Sharing bug intel is vital, but not without risk

A Microsoft R&D campus building in Hyderabad, India. (prashanth dara, CC BY-SA 3.0, via Wikimedia Commons)

Microsoft is reportedly investigating whether hackers who have been abusing a series of Microsoft Exchange bugs managed to obtain sensitive information about the vulnerabilities after Microsoft privately shared certain details, including proof-of-concept exploit code, with various security partners.

It’s possible that one of these partners accidentally or intentionally leaked details to additional entities, until key details somehow fell into the hands of attackers, according to a report by Wall Street Journal report on Monday. Whether this scenario bears out as true or not, the story leads to a number of interesting questions regarding how companies determine which partners to share sensitive bug info with and which ones to exclude from that intel because the risks outweigh the benefits. Also, if a business partner did leak the critical information, what should be the consequences?

According to experts, mistakes can happen during the information-sharing process.

“Usually, if something goes wrong, it’s either due to human error or because there is a mismatch in expectations over how to handle the information,” said Michael Daniel, president and CEO of the Cyber Threat Alliance (CTA). “For example, one side thinks the information can be shared more broadly within their organization; the other thought it would be restricted to specific individuals.

Sometimes a leak doesn’t even have to result from a direct communication. Curtis Dukes, executive vice president, security best practices, at the Center for Internet Security (CIS), wondered if was possible that a security partner could have responded to the intel too quickly and too overtly, indirectly tipping off observant malicious actors through the “early release of protection measures within their product.”

The four Exchange bugs were first exploited last January, with a second wave of attacks beginning on Feb. 28 and exploding in volume by March. According to sources, adversaries during the second wave leveraged automated…