As cyber attacks swell, a move toward improved industry collaboration
At the First Conference for computer security in Boston’s Park Plaza Hotel last June, Andre Ludwig listened as Holly Stewart, a product manager for Microsoft’s Malware Protection Center, lectured to a crowd of cyber professionals about a new program that would unite organizations against the growing wave of malware that infects computers across the globe. The Coordinated Malware Eradication program, or CME for short, calls for organizations to pool their resources—from tools to strategies—to fight the onslaught, she explained. Instead of beating malware back when it flares up, a coordinated response can eradicate it altogether.
And that’s when Ludwig, a senior technical director at the data analytics company Novetta, had an idea. “We had just started working on some instrumentation against HiKit malware,” he says. “That requires a massive amount of reverse engineering and intelligence. My first thought was, ‘Oh, I’ve got something for you.’” Ludwig cornered Stewart after the presentation and the pair chatted about knocking heads together. In hindsight, the benefits seemed obvious.
At a time when Moscow has shown a willingness to wage digital war and Chinese espionage is considered an economic strategy, the U.S. cyber security industry is moving toward more cooperation. In September, at FireEye’s MIRcon 2014 conference in Washington, D.C., Ret. Gen. Keith Alexander implored a swarm of industry veterans—from Microsoft (MSFT) security experts to the Belgian police’s cyber division—to abolish cyber crime entirely by banding together with each other and the federal government. Distrust of the National Security Agency aside, the sentiment resonates: If gangsters, businesses, and hostile states can team up, why can’t we?
In October, Novetta and others announced the beginning stage of Operation SMN, a collaborative battle against the HiKit malware family, a favorite of well-funded and sophisticated hacking groups. Ten days later, the coalition released a report on the effects: 43,000 separate installations of tools related to Axiom, a prominent cyber espionage group allegedly sponsored by the Chinese state, were removed from machines covered by Operation SMN; 180 of those were examples of HiKit.
“We’re really pleased with how this played out,” Novetta CEO Peter LaMontagne says. “Since the release, we’ve had significant success in degrading the capabilities of the malware, and the actors relying on it.”
Operation SMN marks the first time that computer security players such as Microsoft, Symantec, FireEye (FEYE), and Cisco (CSCO) are bonding without using federal or international law enforcement agencies as glue. In July Symantec, Microsoft, and other firms partnered with the Federal Bureau of Investigation and the United Kingdom’s National Crime Agency to take down Operation Zeus and Cryptolocker, both criminal operations devoted to financial fraud. In May several firms worked with the FBI and Europol to arrest dozens of users of Blackshades, a remote-access Trojan sold to entry-level hackers in online black markets.
Groups like Axiom, also known as Hidden Lynx, operate with what LaMontagne calls “extremely impressive” capabilities and resources, focusing on items in China’s stated five-year agenda. In 2012, the group targeted a tech hardware manufacturer contracted with the U.S. government. Unable to breach the security system, which was provided by the Waltham, Mass. security firm Bit9, Hidden Lynx instead broke into Bit9 itself to steal signing certificates and place malicious binaries onto the company’s servers.
Operation SMN takes a page from the enemy’s playbook: sharing is caring. Groups like Hidden Lynx operate with massive synergy, says Eric Chien, a senior technical director at Symantec (SYMC). Industry is moving to operate the same way, uniting technical experts by a love for problem-solving. “This didn’t come from the top-down, executive level,” LaMontagne says. “This was a personal interaction between really smart, really talented people in each organization who wanted to help each other out with their respective problems. We wanted to get back to that informal, hackathon-style interaction and the open-source ethos that goes with it.”
And perhaps make fighting malware a faster, less frustrating process. “This is a prototype for a new methodology that shifts away from just observe and report,” Ludwig says. “This is collaboration for a more proactive approach of observe, analyze, distribute, then report. It’s a shift in the way we can solve problems.”