Global cyber threat intelligence partnerships: an opportunity to work together

Derek Manky, Chief, Security Insights & Global Threat Alliances at Fortinet’s FortiGuard Labs, elaborates on the need to work together to fight cybercrime.

Fighting cybercrime is a collaborative effort, with cybersecurity experts, law enforcement, and policymakers teaming up with industries and the public to fight the war on cybercrime. Most people will agree that combatting cybercrime is critical to our society’s digital and structural health, so the opportunity to help has always been there. However, those bad actors know cybercrime is a trillion-dollar business, and the odds of getting caught are low since cybercrime overall has no borders like countries do.

As today’s cyberthreats become more sophisticated and aggressive, with ransomware attacks moving to an affiliate-based, as-a-service model, working together is the only way to get ahead of it. Interestingly, according to a Fortinet ransomware survey, ransomware has become a top threat concern for global organizations. This is just one threat type. Recent episodes have caused massive supply chain infections from just a single intrusion point. And cybercriminals are becoming more well-funded the more advanced they become, with growing business models and supply chains of their own. So how do we create action and execute on the knowledge we’ve amassed studying cybercrime? Simply nodding in agreement is just not enough. Goodwill is one thing, but the time to act is now. The answer is by working together with global partners to raise resiliency, disrupt, and ultimately take down these criminal empires.

A Needle in a Haystack

Cybercrime is now a criminal empire that functions like any other criminal organization, with bosses, managers, and money mules. But the world of cybercrime is a bit more complicated. Take, for example, the number one reason these adversaries don’t get caught: jurisdiction. Many cybercriminals operate from countries that don’t extradite to the U.S., making it harder to pinpoint them, let alone find, charge, and prosecute them.

There is a ton of data around ransomware and other types of cybercrime. Still, accurate data on the number of incidents is hard to come by because a large percentage of victims don’t even report their cases. Even though there have been some big, successful takedowns recently, less than 0.05% of cybercriminals are arrested and prosecuted. And the bad guys like those odds. This giant cybercrime enforcement gap gives bad actors the confidence to continue without fear of being caught, charged, or punished. The cybercrime supply chain has exploded, and there are so many moving parts and participants at the ready at each point that it takes concerted, global, collaborative efforts to track them all down and stop them.

A Collaborative Effort

Our mission at FortiGuard Labs is to provide Fortinet customers with the industry’s best threat intelligence to protect them from malicious activity and sophisticated cyber-attacks. But we don’t stop at protecting our customers—Fortinet is actively engaged with and has bi-directional threat intelligence–feed relationships with more than 200 partners. These partnerships are vital to providing increased visibility to FortiGuard Labs’ operations. They include threat-intelligence peers, national community emergency response teams (CERTs), computer security incident response teams (CSIRTs), government agencies, international law enforcement organizations (including NATO and INTERPOL), and other critical partners such as MITRE and the World Economic Forum’s Centre for Cybersecurity.

Fortinet also belongs to INTERPOL ICGEG (Global Expert Group), and we work with the FBI to help counter cybercrime and cyber-terrorism. (We were one of several private sector companies that provided support to an INTERPOL-led operation targeting cybercrime across the ASEAN region.)

We are increasing our efforts and focus to go beyond our own research to lead, interact, share, and foster the sharing of actionable threat intelligence. For example, Fortinet co-founded the Cyber Threat Alliance (CTA). Today, the CTA organization has grown from four founding members to actively bring threat researchers, security vendors, and alliance partners together to share threat information and improve defenses against advanced cyber adversaries across member organizations and their customers. The goal of the CTA is to disrupt cybercrime and attacks by raising resiliency—the more we share, the better equipped we will all be to fight the war on cybercrime.

Fortinet is also a founding member of and supports multiple initiatives for the World Economic Forum’s (WEF) Centre for Cybersecurity, holding one of only two permanent seats on this international council. The Centre for Cybersecurity was designed to shape the future of cybersecurity and digital trust worldwide, safeguard innovation, protect institutions, businesses, and individuals, and secure our growing reliance on the digital economy.

Fighting the Good Fight

The main goals of the Centre for Cybersecurity are to:

  • Build cyber resilience by developing and scaling forward-looking solutions and promoting effective practices across digital ecosystems
  • Strengthen global cooperation among public and private stakeholders by fostering a collective response to cybercrime and jointly addressing key security challenges
  • Understand future networks and technology to identify and prepare for future cybersecurity challenges and opportunities

In addition, the Partnership Against Cybercrime, brings together a dedicated community including leading law enforcement agencies, international organizations, cybersecurity companies, service and platform providers, global corporations, and leading not-for-profit alliances. Following the 2020 Working Group recommendations, the Partnership will support the establishment of a global network of hubs for operational public-private cooperation. The Partnership will serve as the platform for interactions and insight sharing on a global and strategic level.

Other actionable insights gleaned from Fortinet’s participation in the first INTERPOL High-Level Forum on Ransomware are to:

  • Prevent ransomware by raising awareness, partnerships, and information sharing
  • Aim for pre-exploit disruption of ransomware and its ecosystem through global law enforcement actions both reactively and proactively
  • Provide in-event emergency support against ransomware attacks
  • Ensure post-event support following ransomware attacks to increase resilience, agility, and responsiveness

Good News

In cybersecurity not every action has an immediate or lasting effect, but several events in 2021 show positive developments specifically for defenders. Aligning forces through collaboration is being prioritized to disrupt cybercriminal supply chains. Shared data and partnership can enable more effective responses and better predict future techniques to deter adversary efforts. Some results of this cooperation were the coordinated takedown of Emotet, one of the most prolific malware operations in recent history, and the disruption of the Egregor, NetWalker, and Cl0p ransomware operations which represent significant wins by global governments and law enforcement to curb cybercrime. The US Department of Justice (DOJ) sent a strong message when they charged a NetWalker affiliate. Recently, two ransomware operators were arrested in Ukraine. FortiGuard Labs’ data showed a slowdown of threat activity following the Emotet takedown. Activity related to TrickBot and Ryuk variants persisted after the Emotet botnet was taken offline, but it was at a reduced volume.

It may sometimes seem like cybercriminals have the upper hand because their criminal empire has become so large and unruly that it’s becoming harder to contain it. However, efforts are paying off. Cybersecurity is a long game, and not all actions have an immediate effect. But increasing pressure from critical voices is having an impact.