In a world where up to 80 percent of cybercrime is driven by organized crime rings, how can we hope to protect our sensitive data and critical assets acting as isolated islands? These black hat attackers are collaborating on everything from malware development to botnet management, sharing techniques and tactics to infiltrate networks and cash out financial information.
In the recent IBM X-Force Threat Intelligence Quarterly, the researchers at IBM Trusteer reported that future features in Citadel malware were being influenced by voting on an underground message board. In polls, users were asked to choose between features they would like to see in upcoming versions in the malware, and once a feature received a majority vote and a minimal amount of funding, the Citadel team committed to its development.
Share Like a Black Hat, Live Like a White Hat
Customer feedback roundtables are not a new idea, and every company worth its salt solicits feedback from its clients for future enhancement. What makes the cybercrime feedback loop effective, however, is the interorganizational cooperation. Crime cell A is soliciting feedback from members of crime cell B, almost the equivalent of Symantec calling up Intel and asking what it should add in the next version of its antivirus product.
Rather than dance on the fine line of corporate collusion, the conversation needs to include vendors and clients. This is the spirit of an executive order signed in February, which encourages private and public sector collaboration to fortify everyone’s defenses. There is healthy skepticism that government involvement can benefit voluntary efforts across commercial interests, and the shift toward STIX/TAXII from Oasis with the support of the U.S. Department of Homeland Security underscores the implication that government is “getting out of the way” of the private sector to move threat sharing practices forward.
Security vendors need to establish parameters of cooperation that enhance defenses for clients with the participation of clients themselves. Clients have worked to this end with groups like the National Council of ISACs, and security vendors have consortia like the Cyber Threat Alliance encouraging tactical collaboration to share malware samples to build better protection strategies. The trick will be finding a solution to bridge the gap between clients and vendors as a whole, not just within the related groups.
The Nitty Gritty
When it comes to the details of what the white hats can and should share to proactively protect themselves and contribute to a community with the same goal, many organizations are understandably hesitant to share details about threats to their networks on threat sharing platforms. The general guidance is to not share internal, proprietary information about security infrastructure, such as the number of endpoints and specific network security appliances, but rather external threat intelligence information being observed, such as scanning IPs and compromised websites.
Even then, there are still objections to revealing details due to a fear that the specific piece of threat intelligence could be used to infiltrate one’s network or that bad actors will see that information and use it. But guess what? The bad actors aren’t trying to infiltrate because they’ve very likely already done so. Keeping the bad guys out or stopping them at the gates has given way to active infiltration management, triage, risk assessment and remediation. Threat sharing arms colleagues with the intelligence needed to identify and address active infiltration. It is intended to recognize the tactics employed to aid defense before, during and after infiltration. There are certainly indicators of infiltration attempts, but the key elements that are most valuable are those that result from identifying evidence of infiltration, not attempts.
The benefit of platforms and forums to encourage the sharing of these elements is to give the white hat the same advantage as the black hat. The black hat attackers are smart and have learned how to work together, whether at arm’s length via message boards or in direct collaboration. There is no time to waste to learn how to give ourselves the same advantage.