May 11, 2015 By Pamela Cobb 3 min read

In a world where up to 80 percent of cybercrime is driven by organized crime rings, how can we hope to protect our sensitive data and critical assets acting as isolated islands? These black hat attackers are collaborating on everything from malware development to botnet management, sharing techniques and tactics to infiltrate networks and cash out financial information.

In the recent IBM X-Force Threat Intelligence Quarterly, the researchers at IBM Trusteer reported that future features in Citadel malware were being influenced by voting on an underground message board. In polls, users were asked to choose between features they would like to see in upcoming versions in the malware, and once a feature received a majority vote and a minimal amount of funding, the Citadel team committed to its development.

Share Like a Black Hat, Live Like a White Hat

Customer feedback roundtables are not a new idea, and every company worth its salt solicits feedback from its clients for future enhancement. What makes the cybercrime feedback loop effective, however, is the interorganizational cooperation. Crime cell A is soliciting feedback from members of crime cell B, almost the equivalent of Symantec calling up Intel and asking what it should add in the next version of its antivirus product.

Rather than dance on the fine line of corporate collusion, the conversation needs to include vendors and clients. This is the spirit of an executive order signed in February, which encourages private and public sector collaboration to fortify everyone’s defenses. There is healthy skepticism that government involvement can benefit voluntary efforts across commercial interests, and the shift toward STIX/TAXII from Oasis with the support of the U.S. Department of Homeland Security underscores the implication that government is “getting out of the way” of the private sector to move threat sharing practices forward.

Security vendors need to establish parameters of cooperation that enhance defenses for clients with the participation of clients themselves. Clients have worked to this end with groups like the National Council of ISACs, and security vendors have consortia like the Cyber Threat Alliance encouraging tactical collaboration to share malware samples to build better protection strategies. The trick will be finding a solution to bridge the gap between clients and vendors as a whole, not just within the related groups.

Experience threat intelligence: Visit the IBM X-Force Exchange

The Nitty Gritty

When it comes to the details of what the white hats can and should share to proactively protect themselves and contribute to a community with the same goal, many organizations are understandably hesitant to share details about threats to their networks on threat sharing platforms. The general guidance is to not share internal, proprietary information about security infrastructure, such as the number of endpoints and specific network security appliances, but rather external threat intelligence information being observed, such as scanning IPs and compromised websites.

Even then, there are still objections to revealing details due to a fear that the specific piece of threat intelligence could be used to infiltrate one’s network or that bad actors will see that information and use it. But guess what? The bad actors aren’t trying to infiltrate because they’ve very likely already done so. Keeping the bad guys out or stopping them at the gates has given way to active infiltration management, triage, risk assessment and remediation. Threat sharing arms colleagues with the intelligence needed to identify and address active infiltration. It is intended to recognize the tactics employed to aid defense before, during and after infiltration. There are certainly indicators of infiltration attempts, but the key elements that are most valuable are those that result from identifying evidence of infiltration, not attempts.

The benefit of platforms and forums to encourage the sharing of these elements is to give the white hat the same advantage as the black hat. The black hat attackers are smart and have learned how to work together, whether at arm’s length via message boards or in direct collaboration. There is no time to waste to learn how to give ourselves the same advantage.

More from X-Force

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read - CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities - Cisco) details CVE-2023-20078 and…

X-Force data reveals top spam trends, campaigns and senior superlatives in 2023

10 min read - The 2024 IBM X-Force Threat Intelligence Index revealed attackers continued to pivot to evade detection to deliver their malware in 2023. The good news? Security improvements, such as Microsoft blocking macro execution by default starting in 2022 and OneNote embedded files with potentially dangerous extensions by mid-2023, have changed the threat landscape for the better. Improved endpoint detection also likely forced attackers to shift away from other techniques prominent in 2022, such as using disk image files (e.g. ISO) and…

Widespread exploitation of recently disclosed Ivanti vulnerabilities

6 min read - IBM X-Force has assisted several organizations in responding to successful compromises involving the Ivanti appliance vulnerabilities disclosed in January 2024. Analysis of these incidents has identified several Ivanti file modifications that align with current public reporting. Additionally, IBM researchers have observed specific attack techniques involving the theft of authentication token data not readily noted in current public sources. The blog details the results of this research to assist organizations in protecting against these threats. Key Findings: IBM research teams have…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today