How can CERTs, incident response teams, security companies, and independent threat researchers provide information on malware attacks to the anti-malware industry?

Malware threats are born, and they may fade away, but the most effective – and lucrative – evolve and grow. Successful malware remains in the wild for years with new variants appearing continuously, their growth and distribution changing and expanding.

Malware-as-a-Service has become common, enabling malware kits or source code to be purchased, often with professional support. Malware authors have become experts at adapting their tactics and methodologies to allow their products to spread faster and infect more. One hacker group (REvil) recently claimed to have made more than $100 million from ransomware.

The importance of sharing data

To combat the growth in malware, the cyber-security industry must have an effective method to share information.

Sharing information on threats enables security vendors to identify and rapidly analyze zero-day malware and new variants of existing malware. By learning how malware evolves and which infection techniques it uses, we can quickly and effectively protect our partners and customers.

For years, anti-malware providers, vendors, and CERTs have collaborated, exchanging samples of prevalent malware. However, the lack of a common platform means that the existing sample exchange programs are not always efficient or effective.

The lack of a central place to exchange prevalent threat data between all parties, ideally from a single unique submission, reduces the industry’s ability to protect customers and partners alike.

Access the Real-Time Threat List from AMTSO

Recognizing this challenge, the Anti-Malware Testing Standards Organization will open its Real-Time Threat List (RTTL) to submissions by non-member organizations. This will create a single platform for the exchange of threat data, accessible by the entire industry.

Most major anti-malware providers are members of the Anti-Malware Testing Standards Organization (AMTSO). It is AMTSO’s Real-Time Threat List (RTTL) that enables malware samples and related telemetry to be shared between members.

The RTTL provides a source of high-quality, prevalent, real-world samples for testing purposes. It includes data on the distribution, regional and industry-vertical indicators, and other useful elements.

A single reporting system for the industry

Opening the service to individual threat researchers, CERTs, and non-member security organizations allows participants to reach the entire security industry via a single reporting system.

The RTTL service is now accessible for non-AMTSO members to contribute samples. Samples are submitted via an API, with tools provided to help automate uploads. Attaching metadata to samples, such as prevalence (how often a given sample has been observed in the wild) or other factors such as geolocation, is beneficial. However, samples on their own are also of value. RTTL also supports the open-source MISP format.

If you are interested and you would like to know more, please email us for more information.

Alexander Vukcevic
Chief Technical Officer, AMTSO