it's an ongoing process that involves not just identifying threats but grabbing and retaining control of the infrastructure behind them. For years a small nonprofit called Shadowserver has quietly carried out a surprisingly large portion of that work. But now the organization faces permanent extinction in a matter of weeks.
There's a pivotal scene in Ghostbusters in which Environmental Protection Agency inspector Walter Peck marches into the group's headquarters, armed with a cease and desist order. "Shut this off," Peck tells the utility worker accompanying him. "Shut this all off." They cut power to the Ghostbusters' protection grid, and all the ghosts are released. Think of Shadowserver as the internet's protection grid.
"Something similar will take place on a digital basis if Shadowserver were to close up shop," says Roland Dobbins, principal engineer of Netscout Arbor. "The work they do in conjunction with network operators, security researchers, law enforcement, and technology vendors is a mainstay of internet security work today."
For more than 15 years, Shadowserver has been funded by Cisco as an independent organization. But thanks to budget restructuring, the group now has to go out on its own. Rather than seek a new benefactor, founder Richard Perlotto says the goal is for Shadowserver to become a fully community-funded alliance that doesn't rely on any one contributor to survive. The group needs to raise $400,000 in the next few weeks to survive the transition, and then it will still need $1.7 million more to make it through 2020—an already Herculean fundraising effort coinciding with a global pandemic. They’ve set up a page for both large corporate donations and smaller individual contributions.
It's hard to overstate the importance of the organization's work. Shadowserver scans more than 4 billion IP addresses—almost the entire public internet—every day and puts together activity reports based on the findings for more than 4,600 network operators, as well as the national computer security incident response teams of 107 countries. Shadowserver also hosts a repository of 1.2 billion malware samples, similar to Google's VirusTotal, that's freely accessible. In all, the organization hosts more than 11.6 petabytes of threat intelligence and malware-related data. But all of that is just for starters.
The real ghost-escape potential comes from the fact that Shadowserver doesn't just monitor incidents, it also actively works to contain them. The organization has a vast "honeypot" and "sinkholing" infrastructure. The former lures attackers and records details about them, while the latter diverts malicious traffic into a sort of digital black hole and away from its intended target.
Shadowserver says it sinkholes up to 5 million IP addresses per day, neutralizing malicious firehoses of data that would otherwise spew from botnets and disruptive malware. More than four years after researchers exposed the iOS and macOS malware known as XcodeGhost, for example, Shadowserver still has more than half a million devices connecting to its sinkhole in an attempt to talk to the malware's command and control infrastructure. The organization also runs what it calls a "registrar of last resort," which takes control of malicious domain names to disrupt criminal infrastructure, so malware can't phone home to follow a hacker's commands.
On top of all of this, Shadowserver collaborates very actively with law enforcement groups all over the world to use its own infrastructure and expertise in massive coordinated operations. In recent years, for example, Shadowserver participated in 2016's Avalanche takedown and 2019's Goznym takedown. The organization says its goal is always to help law enforcement make arrests and remediate damage to victims.
"If we hadn’t been there to help mitigate these losses, how much larger would they have been?" Shadowserver's Perlotto says. "And if we stop mitigating these losses, how large will they be in the future? Because we’ve been quietly erasing a portion of the threat to the internet for 15 years, and people just didn’t know about it. Someone else paid the bill."
Though Shadowserver has a separately funded sister branch in Europe and its "registrar of last resort," which is technically a separate foundation based in the Netherlands, Perlotto says that he and the other Shadowserver employees and volunteers never had an interest in raising the organization's profile. Instead, the group worked on building trust with law enforcement and the security industry. "We’re just engineers," Perlotto says. "We just know how to do the job, complete the mission. But we can’t keep our heads in the sand about the work anymore."
Cisco says it is "proud of its long history as a Shadowserver supporter and will explore future involvement as the alliance takes shape."
Perlotto emphasizes that the funds he's seeking are nothing compared to the resources it would take to form a new version of Shadowserver if the current one disappears. The law enforcement relationships and infrastructure in particular would take years to rebuild.
"The Department of Justice has all of our contact and IP information," he says. "We’ve had things just entered in subpoenas and then told about after the fact, like 'By the way we’re using your sinkhole.' And we say, 'Uh … which one? We have a lot!' It would be difficult to build a Shadowserver from scratch today."
There are many other organizations that do similar work, but most are research and defense units within for-profit companies. Shadowserver's relatively neutral position makes it unique. But if it shuts down, the digital Pandora's box Shadowserver has built over more than 15 years will break open and flood the internet.
"This is something that’s absolutely vital to internet security for everyone, and those in the operational security community and law enforcement communities who took advantage of it basically thought it was free forever," Netscout Arbor's Dobbins says. "But it ain’t free."