Security Experts:

Georgia Tech's 'Titan' Malware Intelligence System Offers Threat Sharing, Collaboration Tools

Georgia Tech's Titan Project

A new malware intelligence system developed at Georgia Tech Research Institute (GRTI) is helping government agencies and private companies share threat intelligence and work together to understand attacks. Dubbed Titan, the system allows member organizations to submit threat data and to collaborate on malware analysis and classification.

Members contribute data anonymously so no one would know which specific organizations had been affected by the attack, Chris Smoak, project leader and branch head for malicious software analysis at GTRI's Cyber Technology and Information Security Lab, told SecurityWeek

"You are asking people to submit information about targeted attacks, so anonymity is built-in to the platform," Smoak said.

In addition to receiving information about attacks affecting other organizations, members receive reports on malware samples they've already submitted, such as the potential harm, the likely source, the best remedy, and the risks posed by the sample. The analysis is based on what GTRI researchers learn by reverse-engineering the malware and other information that was compiled from other sources within the malware repository.

Titan is "not just for the technology professionals" as CSOs and CTOs are seeing how insights from Titan can be used to improve the organization's security, Smoak said. Executives and managers can decide how to allocate their spending dollars once they have a better understanding of what threats they face, he said.

Titan can highlight "hot button issues" and be used as a forecast tool. In one example scenario, Smoak outlined how analysts can correlate several threat indicators and figure out that a certain attack was hitting several universities at once. They may also be able to draw parallels with similar incident reports that have happened in the past and forecast that the attack will move to target financial services firms in a few months. This is the type of proactive intelligence members will have access to through Titan that they can use to prepare, Smoak said.

Research scientists Andrew Howard and Christopher Smoak, and graduate research assistant George Macon. Comparing how companies use VirusTotal with how they can use Titan is a "fair comparison," Smoak said, but noted that Titan can do much more than the malware analysis site. Generally speaking, people can upload suspicious files to VirusTotal to find out if it is malicious, and whether existing security tools can detect it. However, there is no way for VirusTotal to look at two variants of malware and correlate it to say they are the same, while Titan can do that, Smoak said.

Many malware developers use polymorphism to dynamically generate slightly different versions of malware to avoid detection by traditional antivirus scanners. Under Titan, members would be able to see that incidents they thought involved different types of malware were actually all hit by the same one, Smoak explained.

Smoak described Titan as a "modular framework." With new types of malware and attack techniques emerging, techniques for analyzing these threats are evolving rapidly, he said. Titan is designed to let researchers build new modules to handle different analysis tasks as necessary. For example, even though Android malware is on the rise, there aren't many tools for dynamic automated analysis of mobile malware. Members could just build a module with the Titan API that can unpack and analyze the malware while still taking advantage of all the other features and information in the system, Smoak said.

There is more analysis and correlation capable in Titan, which is what makes it so valuable to members, Smoak said.

First unveiled in May, the system has been in public beta since then. The project currently has about 20 members and analyzes and classifies an average of 100,000 pieces of malicious code each day. A bulk of the malicious samples being analyzed is data provided by various sharing groups, Smoak said. Members submit five to 10 samples a week, Smoak said.

The system has "good critical mass," with members spanning government agencies and across the industry providing actual data that is useful, Smoak said. There is no push to add new members for the remainder of the beta period, Smoak said. The system will be expected to be final in "a few weeks," at which point the platform will likely be expanded to add more.

The fact that GTRI is a non-profit and academic institution has helped attract members, Smoak said. There are several other information sharing initiatives that have been launched in recent months, many of them by vendors. While the vendors are working hard to make the platform useful to everyone, there is some concern that the vendor may have some bias, and may be pushing a certain product to members, Smoak said. There may be no bias at all, but "perception drives results," Smoak said.

Members are vetted before they are allowed to participate. At the moment, there are no security companies using Titan, Smoak said, although he didn't see any reason why they wouldn't be able to get access if they asked to join.

Titan is also not currently partnering with companies such as RSA/Netwitness and Microsoft, who are working on their own projects to provide the industry with intelligence feeds containing information derived from botnets and other malicious network activity. Smoak said he would like to "talk with folks at Microsoft" to see how to make use of data, but nothing is in the works at this time.

The primary goal of Titan is to "keep the cost of data very low" and provide these insights and data analysis cheaply to members, Smoak said.

Businesses, large and small, often don't have the time and resources to analyze the threats hitting their environment or to operate their own threat analysis centers. Defenders have a difficult time fighting advanced targeted attacks without a way to share information with their counterparts.

Titan "fills the gap" and helps the organizations figure out what the current threats are "without breaking the bank," Smoak said.

Related Reading: Threat Sharing - A Necessary Defense Strategy

Related Reading: Building a Bridge for Information Sharing

Related Reading: Intelligence Sharing Key in Cybersecurity Arms Race, Experts Say

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.