Good news: the coordinated malware eradication preparations are almost done. We have held several roundtable meetings at industry events around the world, and the last two are scheduled for June and July. We had insightful conversations with a diverse group of experts from across the antimalware industry. The ideas have converged into a shared vision of how we’ll work together to put pressure on the malware ecosystem. I am excited for the first coordinated eradication campaigns to launch!
Discussions have given the industry a place to talk about how coordination happens today. Data-sharing partnerships are becoming more common, and the resulting campaigns are paying off. As you might imagine, this has led some roundtable participants to ask us to explain why coordinated malware eradication is necessary.
Our response is simple: We’ve learned from experience that the amount of time and effort required just to plan, execute, and measure each antimalware campaign is daunting. Our roundtable discussions have shown that others are feeling this too. Coordinated malware eradication can reduce this drag on efficiency.
I think the appeal of this drag reduction is why there’s been such great engagement. We recently talked with the Asia-Pacific Computer Emergency Response Team (APCERT). APCERT is working to increase transparency and the use of common measurements through a project named Cyber Green. Like us, they believe that getting closer to malware eradication requires a wide range of individuals and organizations to get involved and work together.
Yurie Ito, Chair of the Steering Committee for APCERT said, “What we have been discussing around coordinated malware eradication is very complimentary to the driving concepts behind Cyber Green. There are huge benefits to working together to increase visibility into the sources and presence of cyber risks. Fix this, and we go a long way to making the Internet a stronger, more resilient and safer place.”
Here’s a short list of areas that we’ve heard cause the most drag on antimalware campaign efficiency:
- Incomplete contact lists: There is no simple and commonly available way to find, and then reach, the right person inside each of our organizations.
- Missing patterns: We lack standard recipes and templates for running eradication campaigns, and find ourselves rebuilding these from the ground up each time.
- Incomplete measurements: We each struggle to calculate and track the damage caused by malware, and the impact our eradication efforts make.
What we want to do through coordinated malware eradication is solve these on-going challenges, which should help unleash our industry to focus its efforts on eradication.
From our roundtable discussions, an outline is taking shape. Here’s how we’re thinking about the campaign process. One or more members set an eradication goal, and then they invite others to join them in a campaign. Interested members opt-in and specify their level of commitment. Now formed, the group chooses a leader and begins planning.
Once the group defines tactics and metrics, the execution phase begins. See details about this step in my last blog. The short version: a coordinated malware eradication sandbox can help correlate information from all campaign participants, allowing the group to not only measure and correlate better, but precisely target the bad actors’ weak spots.
Having a clear ending for each campaign helps keep the cycles short and the participants focused and motivated. Once the campaign ends and we celebrate another malware eradication, we have an opportunity to review the results and discuss future improvements to the process. At this point, some members might choose to talk publicly about the results and their contribution.
Figure 1: An outline of the malware eradication campaign process under discussion
There has been strong interest in this campaign process and we’ll soon host a set of pilot campaigns with current and prospective members of Virus Information Alliance (VIA) program. It will be great to be able to eradicate some malware as we learn from what works. In the meantime, we welcome your feedback. The more engagement the better!
Partner PM Manager
- 26th Annual FIRST Conference, June 22, 2014 – June 27, 2014 Boston, Massachusetts, USA.
- Microsoft Security Research Alliance Summit, July 22, 2014 – July 24, 2014 Seattle, Washington, USA.