Not clicking on that suspicious link is a great start when it comes to combating cyberthreats. Cybersecurity experts can do much more.
One example is the new COVID-19 Cyber Threat Intelligence League (CTI), a group of over a thousand cybersecurity experts from around the world volunteering their time to help fend off attacks.
Marc Rogers is the vice president of cybersecurity strategy for Okta, a popular identity and access management service. He’s also one of the managers of the project. He spoke to The World's host Marco Werman about how the group got started.
"Well, it was a group of us, friends and colleagues of mine, and we were thinking there's a lot of security people sitting around not doing a lot in their evenings, no social time. We just tend to kind of do security time. And so, we went to see if we could pull that group together and see what the appetite was. And we were blown away by the response," Rogers said.
The group has grown to include members from 40 countries. "So, we cover almost every single time zone," he said. "And people have just been absolutely willing to come forward and do what they can to help protect those who are defending us and who are at the front line of this fight by ensuring that malware doesn't cause a problem or disrupt their operations."
Marco Werman: Walk us through one incident — like, how does the process work when volunteers from the COVID-19 CTI League step in and respond?
Marc Rogers: Sure. So, probably the easiest one to talk through is either a malware or phishing campaign. We'll get indicators, we've got tools that we've set up that automatically scan for these things publicly. We also have people submitting information. We then tear it apart. Look at how it works. Try to understand the structure of the campaign. And then we find domains with indicators of compromise or we find other links that take us onto other parts of their infrastructure. And then we work to dismantle it. We work to get the domains pulled down. We work to identify other campaigns they're doing and take those down.
We have taken down hundreds of domains. We've dismantled a significant number of campaigns. We're just using the same techniques that we use during our day jobs. The only difference is because we're all together and we're all so much closer, we can do this really fast instead of having to send an email that has to go over several country boundaries. We can just say, "Hey you, we've got a bad thing on your registrar. Here's the information. What do you want to do?" And they go, "Yep, we agree, it's bad. We're going to take it down." And so we're able to kill things in a matter of hours that under normal practice would probably take us days or even weeks.
And the cases that the COVID-19 CTI League has responded to — does law enforcement take over at some point?
Yes. If there's anything that's out of our reach or if we think it's above our pay grade, we push up to law enforcement. We're very keen that we follow a responsible process. We don't want to step on potentially active cases that they may be working on. So very early on, we got deep engagement with law enforcement there on the site with us, helping us. We have law enforcement from all over the world. I think it might be up to 20 different countries all over the world who have all come and joined. And there's no hint of, you know, territorial concern or "What are you guys doing?" It's just literally, "How can we help?"
I've got to say, your take on the cooperation is really encouraging. Do you think it's going to continue past the pandemic?
I really do hope so. There's been a big discussion I've been having with some of our law enforcement partners and with my co-founders. Every time there's a major event worldwide, there was a major upswing in cybercrime. We would love to see a group like this continue. So there was a major upswing in defense; that would be phenomenal. We would make the internet a much safer place.
This interview has been lightly edited and condensed for clarity.