How do you get 29 organizations to collaborate to disrupt multiple threat actors’ operational infrastructure?

How do you get 29 organizations to collaborate to disrupt multiple threat actors’ operational infrastructure? (See the list below.) What is not stated is that the listed group is the known TLP: RED group. Behind it is a larger TLP: AMBER community of supporting individuals and organizations. These groups all exist and will continue to put pressure on threat actors. Law enforcement is at work doing its part. Journalists (people like Brian Krebs) will continue to report.

Reality – this level of collaboration does not just “happen.” You cannot “snap your fingers” and bring these competing interests together to collaborate on collective action.

The March 19, 2026, operation is the result of individual, community, institutional, and government investment in “operational trust.” Operational trust is different from “normal trust.” It starts with individuals who have “top cover” from their organization’s leadership to work with their competitors, trusting each other to focus on a joint threat. A few individuals start reaching out to their peers. The group gets larger. Side groups break off to work on a focused task. Over time, you build an operational cybersecurity network of trust with peers, all working toward common goals: disrupt, mitigate, remediate, and push back against threat actors. In some cases, this leads to legal proceedings (criminal and civil).

How are these operational trust groups created?

I get asked this often. The problem is that you cannot just “invite your way” into these groups. You cannot say “I’m from the government” and be trusted. You cannot say, “I’m the head of security in my organization, and you have to trust me.” None of these approaches work.

Some would say, “I’ll join this ISAC or this other security group, and people will trust me.” That does not work either. Notice the long list of organizations that are part of this take-down (below). You do not see ISACs or similar cybersecurity membership groups on it.

So what works?

Spend some time with one of these operational security trust groups and read through the details. The Conficker Working Group intentionally documented its work in a post-mortem to explore how a community can collaborate effectively.

Conficker Working Group – Archive of Materials

My recommendation:

  • Make an internal decision. Have leadership, from the CEO to the CISO, intentionally commit to being comfortable with their operations and security teams doing the slow work of engaging with communities and building trust through action.
  • Make sure everyone understands that operational trust is built by contributing. Lurking and watching on a mailing list or Slack channel is not contributing.
  • Create a budget to send your team members to the core meet-ups where these communities gather. “Operational trust” is not something you can build through a 100% remote or virtual connection. Trust is HUMAN. Peers need to meet, talk, share meals, and get to know each other.

Once you commit to these three things, enter the community through three organizational paths. Each is a group that helps your team learn how to contribute, benefits your organization through what the team learns, and builds trust with peers in these groups through your team’s actions and contributions.

  • FIRST (Forum of Incident Response and Security Teams). Your team does NOT have to be a member of FIRST to take part in its many Special Interest Groups (SIGs). FIRST is the oldest cybersecurity forum on the Internet; the first joint incident responses and operational takedowns started there. Today, FIRST is where a security trust group takes its lessons learned and asks a FIRST SIG to work on new industry recommendations, guidelines, and technology. If you are interested in DDoS, check out the FIRST NetSec SIG (https://www.first.org/global/sigs/netsec/).

  • M3AAWG (Messaging, Malware, and Mobile Anti-Abuse Working Group). M3AAWG requires corporate membership, but that membership model opens the door for your whole organization to participate in its functional and operational SIGs. Like FIRST, M3AAWG works in parallel with many active threat-actor investigations, which means the people in its working groups and SIGs are among those in the “TLP: RED” trust circle working on operational takedowns. The people you work with in FIRST and M3AAWG are the ones you can call upon when your organization needs help from peers against a threat actor.

  • The Shadowserver Foundation is the action forum. Organizations can join the Shadowserver Alliance and work with peers to rapidly detect and communicate risk to the entire Internet. The Shadowserver Alliance is the community that finds ways to scan for risk, deploys sensors to detect threat-actor activity, processes malware to understand what the latest versions are doing, and then pushes out FREE attack-surface, exposure, and risk notifications to organizations all over the world. If you are a CISO and want your team to learn how to take action, become a Shadowserver Partner. Get your team into the workflow, contribute to Shadowserver’s work, team up with other Alliance Partners, and make a difference.

Finally, do you really have a need to know?

Do you really need to be inside an operational security trust group? NO – YOU DO NOT! I’ve been participating in these sorts of groups for over 40 years. Learning to trust your peers to take action, and to stand by them to support their action is powerful and supportive. At any one time, I’ll know of three or four active operations. I do not need to know the details. I’ll support my peers when needed. I will be called if they need my set of skills, contacts, or experience. The community has learned the hard way that Dunbar’s number is real, has an impact, and leads to “too many cooks spoil the soup.” In these cybersecurity operations, “spoil the soup” means cybersecurity harm to our massively interconnected digital society.

Don’t wait for others to collaborate against the threat actors. CxOs – provide the top cover to clear the path for your team. Then open the door for your team through FIRST, M3AAWG, and the Shadowserver Alliance. Finally, give your team the opportunity to work with their peers, contribute, and build that cybersecurity operational trust that will – possibly – save your business.

How can I get help working with my organization to get them plugged in?

First, you can download this presentation and use it inside your organization. Sometimes, crafting the conversation and then knocking on doors inside the organization is 90% of the work needed. The key is that this must come from inside the organization. Second, contact barry@qubitcyber.com (my Qubit Cyber email) if you are looking for people to speak, pitch, explain, and highlight the benefits of active participation in the Operational Security Trust Groups. Finally, if you think a YouTube video would help you, ping me and let me know. I can get one done (or a webinar) where you can invite key decision-makers in your organization.

Known groups that are part of the #Aisuru, #KimWolf, #JackSkid, and #Mossad operation:

USDOD DoDIG DCIS, FBI Anchorage Field Office, Bundeskriminalamt (BKA) Cyber, Public Prosecutor’s Office in Cologne (ZAC NRW), the Royal Canadian Mounted Police (RCMP), Ontario Provincial Police (OPP), Sûreté du Québec (SQ), Akamai Networks, Amazon Web Services, Cloudflare, DigitalOcean, Epieos, Google, Hydrolix, Lumen, Nokia, Okta, Oracle, PayPal, Registrar of Last Resort, The Shadowserver Foundation, Sony Interactive Entertainment, SpyCloud, Synthient, Team Cymru, Unit 221B, XLAB, Netherlands Politie, and EUROPOL’s PowerOFF team.

#KimWolf #AWS #Amazon #ThreatIntelligence #DDoS #Botnet #Security #TeamCymru #PowerOFF #CyberSecurity #DefendersFirst

By the way – Remember the DDoS Attack Preparation Workbook

I strongly recommend that organizations work through all the core DDoS resiliency best common practices (BCPs) first. Too many organizations buy or subscribe to DDoS protection services without going through the basics. We have weeks’ worth of tutorials, guidelines, and anti-DDoS materials that will save your organization from “DDoS grief” and help you be more successful working with anti-DDoS vendors and services.
