I came across an article the other day titled "Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources"!
It is a justice.gov publication with some interesting insight, but it opened an old wound for me! Trying to regulate an environment that is by nature unregulated does not sound reasonable. It is like saying you can go to the underground drug market, but please promise you will only use what you buy for medical purposes, and by the way, make sure the dealer is a good person! And that he washes his hands (yeah, don't forget about COVID-19!)
Today's dark web is the inevitable result of a movement, dating back to around the turn of the millennium, towards non-disclosure as opposed to full disclosure: a silent movement against the practice of disclosing security vulnerability details. It was an argument with those who believed that disclosing vulnerabilities gives the community a better chance to defend itself. But should we disclose how to build a bomb in order to stop bombs being made, or to better understand how to disable one?!
I personally stopped disclosing security vulnerabilities; anything I published after 2000 was super naive material, not usable for serious hacks! At some point I stepped back and tried to understand how disclosure really benefits the community, and the answer was: not at all, or, I mean, very little if not zero.
On the opposite side, malicious hackers have always used that information to turn a profit, which means using it maliciously and, of course, destructively. How many security products or solutions, if any, have you ever found that rely on vulnerability disclosure to mitigate a security problem?
Today's Exploit DB and similar sites are nothing but display windows! The real deals organically created the dark web, this time more destructive than the 90s' dark material on the surface web. So again, thinking about rules, ethics, DOs and DON'Ts in such an environment is irrelevant. We, the security pros, need to do something to make that intelligence unavailable! We need to make it unreachable, not try to regulate its usage or direct its intention.
We regulate the healthcare industry to make sure anybody touching PHI has some sort of HIPAA training and awareness, but how could we make sure that the companies gathering this intelligence abide by rules and ethics?!