ENCRYPT Blog Series #14: Enhancing CTI Extraction Using Privacy-Preserving Techniques

The need for effective Cyber Threat Intelligence (CTI) has never been greater, with cyber threats evolving at an unprecedented rate and targeting individuals and organizations alike. CTI is crucial for the identification, assessment and mitigation of cyber threats. Understanding security threats allows organizations to improve their defences and fight cyberattacks more efficiently. It is well known, however, that an individual organization does not hold much data, and the data it does capture are not diverse. As a result, the CTI it extracts does not reflect the full range of possible cyberattacks, and the defence policies built on it may be inadequate. One core issue is that cybersecurity data contains private information that cannot be shared. Extracting CTI from these data could lead to significant privacy breaches and security risks.

However, the application of Fully Homomorphic Encryption (FHE) and Trusted Execution Environments (TEE) can provide a solution to the need for secure, privacy-preserving CTI sharing and extraction. FHE and TEE represent cutting-edge solutions for preserving the privacy of individuals. FHE allows computations on encrypted data, producing results without ever exposing the underlying data. TEEs provide secure areas within processors that execute code confidentially, ensuring that sensitive data is processed in an isolated and protected environment.

These techniques can also be used to maintain the privacy of a CTI sharing and extraction procedure. Implementing FHE in the CTI extraction process involves several key steps. Initially, the data must be encrypted, ensuring that sensitive information is protected. Secure analysis then takes place on the encrypted data, with the assurance that the privacy of the underlying data is maintained. Finally, the results can be decrypted by the key holder and utilized, all without ever compromising data privacy. On the other hand, a TEE can provide its secure environment to host both the datasets of the data providers and the functions used for CTI extraction. Furthermore, it can act as a trusted environment where the CTI extracted from each data provider is stored and correlated, producing enriched CTI. This enriched CTI can then be shared among the data holders. Given the privacy and security guarantees of these two techniques, actionable CTI can be extracted without any privacy violation.
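As an added illustration of the encrypt, analyse, decrypt flow above applied to the correlation step (example code written for this post, not code from the ENCRYPT project): each data provider encrypts its per-indicator attack counts under the CTI extractor's public key, an untrusted aggregator sums the ciphertexts without being able to read them, and only the extractor decrypts the totals. It uses a toy Paillier scheme (additively homomorphic only, not full FHE) with constructed small primes, and the provider reports and indicators are constructed sample data.

```python
"""Toy additively homomorphic aggregation of CTI indicator counts."""
import math
import secrets

# Constructed toy primes: far too small for real use, chosen only so the
# example runs instantly. A real deployment uses 1024-bit-plus primes.
P, Q = 1_000_003, 1_000_033

def keygen(p=P, q=Q):
    """Paillier key pair with g = n + 1 (the usual simplification)."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)          # L(g^lam mod n^2) == lam when g = n + 1
    return (n, n + 1), (lam, mu)  # (public, private)

def encrypt(pub, m):
    """c = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2

def add(pub, c1, c2):
    """Homomorphic addition: product of ciphertexts encrypts the sum."""
    n = pub[0]
    return (c1 * c2) % (n * n)

def decrypt(pub, priv, c):
    n, (lam, mu) = pub[0], priv
    return (((pow(c, lam, n * n) - 1) // n) * mu) % n

def aggregate(pub, encrypted_reports):
    """Aggregator side: sums encrypted counts per indicator, sees no plaintext."""
    totals = {}
    for report in encrypted_reports:
        for indicator, c in report.items():
            totals[indicator] = add(pub, totals[indicator], c) if indicator in totals else c
    return totals

# Constructed sample reports: attack counts per indicator from three providers
# (IPs from the RFC 5737 documentation range, a made-up phishing domain).
SAMPLE_REPORTS = [
    {"198.51.100.7": 3, "203.0.113.9": 1},      # provider A, IP-related attacks
    {"198.51.100.7": 2},                        # provider B, IP-related attacks
    {"phish.example": 4},                       # provider C, email-related attacks
]

def correlate_reports(reports):
    """End-to-end flow: providers encrypt, aggregator sums, extractor decrypts."""
    pub, priv = keygen()
    encrypted = [{k: encrypt(pub, v) for k, v in r.items()} for r in reports]
    return {k: decrypt(pub, priv, c) for k, c in aggregate(pub, encrypted).items()}
```

The aggregator never holds the private key, so the individual providers' counts stay hidden from it; only the correlated totals become visible to the CTI extractor.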

In ENCRYPT, the combination of CTI, FHE, and TEE will be tested on the CTI use case provided by CERTH as the service provider (i.e., the CTI extractor) and EXUS, DBC, and 8BELLs as the cybersecurity data providers. The data of EXUS and 8BELLs contain IP-related attacks, while the data of DBC contain email-related attacks. This will make it possible to extract and correlate different kinds of data in a privacy-preserving manner.