I recently commented on this post by Richard Bejtlich over on his TaoSecurity blog (Google borked the authentication and listed me as "Unknown"). Richard lists the pros and cons of disclosing vulnerabilities in attacker tools, such as the recently revealed vulnerability in the Poison Ivy RAT. Richard tends toward the side of non-disclosure, and I see his point. I haven't fully made up my mind on this.
But as I was reading, I saw a parallel to the frequent debates about sharing threat intelligence and indicators of compromise. I see both sides of the argument there as well, but one thing I don't recall ever having seen discussed is the class system that the lack of sharing creates among defenders. As I mentioned while commenting on Richard's post, there are effectively two tiers of defender that result from this. The first tier, those "in the know" who have access to all manner of shared intelligence, are far better able to defend their networks and systems. On the flip side, those defenders who aren't privy to such privileged information are left to cull what they can from public sources and hope for the best. Now, I don't pretend to know what the answer is in terms of bridging that gap. But there's no way this can lead to better security for our country or any other country. The only answers I see are to make threat intelligence and indicators of compromise more widely available (firms like Mandiant who monetize that data will object) or to put more of the nation's information security defense in the hands of the federal government and/or ISPs. I can see all manner of objection to that as well.