Level 3 Communications

Beth Ard

Threat Collaboration. It’s What We Do.

Collaboration, it’s what we do. And so should the industry. Here’s why: Cybercrime has infiltrated the lives of IT professionals, corporate employees, business owners and consumers in a way that goes beyond flashy headlines. A state of constant defense against the cybercriminal invasion of all aspects of our lives, personal and professional, is the “new normal.” Whether we, as IT security organizations, have proactive measures in place, or not, thestate of cybersecurity continues to leave us with the uncomfortable feeling that we are continuously operating on the defensive. What can we do to gain an upper hand?

Threat intelligence, the latest security buzzword, is often cited as the elixir that will improve our security posture. And while we agree that actionable threat intelligence is a critical tool to help get in front of mounting threats, we admit it is a broadly defined, confusing concept in the industry today. There are a range of services on the market, from “honeypot” malware data providers and threat feed aggregators, to forensic incidence response. Many organizations have deployed a few instances of all of these services and the alerts generated from the data can be overwhelming. It is a real challenge to determine what information is truly actionable. Early adopter learnings suggest that organizations should evaluate how they would use these tools to not only identify, but also mitigate threats. Simply put, don’t only look at the data; consider how the services fit in your operational process.

Perhaps most important, understand your potential partner’s position on threat intelligence collaboration. The bad guys are great at sharing data and best practices; yet many in the security industry are reluctant to collaborate. Targeted organizations also are slow to come forward due to (valid) concern over becoming the next day’s headline news. The lack of threat data collaboration puts us good guys at a clear disadvantage.

Over the past year, Level 3 Research Labs partnered with Cisco’s Talos Security Intelligence and Research Group to take action on several threat situations that we agreed were egregious, with widespread victim impact. Action was necessary in order to protect our customers and the network. Level 3’s Threat Research Labs and Cisco’s Talos worked together to investigate and mitigate the risk posed by an attacker’s Internet-wide scanning and DDoS botnet, SSHPsychos. After proper vetting, the Level 3 Security Operations Center blocked the associated malicious IPs. Level 3 Threat Research Labs also assisted in the investigation of the Angler exploit that generated $60M in ransomware alone. In the recently released Cisco 2016 Annual Security Report, Cisco cites these cases and highlights the importance of industry collaboration.

Craig Williams, Sr. Technical Leader and Manager of Talos Outreach, said that “Talos exists to protect Cisco customers and to disrupt the activities of our adversaries. Collaborating with Level 3’s Threat Research Labs brings the strengths of both groups together and helps us make the Internet a safer place.”

The DD4BC two-year ransomware rampage is a great example of how the lack of data and collaboration from targets can slow the process. Europol’s European Cybercrime Centre, a joint task force member on the case, cited the importance of incident reporting and information sharing to the investigative process and ultimate arrest of these criminals. Only the organization (target) can share its data with law enforcement.

We believe collaboration on actionable threat data is critical to the future cyber success of our customers and the industry. Together, let’s make this the new normal.