Creating a Malware Intel Sharing SystemSafety in Numbers as Groups Add Threat Data to Knowledge Base
Titan, the malware intelligence system developed by Georgia Tech Research Institute, aims to create an information sharing center for all industries. How will the system work and how can organizations participate?
Titan came about as a result of existing intelligence systems being narrowly tailored to individual companies and groups, and these systems never really grasped the "big picture," says Chris Smoak, research scientist at GTRI. "With Titan, we really want to be able to meld these communities together and be able to bring together both the analysis and information sharing," he says in an interview with Information Security Media Group's Eric Chabrow [transcript below].
By enabling anonymous reporting, organizations can contribute their data and eliminate the stigma that sometimes exists around organizations that don't want to "air their dirty laundry," Smoak says.
Organizations will be able to access one central system where participants can see malware threats from a global perspective and how organizations remediated them, he says.
For organizations interested in participating, Smoak encourages them to reach out via e-mail, and then GTRI will initiate a phone call to vet potential members, bringing in those who truly can contribute and eliminating any potential "bad actors."
Smoak, in the interview, explains how:
- Titan works;
- The malware intelligence system meshes with efforts of industries' information sharing and analysis centers and computer emergency response teams;
- Organizations can participate in the initiative.
Smoak has more than a decade of security-related experience, including building defensible systems and advanced malware and exploitation research. He directs research efforts geared toward automated, dynamic malware analysis to help detect and mitigate compromises. Smoak has worked to identify common attack vectors and methodologies employed to compromise computer systems and operate undetected. He holds the CISSP certification.
Titan: The Overview
ERIC CHABROW: The malware intelligence system is known as Titan. What's the genesis of the Titan project?
CHRIS SMOAK: Titan came out of a couple needs that we saw in the industry. Primarily, we noticed that there were a lot of systems ... that dealt with malware analysis. A lot of folks have been creating these systems over the past five or ten years, making them more automated to deal with increased malware volume, and the problem we saw was that each individual company or group has their own system, but then never really talked, number one, and number two they don't always grasp the big picture. We couple this with the fact that a lot of malware researchers and folks that are actually performing remediation on networks tend to rely very heavily on close personal associations with other folks in the industry and other organizations, even competitors in fact, to actually exchange information of what they're seeing on their networks, and these types of groups have done very well in the past, but we noticed that they're just not quite broad enough.
With Titan we really want to be able to meld these communities together and be able to bring together both the analysis and the information sharing. So instead of having point of contact you have with a competitor firm or at another associated vendor or workplace, you have one centralized place to go and you share in an anonymous fashion. Often times there's a stigma associated with sharing malware that you find on your network and people kind of don't want to air their dirty laundry so to speak. We're enabling Titan to be anonymous by default. So when you come into the system, you're anonymous. All of your contributions and all of your sharing is anonymous. You can choose later on to de-anonymize yourself to single users.
Interestingly enough, what this will do is hopefully get folks interested in just sharing that data. So instead of e-mailing a list or calling a friend I know within a different industry or in the same industry and sharing that information, I have one system where if someone has seen it within a global scope, we can see how they remediated it, what kind of issues they saw with it and all the particulars. Then you couple that with the fact that you have the malware analysis piece there as well. As our technologies grow, the modules inside of Titan - which can be plugged in and pulled back out - can be modified very quickly as technologies change to increase the fidelity of that data and the data that you're actually sharing.
CHABROW: If I'm an organization that wants to participate in Titan, what do I have to do and how does it work in that respect?
SMOAK: Right now we're in the beta-testing phase for Titan. We believe the next month or so, by mid or late summer of 2012, we plan on actually opening it. For right now, we're looking for partners who are interested in engaging with us. All they need to do is e-mail us at firstname.lastname@example.org and say they're interested in Titan and we'll basically follow-up with a phone conversation. We do a little bit of vetting to make sure that people are actually able to contribute and people that need this have access to it and try to keep the bad guys out obviously. But we do a little phone conversation, and then we set you up with an account and what that account means is the organization now is able to apply members to the system and start contributing.
