This blog post was written by Vincent Weafer.
During keynote presentations at the RSA Conference 2016 in early March, Chris Young from McAfee, Mark McLaughlin from Palo Alto Networks, and Michael Brown from Symantec discussed the need to share cyber threat intelligence (CTI). There were also a half-dozen conference sessions that examined this important topic.
Young made the point that sharing CTI is vital to everyone’s success, citing the US government’s passage of the Cybersecurity Information Sharing Act (CISA) as a first step on the road to cooperation. However, lamenting a perceived lack of progress, he noted “there hasn’t been much that’s happened since that bill became law to start to operationalize threat sharing in a real way.”
In the McAfee Labs Threats Report: March 2016, published today, we present findings from a 2015 survey in which we interviewed almost 500 security professionals to understand their views and expectations about CTI sharing.
We wanted to know whether security practitioners actually see value in sharing CTI, whether they are willing to share it themselves and, if so, what they are willing to share.
We learned that awareness is very high and that 97% of those who share CTI see value in it.
We also discovered that there’s tension between users’ willingness to receive CTI and their willingness to share CTI. Most want to receive threat intelligence (91%), but far fewer (63%) are very likely or somewhat likely to share threat intelligence.
Nonsharing respondents were asked why they do not share CTI. Here’s a summary of their responses:
- Company policy: Companies often have blanket policies that don’t take into account what is being shared, such as hashes vs. personally identifiable information.
- Catching bad guys: Sharing could interfere with ongoing investigations. Some allow exploits to succeed while monitoring them—in order to gain more information about who is behind the attack. If the threat data is shared with a CTI community and the attackers participate in that community, they could be alerted that their activities have been identified.
- Concerns over legality: Legal and trust frameworks for sharing cyber threat information are not well established, making it easy for risk-averse corporate lawyers to say no or to set up highly restrictive policies to limit sharing.
- Concerns over privacy: Global laws and norms make sharing an extremely complicated landscape. Regulations regarding the sharing of personal information are not always fully understood. To avoid fines and penalties, many err on the side of caution.
- Lack of exchange standards: Until recently, established and widely accepted technical standards have not existed except in focused areas such as incident response.
We also summarized our views about the future of CTI sharing:
- Legal frameworks: CISA provides, in part, legal foundations for sharing between government and the private sector and between private sector organizations. It provides liability protection extending to private entities. It could become a model for global information sharing legislation.
- Increased community sharing: With standard threat data representations, communities of cooperation will be able to review and examine malicious events, attacks, and tools in a much more coordinated fashion than has been possible in the past.
- Integrated automation: The automated creation, import, and export of standardized CTI is critical for an organization to take advantage of a CTI exchange. Stopping attacks in real time (or near real time) will require automated tools and processes.
- Innovative CTI organizations and services: Whole businesses and sharing organizations such as the Cyber Threat Alliance will arise whose only mission will be to enrich the data around individual threats.
The discussion around CTI sharing will grow as standards solidify, legal hurdles are cleared, and organizations gain better understanding about what they share and with whom they share.
To learn more about integrating CTI in a McAfee environment, read the solution brief on Operationalizing Threat Intelligence.
The Adwind Java-based backdoor Trojan
In the March Threats Report, we also discuss Adwind, a Java-based backdoor Trojan that targets various platforms supporting Java files. Adwind typically propagates through spam campaigns that employ malware-laden email attachments, compromised web pages, and drive-by downloads. Because spam campaigns are now short lived, with frequently changing subjects and carefully crafted attachments, it has become more difficult for users and security technologies to spot attacks. This has led to a rapid increase in the number of Adwind .jar file submissions from customers to McAfee Labs, with 7,295 in Q4 2015, a leap of 426% from 1,388 in Q1 2015.
To learn how McAfee products can help protect against Adwind and other malicious remote administration tools, read the solutions brief on Stopping Backdoor Trojans.
Q4 2015 Threat Statistics
Finally, we highlight significant threat activity and statistics.
- Overall threat activity: The McAfee Global Threat Intelligence (GTI) network detected an average of 316 new threats every minute, or more than five every second. The network also detected:
  - McAfee GTI received on average 47.5 billion queries per day.
  - Every day more than 157 million attempts were made (via emails, browser searches, etc.) to entice our customers into connecting to risky URLs.
  - Every day more than 353 million infected files were exposed to our customers’ networks.
  - Every day an additional 71 million potentially unwanted programs attempted installation or launch.
  - Every day 55 million attempts were made by our customers to connect to risky IP addresses, or those addresses attempted to connect to customers’ networks.
- Malware: After three quarters of decline, new malware grew 10% in Q4, with 42 million new samples, the second highest number on record.
- Ransomware: McAfee Labs collected 26% more new ransomware samples in Q4. Open-source ransomware code and ransomware-as-a-service make attacks simpler. Attacks are financially lucrative with little chance of arrest.
- Mobile malware: We registered 72% more new mobile malware samples in Q4. Google’s monthly updates to Android may have forced attackers to develop malware more frequently.
- Rootkits: The number of new samples dropped by 49% in Q4. This long-term downward trend is likely driven by the improved security in 64-bit CPUs and 64-bit Windows.
For more information on these focus topics, or more threat landscape statistics for Q4 2015, read the full report.