kras99 - stock.adobe.com

Infosec industry calls for more public sector collaboration

As cyberattacks continue to rise, infosec professionals address the need to increase private and public sector partnerships to assist law enforcement operations.

While the private sector has increasingly contributed to law enforcement operations against cybercriminals and nation-state actors, infosec professionals agree there's more to be done as threats continue to rise.

Law enforcement agencies across the globe announced several takedowns over the year that successfully disrupted cybercriminal operations, particularly ransomware groups, and led to arrests of alleged threat actors in some cases. Many actions only temporarily impacted the threat landscape, and actors found ways to resume activities. But infosec experts agree they did make a difference.

In some cases, private sector collaborations made those law enforcement operations more successful through information sharing with government agencies. Those partnerships are important, but many infosec professionals told TechTarget Editorial they could be enhanced.

One of the most significant botnet takedowns ever, dubbed Operation Endgame, occurred in May. The international effort resulted in four arrests, more than 100 server seizures and 2,000 domain takeovers. The takedown disrupted several malware droppers, including IcedID, Smokeloader and TrickBot, that attackers often used to bypass detection tools to deploy ransomware. Operation Endgame involved agencies from all over the world as well as private industry partners such as BitDefender, Proofpoint and the Shadowserver Foundation.

Randy Pargman, director of threat detection at Proofpoint, expanded on Proofpoint''s contributions to the operation. Pargman told TechTarget Editorial that one goal Proofpoint set for itself is to share specific information it had discovered with law enforcement agencies, which can use it to take action against threat actors.

"Proofpoint threat researchers shared their technical expertise of botnet infrastructure, identifying new patterns in how the threat actors set up their servers and proactively identifying new malware infrastructure as it was created," Pargman said. "We lent our expertise in reverse engineering malware to provide accurate and insightful information about how the bot clients were designed and written, which helps law enforcement understand how to safely remediate it."

He added that threat researchers helped law enforcement identify the largest and most effective malware distribution campaigns. "We also used our extensive knowledge of how many botnets started and grew over time to identify the new botnets that are most likely to grow and become the dominant threats affecting the most number of people around the world," Pargman said.

There are other ways private sector companies can assist law enforcement efforts. Mark Lance, vice president of digital forensics and incident response at GuidePoint Security, said his company urges clients they've worked with to set up threat intelligence sharing groups. "We're not asking them to share trade secrets with their direct competitors but share with what you're dealing with because everyone's dealing with it, so let's be open and learn from it," Lance said. "There used to be a stigma associated with incidents, like they don't want to talk about it, and no one will acknowledge it."

An international law enforcement effort named 'Operation Endgame' seized several malicious domains for botnets and malware loaders.
A massive botnet takedown, dubbed 'Operation Endgame,' disrupted several notorious malware loaders and led to more than 2,000 domain seizures as well as four arrests.

Need for increased contributions

While infosec experts agreed that transparency is increasing across the industry, which helps quell cyber threats, there is more the private sector could be doing. Raj Samani, senior vice president and chief scientist at Rapid7, highlighted the need for increased awareness around The No More Ransom Project as one area that needs improvement. The joint initiative with law enforcement and cybersecurity vendors launched in 2016 to help ransomware victims recover without giving into ransom demands. No More Ransom offers decryptors and provides ransomware awareness resources.

Samani said he always highlights the project during speaking engagements he attends around the globe, but responses can be discouraging.

"I always ask people if they've heard of it and even at conferences like RSA. The most I've ever gotten is 20% with hands up, and that's our industry," Samani said. "If 80% of my audiences, who know my background, haven't even heard of No More Ransom in our industry, what hope do we have of anyone else? I'm dismayed."

Tony Anscombe, chief security evangelist at ESET, also said private sector efforts could be more effective. As of now, he described the sector's efforts as "reactive."

He also stressed that while collaboration is important, law enforcement actions might need to shift to the source of the problem, which he said is money. Ransomware groups and other cybercriminal operations are fueled by cryptocurrency, which is challenging to trace.

"I think you should try and take the source out, but that's complicated. Make it illegal to pay someone who doesn't have a verified identity," Anscombe said. "If you stop the payment, you not only restrict ransomware, but you restrict the cybercriminals moving to some other method because you can't get the money out."

Patrick Sullivan, CTO of security strategy at Akamai Technologies, said recent government takedowns are beginning to change economics for the attackers. For example, in May, authorities identified and sanctioned the LockBit ransomware group's alleged ringleader, Dimitry Yuryevich Khoroshev, who is known as LockBitSupp. Since the law enforcement action exposed LockBitSupp, industry experts say it will make other threat actors think twice before working with him if they want to get paid.

Sullivan stressed that private sector companies are increasingly promoting transparency and collaboration where they can, even among staunch competitors. While companies might engage in aggressive marketing against rivals, the researchers and engineers at those same companies will join forces behind the scenes to share data and intelligence to assist government efforts.

"We all want to stop attacks as they come in. But anything you can do to help stop them -- whether it's the economic incentive or helping law enforcement remove some of the adversaries or [tearing] down infrastructure -- will help."

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.

Dig Deeper on Threat detection and response