COVID-19 Has United Cybersecurity Experts, But Will That Unity Survive the Pandemic? – Krebs on Security

HomeCovid-19COVID-19 Has United Cybersecurity Experts, But Will That Unity Survive the Pandemic? – Krebs on Security
April 16, 2020

The Coronavirus has prompted thousands of information security professionals to volunteer their skills in upstart collaborative efforts aimed at frustrating cybercriminals who are seeking to exploit the crisis for financial gain. Whether its helping hospitals avoid becoming the next ransomware victim or kneecapping new COVID-19-themed scam websites, these nascent partnerships may well end up saving lives. But can thisunprecedented level of collaboration survive the pandemic?

At least three major industry groups are working to counter the latest cyber threats and scams. Among the largest in terms of contributors is the COVID-19 Cyber Threat Coalition (CTC), which comprises rough 3,000 security professionals who are collecting, vetting and sharing new intelligence about new cyber threats.

Nick Espinosa, a self-described security fanatic, author and public speaker whos handling communications for the CTC, said the group does most of its work remotely via a dedicated Slack channel, where many infosec professionals seem eager to counter the gusto with which the cybercriminal community has sought to profit by exacerbating an already difficult situation.

A nurse or doctor cant do what we do, and we cant do what they do, Espinosa said. Weve seen a massive rise in threats and attacks against healthcare systems, but its worse if someone dies due to a malicious cyberattack when we have the ability to prevent that. A lot of people are involved because theyre emotionally attached to the idea of helping this critical infrastructure stay safe and online.

Using threat intelligence feeds donated by dozens of cybersecurity companies, the CTC is poring over more than 100 million pieces of data about potential threats each day, running those indicators through security products from roughly 70 different vendors. If at least 10 of those flag a specific data point such as a domain name as malicious or bad, it gets added to the CTCs blocklist, which is designed to be used by organizations worldwide for blocking malicious traffic.

For possible threats, meaning between five and nine vendors detect an indicator as bad, our volunteers manually verify that the indicator is malicious before including it in our blocklist, Espinosa said.

Another Slack-based upstart coalition called the COVID-19 CTI Leaguespans more than 40 countries and includes professionals in senior positions at such major companies as Microsoft Corp and Amazon.com Inc.

Mark Rogers, one of several people helping to manage the CTI Leagues efforts, told Reuters the top priority of the group is working to combat hacks against medical facilities and other frontline responders to the pandemic, as well as helping defendcommunication networks and services that have become essential as more people work from home.

The group is also using its web of contacts in internet infrastructure providers to squash garden-variety phishing attacks and another financial crime that is using the fear of COVID-19 or the desire for information on it to trick regular internet users, wrote Reuters Joe Menn.

Ive never seen this volume of phishing, Rogers told Reuters. I am literally seeing phishing messages in every language known to man.

Among the more mature organizations working to counter the threat from COVID-19 scammers is the Cyber Threat Alliance, a industry group founded in 2017 that counts among its members more than two dozen major cybersecurity firms that are all required to regularly share threat intelligence with other members.

One thing were paying attention to in addition to phishing and malware attacks is anything targeting stuff involved in the pandemic response, such as the manufacturers of protective gear, testing kits, or hospitals, CTA President Michael Daniel told KrebsOnSecurity. One of those organizations getting hit with ransomware now would be really bad, and we want to make sure if we see that were alerting and working with law enforcement.

Earlier this month, the international police network INTERPOL issued a warning to law enforcement in nearly 200 member countries, saying it had detected a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response.

The alert came after several top ransomware gangs pledged a moratorium on attacking hospitals and other care centers for the near future. Nevertheless, these group have continued to target companies on the periphery of the pandemic response, including virus testing labs, N95 mask production facilities, and companies engaged in vaccine research.

The CTCs Espinoza said it would be a potentially fatal mistake to assume all cybercriminal groups might observe such a cease-fire.

We might have independent criminal groups saying they wont hit hospitals but theyll hit everyone else, but that doesnt prevent them from sending phishing emails and masquerading as the World Health Organization or the Centers for Disease Control, he said. These are people who have no problems locking out little old ladies out of their computers for 800 bucks, and of course there are state-sponsored hackers who love any opportunity to sow discord and disrupt things.

The CTAs Daniel said while its great to see so much voluntary collaboration between the cybersecurity industry, governments and law enforcement, hes been thinking a lot lately about how to sustain these relationships and networks once the urgency of the pandemic subsides.

Formerly special assistant to President Obama and cybersecurity coordinator on the National Security Council, Daniel said he sees preserving and enhancing this information sharing effort post-COVID as one of the biggest policy issues facing the federal government over the next few years.

Information sharing is easy to talk about, and hard to do in practice, Daniel said. I dont use the term public-private partnership because its been bandied about so much over the years that I dont know what it means anymore. Its probably best described as working together on an operation.'

What prevents private companies from working more closely and frequently with governments on operations to target cybercrime organizations and networks? Daniel said on the government side, there are real concerns that working with one or two particularly clueful or effective companies (versus all of them) might give the impression that the government is showing favoritism, or picking winners and losers in the market.

But you have to do that to some extent because the truth is some companies matter in this space, and a lot dont, Daniel said. The government has to accept that, determine what are the objective rules, and establish transparency so that [their efforts] arent seen as some secret club but as part of a normal process.

Daniel said governments in general also need to get more comfortable sharing information about operations targeting specific crime groups in advance of those actions.

The government has to figure out how to let the private sector in on some of the planning and preparation, he said. If you want [the cybersecurity industrys] help against certain targets, you have to tell us who they are ahead of time. But this goes against how governments operate in almost every way.

On the private sector side are issues of how for-profit companies can closely collaborate with the government without being perceived as potentially compromising the privacy and security of their customers, or as simply an agent of the government.

For companies, the question is how do you deal with the liability and other questions that come with that, Daniel said. These are very real impediments, and why I think we need to get past the endless discussions of public-private partnerships and start talking about what we can do to coordinate actions against these groups so we can have a more strategic impact on the adversary.

Tags: COVID-19 Cyber Threat Coalition, Cyber Threat Alliance, Joe Menn, Mark Rogers, Michael Daniel, Nick Espinosa

This entry was posted on Wednesday, April 15th, 2020 at 11:28 amand is filed under The Coming Storm.You can follow any comments to this entry through the RSS 2.0 feed.You can skip to the end and leave a comment. Pinging is currently not allowed.

Excerpt from:

COVID-19 Has United Cybersecurity Experts, But Will That Unity Survive the Pandemic? - Krebs on Security

Related Posts
Tags: