By Derek Manky, Chief Security Strategist & VP Global Threat Intelligence, Fortinet
Inception
It has been six whole years since the official launch of the CTA, and two more in practice as the dream was built. And what a fantastic journey it has been over the racing course of time. I’m proud to say I was there at CTA ground zero, from the proverbial pen and napkin if you will. Back in 2014, Rick Howard and I sat in a hotel meeting room in Singapore on a conference call with McAfee & Symantec drumming up ideas with the simple, yet equally complex question of “What can we do together in partnership that can change the game, without creating further redundancy in industry?”. We naturally approached this with a crawl, walk, run strategy. Really, there have been three generations of the CTA’s platform as it has evolved and adapted as the direct work of the various committees within the CTA.
Crawling
Our original platform and proof of concept was a simple exchange system operating off open source intelligence with some vetting rules in place. The original criteria we set forth outlined a minimum amount of intelligence for each member to share and be evaluated (this rule still holds very true today), including unique samples and encouraging sharing of mobile malware samples (APK) and botnet C2 to create diversity. This was at a time when mobile malware just started becoming really hot. With only four original members it wasn’t too difficult to get this basic system up and running, and after running it for a while we all verified that indeed this was something different and useful. Simple, albeit but the point is that we had built a mechanism to reduce redundancy by focusing on optimizing sharing of samples that were in fact net new, and not something that was already in our collection. And yes, we could tune it.
Walking
Still with the original four members, and with a mostly automated process running with the original criteria we had established, we wanted to take on more. This was a very much hands on approach, including on-site meetings (essential for trust building), whiteboarding and brain storming directly with our supporting CEO/CxO from each organization. Talk about mindshare! This was a key component of early trust exercises as we effectively had competitors in the same room, teaming up to discuss how we can coordinate efforts to elevate security and mitigate cybercrime. During this walking phase, lots of new ideas were presented and more stakeholders involved. We launched a project in 2017, to do a deep dive jointly between analysts from each organization on a prolific ransomware operator at the time, Cryptowall v3. We learned that following our collective effort and publication of this report, which exposed operations of the group, the Cryptowall gang noticed us. Immediately following publication of the report, Cryptowall operators shifted gear and tried to come up with a new variant (v4) which ultimately was not as successful. To us, that was a great sign and a win emphasizing what we could achieve together.
In parallel, we worked on a new platform to replace the original simple sharing and be more aligned with industry. The second generation of the CTA platform was running on STIX (v1) and TAXII and allowed us to be more expressive and share more types of artifacts. And yes, the CTA was born! Governance was set up, staff was brought on board, and committees established. Scoring engines were enhanced on the new platform, and we started to expand scope and bring on additional members.
Running
While the birth of the CTA was security vendor led, over the years a diverse ecosystem has flourished through an array of members – 37 and counting, spanning global regions, sectors, and subject matter experts. I can say I am even more proud of the holistic, collective effort the CTA has now become. Credit is really due to every single contributor to the alliance, which is in fact every member by design of the CTA’s information sharing platform, Magellan. Magellan was launched in 2020 and is CTA’s third generation platform still in place today. Magellan runs on STIXv2 and allows even more context to be shared throughout members, such as cyber kill chain mappings, MITRE ATT&CK TTPs, and more. It’s also friendlier for onboarding new members and features a UX/UI to describe attacks that automatically generates STIXv2 language. Something that vastly accelerates the both the learning curve, and cycles required for information sharing. The CTA continues to enhance Magellan. Today over 11 million observables are contextualized, shared, and evaluated on Magellan every month.
An Early Share program has been operating since 2018, which in fact has been a game changer in the industry. There have been over 720 early shares in the CTA, and the idea is that trusted intelligence is shared within the community prior to public release of research such as security blogs. This allows all members the opportunity to elevate their security and prepare in advance, so nobody is caught off guard. Prior to this, it was a scramble out of the gates approach and hence the game changing effort in industry. A contributing allies program has also been set up for public sector strategic engagement. Communication channels are active for threat response when we face a large industry threat as we have in the past, such as VPNFilter, WannaCry, SolarWinds, Log4J. It’s truly a refreshing experience when you have such an experienced industry roster getting on a call, to compare notes, validate intelligence and debunk myths. From early shares to Magellan and daily contextual sharing, a scoring report has also been set up to encourage healthy competition between members.
The CTA’s mission is to protect end-users, disrupt malicious actors, and elevate overall security. I can confidently say we are doing this today thanks to all of the dedicated members and effort within the CTA. We’ve crawled, walked, and ran, and I can now catch my breath again seeing first-hand the invaluable dedication of our members and their commitment to the mission. I can’t wait to see what tomorrow brings!