Centralized to death: the commoditization of threat intelligence and its impact on human life

"Protect the planet" - these words, or some variation thereof, are spoken by managers across big tech companies to their employees working on threat intelligence (TI). Defending customers is spearheaded by the often thankless task of threat researchers, whose job it is to identify threats, research them, index them and report on them. But how aware are we that the information curated by threat researchers globally becomes a global commodity in itself? Ironically, that which seems to be curated for the protection of the people is also bundled up, packaged up and shipped back to the impacted customers as a nicely profitable bundle of defense. Year on year, the big tech organizations that commoditize threat intelligence into products report increasing profits. Microsoft's security division disclosed business revenue of $10 billion in 2020, $15 billion in 2021 and $20 billion in 2022; Corey Quinn satirically tweeted: "My business selling rocks that protect you from tigers has really taken off ever since I started releasing tigers into my neighborhood", well put I say.

The consolidation of technologies, digital services, platforms and data into the hands of the few most powerful corporations leaves us in a bemused state of centralization. Those who discover and produce the most threat intelligence are those who hold the most centralized authority in technology. Companies like Microsoft are buying up the companies that bring diversity to the TI world, such as RiskIQ & CyberX. Google's purchase of VirusTotal is a hugely notable example of this. We could argue that there is a saving grace, in that most of the valuable TI across the industry is discovered by incident response companies - this is true, but wait, the tech giants are buying up those too! Google recently bought Mandiant for $5.4 billion, one of the largest acquisitions in the tech giant's history.

The centralization of technology & services, monopolized by tech giants like Microsoft and Google, ends up leaving the visibility of threats to them alone. If the vast majority of curated threat intelligence is available only to them, what is the outcome? This centralization gives them unparalleled influence over the flow of information and the ability to shape and defend the digital landscape. For me, the lack of global discussion in this area shows a distinct bias in the industry. Monopolizing the threat intelligence industry allows them greater commoditization: tech giants are then able to bake new TI into their products and push customers to their technology in light of it being the only real defensive option. It eradicates the competition. Some say this is okay (mostly those who work for them) and that they are happy to leave this in their capable hands – but with more commoditization comes less transparency. This is the inevitable outcome, and something we are all too familiar with in industry and civil society. AV companies aren't openly sharing their signatures and malware samples. Newly discovered malware samples are bound by strict TLP policies and reports are released only when the marketing team approves.

I recall a time whilst I worked as a security researcher in Microsoft's Security Response Centre (MSRC) that spoke to me of this issue. It was January 13th 2022 and the TI (MSTIC) team had seen heightened activity from Russia against Ukraine. I was passed a "ransomware" sample that overwrote the 512 bytes of sector 0 of the Master Boot Record. What was discovered was an attack on "multiple government, non-profit, and information technology organizations, all based in Ukraine". It was called WhisperGate, and when it had been reversed, it was a fully destructive malware, not a ransomware. A limited amount of information on this campaign was disclosed by Microsoft. They chose to only cover the high-level aspects of the sample and didn't choose to share the malware samples with security researchers across the industry. This meant other products couldn't create detections, and other researchers couldn't research it or find variants. Since there were rising tensions between Ukraine and Russia at the time (little did we know the war between the two would be ignited shortly after this), it was concerning that the TI was held close to Microsoft's chest. Many security researchers revolted at Microsoft's lack of transparency, and after internal battles, they finally made the samples available on VirusTotal on the 16th of January 2022 (which, I should also add, isn't very transparent either, since having access to VirusTotal requires an enterprise license or you to be a reputable member of the security community).

A tweet in reply by Shane Huntley, a notable researcher in the community. This Twitter thread relating to the publication has comedic value, since Shane Huntley works for Google.

