A Problem Shared

By the end of Friday, the first wave of the WannaCry Ransomware attack was over – a researcher (MalwareTechLab) had, in trying to gain further insight into the attack, inadvertently disabled its worst damage, preventing it “detonating”.

The researcher wasn’t working alone – in fact, he was working alongside researchers all across the UK and the world. New information was constantly shared back and forth between the organisations suffering from the malware and the researchers working on finding a cure.

A considerable amount of that co-operation can be seen on Twitter, for example. Indeed, the first suggestion that MalwareTechLabs had, in fact, disabled the WannaCry worm just by registering a domain came over Twitter. But not everything can be shared so openly and effectively on Twitter, so in the write-up of the discovery, MalwareTechLabs notes that another platform was essential.

The NCSC’s Cyber Intelligence Sharing Platform is an environment specifically designed for sharing cyber threat intelligence. Researchers and network defenders work together to find solutions, whilst remaining in a “safe space”. Even if a network defender feels uncomfortable sharing information, they can still participate anonymously. Access is controlled in all cases, so each individual can be assured that everyone else is “meant to be there”.

Newcomers to the community can rapidly see which participants are highly regarded by the rest of the community, through detailed profiles including scoring, feedback systems, and endorsements. The social aspects of Threatvine are carefully designed to minimise information asymmetry, ensuring the quality of the information.

The headlines today, and for the coming weeks, will most likely be dominated by follow-on damage, as thousands of infected machines are turned back on this morning. Not all information will be in the headlines, though – Threatvine’s cyber-security information sharing platform allows every participant to indicate how far to share the information, using the industry-standard Traffic Light Protocol (TLP) pioneered in the UK. Information can be assigned a colour to indicate the sensitivity, from Green to Amber to Red, or not coloured at all to share on Twitter, the BBC, and so on.

Thanks to the researchers and network defenders using CiSP, numerous attacks have been repulsed well before they made the headlines. But for those that do make the headlines, the teamwork enabled by Threatvine will be behind the story.

If your organisation has been affected by WannaCry, you can find the latest guidance from NCSC here: https://www.ncsc.gov.uk/news/latest-statement-international-ransomware-cyber-attack-0