
Sharing the pie: Threat collaboration

Georgia Tech's Christopher Smoak helped create an intelligence system for threat information collaboration. Dan Kaplan reports.

When hackers from the United States, Eastern Europe and Russia raided Heartland Payment Systems to funnel out an estimated 100 million credit card numbers, most observers were flabbergasted by the astonishing number of records involved in the incident.

But as it would turn out, if the Princeton, N.J.-based company had only been privy to the methods and malicious executables that the intruders used, it may have avoided one of the largest recorded data breaches in history, says John South, Heartland's chief security officer. This may sound implausible in hindsight, except that South and his team were far closer to those answers than you may think.

“One of the things we found going through our breach, the indicators that would have been available to protect ourselves were out in [the financial services] community,” he says. “People knew about the indicators, but they had no way of sharing the information. Everything [the hackers] used, everything was known by someone at some point in time, including some of our competitors. If we had known them, perhaps things would have been different.”

The breach, which was disclosed in January 2009, prompted Heartland not only to get serious about beefing up its data security stance – it implemented an end-to-end encryption system to cloak credit card numbers from point-of-sale swipe to bank handover – but also to recognize the value of collaboration. Bob Carr, the company's founder and CEO, helped launch the Payments Processing Information Sharing Council, part of the Financial Services Information Sharing and Analysis Center, better known as FS-ISAC. The endeavor created an interesting dynamic – all of the council's members are staunch competitors – but it underscored the collective realization that threat data carries exponentially greater value when it is aggregated.

All of the drivers to make more partnerships like this one thrive seem to be in place. By their very nature, IT security departments crave visibility. And, they are befuddled by the sheer speed by which attacks occur and the long period it often takes to discover them. Plus, the criminals share information, so why shouldn't the good guys, too? If everyone assisted one another, the theory goes, they'd be in a much more enviable position to combat cyber risks. Still, despite efforts across the industry to improve threat intelligence, even among seemingly fierce rivals, significant barriers to information sharing still exist, chief among them the fear of admitting compromise.

That's why researchers at the Georgia Tech Research Institute (GTRI) are trying to reimagine information sharing through the introduction of Titan, an anonymous threat intelligence system that, for a small cost, seeks to lend a hand to organizations of all sizes. In devising the idea, engineers at GTRI determined that a need existed within the industry to communicate around threat data. Large organizations either relied on purchasing too many appliances for malware analysis – or they had to build their own – while smaller outfits didn't have the budget to do either. Yet most companies, no matter their spending ability, have one thing in common: Their security efforts are far too inward focused. 

“A lot of them think of this as their dirty laundry,” says Christopher Smoak, a research scientist at GTRI and one of the creators of Titan. “It's time for us to stop being scared about talking to each other. If we're not going to start building these bridges to share stuff with each other, then we might as well give up.” 

He even suggests sharing security intelligence during the times when organizations often are most reluctant, like during internal investigations, or, if they are permitted to, during a law enforcement probe. The more, the better, Smoak believes.

Titan of industry

There is already an abundance of efforts underway to share information, from email lists among a few trusted parties to nonprofit efforts like the Shadowserver Foundation to industry associations like FS-ISAC to for-profit threat feeds like Microsoft or VeriSign's iDefense Security Intelligence Services. Even the U.S. government is trying to get in on the game through the introduction of a number of bills in Congress, such as the controversial Cyber Intelligence Sharing and Protection Act (CISPA), which would regulate information sharing among the public and private sectors.

The key differentiator with Titan is accessibility and interaction, Smoak says. The portal is billed as a “community-driven” threat intelligence engine, operated by an entity with no cards in the game. It already has support from close to 20 organizations in industry and government, is receiving and processing more than 100,000 malware samples each day, and is scheduled to officially go live by the end of the summer. Smoak admits, though, that the portal will work best for reporting and retrieving information about mass malware, rather than more targeted threats, because that is what organizations are more likely to fess up about.

“Members can search malware samples based on industry, specific network domains and even develop and share their own analysis module,” according to a fact sheet. “Titan users may quickly and easily pass samples of both known and unknown type to the system, which automatically processes them according to file type and user request, and produces dynamic reports within minutes. Unlike traditional malware-analysis platforms, Titan does not define a static set of analysis methods. Instead, the framework allows members to add, remove and modify ‘pluggable’ analysis modules to suit analysis needs over time.”

Titan: What makes it unique 

A trifecta of functionality 

  1. It offers a sandboxing/analysis framework that is constantly being updated/changing. 
  2. It provides a forum to share human-based intelligence on top of automatically derived intelligence from the modules described in the framework.
  3. It enlists an easy method to mold/filter the output intelligence, such as standards or reports, to what an organization needs most at the time. 

Source: GTRI

The researchers believe a big draw will be the portal's versatility. Whether one is an engineer who wants to create a script or a module that can be fed into a company's intrusion prevention system, or one is a CISO who desires high-level reports of threat activity across a particular vertical, they can all extract value. “We're adaptive,” says GTRI research scientist Andrew Howard. “We're flexible. The advantage of Titan is that as threats change, we can change at the same speed. You don't have to buy a new appliance.”

Heartland's South says systems like Titan provide help to counteract some of the pressures organizations are facing, such as an overworked security staff and small budgets, which have worked to tip the balance very much in favor of the attacker. “It gives us insight into the things we should be looking for,” he says. “For example, by someone making a DLL [dynamic-link library] available to us as an indicator, we could look at our network to see if that DLL exists somewhere.”

John Johnson, the global security program manager at Illinois-based John Deere, the world's leading producer of agricultural machinery, says he sees the value in Titan's drive to cross-pollinate threat information across industries. That's because the manufacturing sector in which John Deere plays traditionally has been slow to embrace the latest security technology and doesn't have the formalized sharing infrastructures that the more heavily regulated verticals do. Instead, Johnson relies on data sharing within a CISO peer circle to which he belongs in the Chicago area. “It's basically a dinner group where we get together and talk in person,” he says.

But, he recognizes that malware and the techniques used to spread it often are agnostic of industry. No longer is anyone immune. “We can't rely on obscurity and lying low and waiting for the financial companies to take a lead,” Johnson says. “I think we need solutions that are more intelligent and more proactive. If academia can step up and pull people together and demonstrate it's going to work and these concerns are being addressed, I think it'd be a worthwhile approach.”

Roadblocks to acceptance

The “concerns” Johnson speaks of are ones Smoak often hears. A big one for Johnson is trust. That's why a critical feature of Titan is its anonymity component, intended to prevent any leaks that could jeopardize an investigation, encroach on someone's privacy, or provide fuel to the very attackers Titan is seeking to stop.

Smoak and company have expended a great deal of effort in ensuring that Titan is leak-proof, and that its members are vetted to ensure that information isn't accessible to the sinister.

“Every time data goes in or out of the system, we perform pre- and post-filtering that strips out things folks can't see,” he says. “That's before it leaves our internal network. Additionally, all data associated with any user/organization is referenced by a pseudo-random identifier.” The hope, though, is that once contributors feel comfortable using Titan, they will de-anonymize themselves and pick out certain people with whom they want to work. This speaks to Titan wishing to solve a more fundamental problem: removing the stigma that a successful compromise should be cause for shame. 
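As an added illustration, not Titan's code, of the two mechanisms Smoak describes: each contributor is referenced only by a keyed pseudo-random identifier, and every record is pre-filtered (unknown fields dropped, internal hostnames redacted) before it leaves the platform's network. The platform secret, the field names and the `.corp.example` internal domain are constructed assumptions.

```python
import hashlib
import hmac
import re

# Hypothetical secret held only by the sharing platform. A bare sha256(org_name)
# would be guessable by anyone who can enumerate plausible member names; keying
# the digest with a secret removes that shortcut.
PLATFORM_SECRET = b"constructed-example-secret"

# Allow-list of fields permitted to leave the system. Anything not listed
# (submitter e-mail, raw organization name, internal ticket ids) is dropped
# rather than relying on a blacklist that has to anticipate every field.
SHAREABLE_FIELDS = ("sample_sha256", "file_type", "industry", "analyst_notes")

# Internal hostnames a contributor may have pasted into free-text notes
# (constructed internal domain for this example).
INTERNAL_HOST = re.compile(r"\b[\w-]+\.corp\.example\b")

# Platform-internal table so a member can later choose to de-anonymize.
_pseudonym_to_org = {}


def pseudonym(org_name, secret=PLATFORM_SECRET):
    """Stable pseudo-random identifier for an organization (HMAC-SHA256)."""
    normalized = org_name.strip().lower().encode()
    pid = hmac.new(secret, normalized, hashlib.sha256).hexdigest()[:16]
    _pseudonym_to_org.setdefault(pid, org_name.strip())
    return pid


def prefilter(record):
    """Return the subset of a submission record that other members may see."""
    shared = {"contributor_id": pseudonym(record["org"])}
    for field in SHAREABLE_FIELDS:
        if field in record:
            value = record[field]
            if isinstance(value, str):
                value = INTERNAL_HOST.sub("[internal-host]", value)
            shared[field] = value
    return shared


def reveal(contributor_id):
    """Platform-side lookup, used only when a member opts to de-anonymize."""
    return _pseudonym_to_org.get(contributor_id)
```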

As for vetting users, Smoak says: “We call or have a face-to-face meeting with every prospective Titan member. During this call, we discuss background on the requesting user/organization, as well as give information about our backgrounds.”

For Titan to succeed, it also will have to convince ardent critics, such as John Pescatore, vice president and research fellow at Gartner, who says information sharing has amounted to more of a buzzword than a saving grace. To make his point, Pescatore references anti-virus companies, which, he says, essentially have been doing threat intelligence collaboration for better than two decades. Often, a business customer submits a malware sample to an AV firm, and the vendor in turn creates a signature. “The answer to these attacks is not going to come from more information sharing,” he says. “If that was the case, anti-virus would've solved our problems a long time ago. The answer is making your systems less susceptible to attack.”

But, Smoak says Titan offers far more capability as an information repository than an AV company can provide. “AV vendors typically only provide signatures to their particular product,” he says. “This means that during the time it takes the AV vendor to get a signature back – which may not necessarily detect all variants or other dropped files – malware may have already moved laterally or downloaded additional code that has not been identified. Their financial motivations only serve to push a small AV signature update and nothing else, which leaves organizations in a bit of a bind when remediating something in a time crunch.”

Pescatore makes a fair point, though, when he says that any successful data-sharing endeavor necessitates a two-way street. Naturally, most organizations want to get more than they give, and any model would be hard pressed to achieve the inverse of that. But mutual contribution is necessary, and the U.S. government has been one of the largest culprits. Pescatore says most federal agencies, like the FBI and Department of Homeland Security, covet the situational awareness that private-public sharing provides, but they are reluctant to reciprocate, tending instead to pick and choose which information they dispense – and when they do share, offering that data to only certain parties.

John Deere's Johnson has come to a similar conclusion. “The idea of a public-private partnership in sharing data seems to have mostly failed and been one-way,” he says. “Feds want corporate data, but they are reluctant to share what's going on, unless it directly impacts your company. When they do share information, it tends to be watered down and ambiguous, after the fact, and not prescriptive enough.”

The bevy of information-sharing proposals on Capitol Hill is the 800-pound gorilla in the room right now. Keith Alexander, the head of the U.S. Cyber Command, which serves as a depot of cyber space operations and liaisons with U.S. military networks, recently pleaded with Congress that such a bill is needed to protect critical infrastructure, yet privacy and civil liberties advocates remain concerned. Titan may just have a role to play down the road to ease the transition for many private sector companies that are reluctant to deal with the three-letter agencies.

“My hope is that Titan becomes a technical conduit upon which info-sharing legislation can ride,” Smoak says. “Since many folks are weary of getting data directly from government, we can be a trusted third party to that exchange. But only time will tell. We're only just beginning to start these discussions.” 
