Cyber security coalition aims to change the game against malware

It’s good to see that “collaboration” is not just an empty word for the cyber security industry.

Novetta Solutions announced it is leading a cyber security coalition developed to interdict malware used by advanced threat groups, and to remediate the adverse impact of professional cyber espionage groups and other threat actors.

The group includes Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Symantec, Tenable, ThreatConnect, ThreatTrack Security, Volexity and other industry leaders.

Novetta teamed with these security industry leaders to execute coordinated remediation and disruption of activities tied to several families of malware used by advanced threat actor groups across the globe.

The effort was originally focused on the HiKit family of malware, with plans to expand to address other tools used by a particular threat actor group. The coalition’s efforts were tied to Microsoft’s Malware Software Removal Tool (MSRT) and other coalition signature and product updates to be released on October 14, 2014.

The targeted threat actor group under this effort has designed and used several tools and techniques that focus on remaining undetected by security researchers and law enforcement authorities while allowing attackers to quickly compromise and expand within targeted networks.

The observed targets of these attacks are large public network infrastructure providers, holders of extensive IP portfolios, and government entities from various countries in Asia and the United States. Technical details to be released in the comprehensive report, as well as the Executive Summary, indicate that this threat actor group operates out of China. Its motives appear to be oriented toward large-scale technology theft and intelligence gathering.

“We felt it was important to take action proactively in coordination with our coalition security industry partners. The cumulative effect of such coordinated approaches could prove quite disruptive to the adversaries in question and mitigate some of the threat activity that plagues the joint customer base of this coalition,” said Novetta CEO Peter B. LaMontagne.

This initiative is one of the first efforts under the Microsoft-supported Coordinated Malware Eradication (CME) program, which aims to bring organizations in cyber security and in other industries together to change the game against malware.

It seeks to go beyond reporting of malware and put into action tools and an approach that will better protect coalition customers. To date, the operation has acquired an extensive set of malware samples associated with this actor group, constructed an in-depth knowledge base of the malware family and associated tool chain, and has begun the process of shipping developed signatures and remediation recommendations to industry partners for internal and external consumption and use.

This coordinated effort provides a broader view and access to more data than if efforts had been undertaken by any one partner alone. “This is akin to an ‘open source software’ approach for cyber threat mitigation—the adversaries share and retool their malware. We need to do the same on the defensive side,” commented LaMontagne.

The coalition has published several preliminary triage reports (Symantec’s is among them) to outline this Advanced Persistent Threat group and several of the malware families it uses, and plans to release a comprehensive technical report by October 28, 2014.

That technical report will include a high-level overview of the threat actor group, some of the industries it targeted, and an overview of the malware families it used and their capabilities. It will also include an in-depth review of the group’s Tactics, Techniques, and Procedures and the coalition’s assessment, based on this larger narrative, of who the group could be.

As a result of this effort, Novetta and its coalition partners encourage other security vendors not only to analyze and report on these types of threats, but also to work within industry circles to share their finished and raw technical analysis with those in the industry who are able and willing to take action.