When I speak at conferences or meet with companies, I talk about the importance of having an open and honest discourse—about sharing intelligence. You can be certain our enemies are sharing intel, trading in information and leveraging each other to become more effective. We, as the defenders, need to do the same.
Since we informed our customers of a security incident, I have read the articles, the blogosphere and the Twitterverse. While the reactions range from supportive, to factual, to critical, one theme is clear—people want more information. I know I cannot answer all of the questions, and we will never satisfy the eternal skeptics, but let me be very clear on this point: We will be providing more information.
Our first and foremost priority was to inform our customers quickly and directly. As soon as we understood and had mitigated the attack, and we were able to provide actionable advice, we reached out to our customers. We notified them by email, contacted them by phone, and will be meeting with them to answer their questions and ensure they are fully protected. Discussing the details of the incident without first providing our customers with the necessary information would be irresponsible.
We then posted a blog informing the public about the situation. Brian Krebs contacted us around the same time we were about to post, and he and other media outlets broke the story wider. I have followed Brian’s writing for some time, and share his sentiment that more open discourse and threat intelligence sharing are needed in the security community.
We have already shared the cryptographic hashes of all the files we know were signed maliciously, both with our customers and with the security community. We will share more intelligence at the right time—network information, tactics, files, and hopefully more. The investigation is ongoing. We’re not going to share details that will compromise our customers or violate confidentiality, nor are we going to share details that will compromise our own security. Anyone who has ever been involved in an investigation of this type knows that absolute or complete information is not always possible, so I can’t promise that every puzzle piece will be revealed. That is the plain and simple truth.
As members of the broader security community, we consider it our responsibility to provide information that can help others protect themselves, raise awareness and aid in any investigations. We can only speculate, but we believe the attack on us was part of a larger campaign against a particular and narrow set of companies. I hope we will be able to provide more insight into that so we can all better understand the nature of our cyber enemies.
There is no easy answer to a world where sophisticated actors continuously target every company and individual, and where their primary goal is to steal information, whether for profit, power or glory. This is not fear-mongering or hype—everyone in the security business knows this fact. This is the state of cybersecurity today, and we are all frustrated and angered by it.