The GDPR’s enforcement date is finally upon us, and from Friday 25th May the entire security community will have to become accustomed to new and different ways of working in order to ensure that their organisations comply with the new legislation.
Much has been written, of course, about what IT security experts can do to help their organisations in their compliance efforts. However, in an environment in which a combination of cyber threat intelligence and intelligence sharing can enable businesses to improve their situational awareness and stay a step ahead of bad actors, it’s never been clearly spelled out just how GDPR is likely to impact the work of the threat intelligence analysts responsible.
A reliance on WHOIS data
As part of their day-to-day research, threat intelligence analysts tend to rely on WHOIS data, which is widely used as a means of identifying the registrants of domain names, blocks of IP addresses or autonomous systems. The data is served by a simple query/response protocol (RFC 3912, TCP port 43) and by the web front-ends that registrars and registries put in front of it.
While richer, historical and bulk data can be obtained via certain fee-based services, analysts will often make use of the many free WHOIS tools available on the internet, which allow anyone to look up the name, postal address, email address and phone number of any registrant who hasn't opted to mask their details behind a privacy or proxy service.
Analysts have a long and successful history of going down the WHOIS ‘rabbit hole’ to discover that careless criminals have registered domains for collecting ransomware payments using their own personal email address, thereby unwittingly incriminating themselves. Indeed, the industry is rife with stories of how, in the days before operational security (OPSEC) became a widely practised means of preventing the exploitation of critical information, and before bad actors became highly skilled at covering their tracks, a single email address on the registration record of a malware C&C (command and control) domain could lead analysts to every other domain registered with it, and from there to the threat and those behind it.
Under GDPR, however, the reliance by analysts on WHOIS data may be all set to change.
No more WHOIS data
ICANN (Internet Corporation for Assigned Names and Numbers), the non-profit organisation that co-ordinates the internet's domain name system, has agreements in place with thousands of domain registrars around the globe such as GoDaddy, HostGator or BlueHost, which require them to publish WHOIS data—such as names, emails, and phone numbers—for everyone that has a domain registered with their service. Once the GDPR is enforced, however, registrars and registries handling the personal data of people in Europe will no longer be able to publish it to the world without a lawful basis under the regulation, and unrestricted public publication of the full record does not have one. To that extent the agreements between ICANN and the domain registrars cannot be complied with lawfully. In fact, GoDaddy has already withdrawn the facility that allowed users to conduct bulk searches of the WHOIS contact details of its customers, and other registrars are expected to do the same.
On 28th February 2018, ICANN proposed an interim compliance model on how to deal with WHOIS data under GDPR. Representing a significant change to the current system, the new approach is described as offering ‘tiered/layered access to WHOIS data’, under which registries would no longer be able to make all personal data held in WHOIS directories available to the public.
In this latest model, for example, the public WHOIS data will no longer include a registrant's name, their phone number, or any address details that could be used to identify a specific individual. What's more, rather than a registrant's personal email address, the public WHOIS data would carry an anonymised, privacy-protected address or a web form through which the registrant can be contacted.
Hindering the ability of analysts
Removing the transparency offered by WHOIS data is likely to hinder the ability of threat intelligence analysts to pinpoint the real-life identities and personas that lie behind potential threats.
Defending against business email compromise, for example, depends on details of spoofed domains and their registrants being openly shared between various groups and organisations in order to prevent large financial losses; it is just one of many intelligence sharing practices employed by analysts that rely on bulk WHOIS access for unique data points to pivot on. Other means of intelligence sharing that could be adversely affected by WHOIS data ‘going dark’ under the new legislation include the tracking and monitoring of bulletproof hosting providers, which routinely ignore laws and contractual terms of service regarding internet content and service use, and the ability to identify trends in advanced persistent threat activity, where a group of bad actors registers a set of domains for phishing purposes using the same contact details.
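The registrant pivot described above, and what is left of it once the tiered model redacts the personal fields, as an added example that is not part of the original article or EclecticIQ's tooling. The three WHOIS responses are constructed for illustration (reserved `.example` names, no real people or servers); the two older records share a personal email address, the newer one carries a redaction marker and a per-domain anonymised address. The anonymised address pattern is an assumption about one registrar's format, not something ICANN's model specifies. Pivoting on the email address still links the two older domains, while pivoting on the name servers, which the model does not redact, links all three:

```python
"""Pivot on WHOIS registrant fields, then show what survives redaction."""
import re
from collections import defaultdict

# Constructed sample WHOIS responses for illustration only; none of these
# domains, people or servers are real (.example is reserved by RFC 2606).
# The first two use the pre-GDPR public format; the third shows the kind
# of output a tiered/redacted model produces (assumed registrar format).
SAMPLE_WHOIS = {
    "pay-unlock-files.example": """\
Domain Name: PAY-UNLOCK-FILES.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2017-11-02T10:14:00Z
Registrant Name: J. Doe
Registrant Email: jdoe1987@mail.example
Registrant Phone: +1.5555550100
Name Server: NS1.BULLETHOST.EXAMPLE
Name Server: NS2.BULLETHOST.EXAMPLE
""",
    "decrypt-now-support.example": """\
Domain Name: DECRYPT-NOW-SUPPORT.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2017-11-02T10:21:00Z
Registrant Name: J. Doe
Registrant Email: jdoe1987@mail.example
Registrant Phone: +1.5555550100
Name Server: NS1.BULLETHOST.EXAMPLE
Name Server: NS2.BULLETHOST.EXAMPLE
""",
    "invoice-portal-login.example": """\
Domain Name: INVOICE-PORTAL-LOGIN.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2018-06-01T08:02:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: 7f3c9a2e@anonymised.example
Registrant Phone: REDACTED FOR PRIVACY
Name Server: NS1.BULLETHOST.EXAMPLE
Name Server: NS2.BULLETHOST.EXAMPLE
""",
}

# The fields that identify a person and that the tiered model withholds.
PERSONAL_FIELDS = ("registrant name", "registrant email", "registrant phone")
# Anonymised addresses are per-domain tokens, so they never match across
# domains. This pattern is an assumed registrar format, not an ICANN one.
ANON_EMAIL = re.compile(r"^[0-9a-f]{8}@anonymised\.", re.IGNORECASE)


def parse_whois(text):
    """Parse 'Key: value' lines into {key: [values]}.

    Keys are lower-cased; repeated keys (e.g. Name Server) accumulate.
    """
    record = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key and value:
            record[key].append(value)
    return dict(record)


def is_redacted(key, value):
    """True when a value carries no usable identity: an explicit redaction
    marker, or a registrar-generated anonymised email address."""
    if "REDACTED" in value.upper():
        return True
    return key == "registrant email" and bool(ANON_EMAIL.match(value))


def pivot(records, field):
    """Group domains that share a WHOIS value, skipping redacted values.

    Returns {value: sorted domains} for values seen on two or more domains.
    """
    groups = defaultdict(set)
    for domain, record in records.items():
        for value in record.get(field, []):
            if not is_redacted(field, value):
                groups[value.lower()].add(domain)
    return {v: sorted(d) for v, d in groups.items() if len(d) > 1}


def redacted_fields(record):
    """Personal fields of a record that have been withheld."""
    return sorted(k for k in PERSONAL_FIELDS
                  if any(is_redacted(k, v) for v in record.get(k, [])))


def demo():
    records = {d: parse_whois(t) for d, t in SAMPLE_WHOIS.items()}
    return {
        "by_email": pivot(records, "registrant email"),
        "by_nameserver": pivot(records, "name server"),
        "redacted": {d: redacted_fields(r) for d, r in records.items()},
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The name-server pivot is weaker evidence than a shared personal address, since unrelated customers of the same host share name servers too, which is why the article treats the loss of the registrant fields as a loss of attribution power rather than a mere inconvenience.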
Consideration must also be given to how social media platforms will operate under GDPR and the potential impact that any changes to their governance may have on the use of social media by analysts to monitor, identify or gather personally identifiable information (PII) on businesses or institutions. Likewise, any change to the rules around the posting of an individual's PII or financial information on internet forums is also likely to have an adverse effect on the work of the threat intelligence analyst community.
The remit of the GDPR isn’t at odds with that of the security community – both have the protection of information at heart, after all. Once implemented, however, the new legislation is likely to present analysts with some interesting new challenges when it comes to identifying and assessing threats.
ICANN is currently seeking comments on its proposed compliance model and, given the model's implications for how analysts will discover and analyse information in future, it's vital that the entire security community – and threat intelligence analysts in particular – participates in this feedback process.
Ultimately, the sharing of threat intelligence is a key part of protecting the information of an organisation, its employees and its customers. It's for this reason that, regardless of the impact GDPR has on their traditional methods, analysts will keep adapting to the challenges it brings in order to continue identifying and mitigating the threats and risks that arise when that information is exposed.
Caitlin Huey, Senior Intelligence Analyst at EclecticIQ