As more diverse groups of researchers, both in the private sector and civil society, got access to the sample, more key intelligence was brought to the table and defenses against the attack improved. At the time of the finding, Microsoft were the only ones that had valid signatures for the attack. They made this clear in their publishing: that those customers who were impacted were warned and that those with their products installed would be protected. It took a number of days for the intelligence to become fully transparent. Their primary objective was to secure their customers and ensure their products were updated with the latest signatures. Clearly transparency was an afterthought for Microsoft, and one driven by external pressure from information security researchers.

In my work with human rights groups & journalists, I often encounter undiscovered threats and intelligence that is vital to the defense of activists and writers. When disclosing a threat, I am often unsurprised to hear that a large big tech TI group is also aware of it. It's frankly perplexing to me; often their response when questioned on transparency is simply – we offer free enrollment in our products for non-profit groups, journalists & individuals (from which they are then able to collect more TI). For me, this is beside the point. Having independent and diverse groups of people with access to the threat intelligence allows for a more holistic approach to defending those at risk.

Some of the most important discoveries and mitigations in information security have happened through the transparent sharing of threat intelligence. Marcus Hutchins (aka MalwareTech) found a killswitch in WannaCry: the malware contained a domain that, when it successfully resolved, stopped the ransomware from propagating. Hutchins registered the domain and became a superhero for his efforts. Hutchins discusses that his finding was a result of talking to people about the malware on message boards and that he was passed the sample by a friend. Whoever this friend is also deserves a medal, because this discovery not only saved many systems from being ransomed, but also saved many lives, since many healthcare systems globally were impacted by the attack. What this speaks to is a situation where the free and transparent exchange of threat intelligence between researchers can have a monumental impact on the protection of human rights and, more importantly, human life.

What happens when the majority of intelligence on digital attacks that impact human rights and human life is controlled by single entities? Are we potentially in a bad situation for that to happen? Should we not question and interrogate what threat intelligence companies have, and more importantly, should we not call for transparency where that threat intelligence impacts human rights or, far greater, human life?

At this point, I realise that I haven't even touched on the geo-political/social-political issues surrounding this. Since these publicly traded tech giants, most of which are US based companies, generally demonstrate bias and control by the state & their shareholders - what impact does this have? In Snowden's leaks, we saw "Operation Socialist", a GCHQ man-in-the-middle attack on the telecommunications company Belgacom between 2010 and 2013. This attack fundamentally undermined the privacy, security and human rights of everyday people using Belgacom. What would happen if a US tech giant discovered this attack – would they disclose it? Unlikely. We see very little intelligence come out against NATO states from corporations in those countries, simply because they do not pool their resources and people to track them. A blind eye is turned out of political and shareholder interest.

If you haven't already discovered it yet, my argument is this: the monopoly of threat intelligence, its commoditization and the centralization of technology & services by big tech companies has already shown a negative impact on human rights and human life. The threat intelligence monopoly results in closed source, opaque, fragmented public information on threats impacting humanity. This is ultimately because we become reliant on these companies to be transparent in sharing their findings, and we have seen too many cases where they have not been. Which leaves the final question: how can we ensure that they are transparent when threat intelligence impacts human life?

Should government and civil society organizations be interrogating this? I think so. I think there needs to be deep interrogation of this situation, and not just by governments, but by researchers, non-profit groups and privacy and security advocates. Policies should be put in place so that when a threat, or any form of threat intelligence, poses a risk to human rights or human life, its commoditization is secondary and its transparency comes first. Not the other way round. That way, we can better defend human life and rights.

A bit about my new website:

This is a new site for me; I recently moved from Hugo to Ghost. I am an independent researcher - I do not work for corporations and only work with non-profit groups. For me, getting my research and writing out to as many people as possible for the betterment of digital security & privacy is my goal. I also wish to contribute directly to the information security and human rights communities. Creating a subscription list for my work helps me publish my research and get it out to the right people. I hope, in time, I can continue to publish my research here without needing to rely on media outlets to get the work heard. If you would like to support me, please consider subscribing: