CryptoWall 3, the Cyber Threat Alliance and the Future of Information Sharing

Executive Summary

The Palo Alto Networks vision for threat information sharing is that cybersecurity vendors should share the intelligence that they all individually collect with each other and with whomever else has the capacity to consume it. In that way, each vendor can build more innovative products with that superset of intelligence and better protect their combined customer bases because of it.

Project Redstone, the results of which we announced today, was a 90-day proof-of-concept designed to test the value and practicality of security vendors collaborating against one cyber adversary campaign in the summer of 2015: the campaign associated with CryptoWall version 3.  The project showed immediate tactical success and demonstrated the value of such a collaborative information sharing arrangement. That said, the project also identified four capability gaps that Palo Alto Networks must solve in order to share intelligence on 5,000 adversary campaigns, every day in real time:

1. How to convert large volumes of Indicators of Compromise into prevention controls;
2. How to measure alliance member contributions with more granularity;
3. What is the common set of success metrics for deployed security controls across Alliance membership; and
4. What is the right sharing architecture that works at scale.

Introduction

Palo Alto Networks has a bold vision about threat Information Sharing. We believe that cyber threat intelligence collected by security vendors should be shared by all. We believe that the intelligence all security vendors collect through their vastly deployed product sets should not be marketed individually to promote product differentiation or rolled out as an additional revenue stream. Instead, we believe that all security vendors should have access to the same threat intelligence so that individually each vendor can build better and more innovative products to protect its customers. Those innovations are how the security vendors will distinguish their products in the market place. More importantly, the result of that cooperation among security vendors will exponentially provide better threat prevention capabilities to the shared global customer base. Palo Alto Networks helped found the Cyber Threat Alliance with that vision in mind.

Officially formed on September 4, 2014, with nothing more formal than a common Non-Disclosure Agreement (NDA), the Cyber Threat Alliance members began working through the issues of how a group of competitive security vendors could share threat intelligence with each other. Two issues became paramount: building trust between all members and establishing an infrastructure that could facilitate the sharing of large volumes of threat intelligence.

While the Cyber Threat Alliance began working those two issues, other security vendors who agreed with the vision came on board: Barracuda, ReversingLabs, Telefonica, and zScaler. At the White House Summit on Cybersecurity and Consumer Protection held at Stanford University in February 2015, President Obama signed an executive order directing the creation of new Information Sharing and Analysis Organizations (ISAOs) and praised the Cyber Threat Alliance as a model for the way forward.

Three organizational principles distinguish the Cyber Threat Alliance from other existing information sharing groups.

• The first is that every participating member must contribute. No members can simply consume the shared intelligence. They must share in equal quantities and the Cyber Threat Alliance measures the volume and quality of intelligence contributions daily to ensure compliance.
• The second is that whatever is shared by individual members is deployed across all other members’ product lines. For example, when Palo Alto Networks shares malware samples with the Cyber Threat Alliance, all other Cyber Threat Alliance members use that intelligence to strengthen their individual product sets and vice versa.
• The third is that Alliance members will update their security controls to their deployed products within their respective customer bases without the customer having to review and install themselves. In the traditional ISAC (Information Sharing and Analysis Center) model for example, customers must decide that they want to share intelligence. They have to package it up and send it off to their respective ISAC Security Operations Centers. Once the new intelligence arrives, the ISAC Security Operations Center must process the information, transform it into useful intelligence and distribute it to the other ISAC members. Once the ISAC members receive the new intelligence, they have to read it, understand it, decide if it is pertinent to their organization and if it is, develop security controls for their organization and deploy them in a timely manner. The process provides good intelligence, but it is also slow and cumbersome. The Cyber Threat Alliance system eliminates the customer as a middleman. Alliance members automatically deploy the right security controls to their deployed systems making the process more efficient for their respective customer bases.

In June 2015, the Alliance founding CEOs met to discuss the next steps for the Cyber Threat Alliance. Now that trust had been established and a rudimentary infrastructure had been built, where should they take the organization?

The original charter stated that all members would share 1,000 unique malware samples with each other daily as the price of admission to the Cyber Threat Alliance. But security experts estimate that adversaries create approximately 1 million unique pieces of malware a day. The CEOs understood that 1,000 shared samples a day between Alliance members is not that significant. On one hand, having competitors share and collaborate on threat intelligence is a good thing for the security industry. On the other, if we are going to go through all this effort, shouldn’t it be for some meaningful goal?

The Big Hairy Audacious Goal (BHAG) that emerged was what if the Cyber Threat Alliance members decided to share adversary campaign information with each other? Instead of simply sharing newly discovered malware, what if the Cyber Threat Alliance dedicated itself to sharing the entire playbooks, the Indicators of Compromise throughout the cyber attack lifecycle, for every cyber adversary operation that is known? The implications of that idea could be a game changer.

Experts from the Cyber Threat Alliance estimate that the number of adversary campaigns that exist in the world at any given time could be as many as 5,000. This is not the number of attacks. This is the number of existing playbooks that adversaries use to conduct those attacks on multiple victims. Other experts not in the Cyber Threat Alliance say the number is higher -- roughly 25,000 -- and others say it is much smaller, roughly 500. Regardless of the actual number, what is interesting is that the number is not 1 million or even 100,000. The number of existing adversary playbooks is in the thousands. Analysts can track a thousand items in a spreadsheet. This is a manageable number, and that means something that can be done if the Cyber Threat Alliance focuses the right resources on the problem.

If the Cyber Threat Alliance was able to share Indicators of Compromise (IOCs) down the cyber attack lifecycle for every adversary campaign that is known, members of the Cyber Threat Alliance could automatically deploy threat prevention controls to their products and to their customer base potentially in real time. If the Cyber Threat Alliance membership grew large enough, the membership roles would reach a tipping point where every organization – commercial, government and anything else – that connects to the Internet would have at least one Cyber Threat Alliance member’s product deployed within their networks helping to defend it against attacks. At that point, every organization on the planet connected to the Internet will have the latest and greatest attack prevention controls within minutes of discovery.

That is a bold and disruptive idea and it could revolutionize the business.

The founding CEOs decided to run a proof a concept. Instead of tackling 5,000 adversary campaigns at once, they tasked the group to focus on one campaign: collaborate on one playbook to see if the intelligence collected and shared amongst members is better than what the individual Alliance members collect on their own. And they gave the team 90 days to do it. The name of the project was called Redstone and the CEOs met on October 1, 2015, to discuss the results.

Project Redstone: “Lucrative Ransomware Attacks: Analysis of the Cryptowall Version 3 Threat

The Cyber Threat Alliance intelligence analysts focused on the adversary campaign associated with the malware called CryptoWall version 3. CryptoWall version 3 is a nefarious piece of ransomware that encrypts the data on victim’s laptops and consequently demands payment in return for the key that can unlock the data. It is one of the most lucrative and broad reaching ransomware campaigns affecting the customers of the Cyber Threat Alliance members today. Project Redstone was the Cyber Threat Alliance’s attempt to work collaboratively to disrupt this ransomware campaign.

The Cyber Threat Alliance founding members handpicked their best intelligence analysts for Project Redstone. The analysts worked independently during the week but collaborated daily through a chat program called Slack. They conducted weekly progress meetings with the Cyber Threat Alliance working committee to receive guidance and resource support. They deployed a CryptoWall version 3 tracker for public consumption and posted it on the Palo Alto Networks website. This will track new instances of CryptoWall version 3 emerging in the future. During the 90 days, they drafted a white paper describing the results of their research.  In the end, they discovered that each founding member knew something about the CryptoWall version 3 campaign that the others did not. In total, after they finished their research, the combined analyst team identified the following:

• $325 million in estimated revenue generated by the adversary campaign
• 406,887 attempted infections across the Cyber Threat Alliance customer base
• 839 Command & Control URLs used by the campaign
• 5 Second Tier IP Addresses used for Command & Control by the campaign
• 49 Campaign Code Identifiers attributed to the campaign

Palo Alto Networks Information Sharing Capability Gaps

In addition to participation in the Cyber Threat Alliance, Palo Alto Networks also shares threat intelligence with other non-vendor organizations and individuals who have the capacity to consume it and whom are willing to share with us. With all of these relationships, the types of sharing generally fall into two buckets.

The first bucket contains large collections of Indicators of Compromise that have no context about specific adversaries at all. They are simply collections of random bad guy activity that somebody, somewhere declared was malicious. This is not helpful. Single Indicators of Compromise by themselves, even if you have a large set of them, are prone to false positives. In order to give them validity, you have to attribute them to the playbook of an adversary. In that way, your Security Operations Center is not looking for a single Indicator of Compromise. Your Security Operations Center is looking for a percentage of Indicators of Compromise about one adversary. If you only see 1/100 in your network, your confidence that a specific adversary is in your network is not high. But if you see 60/100 in your network, your confidence is very high that a specific adversary has compromised your network.

The second bucket usually contains Indicators of Compromise about one adversary. While this is useful as far as it goes, it is not enough. We want to track 5,000 campaigns, every day, in real time.

