Stories of Cyber Defense Collaboration: Trustworthy Accountability Group (TAG)

Nicole Perloth’s new book, This is How They Tell Me the World Ends, details our past and troubling trajectory in cyberspace. It is a terrific and sobering read for both the initiated and uninitiated in information security. Ms. Perloth quotes numerous experts prophesying, “this will not end well”. Indeed our descent into cyber chaos will accelerate if we don’t alter our course.

This doom and gloom title prompts the need for a blog series focusing on slivers of success in defending cyberspace that can propagate as best practices. This series, “Stories of Cyber Defense Collaboration”, highlights promising beginnings and “wins” in the field where others are encouraged to contribute. 

This first installment tells the story of laser-like collaboration in a modestly named organization called the Trustworthy Accountability Group, which is comprised of some of the world’s most prominent companies to combat malware in digital advertising, also known as malvertising. 

The War Against Malvertising

Malvertising is the delivery of malware, malicious code, through digital advertisements. Three years ago, the Trustworthy Accountability Group (TAG) took on the scourge of malvertising. According to TAG’s white paper, “Changing the Criminal Calculus, Best Practices in the Fight Against Malvertising,” the first instance of malvertising dates to 2007. Malvertising erodes trust in advertising with significant knock-on effects on brand safety and the advertising industry as a whole. More than 20% of consumers may be impacted by malvertising¹.

There are several types of malvertising:

• Deceptive download attack: Consumers are lured by a fake ad to a fake landing page by criminals seeking to infect consumer devices with malware or to steal consumers’ money or personal information. Consumers believe they are downloading programs or contents they desire, but they are in fact, malware in disguise. In other cases, consumers are redirected to an infected ad on a fake website.
• Redirects: These represent the most prevalent form of malware in digital advertising. Drive-by-downloads occur without any user action. Malware is downloaded automatically through infected ads on a website or app.
•  Watering hole attacks: These attacks target a specific audience by taking advantage of a legitimate site or app or setting up fake ones of interest to users.  Users visit the “watering hole,” where an infected ad initiates the download of malware onto their devices without their knowledge. 
   

The financial impact of malvertising is significant, totaling nearly $6 billion in losses in 2019, according to a study by White Ops and the Association of National Advertisers. There are also intangible costs associated with malvertising, with consumer trust at the top of that list. A recent survey1 of U.S. consumers conducted by the Brand Safety Institute (BSI) and TAG found that 93% of respondents would reduce their spending on an advertised product if the ad had infected their computers or mobile devices with malware, and 73% would stop buying that product altogether.  These findings highlight the significant financial risk that brands face if their ads are found to carry malware payloads that can harm the very consumers their ad campaigns seek to engage.

TAG, working with its members, set out a series of best practices focused on responsibility, partnership, and strategy. They also realized a real exchange of threat information was necessary among participants, which was tricky given a number of factors, including the speed and scale of events. As an example, “3ve” in 2017 was a very complex and sophisticated ad fraud operation in which criminals controlled over 1 million IP addresses through botnets. In this case1, multiple companies including but not limited to Adobe, Amazon, Facebook, Microsoft, Oath, and TradeDesk carried out a coordinated takedown of 3ve’s operational structure. This event helped precipitate the creation of an ongoing threat exchange infrastructure where, rather than fighting adversaries on an individual basis, companies are committing to work together to share data that, when combined, drives up the costs for adversaries and reduces the number of successful attacks. A list of those companies can be found here.

Why is TAG Different?

TAG’s work is distinct from other Information Sharing and Analysis Organizations in five ways:

First, TAG is focused on combating malware in a particular industry supply chain — that of digital advertising. Other sharing organizations, such as Information Sharing and Analysis Centers, focus on sector-wide information security challenges in the areas of health, retail, IT, and finance. Both models are needed and relevant.  

Second, the membership of TAG is diverse, representing two constituencies. The first constitutes those that buy, sell, broker or facilitate ad distribution. The second includes those contributing to detection efforts. There is crossover between constituencies where buyers and sellers are involved in detection and prevention efforts too.

Third, the data exchanged between parties often constitutes more than typical “indicators of compromise.”, for example, the data includes information on fake websites, threat actor behaviors, and TTPs associated with sophisticated and long-running campaigns. TAG also shares malware-specific information to help companies identify new attack techniques so that they can preempt them. TAG uses TruSTAR’s platform to exchange and corroborate information provided by involved parties. Parties also convene calls to verbally exchange information, excluding any personally identifiable information. 

Fourth, TAG does both prevention and remediation through their certification to help standardize collaboration. Companies that meet TAG’s “Certified Against Malware Guidelines” are awarded the TAG Certified Against Malware (CAM) Seal in one or more categories. CAM helps prevent malvertising, while threat-sharing via the TAG TX ensures both effective remediation and prevention by virtue of finding and neutralizing threat actors.

Fifth, TAG facilitates coordination between the digital ad industry and law enforcement when a threat rises to the level of an industry-wide takedown. As information is developed among members about high-level ad fraud conspirators and networks, TAG ensures that companies are able to coordinate their information exchange with law enforcement.

Automating Defense Collaboration

TAG’s model represents an important model for the future. Why? While it is well known that fraudsters and criminals collaborate, it is less well known that they are automating their capabilities too. Bad actors have discovered the value of “infrastructure as code”, which means they are automating fraud, eliminating manual processes requiring human intervention. TAG’s model represents a paradigm shift to automating defense collaboration alongside human analysis. Their singular focus on bringing together diverse players applying a common standard to address a specific class of attacks using automated intelligence workflows is groundbreaking. 

If you are interested in contributing to this series on collaborative defense, please submit an abstract here. All contributions must focus on collaboration and profiles that demonstrate how the private sector is coming together to share information on how to battle problems in cyberspace.

 ^{1.TAG Today, “Changing the Criminal Calculus: Best Practices in Fighting Against Malvertising”., 2020}