Intelligence Start-Up Goes Behind Enemy Lines To Get Ahead of Hackers

anlashok writes: The Times profiles a company called ISight, which sells computer security intelligence gathered by professionals from the "dark web". From the article: "ISight's investors, who have put $60 million into the company so far, believe that its services fill a critical gap in the battle to get ahead of threats. Most security companies, like FireEye, Symantec, Palo Alto Networks and Intel's security unit, focus on blocking or detecting intrusions as they occur or responding to attacks after the fact. ISight goes straight to the enemy. Its analysts — many of them fluent in Russian, Mandarin, Portuguese or 21 other languages — infiltrate the underground, where they watch criminals putting their schemes together and selling their tools."

And that used to just be cops at the border!

[rmdingler]

I have always been uncomfortable with the potentially mutually beneficial nature of the roles of security provider and security breach specialist.

Re:

[TWX]

I don't think that they're criminally negligent because they're not themselves law-enforcement, so they can't really actually take an active role in stopping those that they see engaging in criminal acts. If the criminals they're interacting with are in foreign countries where reporting those individuals to that country's police forces won't do any good, then this is at least keeping tabs on things.

Now, it could be that some of those foreign countries for whom they're infiltrating the criminal hacker gr

Re:

[rtb61]

Other countries, isn't American exceptionlism so wonderful, who cares what American companies do in other countries, that is their problem, so long as we make money. This is such a horrendous idea, they are attempting to promote a company, that at it's core will purposefully and with intent and for profit break the law. The crime to be repeated en masse, accessory after the fact. So how much work will they be doing to ensure they get work, pretty much blatant for profit false flagging. The kind of accepted

just like you, except better

[raymorris]

"Allowing the bad guys to continue operating" you say. You've "allowed" crime just as much as anyone else has. You have just as much right to track down individual criminals and fly around the world trying to stop them as do the researchers working for these companies. We're not cops, we're nerds. You could register in the cracker forums, follow the social media feeds, and try to do what you seem to expect us to do. Why haven't you done it?

The difference between you and I is only that I HAVE contacted the FBI or National Center for Missing and Exploited Children the few times that I've come across a situation that warranted it. What have you done? I warned Wikipedia of an attack that would have taken them down, warned them in time to prevent the attack. What have you done?

99.99% of the time, we don't have the real name and home address of the bad guys. We have screen names, like you see on Slashdot, and we see what types of vulnerabilities and attacks they're talking about this month. Then we protect our clients, which may include your bank, from the types of attacks that are being discussed by the bad guys.

99% of my coworkers don't have any authority to arrest anyone. That's not our job. Our job is secure the systems you rely on. There is one person at the company I work for who used ton have the authority to arrest certain specific criminals. That happens to be me. I successfully found and arrested most of the people I was granted authority to go after. So yeah, we've actually personally put a few criminals behind bars, though that's not our day job. "Allowing criminals to continue operating", eh? I've told you what I've done to stop criminal activity. I ask you again, what have you done? You've done nothing, you have allowed them to continue.

I speak Mandarin, I know Russian too!

[Taco Cowboy]

As I am from China, and have picked up quite a bit of Russian while I was in school at China, can I go rogue, join up with the hackers, create all kinds of cyber mayhems, and then turn around sell the information to those on the 'white side' of the line?

The whole thing is mindbogglingly ridiculous!

Are we going to encourage the hackers to create yet another stream of income by selling outdated info of the dark side?

What's the definition of 'terrorists'?

[Anonymous Coward]

I wouldn't mind working for such a company, but I don't work for terrorists

If cutting off people's head is terrorist, what about bombing civilians' houses and killing those living inside, like what is happening in Yemen?

What about those, such as America, France & Britain, who supply planes, bombs and all kinds of logistical support to those who do the bombing?

Where do you draw the line, dude?

Ah yes, the Classic argument...

[bobbied]

Is it black hat or white hat hacking?

It's kind of hard to tell them apart with schemes like this. Oh yea, we will infiltrate the "bad guys" and get tipped off to their activities before anybody else knows, or we will invent some new attack vector, sell it to the bad guys and get loads of money from your because only we know enough to protect you from what the bad guys are doing.. You cannot know the difference....

