The General Data Protection Regulation (GDPR) is finally in force, and the entire cyber security community has had to familiarise itself with new and different ways of working to ensure that organisations are fully compliant.
While IT security experts must work to protect the privacy of any data held by their organisation on its European staff, clients or customers, one area in particular impacted by the legislation is the sharing of data among threat intelligence analysts. Indeed, analysts and security teams are heavily reliant on a combination of cyber threat intelligence and intelligence sharing in their efforts to stay a step ahead of cyber-criminals.
The need for organisations to comply with the requirements of the GDPR, however, is set to change the way in which this vital work is undertaken.
Relying less on WHOIS
In their day-to-day research, intelligence analysts tend to make use of WHOIS data, widely used as a means of identifying registered owners and operators of domain names, blocks of IP addresses, or autonomous systems.
Analysts will often employ one of many WHOIS tools freely available online that enable them to look up the name, address, email and phone number of any registrant that hasn’t chosen to mask their details. Under the GDPR, however, analysts may no longer be able to rely on these tools and online data to inform their hunt for potentially malicious infrastructure operators.
ICANN, the Internet Corporation for Assigned Names and Numbers, is the non-profit organisation responsible for maintaining and co-ordinating registered internet entities. It has agreements in place with thousands of domain name registrars around the world such as GoDaddy, BlueHost or HostGator, requiring them to post the name, address, email, and phone number of everyone that has a domain registered with their service.
Since the GDPR came into force, however, any company that stores such data, including these registrars, is no longer permitted to share or publish any information that a third-party could potentially use to identify an individual. The agreements between ICANN and the registrars could be deemed illegal under GDPR, and previously common capabilities such as looking up a domain’s contact email address to report malicious report behaviour could be found to be technically in breach of the legislation.
This very possibility led to GoDaddy recently withdrawing its search feature which previously allowed its users to conduct a bulk search of millions of WHOIS contact details of its customers, and it won’t be long before most, if not all, of the other major domain registrars do the same.
Common sense approach
Of course, the raison d’etre of the GDPR is to protect the privacy of personally identifiable information, and the previously outlined measure does just that. At the same time, however, it can restrict what data is available to investigators attempting to identify the bad actors behind known malicious infrastructure. Where an email address would once have been re-used to register a malicious domain, for example, allowing researchers to trace that address from data point to data point and illuminate other potential threats, this option may now only be available with very specific, correctly qualified and vetted feeds.
A common sense approach is therefore required. Over time, it’s hoped that GDPR practitioners and authorities will recognise that, in certain cases, sharing data will actually increase security rather than diminish it.
In the meantime, ICANN has proposed an interim compliance model on how to deal with WHOIS data under GDPR, described as offering ‘tiered/layered access to WHOIS data’, and under which registrars would no longer be able to make publicly available all the personal data held in WHOIS directories. Among other significant changes to the current system, WHOIS data made publicly available under this model will no longer include details of a registrant’s name, phone number, or any address details which could be used to specifically identify an individual.
Until a final agreement can be reached, judgment calls on the sharing of WHOIS data for security intelligence purposes will be necessary to ensure the ongoing effectiveness of security research.
Complying with the GDPR presents the security community with a number of challenges. It must be remembered however that, being concerned with the protection and security of business and personal information and data, the remit of the new legislation is largely similar to that of security experts.
It’s a fact that threat intelligence analysts will need to re-assess a number of the methods they’ve traditionally used for identifying, assessing and sharing information on potential threats. ICANN is currently seeking comments on its proposed compliance model, however, and it’s vital for the future success of threat intelligence sharing that the entire security community participates in this feedback process.
Ultimately, analysts will never stop working and closely collaborating in their efforts to identify potential threats. For the time being at least, they will need to assess any GDPR compliance risks that might arise from the sharing and exposure of the information behind these threats.