The relentless march of ransomware, business email compromises, and other attacks against small private and public organizations over the past few years has demonstrated the hazard of operating below the information security poverty line—the point at which local governments, small and midsize businesses, and other institutions lack the expertise and budget required to implement basic computer and network security best practices needed to protect the organizations against cybercrime.

So on September 17, a Los Angeles-based cybersecurity nonprofit organization unveiled a new effort to help end that cycle, at least locally. Partnering with IBM Security and enterprise intelligence management provider TruStar, LA Cyber Lab has launched two initiatives to help organizations spot and stop malware and phishing attacks—a Web portal for sharing threat data and a mobile application targeted at helping small businesses detect and avoid email-based attacks like spear phishing.

LA Cyber Lab, a 501(c) nonprofit organization, received $3 million in funding from the US Department of Homeland Security in 2017. The organization is a "private-public partnership," LA Cyber Lab executive director Joshua Belk told Ars, "which works with the City of Los Angeles and the business committee of the Greater Los Angeles area." The lab's mission is helping Los Angeles area organizations "protect themselves and be more aware of cyberattacks and just different things that are happening in that realm," Belk explained.

The daily feed

Up until now, LA Cyber Lab's intelligence sharing has taken two forms: a daily threat report distributed by email and a regularly shared comma-separated value (CSV) file containing "indicators of compromise" (IOCs)—fingerprints for known attacks that businesses can use to detect attacks. But this week, LA Cyber Lab announced that the organization was moving to provide automated access to current threat data through its new Threat Intelligence Sharing Platform (TSIP) Web portal. Businesses that sign up as members will be able to connect their existing tools to the data as well through a Web application programming interface (API).

The threat data LA Cyber Lab distributes currently comes from over 25 data sources, including IBM X-Force IRIS's threat data, information collected from partner organizations, and open-source threat feeds (including those from the Department of Homeland Security's US-CERT). The IBM data comes from IBM X-Force Exchange, an 800 terabyte set of threat activity data that includes information on over 17 million spam and phishing attacks, real-time reports of live attacks, and reputation data on nearly one million malicious IP addresses.

"The partners are a group of companies around Los Angeles, both public and private sector, who are sharing whatever they want to in terms of IOCs," Belk said. They currently include the City of Los Angeles, City National Bank, AT&T, and IBM. Other companies in the region are in the process of being enrolled as well. "We're asking partners to share only vetted information so that we're not receiving false positives and a lot of noise," Belk explained.

"What we're doing on the back-end," said Wendi Whitmore, Global Lead for IBM X-Force Security Services, "is feeding in IBM X-Force IRIS threat intelligence—and in particular, premium threat intelligence which is more of our human analyzed, curated intelligence—into the submissions, and ensuring that we're leveraging that when the analysis is being conducted." TruStar was brought in to build the portal and provide "all the connectors between the different organizations," she added.

Belk said organizations that become members of the LA Cyber Lab information sharing network "have the opportunity to interact with some of the threat data…they can take it back to their environment, look through their network's logs and see if there's anything in the past, a breach that might've already happened that they weren't aware of, or they can look forward and they can block it the edge of their security network and blacklist or put rules in place to allow different activities to happen when they see some of those indicators come through."

Partner organizations submitting data will also get the benefit of extra eyes on their data—and alerts back from IBM X-Force. "If we're finding things that are of high risk—maybe they're new, perhaps not zero-day, but a new tactic or a new way to leverage a certain tactic—then we're going to provide that information back to the organizations that submitted as well as to the group," Whitmore explained.

There’s an app for that

This type of data isn't something that small businesses can typically act on, which leads to LA Cyber Lab's second new tool. The LA Cyber Lab mobile app, which is now available on both the Google Play and Apple iOS app stores, will allow anyone to push suspicious emails to LA Cyber Lab for automated evaluation based on threat data. Users can also vet malicious links or content using analysis provided by IBM X-Force IRIS, based on data from the threat platform's feeds.

When users create an account with the application, they get an email address to forward suspicious messages to. "They're able to send in emails to our platform," Belk explained, which then processes the message using analysis tools provided by IBM X-Force IRIS. A response indicating whether the email was malicious or not is sent back through the mobile application to the email addresses used to enroll in the application.

The platform backing the application reviews the email and extracts headers, links, attachments, and other data. "We're analyzing if there's an actionable link, like a hash or IP address, or domains that are bad," Belk explained. "We've got a list of roughly 15 different indicators of compromise that we're utilizing in the first beta release that get pulled from the email and then bounced against the known sets of phishing indicators." Any malicious indicators found in the email are then added to the LA Cyber Lab threat data feed.

"There's no action taken on the information," Belk said. "The user has to decide what they want to do because it's theirs. They're just sending it in to say, 'Hey, I think this is bad, is it bad?' And to the best of our ability we are providing them an answer and a ranking. When they get that back, it comes back as either 'guarded' or 'critical' and it gives them some steps of things that they might consider based on whatever was seen or not seen." The application also includes access to trending data to give users an idea of what's happening in a wider context—in theory helping organizations become more aware of other, similar threats that they may face in the near future.

Belk sees LA Cyber Lab's platform as a model that can be reproduced in other regions across the country. But the success of the platform will be driven largely by adoption—and by whether organizations, large or small, will be willing to both share and act on the data.