Written by Scott Lambert, VP of Threat Research, ReversingLabs
In 2018, Kirstjen Nielsen, then secretary of the Department of Homeland Security (DHS), spoke at the first-ever National Cyber Security Summit in New York City, where she gave a stark overview of the cyberthreats facing the United States. Her message was pointed.
“We are facing an urgent, evolving crisis in cyberspace,” Nielsen said. “Our adversaries’ capabilities online are outpacing our stove-piped defenses. In fact, I believe that cyberthreats collectively now exceed the danger of physical attacks against us. This is a major sea change for my Department and for our country’s security. Don’t get me wrong. Terrorists and criminals still pose a serious threat to our lives. … However, the attack surface in cyberspace is now broader and under more frequent assault. DHS was founded 15 years ago to prevent another 9/11, but today I believe the next major attack is more likely to reach us online than on an airplane.”
The cyber-criminals and nation-state gangs behind the attacks on companies are sophisticated, talented, creative and well-funded. They also are organized – they run their operations like a business, with a structure that has people in CEO-like positions, and others with jobs akin to project managers, developers, specialists and the like.
And they collaborate. They offer their malware and other code on dark web marketplaces; some developers will sell or license their software to other bad actors or even run it as a managed service. In many ways it’s like a dark mirror image of our own world.
This is what makes organizations like the Cyber Threat Alliance (CTA) so important. Any company that believes it can protect its customers’ networks, data and applications on its own is mistaken. Cooperation and collaboration among cybersecurity vendors are the only ways to push back at a cyber-criminal underworld that has such resources and skills.
The collaboration at CTA can come in multiple forms. A vendor might be writing a blog about a malware campaign and may ask other members if they can share information about the subject. They will share what the blog is going to look like and invite others to add what intelligence they have. A committee within CTA may decide the organization needs to make a significant impact on a bad actor or malware campaign and will call members together to share thoughts and information. And then there are participating vendors who simply need more information about a threat, hacker or some malware and will ask if anyone in the group has anything about the subject.
For us at ReversingLabs, it comes down to the sharing of threat intelligence. The ongoing struggle against hacker organizations is one of cat-and-mouse. The bad guys are always finding new software vulnerabilities, are constantly improving on their malware and are always refining their techniques. For vendors to be proactive in their response to cyber threats, they need to know what their opponents are doing. Individually, they can collect a lot of threat intelligence; together they can get a more complete picture of what the cyber-criminals are doing.
CTA has an excellent platform for sharing threat intelligence in real time; the threat intelligence is much richer than with many similar organizations, and we can easily monitor our contribution and improve the data for future submissions. CTA also does quality checks, and we receive feedback from the group about our data, which is another way we can improve it. The use of the industry-standard STIX format means we can build complete threat intelligence around malicious samples.
What we aim to share is new malicious content. Through our algorithm, we select 8,500 new samples from our data and then push them out to CTA members. We regularly assess those 8,500 samples to ensure that they’re aligned with the needs of the organization’s members. Going forward, we are putting plans in place to enrich the metadata that we send to the CTA platform.
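To make the STIX point concrete, the following is an added example (not ReversingLabs' or CTA's own code) of what "threat intelligence built around a malicious sample" looks like on the wire: one Indicator carrying a SHA-256 file pattern, one Malware object, and an `indicates` Relationship tying them together, packaged in a STIX 2.1 bundle. It uses only the Python standard library, assumes the standard STIX 2.1 object layout, and hashes a constructed byte string rather than a real sample. The `validate_bundle` helper performs the kind of sanity check a submitter would run before pushing data to a sharing platform: id prefixes match object types, timestamps are RFC 3339 UTC, required fields are present, and relationship references resolve inside the bundle.

```python
import hashlib
import json
import re
import uuid
from datetime import datetime, timezone

# Light structural checks for the objects we emit (regexes written for this example).
_ID_RE = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
_TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")

# Required properties per STIX 2.1 object type, beyond the common ones every object carries.
REQUIRED = {
    "indicator": ("pattern", "pattern_type", "valid_from"),
    "malware": ("is_family",),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}


def _now() -> str:
    # STIX 2.1 timestamps: RFC 3339, UTC, trailing "Z", millisecond precision.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def _stix_id(obj_type: str) -> str:
    # Identifiers are "<type>--<uuid>"; UUIDv4 is the common choice for SDOs/SROs.
    return f"{obj_type}--{uuid.uuid4()}"


def build_sample_bundle(sample_bytes: bytes, malware_name: str, malware_types=("trojan",)) -> dict:
    """Wrap one malicious sample as Indicator + Malware + 'indicates' Relationship in a bundle."""
    sha256 = hashlib.sha256(sample_bytes).hexdigest()
    ts = _now()
    indicator = {
        "type": "indicator", "spec_version": "2.1", "id": _stix_id("indicator"),
        "created": ts, "modified": ts,
        "name": f"SHA-256 of {malware_name} sample",
        "indicator_types": ["malicious-activity"],
        # STIX pattern language: match a file observable by its SHA-256 hash.
        "pattern": f"[file:hashes.'SHA-256' = '{sha256}']",
        "pattern_type": "stix",
        "valid_from": ts,
    }
    malware = {
        "type": "malware", "spec_version": "2.1", "id": _stix_id("malware"),
        "created": ts, "modified": ts,
        "name": malware_name, "malware_types": list(malware_types), "is_family": False,
    }
    relationship = {
        "type": "relationship", "spec_version": "2.1", "id": _stix_id("relationship"),
        "created": ts, "modified": ts,
        "relationship_type": "indicates",
        "source_ref": indicator["id"], "target_ref": malware["id"],
    }
    # Bundles carry no spec_version in 2.1; the objects inside do.
    return {"type": "bundle", "id": _stix_id("bundle"), "objects": [indicator, malware, relationship]}


def validate_bundle(bundle: dict) -> list:
    """Return a list of problems found; an empty list means the bundle passed these checks."""
    problems = []
    if bundle.get("type") != "bundle" or not _ID_RE.match(bundle.get("id", "")):
        problems.append("bundle header malformed")
    ids = set()
    for obj in bundle.get("objects", []):
        t = obj.get("type", "?")
        oid = obj.get("id", "")
        if not _ID_RE.match(oid) or not oid.startswith(t + "--"):
            problems.append(f"bad id for {t}: {oid!r}")
        ids.add(oid)
        if obj.get("spec_version") != "2.1":
            problems.append(f"{oid}: missing spec_version 2.1")
        for field in ("created", "modified"):
            if not _TS_RE.match(obj.get(field, "")):
                problems.append(f"{oid}: bad timestamp in {field}")
        for field in REQUIRED.get(t, ()):
            if field not in obj:
                problems.append(f"{oid}: missing required field {field}")
    # Relationship references must resolve to objects shipped in the same bundle.
    for obj in bundle.get("objects", []):
        if obj.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in ids:
                    problems.append(f"{obj.get('id')}: dangling {ref}")
    return problems


if __name__ == "__main__":
    # Constructed input: not a real sample, just bytes to hash for the demonstration.
    bundle = build_sample_bundle(b"constructed sample bytes for the example", "ExampleLoader")
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle))
```

Sharing an Indicator and Malware pair rather than a bare hash list is what lets a receiving member pivot: the pattern is machine-matchable against file observables, the Malware object carries the family context, and the Relationship makes the link explicit instead of implied.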
The world of bad actors and malware is constant in its change. Cyber-criminals are continuously adapting what they do to counter what it is that we do. They learn what works and what doesn’t, and while they do compete, they also cooperate. The only way to effectively fight back against such an evolving and well-resourced foe is for us to collaborate, to share what we know with each other and to recognize that if we work together, everyone will be much safer.
That’s why we take our participation in CTA so seriously. It’s why we contribute the threat intelligence that we do and why we have a roadmap for improving the information we share with other members. Our strength comes in our numbers.
To learn more about research that ReversingLabs shares with the community, check out our blog.