Standards-based Cyber Threat Intelligence sharing using private Blockchains
Kimon-Antonios Provatas, Ioannis Tzannetos, Vassilios Vescoukis
DOI: http://dx.doi.org/10.15439/2023F6880
Citation: Proceedings of the 18th Conference on Computer Science and Intelligence Systems, M. Ganzha, L. Maciaszek, M. Paprzycki, D. Ślęzak (eds). ACSIS, Vol. 35, pages 649–656 (2023)
Abstract. As cyber-attacks become more and more sophisticated, sharing information that helps organizations design and implement efficient defense measures is of critical importance. Such information can be shared using any available service, such as plain-old mailing lists, forums, etc. More mature systems use standards that facilitate the structural and semantic organization of information about cyber threats, which enables both automated processing and interpretation of such information, such as indexing, cross-referencing, updating, and more. However, even systems that share cyber-attack information are themselves vulnerable, not only to typical and easily detectable attacks such as DoS, but also to content poisoning. Implementing such systems using decentralized architectures such as blockchain could overcome many of the deficiencies of centralized cyber-threat information sharing systems. This paper presents the specification, design, and implementation of such a decentralized system using two popular standards for cyber threat intelligence sharing, namely STIX for representing threat information and TAXII for sharing it over a REST API. The system, implemented on Hyperledger Fabric, faces the challenge of adhering to standards designed for a centralized world while offering a transparent way of implementing the entire backend on a blockchain.
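As an added illustration, not code from the paper or from its Hyperledger Fabric implementation, the Go program below models the two TAXII collection operations the abstract refers to (adding objects to a collection and retrieving them as a TAXII envelope) on top of an append-only ledger. The Ledger type, the `collection/object-id` key layout, the hash chain, the submitter field and the sample indicator are assumptions made for this example; real chaincode would read and write Fabric's world state through the ChaincodeStubInterface instead of an in-memory map.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// StixObject holds the STIX 2.1 common properties a TAXII collection needs,
// plus the indicator "pattern" field used by the constructed sample below.
type StixObject struct {
	Type     string `json:"type"`
	SpecVer  string `json:"spec_version"`
	ID       string `json:"id"`
	Created  string `json:"created"`
	Modified string `json:"modified"`
	Name     string `json:"name,omitempty"`
	Pattern  string `json:"pattern,omitempty"`
}

// Envelope is the TAXII 2.1 envelope returned for GET /{collection}/objects/.
type Envelope struct {
	More    bool         `json:"more"`
	Objects []StixObject `json:"objects"`
}

// Record is one committed write: key, submitter, serialized object, the SHA-256
// of (previous hash || value) and the previous hash. Assumed stand-in for
// Fabric block history; it makes every revision tamper-evident.
type Record struct {
	Key, Submitter, Hash, PrevHash string
	Value                          []byte
}

// Ledger is the assumed stand-in for Fabric's world state (latest value per
// key) plus the full write history.
type Ledger struct {
	state   map[string][]byte
	history []Record
}

func NewLedger() *Ledger { return &Ledger{state: map[string][]byte{}} }

func ledgerKey(collection, objectID string) string { return collection + "/" + objectID }

// AddObject is the chaincode side of TAXII "POST objects": validate the STIX
// identifier and timestamps, serialize, and commit a hash-chained record.
func (l *Ledger) AddObject(collection, submitter string, obj StixObject) error {
	if !strings.HasPrefix(obj.ID, obj.Type+"--") {
		return fmt.Errorf("invalid STIX id %q for type %q", obj.ID, obj.Type)
	}
	// RFC 3339 UTC timestamps in the same layout compare correctly as strings.
	if obj.Modified == "" || obj.Modified < obj.Created {
		return errors.New("modified must be set and must not precede created")
	}
	value, err := json.Marshal(obj)
	if err != nil {
		return err
	}
	prev := ""
	if n := len(l.history); n > 0 {
		prev = l.history[n-1].Hash
	}
	sum := sha256.Sum256(append([]byte(prev), value...))
	rec := Record{Key: ledgerKey(collection, obj.ID), Submitter: submitter,
		Hash: hex.EncodeToString(sum[:]), PrevHash: prev, Value: value}
	l.state[rec.Key] = value
	l.history = append(l.history, rec)
	return nil
}

// GetObjects is the chaincode side of TAXII "GET objects": read the current
// world state of one collection and wrap it in a TAXII envelope.
func (l *Ledger) GetObjects(collection string) (Envelope, error) {
	env := Envelope{Objects: []StixObject{}}
	var keys []string
	for k := range l.state {
		if strings.HasPrefix(k, collection+"/") {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys) // deterministic order, as a ledger query must be
	for _, k := range keys {
		var obj StixObject
		if err := json.Unmarshal(l.state[k], &obj); err != nil {
			return env, err
		}
		env.Objects = append(env.Objects, obj)
	}
	return env, nil
}

// History returns every committed version of one object, oldest first: the
// audit trail showing who changed an indicator and in what order.
func (l *Ledger) History(collection, objectID string) []Record {
	var out []Record
	for _, r := range l.history {
		if r.Key == ledgerKey(collection, objectID) {
			out = append(out, r)
		}
	}
	return out
}

// VerifyChain recomputes every hash; any altered record breaks the chain.
func (l *Ledger) VerifyChain() bool {
	prev := ""
	for _, r := range l.history {
		sum := sha256.Sum256(append([]byte(prev), r.Value...))
		if r.PrevHash != prev || hex.EncodeToString(sum[:]) != r.Hash {
			return false
		}
		prev = r.Hash
	}
	return true
}

func main() {
	l := NewLedger()
	// Constructed sample indicator; the domain uses the reserved .invalid TLD.
	ind := StixObject{Type: "indicator", SpecVer: "2.1",
		ID: "indicator--11111111-2222-4333-8444-555555555555", Name: "sample",
		Created: "2023-01-01T00:00:00.000Z", Modified: "2023-01-01T00:00:00.000Z",
		Pattern: "[domain-name:value = 'sample.invalid']"}
	_ = l.AddObject("collection-a", "org1", ind)
	ind.Modified, ind.Pattern = "2023-01-02T00:00:00.000Z", "[domain-name:value = 'changed.invalid']"
	_ = l.AddObject("collection-a", "org2", ind) // later revision by another org
	env, _ := l.GetObjects("collection-a")
	out, _ := json.Marshal(env)
	fmt.Println(string(out))
	for _, r := range l.History("collection-a", ind.ID) {
		fmt.Println(r.Submitter, r.Hash[:12])
	}
	fmt.Println("chain valid:", l.VerifyChain())
}
```

The point the abstract makes about content poisoning is visible in the difference between GetObjects and History: a TAXII consumer still receives only the latest revision, exactly as it would from a centralized server, but the ledger keeps every earlier revision together with its submitter, and VerifyChain fails as soon as any stored revision is altered after the fact. In a Fabric deployment the endorsement policy additionally decides which organizations must sign a write before it is committed, which this in-memory model does not capture.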