Combating Threat Landscape
CHABROW: How will Titan make a difference in the ever-growing threat landscape?
SMOAK: I think primarily it's the fact that we're now going to hopefully, with Titan, bridge the gap between industry and government and academia and have really all the players that are all in the same boat when it comes to threats really talk to each other, and we have one system that's dedicated to allowing that anonymous communication and allowing that sharing without relying on those kinds of personal communications. If one of your friends at a competitor's firm leaves, you no longer have a point of contact over there. That's a big loss. With Titan, you have the ability to just go back to that system and you'll find another person that's in the same boat as you and effectively it can supplement in a way your own resources as far as dealing with malware.
Judging Its Effectiveness
CHABROW: How will you judge whether Titan is effective or not?
SMOAK: I think Titan will be judged primarily by its usage. Today, the system exists as a really strong - we believe - malware analysis platform, but the real key is to get those users and right now we have about 8-10 very high-profile groups within government and industry that are working with us as partners. As we continue to grow that, I see in a year's time a success criterion for us would be we have hundreds of members that are actively contributing to the group and that we see a lot of success stories; we see a lot of folks come to us and say, "I saw something in Titan that I was able to catch in my network two weeks before they tried that particular attack vector on us."
CHABROW: How would Titan work with industry ISACs - information sharing analysis centers - or CERTs?
SMOAK: I would like Titan to be a supplementary organization to the existing groups you mentioned. Realistically, there are some that are very focused on certain industries for very good reasons, because obviously there are some threats that are so specifically unique that it might be useful. But I still think that in a global scope, as a broad brush, even within industries, I would love to see Titan get a bigger foothold in that kind of an arena because what we find over time is that sometimes malware will attack a certain industry. It may be tested on academia or higher education and it may eventually then move into oil and gas or other industries. Being able to communicate across those industries is critical. When it comes to CERTs, I believe it's equally useful primarily because a lot of the CERTs are able to basically act in a reactive fashion right now. That has kind of been the de facto standard for security over the past couple of years.
As we see more and more threats, and Titan processes over a 100,000 samples per day, we see this broad kind of scope malware and the interesting part about that is we can start making some very interesting trend decisions and understand where, from a forecasting perceptive, we think things will go in six months or in a year, and that kind of thing is really critical to understand. If we think that we see more vectors attacked and spear phishing e-mails [coming in] today and we expect it to go more mobile in the next six months, [it] can really help organizations and CERTs get on top of the problem before they really start realizing those attacks.
CHABROW: What's up next for Titan once you get through the beta stage?
SMOAK: Hopefully we will have a solid base of users by the time we go live. The interesting part about Titan is that it's never going to really be finished. We constantly are taking in feedback from users what they would like to see and user interface designs. We're constantly re-rolling those back out and providing those updates. And the fact that Titan in itself has a modular and pluggable analysis interface means that all of the research that Georgia Tech is doing on malware, a lot of research that we're hoping to pull in from other higher education universities, perhaps graduate students, PhD students, as they do their analysis they need to access to samples and they need access to data to be able to do that. We may have the next PhD student that has the greatest approach toward analyzing malware that just doesn't have the data he or she needs to get the job done. We'd like to bring all of those in and really continue to start growing the analytical perspective, analytical portion of Titan so that it really does become the place not only for threat sharing but also [that] we have the latest and greatest, most cutting edge, analytical techniques available.
CHABROW: Anything else you would like to add?
SMOAK: I really hope that listeners think really hard about the issues that they're having and how we really are trying to implement a paradigm shift here in how we think about malware. Everyone really is affected by this type of thing. The saying that's been going around for a year or more than that [is] there are two types of people basically. One [is] an organization that recognizes they've been the victim of these types of malware attacks and then one that has been the victim but doesn't know it yet. Realistically, we need to recognize that it's not a stigma; it's not saying anything necessarily bad about your organization to recognize that you've had problems with malware. It's really time that we all come together as a community, share what we know, facilitate all of that sharing and then the community as a whole will be much better for doing so.