Problem with this is you will never know and you will be letting some outfit with admitted ties to some bad actors have access to your network security systems... What could possibly go wrong?

Re:

[Anonymous Coward]

So true.

The nsa got extra funding to protect us from terrorists. What did they use it for? To spy on their spouses if they were cheating on them.

I feel safer already.

Re:

[gl4ss]

well the thing is, they're selling "stuff" anyone could go find from the dark web, so there's that.

oh the days of just having all that stuff on rootshell

Re:

[aaaaaaargh!]

That would be illegal.

Re:

[Anonymous Coward]

It's green hat hacking. 60 million, lol. Way to set fire to a pile of cash.

A mini NSA?

[Anonymous Coward]

Who's a good little mini NSA? You are! Yes, you are. I'm so proud of you!

I wouldn't be so sarcastic and probably even be supportive of it if it weren't a recipe for abuse. A company or organisation would eventually abuse it and then claim it was legal and nothing wrong.

Extra points if you can lie in front of congress.

legitimacy of the business

[WSOGMM]

If your operations can be carried out in specific countries, you might be able to bypass some anti-hacking laws, or at least diminish some of the potential legal blame of 'going too far'. If you have to limit your offensive capabilities, there are probably ways of cataloging/surveying/classifying incoming attacks and thwarting them without doing anything illegal. The main factor in the success of this business relies on them providing monetarily valuable information to potential targets.

That said, what they say they're doing is not illegal, and it is probably already practiced by most security companies. It's just a business pitch. From TFA, they spend their time

monitoring underground chatter and markets, analyzing computer code meant to cause harm, watching the networks of potential attackers and poring over social media channels for signs of imminent attacks.

Re:

[CanadianMacFan]

I find it morally wrong to know of crimes that are about to be and giving that information only to those people who have paid you money. They should be stopping the attacks for everyone by alerting the authorities. But then there's no profit in that.

I wonder if there could be a case made against them for profiting because of an act of a crime. By not telling some of the potential victims they are conspiring with the hackers. I'm sure some lawyer would have a go with it.

you expect me to call you personally?

[raymorris]

> By not telling some of the potential victims they are conspiring with the hackers. I'm sure some lawyer would have a go with it.

What, you expect me to call you, and every other person in the world, personally? Why don't YOU have a go at that. YOU go monitor the cracker forums and such, then call me when you see something interesting. For free. You'll start doing that tomorrow, right?

No? Well those of us who spend our working hours on this stuff have to eat too. So yeah, if you want instant ana

Great name

[GrahamJ]

https://en.m.wikipedia.org/wik... [wikipedia.org]

Cat and mouse

[koan]

The "hackers" will just their methods.

Re:

[Anonymous Coward]

You accidentally the whole verb

This isn't new or immoral.

[Euphorinaut]

Businesses that attempt to monetize threat modeling have been around for a long time without the same scrutiny a lot of you are giving this company. Is it immoral for a company that makes antivirus software to not give their software away for free rather than charging money? Do you think the moral thing to do would be to just go out of business instead of charging money? If you aren't currently an IT security expert working for a non profit or for free, I invite you to apply your train of thought to just as

not exactly new

[sociocapitalist]

Brian Krebs has been doing this for awhile now.
http://krebsonsecurity.com/ [krebsonsecurity.com]

Someone's just taking it to the next level - not a bad idea at all IMHO.

Re:

[Euphorinaut]

I'll jump into the "great minds think alike" party, although my comment seems to have attracted the attention of someone randomly ranting at me about whether or not it's ok to spy on spouses(no idea). I love Brian Krebs. Can't think of why it took businesses this long to actually implement that sort of thing in threat modeling.

Marcus Brody

[ultranova]

Its analysts - many of them fluent in Russian, Mandarin, Portuguese or 21 other languages - infiltrate the underground, blend in, and with any luck, they've got the exploits already [youtube.com].

Krebs on Security is also there

[swschrad]

potentially has been watching the bad boys longer, with more impact.