The Elephant in the Room

In the past couple of years there has been a shift in the infosec landscape. The shift has been caused by a style of attack that some companies had been dealing with for years before it. It has been labeled targeted attacks or Advanced Persistent Threat (APT). In a lot of ways the shift has been a good thing for the infosec community. Companies are starting to adopt new security technologies and methodologies and to build out teams to do analysis. Many large organizations are trying to implement internally what the anti-virus companies have in house. They want automation, classification and intelligence of malware. They want to use the data so they can create their own campaigns and mitigations to thwart this style of attack. Due to the limited number of targeted attacks against organizations, many anti-virus companies will not be able to detect the samples. Targeted malware differs from commercial-grade malware, banking trojans and other malware cruft because of the sample count. It's not as widely distributed as other forms of malware. Many anti-virus companies will never see targeted attack samples.

There are three things that are needed to battle targeted attacks. The first is detection, the second is mitigations to remove and prevent the attack and the third is intelligence of previous attacks. Anti-virus engines are designed for detection, blocking and removal. They are very powerful tools against known samples or known malicious behavior. In order to prevent targeted attacks, organizations have to have intelligence about their adversaries. Since targeted companies have not been able to rely on one technology, they have created a defense based off of intelligence. For more information on how the intelligence is used to prevent attacks please see Intelligence-Driven Computer Network Defense [1]. The intelligence comes from analyzing previous successful and unsuccessful attacks. The analyzed data is kept private. If the adversaries were aware of the mitigations taken against them they would shift infrastructure and tactics.

From an intel perspective the release of the data could be perceived as good for the community. Other intel analysts can cross-reference the data for building out and linking campaigns against their organization. It can also hold individuals targeting organizations accountable for their actions. This is very important when individuals are being targeted for their political, religious or other beliefs. From a defense perspective public intelligence has an estimated life cycle value of 24 hours. This of course depends on the sophistication of the adversaries. After that, the adversaries will abandon infrastructure, making the indicators from intelligence analysis of dated value. Which leads us to the elephant in the room.

When intelligence around targeted attacks is posted publicly, the data is of little value for people who use the data to protect their network. This is why the organizations that are commonly targeted do not share samples. The intelligence gathered from previous attacks is more valuable for protecting a network than the detection of the samples. By not sharing samples, organizations protect themselves by preventing intel and indicator leakage from antivirus companies and other third parties. With the rise of security companies joining in the intel field there needs to be a more subtle way of sharing intelligence around targeted attacks. Posting analysis and intelligence publicly alerts the adversaries and devalues intelligence.

Disclaimer:
I’m not involved in the intel community.
This isn’t singling out any companies, organizations or individuals.

Don't worry this won't be a common topic here. I'd rather write about reverse engineering and malware.

[1] Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
