The APWG has been sharing threat data for over 12 years to help protect organizations and the all internet users against cyber threats. Initially founded to focus on the phishing, as the threat landscape on the internet has grown so has APWG. Today our vetted member community shares information to fight cybercrime and fraud not only on phishing but numerous other types of threat data including malicious IP addresses and ransomware information. This session will look at the history of sharing these types of data, how sharing has changed over the years and the necessity to automate these process.

1. International Collaborative
Efforts to Share Threat Data in a
Vetted Member Community
Mike D’Ambrogia
Project Lead
Andrew Breksa
Lead Developer

2. Who Are We?
• Founded in 2003 to focus on the emerging new threat called “Phishing”
• Began collecting statistics and data to produce reports and track activity around Phishing
• Gathered together a collection of experts and concerned industry leaders and researchers
• Membership grew to include a collection of cyber-crime fighters:
Financial institutions ISPs
Technology companies Law enforcement agencies
Government agencies Treaty organizations
E-commerce sites and solutions providers
Research partners:
- Country CERTs, universities, industrial laboratories, volunteer responder organizations

3. Since 2003 Cyber-Crime and Fraud have evolved,
APWG has evolved too
• Several areas of influence
• Cyber Policy
• Education / User Awareness
• Tracking Trends and Malicious Activities
• Research
• Sharing Threat Data – the eCrime Exchange

4. eCrime Research Program - US
• Annual Symposium on Electronic Crime Research
• Peer reviewed research paper program
• Two publication tracks
• Theoretical cybercrime academic research
• Applied, industrial cybercrime research
• Accepted papers published via the IEEE.org
• Accepted papers are presented to members and attendees at the annual
meeting
• For the academic research track
• Travel stipends for one author of each paper
• Cash award presented to the two top papers

5. eCrime Research Projects – EU Foundation
• Mostly focused on User Awareness
• Three ongoing Horizon 2020 projects
• VIVET: creation of videos and educational materials on cybersecurity for Vocational
Training (For students and educational institutions, but also for refugees and
unemployed people) Organize 4 seminars
• TRUESSEC.EU (Trust-Enhancing Certified Solutions for Security and Protection of Citizens'
rights in digital Europe) will develop requirements to achieve the RETEL
(Recommendations for a European Trust-Enhancing Label).
• Cyber-volunteer Networking Tool: A simple platform to support the establishment
and organization of networks of cyber-volunteers for training and education

6. APWG’s eCrime Exchange
• A warehouse of threat intelligence data
• Free service for APWG members
• eCX Mission:
• Limit access to a trusted and diverse community of companies and users
• Handle sharing of any type of threat data
• Make data available nearly instantly
• Drive data to users
• Don’t force business rules on others, instead integrate cleanly into existing
business processes

7. How We Share Data - The 2 Sides of eCX
• Side 1 - Web User Interface
• Side 2 - High Performance REST API
• Built on a Lambda style LAMP stack
• PHP 5.6 and 7
• AMQP Messaging using RabbitMQ
• MySQL
• ElasticSearch ELK stack (ES, Logstash, Kibana) with Filebeats and ElastAlert
• SphinxSearch
• Memcache
• Distributed

8. eCX – Side 1, Web User Interface
• Threat intelligence data is held in Modules or Workgroups
• Pick the data you are interested in and request access
• Consistent searching/filtering in all modules
• Data driven to users with real time Alerts
• All API documentation in Swagger/OpenAPI
• While eCX is complex behind the scenes, the bootstrap interface
keeps things simple and quick for the web user

9. eCX – Side 2, High Performance REST API
• GET, POST, PATCH
• A single interface for the entire platform with individual endpoints
per module
• The user is validated via a unique API token
• 38 query filtering and ‘ranging’ options on GET
• Fast. Handling the query from start to finish averages < 200ms
• A testing “sandbox” is available for new script development
• Data output samples at https://ecrimex.net/samples.zip (3.9Mb)

10. eCX - High Performance REST API
• Submitting data, 4 fields
• Date first seen, an epoch data type
• The brand the phish is attacking
• The URL
• A confidence factor
• 100, 90, or 50
• Same 4 fields since 2003
• Validates user, receives data, normalizes, inserts in < 75ms
• Robust result codes and messaging to know what happened instantly

22. Workgroups
• Securely store and share any kind of threat intelligence data
• Files, images, pdfs, notes of analysis, IP’s, etc – anything
• Share this data with other users
• Full membership control
• Approve, deny, revoke
• Workgroup can be visible to others, or completely invisible
• Access the workgroup using the eCX API
• Live demonstration of setting up and using an eCX workgroup

23. Get Involved with the APWG
• Memberships for various access levels
• eCrime Exchange 10 day trial
• Share your threat intelligence data
mike@ecrimex.net
andrew@ecrimex.net
support@ecrimex.net