Using Threat Intelligence services to remain undetected.

Neils
Aug 4, 2015


We’re all stronger by sharing threat intelligence, right? If I know that organization X is infected by URL Y, then I can block that URL before it reaches my organization! There are valid reasons to share threat intel between organizations, but only between organizations that you can explicitly trust. Case in point: VirusTotal knowingly and unknowingly sold its threat intelligence and real-time API access to HackingTeam, thus aiding HackingTeam’s efforts to avoid detection by third parties. The intelligence hub became the perfect place for a snitch.

Early on, HackingTeam was a paying client of VirusTotal. This access supplied them with a real-time feed of all malware signatures and URLs fed to VirusTotal by researchers, allowing them to proactively watch for leaks of their exploits. Eventually VirusTotal started to get uneasy about this arrangement and cancelled their service agreement in November 2013.

According to HackingTeam’s own words about the falling out (translated by Google):

“Scary stuff, if we block the service we are blind to the leak … for me they understood the use we make of it, or we are too visible and “uncomfortable” as customers (and we [do] pay little). Daniele”

VirusTotal never made any comments or provided an explanation to HackingTeam as to why their account was cancelled.

But this wasn’t going to stop HackingTeam! They simply got their friends over at SecLab.it to purchase new licenses for them. From then on they kept a watchful eye on everything submitted to VirusTotal by every participating partner and researcher in order to spot their own leaks, and adjusted accordingly. This went on until the trove of HackingTeam data was made public and a person on Twitter spotted the subversion and tweeted to VirusTotal about it; only then did VirusTotal cancel SecLab.it’s license, on July 9th, 2015.

The most alarming part of all of this is that VirusTotal apparently had no way of knowing whether its services had been infiltrated by a rogue actor. It can be further argued that Threat Intelligence as a whole has set the security industry back, because it is fundamentally a losing game when the goal is to have as many clients as possible. You simply cannot check that every person with access to a feed is trustworthy.

That’s why I’m coining a name for a new line of security services called “Threat Intelligence for Threat Intelligence.” Think of it as a radar detector detector. All joking aside, someone needs to be developing this technology and incorporating it into their services. I would love to see a product page describing an entire line of services for countering the countering of the first service. Now, what does all of this mean for the consumer of Threat Intelligence? Sharing and participating can undermine your own efforts, and you need to take that into account when developing your organization’s security posture.

My question to you, the reader, is this: if a private company from Italy that sold exploit kits and services all over the world was using VirusTotal to stay off the radar, how hard would it be for nation states or determined criminal organizations to do the exact same thing? In my opinion, not very hard at all. By trusting a platform with no transparency to self-police its partners and clients, the opportunity for leaks to go undetected and undermine every other participating partner is vast. While it is possible to have a cyber-security ecosystem where sharing is beneficial, there are few cases where it proves to be worth the effort and cost. Threat Intelligence providers are financially incentivized to get their feed into as many places as possible. Because of that, the barrier to the walled garden is extremely low. All you need is cash and a good front, or you can simply go after one of the many clients/partners on the platform. One could argue that merely having access to a vetted feed increases your value as a target.

In a recent post by Robert M. Lee on the SANS Digital Forensics blog titled “Data, Information, and Intelligence: Why your Threat Feed is likely not Threat Intelligence,” Robert does a great job breaking down some of the fundamental problems with Threat Intelligence, and it is refreshing to see that people are realizing this. I would also like to echo his “*edit*” note: there are a few companies that produce a true threat intelligence product/service, but, contrary to the industry standard, they operate like a true intelligence organization and make it very clear that they do not sell a feed; they are selling a Threat Intelligence service. They are also extremely expensive services.

If you’re a Threat Intelligence service, don’t think for a second that your adversary isn’t already using similar methods against you, finding ways to subvert your efforts at every turn, and looking for ways to get an inside line to your clients. This is the next evolution in the history of anti-AV services. Before threat-feed and threat-intelligence snooping, the way malicious actors stayed off the radar was to employ antivirus sandbox testing services. The actor would run their new malware through every AV product to see if it got flagged. If it didn’t get flagged, then off to the races. If it did get flagged, then back to the drawing board. What we have now is detection evasion at web scale. It is no longer acceptable to be a security vendor with a giant backlog of tech debt and a priority of sales over platform security.

It’s difficult to be an effective intelligence service when your goal is to broadcast everything you know to everyone you have ever met.

-Neil, Independent Security Researcher.