If the industry is going to make this information sharing concept useful, we need a different bucket. We need a bucket that contains the changes noticed by the information sharers about 5,000 adversary playbooks every day. That is a big ask and we can’t do it today unless we solve some technical issues. From a Palo Alto Networks perspective, there are four research gaps that we must close in order to make this thing work at scale:

1. Convert Large Volumes of Indicators of Compromise into Prevention Controls: The first capability gap that Palo Alto Networks must solve is how to ingest large volumes of newly discovered Indicators of Compromise from outside sources and convert them into brand new prevention controls for our product line. About half way through Project Redstone, Palo Alto Networks realized that the combined Cyber Threat Alliance intelligence team was discovering reams of new Indicators of Compromise, but we did not have the ability to quickly turn them into prevention controls for our customer base. This was a semi-manual process for us and this does not scale.

2. Measure Sharing Contributions with More Granularity: The second capability gap we have to solve is how to measure the value of information shared. Our initial thought was that counting Indicators of Compromise down the cyber attack lifecycle, or Kill Chain, from each sharing partner might be sufficient. But Project Redstone showed us that not all Indicators of Compromise are created equal. On the one hand, a sharing partner might provide 100 Indicators of Compromise that are so common that intelligence analysts from Unit 42, the Palo Alto Networks threat intelligence team, will not be able to distinguish them among multiple adversary campaigns.

In other words, they do not help us identify the specific adversary campaign we are trying to track. On the other hand, another sharing partner might provide one Indicator of Compromise that is the linchpin to attributing the entire campaign. Clearly, counting Indicator of Compromise volume between sharing partners is not the right metric. Further, using the Kill Chain to categorize Indicators of Compromise might not be sufficient either. Distinguishing Indicators of Compromise in the Recon, Delivery and Installation stages of the lifecycle is very difficult. A new approach might be called for or if not, we have to get a lot smarter about how to do it with the cyber attack lifecycle model.

3. Develop Common Success Metrics for Deployed Security Controls: The third capability gap that the security community must develop is a way of collecting success metrics for deployed security controls. When the Alliance analysts finished their research and each individual member company finished deploying their prevention controls to their respective product lines, all Alliance members struggled with capturing meaningful metrics that demonstrated that the deployed prevention controls stopped actual adversary activity. First, since all Alliance members have their own language around how to describe this activity, there was no common language to normalize the information. Second, all security vendors struggled with their respective customer bases about what intelligence is acceptable to share from the customer enterprise to the security vendor intelligence cloud. There are many reasons for this, privacy concerns are the chief among them, but security vendors and their respective customer bases must come to terms with the idea that sharing bad guy information is not sharing company secrets. If the security community wants to establish meaningful metrics around the security controls we all deploy, we have to come to terms with this notion.

4. Identify the Sharing Architecture that works at Scale: Finally, the fourth, and probably most important capability gap, is the sharing infrastructure. In parallel to Project Redstone, the Alliance technical team started to build out the first working STIX/TAXII instance for the Cyber Threat Alliance members. They did not finish their work until after the research for Project Redstone was complete. Project Redstone analysts relied on their chat program and a shared Box folder to exchange information. This is highly inefficient, does not scale and demonstrates the need for an installed information sharing infrastructure. Further, Cyber Threat Alliance analysts are beginning to suspect that STIX/TAXII may not be the sharing standard that we need for this kind of research. For what we are trying to do, the STIX/TAXII framework has some limitations namely in the area of scaling. At Palo Alto Networks, we either need to determine how to use STIX/TAXII more efficiently or adopt a new framework altogether.

Palo Alto Networks Future State for Information Sharing

In order for Palo Alto Networks to pursue the vision articulated by the Cyber Threat Alliance Founding CEOs -- that members of the Alliance will innovate their product lines based on a common shared intelligence and exponentially protect their respective customer bases at the same time – a focus on scaling the Palo Alto Networks operation is required.

In order to track the changes in approximately 5,000 adversary campaigns daily, share that intelligence with all of our sharing partners, and convert that intelligence into real prevention controls for the Palo Alto Networks customer base in a timely and efficient manner, the capability gaps identified above must be closed. For the next six months, the Unit 42 technical team will focus their efforts on these issues.

Conclusion

The vision of the Cyber Threat Alliance is a classic BHAG (Big Hairy Audacious Goal). Project Redstone was the Alliance’s proof of concept that the vision is possible. While the result showed some immediate tactical success, Palo Alto Networks realizes that there are four capability gaps that must be solved in order for the effort to scale. These are all hard but solvable problems. I am hopeful. In the mean time, when non-Alliance vendors come to your door to pitch their wares, ask them why they are not member of the Cyber Threat Alliance. We currently have eight members. We want 50 and we need their help.