Conficker Working Group Lessons Learned Document

By: Jose -

On the Conficker Working Group’s website, the Lessons Learned document has finally been made public. Sponsored by the US DHS, with key efforts at getting it written from Rick Wesson and David Dagon, the document was prepared by in large part by interviewing key folks in the CWG. The purpose was to explore all of the issues we encountered in the CWG, which was an unprecedented event. In short, the document helps illuminate challenges the information security community as a whole faces in the coming years.

As a member of the CWG, there are a number of takeaways for me. I think they illuminate a path for work in the coming years for many of us, which we will have to address collaboratively.

First, it should be clear that technology alone isn’t the solution here. One of the focuses of the CWG was to ensure that all of the AV, IDS and related companies had timely access to the samples to write signatures against. These technologies and companies represent the front line of defense for all of us, end users, enterprises, and ISPs. As should be clear from the infection data, the numbers haven’t plummeted, suggesting that gaps in addressing the problem exist. We have to explore how to get defenses and cleanup to more people more efficiently, if not preventing the infection in the first place. As someone in the CWG said, “we can’t patch our way out of these worms.”

Secondly, the world needs even better global coordination for such events, and clear authority to act for certain groups. In the case of the CWG, some organizations – such as ICANN – assumed authority for coordination when no one had such a clear mandate. In all cases everyone tread carefully and with the goals of protecting users forefront. You can see how contentious this winds up being by looking at the DNS-CERT discussions at ICANN, where issues like roles and responsibilities raise a lot of objections. Figuring out the groups that will choose issues to tackle and coordinating that globally is an open question.

A third – and technical – issue made visible in the experiences of the CWG is that we need tools to quickly tackle complex malware. Our tools are labor and time intensive, things that are in short supply when addressing the volume of threats we face in 2011. There’s a clear set of technical needs and accomplishments that can easily be funded here.

I think the CWG report is worth a study for these and many more reasons. I’m proud to represent Arbor as we battle the worm and protect the global Internet.

Another after action report came from ICANN, who was instrumental in the response. The report was published in May, 2010, and is largely a timeline of events. The two together are very worthwhile reading if you are involved in the operational security community.