Industry Trends

Collaborating on Threat Research: What We Learned from the Cyber Threat Alliance CryptoWall v3 Research Project

By Derek Manky | October 29, 2015
There is a greater mission on the part of every security vendor to make the world safer and more secure for people to interact, do business, and communicate ideas. 
Today the Cyber Threat Alliance, founded May 30, 2014, published its first collaborative research project -- an analysis of the CryptoWall version 3 campaign The CryptoWall research report represents the successful culmination of a big project, a 90-day proof of concept effort among the founding members of the CTA to see what they could achieve if they collaborated on one adversary campaign playbook. 
It’s been a long tradition in the security world to share information on new malware, new botnets, and newly discovered threats and vulnerabilities in general. Security vendors have a responsibility with the general global ecosystem to share threat findings with each other and other agencies and end-user advocacy groups because the best way to combat the creativity and negative impact of malware and adversaries is to build security solutions based on data from wide and diverse sources.  
The process of creating the CTA’s CryptoWall v3 report was arduous but we learned a lot along the way. It’s one thing to share malware samples, it requires another level of work entirely to collaborate on a deep analysis of an adversary campaign like what was in the CTA research project. We have a lot of work to do to be able to replicate this type of collaboration for hundreds or thousands of attack campaigns on an ongoing basis. A few challenges immediately come to mind when we consider scaling up this type of intelligence sharing.
How Do We Share a Lot of Different Types of Threat Data? How Do We Classify and Track the Significance of Data Being Shared? How Do We Set Up A System that Can Handle Huge Amounts of Data?
There are many different types of intelligence on threats that can potentially be shared in the realm of threat intelligence. The usual types of threat data shared across the industry consist of malware hashes, IP addresses, and malicious URLs. We call these The Big 3 of threat intelligence. The research went way beyond the Big 3 in this project – which is exactly what the bigger security industry needs to do to improve the way we all combat cyber crime.
The CTA members tackled the challenge of sharing a range of Indicators of Compromise (IOCs)  such as malware behaviors identified in a sandbox and bitcoin wallets associated with the CryptoWall campaign. This kind of data is challenging to classify and prioritize as an IOC can contain details like the reputation of network traffic sources, time to live, frequency of attacks and traffic, methodology, and even behavior analytics of a machine in normal vs compromised state.  Identifying the significance of a particular IOC can be challenging -- some IOCs are very significant while many others are not. The group collected vast numbers of IOCs throughout the course of this project. And all that data required manual processing before it could even begin to be applied to existing security solutions at each company. 
What Do We Need To Make it Really Possible to Share Data Across Organizational Boundaries?
Through our affiliation with OASIS, we are part of the development effort for the STIX and TAXII framework for sharing threat intelligence.  STIX, Structured Threat Information eXpression, is a method for describing IOCs accurately using common terms. TAXII, Trusted Automated eXchange of Indicator, is a method for sharing that threat information. The goal of these two standards working together is to enable sharing of malware information in a secure, automated or semi-automated fashion between organizations.
We learned a lot about applying STIX and TAXII as part of the CTA’s recent work to build out a working instance of the framework.  By experiencing the practical application of the standard we gained good insights to help us and the other groups involved with developing it to further improve it to enable easier and more scalable sharing of information. This work is ongoing. 
We Are Optimistic But There Is More Work to Do
The CTA CryptoWall project demonstrated that we can learn much more about an adversary campaign by working together. We were able to share IOCs and we were able to use new findings from this research to improve our respective security solutions to provide more protection for our customers. 
If we can solve these issues to build a system that can scale and if we can get more security providers to participate equally in collaborative research, we could dramatically improve the foundational effectiveness of cyber security across the entire industry. 
If we do this, we will make the world safer and more secure for people to interact, do business, and communicate ideas.