May 11, 2015 By Pamela Cobb 3 min read

In a world where up to 80 percent of cybercrime is driven by organized crime rings, how can we hope to protect our sensitive data and critical assets acting as isolated islands? These black hat attackers are collaborating on everything from malware development to botnet management, sharing techniques and tactics to infiltrate networks and cash out financial information.

In the recent IBM X-Force Threat Intelligence Quarterly, the researchers at IBM Trusteer reported that future features in Citadel malware were being influenced by voting on an underground message board. In polls, users were asked to choose between features they would like to see in upcoming versions in the malware, and once a feature received a majority vote and a minimal amount of funding, the Citadel team committed to its development.

Share Like a Black Hat, Live Like a White Hat

Customer feedback roundtables are not a new idea, and every company worth its salt solicits feedback from its clients for future enhancement. What makes the cybercrime feedback loop effective, however, is the interorganizational cooperation. Crime cell A is soliciting feedback from members of crime cell B, almost the equivalent of Symantec calling up Intel and asking what it should add in the next version of its antivirus product.

Rather than dance on the fine line of corporate collusion, the conversation needs to include vendors and clients. This is the spirit of an executive order signed in February, which encourages private and public sector collaboration to fortify everyone’s defenses. There is healthy skepticism that government involvement can benefit voluntary efforts across commercial interests, and the shift toward STIX/TAXII from Oasis with the support of the U.S. Department of Homeland Security underscores the implication that government is “getting out of the way” of the private sector to move threat sharing practices forward.

Security vendors need to establish parameters of cooperation that enhance defenses for clients with the participation of clients themselves. Clients have worked to this end with groups like the National Council of ISACs, and security vendors have consortia like the Cyber Threat Alliance encouraging tactical collaboration to share malware samples to build better protection strategies. The trick will be finding a solution to bridge the gap between clients and vendors as a whole, not just within the related groups.

Experience threat intelligence: Visit the IBM X-Force Exchange

The Nitty Gritty

When it comes to the details of what the white hats can and should share to proactively protect themselves and contribute to a community with the same goal, many organizations are understandably hesitant to share details about threats to their networks on threat sharing platforms. The general guidance is to not share internal, proprietary information about security infrastructure, such as the number of endpoints and specific network security appliances, but rather external threat intelligence information being observed, such as scanning IPs and compromised websites.

Even then, there are still objections to revealing details due to a fear that the specific piece of threat intelligence could be used to infiltrate one’s network or that bad actors will see that information and use it. But guess what? The bad actors aren’t trying to infiltrate because they’ve very likely already done so. Keeping the bad guys out or stopping them at the gates has given way to active infiltration management, triage, risk assessment and remediation. Threat sharing arms colleagues with the intelligence needed to identify and address active infiltration. It is intended to recognize the tactics employed to aid defense before, during and after infiltration. There are certainly indicators of infiltration attempts, but the key elements that are most valuable are those that result from identifying evidence of infiltration, not attempts.

The benefit of platforms and forums to encourage the sharing of these elements is to give the white hat the same advantage as the black hat. The black hat attackers are smart and have learned how to work together, whether at arm’s length via message boards or in direct collaboration. There is no time to waste to learn how to give ourselves the same advantage.

More from X-Force

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Getting “in tune” with an enterprise: Detecting Intune lateral movement

13 min read - Organizations continue to implement cloud-based services, a shift that has led to the wider adoption of hybrid identity environments that connect on-premises Active Directory with Microsoft Entra ID (formerly Azure AD). To manage devices in these hybrid identity environments, Microsoft Intune (Intune) has emerged as one of the most popular device management solutions. Since this trusted enterprise platform can easily be integrated with on-premises Active Directory devices and services, it is a prime target for attackers to abuse for conducting…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today