Cybersecurity Must Learn to Collaborate Like the Threats

Malicious Teamwork2.jpg

Cyber threats have evolved over time to communicate, cooperate, and in some cases directly collaborate among themselves, giving them a distinct advantage over their security counterparts.  Hackers possess a culture which is comparatively open, mutually supportive, and largely opportunistic.  This has in part contributed to their ability to outpace their security minded adversaries.  It is an advantage the cybersecurity industry largely lacks and must learn to overcome.

Security product and service companies don’t like to share.  They are in the business of protecting their customers against a highly diverse and complex intelligent adversary.  Any information or insights they gain is inherently viewed as a competitive advantage against other vendors.  Sharing such knowledge with others security firms seems counterintuitive from a business perspective.  It is that mindset which has greatly limited cooperation and the pace of innovation.

Businesses and government entities are also unwilling to share how they have been attacked, exploited, or had to respond to such incidents.  It is viewed as a poor public relations choice and also opens the door to other hackers who may attempt a similar attack on a susceptible victim.  Attackers do love to know when something works and then simply duplicate or iterate. 

In essence, the security industry and targets being attacked prefer to remain silent about threat intelligence, best known practices, active exploits, successful attacks, ongoing investigations, and crises they are managing.  The data they do share tends to be sanitized, redacted, and stale.  This greatly limits the value and applicability.   

Attackers are not limited by these compartmentalized practices.  They share code, methods, and readily offer advice.  This has become so rich and valuable, services are now emerging to meet broadening demands.  A variety of different activities are available for a price.  Dark and grey markets offer more than just illicit drugs.  They enable the purchase or lease of knowledge, code, independent contractors, and supporting resources for shady ventures.  Vulnerability brokers act as middle-men to buy and sell weaknesses in software and protocols.  Some offer tantalizing bounties, of up to a million dollars, to entice researchers to deliver valuable 0-day exploits. 

Malware-as-a-Service will author custom malware, sell popular packages, or offer hands-off rental services where they run the malware on your behalf and point it at a target of your choosing.  Along the same lines, hacking services are essentially proficient penetration teams who will breach or provide explicit capabilities to bypass a specific target’s digital defenses for a price.  Distributed Denial of Service (DDOS) packages and platforms can be rented, with prices varying based upon the duration and saturation amount which will be directed at the target. 

Looking for legitimate identities and credentials?  Identity hackers and brokers do all hard data-breach work and sell the end results in nice packages and offer bulk discounts.  Spam and phishing engines can be rented to generate and distribute mind numbing amounts of emails, texts, and links to malicious sites which manipulate or infect visitors.  For those seeking a reputation, social accolades are for sale, where positive-reviews for sites, sellers, vendors, and businesses will be written and posted for your benefit.  Some professional for-hire reviewers, with many followers themselves, will write glowing customized testaments on whatever you want, for as little as a few dollars.  Social media ‘likes’, fake accounts, and bulk ‘followers’ are also available for a price.

Code repositories exist for hackers to share and collaborate on software.  Often different independent parties will download code and make incremental improvements then re-upload it for others to use and repeat the process.  This creates rapid iteration of improved software, with novel features, fewer bugs, and fosters a continuous exploration of new ideas.  There are even malware quality-assurance services which will test your toxic software to make sure it will not be detected by all the major anti-malware software packages and that it will get by the code review protocols of various digital stores.

Human resources are also available.  There are call-centers for hire which can service fraudulent transactions, CAPTCHA verification services for fake account creation verification, mule recruiting for money laundering, digital currency handlers, and package-forwarding people for accepting fraudulent online purchases and then forwarding them to another destination. 

The world of cyber threats has morphed into a specialty economy.  Communication is the grease which allows the wheels to turn.  No longer does an attacker need to be an expert in all areas of hacking.  In fact, attackers no longer need high degrees of technical skills.  They can simply hire-out specialists and orchestrate the pieces into a customized solution to victimize targets and cause havoc with a worldwide reach. 

Threats are evolving ever faster and the security industry must adapt to keep pace.  Teamwork among security professionals, against a common enemy, is no longer an option, but a necessity.  We are collectively better when we actively work together as a community against those who seek to undermine digital security.  Competition in the security industry must not impede providers from recognizing who the real enemy is: the cyber threats.

Cyber Threat Alliance.jpgThis is why initiatives like the Cyber Threat Alliance are so important.  The Cyber Threat Alliance is an organization co-founded by Fortinet, Intel Security, Palo Alto Networks, and Symantec.  (full disclosure: I proudly work for Intel)  The alliance is open to all security vendors serious about sharing relevant and valuable threat information.  Such partnerships across domains and providers is crucial.

Top security organizations with vast sensor and threat intelligence capabilities can paint a better picture and stand together in the fight against sophisticated cyber threats.  These leaders can share and collectively leverage data necessary to gain the insights for better predictions, more effective preventions, improved detection accuracy, and faster response procedures.  Cooperation is both a tactical and strategic security advantage.

Cybersecurity must evolve and learn from its adversaries.  Communication and collaboration are key to rapid innovation and maximizing knowledge.  We are stronger together than separately.

Twitter: @Matt_Rosenquist

Intel IT Network: Collection of My Previous Posts

LinkedIn: http://linkedin.com/in/matthewrosenquist

Published on Categories Archive
Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.