In a world where up to 80 percent of cybercrime is driven by organized crime rings, how can we hope to protect our sensitive data and critical assets acting as isolated islands? These black hat attackers are collaborating on everything from malware development to botnet management, sharing techniques and tactics to infiltrate networks and cash out financial information.

In the recent IBM X-Force Threat Intelligence Quarterly, the researchers at IBM Trusteer reported that future features in Citadel malware were being influenced by voting on an underground message board. In polls, users were asked to choose between features they would like to see in upcoming versions in the malware, and once a feature received a majority vote and a minimal amount of funding, the Citadel team committed to its development.

Share Like a Black Hat, Live Like a White Hat

Customer feedback roundtables are not a new idea, and every company worth its salt solicits feedback from its clients for future enhancement. What makes the cybercrime feedback loop effective, however, is the interorganizational cooperation. Crime cell A is soliciting feedback from members of crime cell B, almost the equivalent of Symantec calling up Intel and asking what it should add in the next version of its antivirus product.

Rather than dance on the fine line of corporate collusion, the conversation needs to include vendors and clients. This is the spirit of an executive order signed in February, which encourages private and public sector collaboration to fortify everyone’s defenses. There is healthy skepticism that government involvement can benefit voluntary efforts across commercial interests, and the shift toward STIX/TAXII from Oasis with the support of the U.S. Department of Homeland Security underscores the implication that government is “getting out of the way” of the private sector to move threat sharing practices forward.

Security vendors need to establish parameters of cooperation that enhance defenses for clients with the participation of clients themselves. Clients have worked to this end with groups like the National Council of ISACs, and security vendors have consortia like the Cyber Threat Alliance encouraging tactical collaboration to share malware samples to build better protection strategies. The trick will be finding a solution to bridge the gap between clients and vendors as a whole, not just within the related groups.

Experience threat intelligence: Visit the IBM X-Force Exchange

The Nitty Gritty

When it comes to the details of what the white hats can and should share to proactively protect themselves and contribute to a community with the same goal, many organizations are understandably hesitant to share details about threats to their networks on threat sharing platforms. The general guidance is to not share internal, proprietary information about security infrastructure, such as the number of endpoints and specific network security appliances, but rather external threat intelligence information being observed, such as scanning IPs and compromised websites.

Even then, there are still objections to revealing details due to a fear that the specific piece of threat intelligence could be used to infiltrate one’s network or that bad actors will see that information and use it. But guess what? The bad actors aren’t trying to infiltrate because they’ve very likely already done so. Keeping the bad guys out or stopping them at the gates has given way to active infiltration management, triage, risk assessment and remediation. Threat sharing arms colleagues with the intelligence needed to identify and address active infiltration. It is intended to recognize the tactics employed to aid defense before, during and after infiltration. There are certainly indicators of infiltration attempts, but the key elements that are most valuable are those that result from identifying evidence of infiltration, not attempts.

The benefit of platforms and forums to encourage the sharing of these elements is to give the white hat the same advantage as the black hat. The black hat attackers are smart and have learned how to work together, whether at arm’s length via message boards or in direct collaboration. There is no time to waste to learn how to give ourselves the same advantage.

More from Threat Research

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

An IBM Hacker Breaks Down High-Profile Attacks

On September 19, 2022, an 18-year-old cyberattacker known as "teapotuberhacker" (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they pilfered over 90 videos of the upcoming Grand Theft Auto VI game. They then posted those videos on the fan website Gamers got an unsanctioned sneak peek of game footage, characters, plot points and other critical details. It was a game developer's worst nightmare. In addition, the malicious actor claimed responsibility for a…

Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP”

September’s Patch Tuesday unveiled a critical remote vulnerability in tcpip.sys, CVE-2022-34718. The advisory from Microsoft reads: “An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPsec is enabled, which could enable a remote code execution exploitation on that machine.” Pure remote vulnerabilities usually yield a lot of interest, but even over a month after the patch, no additional information outside of Microsoft’s advisory had been publicly published. From my side, it had been a…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…