Intelligence Start-Up Goes Behind Enemy Lines To Get Ahead of Hackers

anlashok writes: The Times profiles a company called ISight, which sells computer security intelligence gathered by professionals from the "dark web". From the article: "ISight's investors, who have put $60 million into the company so far, believe that its services fill a critical gap in the battle to get ahead of threats. Most security companies, like FireEye, Symantec, Palo Alto Networks and Intel's security unit, focus on blocking or detecting intrusions as they occur or responding to attacks after the fact. ISight goes straight to the enemy. Its analysts — many of them fluent in Russian, Mandarin, Portuguese or 21 other languages — infiltrate the underground, where they watch criminals putting their schemes together and selling their tools."

And that used to just be cops at the border!

[rmdingler]

I have always been uncomfortable with the potentially mutually beneficial nature of the roles of security provider and security breach specialist.

Re: And that used to just be cops at the border!

[TWX]

I don't think that they're criminally negligent because they're not themselves law-enforcement, so they can't really actually take an active role in stopping those that they see engaging in criminal acts. If the criminals they're interacting with are in foreign countries where reporting those individuals to that country's police forces won't do any good, then this is at least keeping tabs on things.

Now, it could be that some of those foreign countries for whom they're infiltrating the criminal hacker groups of might not take kindly to their doing this, so those that masquerade as criminals themselves might find that the foreign country in question wants them for prosecution as a result, but I would be surprised if they'd face very much domestic prosecution. Hacking-back is illegal, but it doesn't sound like they're actually hacking.

Ah yes, the Classic argument...

[bobbied]

Is it black hat or white hat hacking?

It's kind of hard to tell them apart with schemes like this. Oh yea, we will infiltrate the "bad guys" and get tipped off to their activities before anybody else knows, or we will invent some new attack vector, sell it to the bad guys and get loads of money from your because only we know enough to protect you from what the bad guys are doing.. You cannot know the difference....

Problem with this is you will never know and you will be letting some outfit with admitted ties to some bad actors have access to your network security systems... What could possibly go wrong?

legitimacy of the business

[WSOGMM]

If your operations can be carried out in specific countries, you might be able to bypass some anti-hacking laws, or at least diminish some of the potential legal blame of 'going too far'. If you have to limit your offensive capabilities, there are probably ways of cataloging/surveying/classifying incoming attacks and thwarting them without doing anything illegal. The main factor in the success of this business relies on them providing monetarily valuable information to potential targets.

That said, what they say they're doing is not illegal, and it is probably already practiced by most security companies. It's just a business pitch. From TFA, they spend their time

monitoring underground chatter and markets, analyzing computer code meant to cause harm, watching the networks of potential attackers and poring over social media channels for signs of imminent attacks.

just like you, except better

[raymorris]

"Allowing the bad guys to continue operating" you say. You've "allowed" crime just as much as anyone else has. You have just as much right to track down individual criminals and fly around the world trying to stop them as do the researchers working for these companies. We're not cops, we're nerds. You could register in the cracker forums, follow the social media feeds, and try to do what you seem to expect us to do. Why haven't you done it?

The difference between you and I is only that I HAVE contacted the FBI or National Center for Missing and Exploited Children the few times that I've come across a situation that warranted it. What have you done? I warned Wikipedia of an attack that would have taken them down, warned them in time to prevent the attack. What have you done?

99.99% of the time, we don't have the real name and home address of the bad guys. We have screen names, like you see on Slashdot, and we see what types of vulnerabilities and attacks they're talking about this month. Then we protect our clients, which may include your bank, from the types of attacks that are being discussed by the bad guys.

99% of my coworkers don't have any authority to arrest anyone. That's not our job. Our job is secure the systems you rely on. There is one person at the company I work for who used ton have the authority to arrest certain specific criminals. That happens to be me. I successfully found and arrested most of the people I was granted authority to go after. So yeah, we've actually personally put a few criminals behind bars, though that's not our day job. "Allowing criminals to continue operating", eh? I've told you what I've done to stop criminal activity. I ask you again, what have you done? You've done nothing, you have allowed them to continue.

you expect me to call you personally?

[raymorris]

> By not telling some of the potential victims they are conspiring with the hackers. I'm sure some lawyer would have a go with it.

What, you expect me to call you, and every other person in the world, personally? Why don't YOU have a go at that. YOU go monitor the cracker forums and such, then call me when you see something interesting. For free. You'll start doing that tomorrow, right?

No? Well those of us who spend our working hours on this stuff have to eat too. So yeah, if you want instant analysis of what's important to you, you get buy one of my kid's meals. Other than that, sign up at Threatpost and sift through it yourselc every day.

Lazy self-entitled liberal bastards.