How the Shadowserver Foundation helps network defenders with free intelligence feeds

In this Help Net Security interview, Piotr Kijewski, CEO of The Shadowserver Foundation, discusses the organization’s mission to enhance internet security by exposing vulnerabilities, malicious activity, and emerging threats.

Kijewski explains the foundation’s automated efforts to track and disrupt cybercrime, while providing support to law enforcement and offering capacity-building services globally.

Could you provide an overview of the Shadowserver Foundation’s mission and approach to securing the internet?

The Shadowserver Foundation’s mission is to make the internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. We do so by providing free early warning, threat/vulnerability intelligence feeds and victim notification services to CSIRTs and network defenders worldwide.

By providing actionable intelligence we help equip CSIRTs and network defenders worldwide with the information needed to secure their networks and/or constituencies. We serve 201 National CSIRTs covering 175 countries and territories and 8000+ other organizations across a wide array of sectors. Any organization that has an internet presence can subscribe to our free daily notification services.

As a small organization (30 people) we can only achieve the above global impact through large-scale automation. We collect security related events at scale via sinkholing of malware/botnets, scanning for exposed/vulnerable/compromised assets, honeypot sensors that observe the latest attacks against exposed assets and by analyzing the latest malware at scale in sandboxes. We share around 1,000,000,000 cyber events daily with the community, responsibly and at no cost.

We also provide free technical support to law enforcement cybercrime disruption operations. We have played a critical, behind-the-scenes role in many significant actions against cybercrime, supporting our Law Enforcement and industry partners with technical capabilities, investigative assistance and victim notification channels.

We provide cybersecurity capacity building services around the world (typically funded through various grants, such as from the UK Foreign, Commonwealth and Development Office – FCDO) in areas of threat detection, cyber threat intelligence and incident response. This helps secure networks globally, which means that these networks cannot be used as proxies for attacks against others.

What are some of the most significant changes in malware and botnet activity that Shadowserver has tracked in recent years?

Threat actors have moved away from building huge botnets of infected Windows computers and using banking trojans to steal money via wire transfers to money mules. Botnets now tend to be smaller, and more focused on gaining access to high value targets.

Today, initial access brokers develop exploits for exposed public facing services and gain access to corporate networks. Ransomware-as-a-Service affiliates then deploy an array of ransomware families to encrypt victim data and extort payment through the threat of publishing victim data on public data leak sites, with payment via cryptocurrencies. Victims who pay the ransom do not appear on those data leak sites, meaning that it is difficult to measure the true scale of the problem. Edge devices such as VPN end points from popular vendors have become some of the most targeted devices.

Botnets made up of IoT devices have become common – whether used as proxy networks to hide an attacker’s true location (such as the huge 911 residential proxy botnet we sinkholed in May with the FBI/DoJ), or as Operational Relay Boxes (ORBs) to mask the origin of espionage or nation state activities (such as the Moobot botnet of Ubiquity routers we sinkholed in January with the FBI/DoJ).

Cryptominers remain at the forefront of exploiting many of the latest announced vulnerabilities, which is unlikely to change given the recent surge in the price of Bitcoin and other cryptocurrencies. Potentially Unwanted Programs (PUPs) delivered via backdoored apps or sideloading, such as Adload (which Shadowserver are sinkholing), continue to be a problem – including on platforms such as Apple and Android.

Europol’s Operation Endgame in May, which Shadowserver was part of, disrupted many of the major malware loader families – including IcedID, SystemBC, Pikabot, Smokeloader and Bumblebee. Some of these loaders have returned, others have not (yet). Information stealer malware, which harvest credentials from malware-infected victims, remain one of the main drivers of the cybercrime ecosystem.

Despite the industry frenzy about AI, we are yet to see much practical impact day to day in malware and botnets.

How does the foundation ensure the accuracy and timeliness of its reporting, especially when dealing with large-scale botnet infections?

Most of our activities are highly automated. This includes our notification processes. This means that we must always strive to minimize any false positives in our datasets or else the thousands of organizations that receive our information daily will be flooded with useless alerts. At the same time, we need to balance this with timeliness – ie. ensuring that we can bring relevant information into the hands of internet defenders as quickly as possible. We have to take these two considerations into account when enabling a new data sharing activity.

We take different approaches depending on what type of data we are collecting. We are typically conservative in our approach, due to the false positive concerns above. For the development of new internet-wide scans, we would typically test our scan methodology thoroughly first, to ensure accuracy before deploying in production. We are careful to ensure that our technical activities are minimized and do not cross offensive legal boundaries.

For malware infections and botnets disrupted by sinkholing, we would typically work for a longer period to ensure a thorough understanding of the threat actor’s technical infrastructure and the botnet’s command and control (C2) communications. This is required to establish sinkholes that “speak” the correct C2 protocols, thus helping filter out other noise.

How has the foundation’s information-sharing approach evolved to keep up with the threat landscape?

Aside from the changes in the technical methods used in attacks, we see a great acceleration in attack delivery. Everything is happening much faster than before. It is now often only hours after a vulnerability in a product is disclosed or exploit code published before we see widescale adoption by attackers. We adapt by being more active in our early warning announcements than previously. We are making our data easier to integrate in an automated manner with whatever systems internet defenders are using to ingest threat intelligence.

We have also started to build a community of like-minded organizations (the Shadowserver Alliance), to start working more closely together and communicating in real time to respond to threats and share additional intelligence. We have also engaged in building a Malware Information Sharing Platform (MISP) dedicated to Law Enforcement called MISP-LEA (an EU funded project, carried out jointly with the Luxembourg National CSIRT CIRCL who develop MISP), where we provide feeds of information that we believe particularly useful to that community.

Are there specific areas where you feel the cybersecurity community needs to improve awareness or response efforts?

Despite generally being better at sharing actionable information as a community, we are still lagging behind the attackers, and not responding quickly enough. Attacks are being conducted faster than ever. There is still not enough collaboration between governments, private industry, vendors and victims – who often talk about sharing, but in practice sometimes put up barriers, making incident response less effective and introducing delays. Different types of industries still remain siloed. Threat actors who are dedicated, motivated, capable, agile and unfettered by borders, law of funding restrictions do not have that problem!

When cyber attacks/crimes are reported, there is often a perception problem, with most attacks being described as “advanced” or “technically sophisticated”. Victims often believe they have been deliberately targeted by attackers – when in most cases, they were identified in an internet-wide scan, found to be vulnerable and compromised. So many incidents could be prevented simply by understanding what devices each organization is exposing to the internet, and following prompt and efficient software patching.

We also keep seeing a long tail of remediation – many organizations (outside the largest 1%) still do not seem to have the resources (including financial) or know how to adequately respond to intrusions or patch their vulnerable services. Until we solve this problem, attackers will continue to have the advantage. Shadowserver’s free daily network reports help provide organizations with a baseline of timely, actionable and often unique cyber threat intelligence – even for those organizations without big budgets.