Cyber threats domain: Cyberthreat Intelligence Information Sharing
The second use case is on the cyber threats domain and is supported by CERTH as service provider/data processor, and EXUS, DBC, and 8BELLS as data owners and end-users. Within this use case we will evaluate and validate the Differential Privacy (DP) and Multi-Party Computation (MPC) technologies. We will further validate the Knowledge Graph building software, allowing the interoperability between different types of datasets.
Context: Threat actors are becoming more advanced over the years, introducing new, more sophisticated techniques. By sharing Cyber Threat Intelligence (CTI) related to those threats, organizations can leverage and combine knowledge, experience, and capabilities to gain a more complete understanding of those threats, which can increase cybersecurity awareness and resilience. Several CTI sharing communities have emerged in recent years. Such communities can be public, or private and possibly fee-based. For example, cybersecurity companies sell subscriptions to CTI feeds that include data from machines all over the world. Additionally, several public CTI feeds exist, some of which are also integrated into CTI sharing platforms such as MISP. CTI data spaces, which include data collected from the systems (such as servers, databases, security systems, etc.) of several organizations and the CTI extracted from them, can help organizations correlate and analyse intelligence from different sources to make threat-informed decisions regarding defensive capabilities, detection techniques, and mitigation strategies. For CTI data spaces to be effective, classified and personal data may need to be included. Such data can include IPs, emails, usernames, etc. Thus, the CTI data space needs to support running algorithms that extract insights from those data while not giving access to the classified and private information. The ENCRYPT platform will be demonstrated on a cross-border use case, where the data providers EXUS (Greece), DBC (Belgium), and 8BELLS (Cyprus) will combine data and logs from their systems for the extraction and enrichment of the contained CTI in a secure and privacy-preserving manner. The data to be used include, but are not limited to, server, system and database logs, network logs, security alerts, and more.
CERTH will provide the necessary tools for the extraction of CTI from the data of each organisation and for the correlation and enrichment of all the extracted CTI by combining the different data of the data providers (i.e., EXUS, DBC, and 8BELLS). These tools will be adjusted to work with the ENCRYPT privacy-preserving framework, and their output will be a CTI data space. Finally, security experts from each data provider will use the CTI data space to extract better insights about cyber threats and update their security measures, as opposed to using only the CTI that was extracted within their own organisation.
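The extract-locally, correlate-centrally flow described above, as an added illustration that is not ENCRYPT or CERTH code: each provider extracts failed-login source IPs from its own logs, the data space only ever sees keyed pseudonyms of those indicators (a shared HMAC key is assumed here in place of the MPC protocol), and the number of providers reporting each indicator is released through the Laplace mechanism of differential privacy. Provider names and log lines are constructed; IPs are from documentation ranges.

```python
import hashlib
import hmac
import random
import re
from collections import Counter

# Constructed sample logs for three hypothetical providers (documentation-range IPs).
LOGS = {
    "provider_A": [
        "sshd: Failed password for root from 203.0.113.7 port 22",
        "sshd: Failed password for admin from 203.0.113.7 port 22",
        "sshd: Accepted publickey for alice from 198.51.100.2 port 22",
    ],
    "provider_B": [
        "sshd: Failed password for root from 203.0.113.7 port 2222",
        "sshd: Failed password for root from 192.0.2.99 port 22",
    ],
    "provider_C": ["sshd: Failed password for guest from 192.0.2.99 port 22"],
}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def extract_indicators(lines):
    """Local CTI extraction, run inside each organisation: source IPs of failed logins."""
    ips = set()
    for line in lines:
        m = IP_RE.search(line)
        if m and "Failed password" in line:
            ips.add(m.group(0))
    return ips

def pseudonymise(indicator, key):
    """HMAC-SHA256 under a key shared by the providers (assumption); lets the data space match indicators without holding raw IPs."""
    return hmac.new(key, indicator.encode(), hashlib.sha256).hexdigest()

def correlate(logs, key):
    """Number of distinct providers that reported each pseudonymised indicator."""
    counts = Counter()
    for lines in logs.values():
        for ip in extract_indicators(lines):
            counts[pseudonymise(ip, key)] += 1
    return counts

def dp_count(true_count, epsilon, rng=None):
    """Laplace mechanism, sensitivity 1 (each provider adds at most 1 per indicator);
    Laplace(1/epsilon) is sampled as the difference of two Exp(epsilon) draws."""
    rng = rng or random.Random()
    return true_count + rng.expovariate(epsilon) - rng.expovariate(epsilon)

def release(logs, key, epsilon, rng=None):
    """What the CTI data space publishes: pseudonym -> noisy count of reporting providers."""
    return {p: dp_count(c, epsilon, rng) for p, c in correlate(logs, key).items()}
```

A provider that holds a raw IP can recompute its pseudonym and look up how many peers saw the same source, while the released counts carry noise calibrated to `epsilon`, so a single provider's contribution cannot be read off a published count.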
Missed Opportunities and potential negative impacts due to cybersecurity risks: Changing the tools adversaries use and the Tactics, Techniques, and Procedures (TTPs) they follow is costly. Thus, adversaries prefer to reuse the methods and tools they have against different targets. Additionally, adversaries may attack multiple targets in a short period of time using the same techniques. Organisations that use only their own logs and security alerts might not be able to identify and defend against threats in time. Additionally, it is not always easy to identify malicious activities in complex networks, so attackers might stay undetected for a prolonged period of time. By sharing CTI related to those threats, organizations can leverage and combine knowledge, experience, and capabilities to gain a more complete understanding of those threats, which can increase cybersecurity awareness and resilience. However, organisations avoid sharing their data and CTI because of the private and sensitive information that they might include. Sharing the data or CTI as is (i.e., without any privacy-preserving techniques) can have devastating results for the organisation by disclosing confidential information or information about its internal networks. Not participating in the CTI data space can result in reduced cybersecurity awareness and resilience, which might result in considerable losses from cyberattacks that could have been avoided.
Infrastructure: The infrastructure of the data providers (EXUS, DBC, and 8BELLS) will be used for the collection of the data. CERTH’s servers that host the tools for the extraction and enrichment of CTI will be used and combined with the ENCRYPT platform.
Expected ENCRYPT impact: A security expert wants to participate in the CTI data space to increase the cybersecurity awareness and resilience of their organisation by correlating and combining their logs and CTI with the data and CTI included in the data space, using the privacy-preserving tools provided by ENCRYPT. This will allow them to get a better picture of the threat actor landscape and to update their security measures.