Why Collaboration Requires More Than a Local Team

Written by

Earlier this week, Infosecurity attended NTT Security’s ISW 2018 conference in central London, which was framed around the concepts of intelligence, scenario planning and collaboration. One person covering all of these areas for NTT Security is Steven Bullitt, global VP threat intelligence & incident response, who spoke at the event on the need for better collaboration between the private and public sectors, and law enforcement. 

Formerly a supervisor of the Electronic Crimes Program at the US Secret Service, Bullitt came on board in early 2016 as part of the acquisition of Solutionary. 

In a keynote session, Bullitt said that there is a common problem that adversaries are in different countries not only from those that they attack, but also from the servers and services that they are using, and for law enforcement this results in a scenario where incidents are “chased through resellers.”

He said that the priority for law enforcement is to arrest and charge, but for the public sector it is policy and geo-politically driven, and for the private sector “it is the bottom line,” and the capable criminal networks of collaboration are not being replicated by those defending and capturing.

He said: “Law enforcement has to work on absolutes, private sector can only get so far and some do a good job on mapping out an infrastructure, but at the end of the day you need to work together.”

Speaking to Infosecurity, he said that global visibility is needed with today’s threats and each country thinks their nation’s agenda is the primary focus, but relying solely on a regional team is not enough.

In the case of building a team, do companies need to look externally from their own countries to hire? Bullitt said that the right fit is needed, and while he has a Masters degree in Forensic Science, most of his skills have been self-taught and learned through experience.

“The threat environment is constantly changing, and applications change as the landscape evolves and you’ll always have the threats out there,” he said. 

Is it the case that law enforcement will never catch up with this evolution? He said that the crime-as-a-service model works and is profitable, and there is an unlimited supply of vulnerable targets out there, and we work in silos.

Pointing to the takedown of AlphaBay in 2017, Bullitt argued that this showed what can be achieved when law enforcement is involved, as they get a court order and a sinkhole while in other cases, the attackers simply re-group and move their botnet.

“The one thing you see with these takedowns is they are never alone, law enforcement is always working with the private sector and with NTT Security, I really want to be part of that team,” he said.

“I just feel that in the private sector you’re only going to get so far, so you trace an IP address to an ASN or an ISP and then what? You cannot really find that domain, as it was probably re-sold to another reseller who sold it to another, so you really don’t know who owns that hosting environment. So unless you have law enforcement involved, you’re going to stick with the assumptions.”

Bullitt said that the technical side does have the advantage over law enforcement, but the partnerships need to be formed across the globe.

So how well is this working? Bullitt said that he had worked with the United Nation’s Internet Governance Forum and they were struggling to establish “norms,” as there is still the problem of the dispersed nature of the internet and every country has its own laws and rules, and no one will agree on another.

“How do you get through it? Some may say that we’ve only been on the internet for X amount of years, and eventually it will work itself out, but it is going to be interesting,” he said. “We’re in a much better place now than we were years ago, and we’re in the place where everyone is starting to understand it.”

What’s hot on Infosecurity Magazine?