PRACIS: Privacy-preserving and aggregatable cybersecurity information sharing

Cooperative cyberdefense has been recognized as an essential strategy to fight against cyberattacks. Cybersecurity Information Sharing (CIS), especially about threats and incidents, is a key aspect in this regard. CIS provides members with an improved situational awareness to prepare for and respond to future cyberthreats. Privacy preservation is critical in this context, since organizations can be reluctant to share information otherwise. This is particularly critical when CIS is facilitated through an untrusted infrastructure provided by a third party (e.g., the cloud). Despite this, current data formats and protocols for CIS do not guarantee any form of privacy preservation to participants. In this paper we introduce PRACIS, a scheme for CIS networks that guarantees private data forwarding and aggregation. PRACIS leverages the well-known Structured Threat Information Expression (STIX) standard data format. Remarkably, PRACIS can be seamlessly integrated with existing STIX-based message brokering middleware such as publish-subscribe architectures. PRACIS achieves these goals by combining standard format-preserving and homomorphic encryption primitives. We discuss experimental results obtained with a prototype implementation developed for a subset of STIX. Results show that entities may create up to 689 incidents per minute, far beyond the estimated average of 81. Moreover, aggregation of 104 incidents can be carried out in just 2.1 s, and the transmission overhead is just 13.5 kbps. Overall, these results suggest that the costs incurred by PRACIS are easily affordable in real-world scenarios.This work was partially supported by the MINECO grant TIN2013-46469-R (SPINY); the CAM grant S2013/ICE-3095 (CIBERDINE), which is co-funded by European FEDER; J. M. de Fuentes and L. Gonzalez were also supported by the Programa de Ayudas para la Movilidad of Carlos III University of Madrid, Spain

Virtual Radicalisation: Challenges for Police

Recent advances in communications technology are providing a medium for individuals or groups to subscribe to extremist worldviews and form networks, access training and obtain information, whilst remaining virtually undetected in the online world. Whilst the Internet is facilitating global virtual communities like Second Life, MySpace and Facebook it is also providing an anonymous meeting place for disenfranchised individuals to gather, share ideas, post and exchange information regarding their particular ideology. This virtual community provides a sense of belonging to a global cause in which the actions of an individual can be aligned to, and seen to contribute towards something more significant than their own lives. Membership of this virtual community can facilitate the indoctrination of individuals, thereby negating psychological barriers that would normally inhibit particular types of behaviour. Terrorist groups operate as amorphous, fluid networks providing them significant advantages over rigidly structured state and nation based law enforcement agencies. In addition terrorist groups are exploiting the combination of rapidly evolving technology and incommodious legislation to prevent detection

A Security Analysis of Cyber-Physical Systems Architecture for Healthcare

This paper surveys the available system architectures for cyber-physical systems. Several candidate architectures are examined using a series of essential qualities for cyber-physical systems for healthcare. Next, diagrams detailing the expected functionality of infusion pumps in two of the architectures are analyzed. The STRIDE Threat Model is then used to decompose each to determine possible security issues and how they can be addressed. Finally, a comparison of the major security issues in each architecture is presented to help determine which is most adaptable to meet the security needs of cyber-physical systems in healthcare

The Cooperative Defense Overlay Network: A Collaborative Automated Threat Information Sharing Framework for a Safer Internet

With the ever-growing proliferation of hardware and software-based computer security exploits and the increasing power and prominence of distributed attacks, network and system administrators are often forced to make a difficult decision: expend tremendous resources on defense from sophisticated and continually evolving attacks from an increasingly dangerous Internet with varying levels of success; or expend fewer resources on defending against common attacks on "low hanging fruit," hoping to avoid the less common but incredibly devastating zero-day worm or botnet attack. Home networks and small organizations are usually forced to choose the latter option and in so doing are left vulnerable to all but the simplest of attacks. While automated tools exist for sharing information about network-based attacks, this sharing is typically limited to administrators of large networks and dedicated security-conscious users, to the exclusion of smaller organizations and novice home users. In this thesis we propose a framework for a cooperative defense overlay network (CODON) in which participants with varying technical abilities and resources can contribute to the security and health of the internet via automated crowdsourcing, rapid information sharing, and the principle of collateral defense

A comparative analysis of cyber-threat intelligence sources, formats and languages

The sharing of cyber-threat intelligence is an essential part of multi-layered tools used to protect systems and organisations from various threats. Structured standards, such as STIX, TAXII and CybOX, were introduced to provide a common means of sharing cyber-threat intelligence and have been subsequently much-heralded as the de facto industry standards. In this paper, we investigate the landscape of the available formats and languages, along with the publicly available sources of threat feeds, how these are implemented and their suitability for providing rich cyber-threat intelligence. We also analyse at a sample of cyber-threat intelligence feeds, the type of data they provide and the issues found in aggregating and sharing the data. Moreover, the type of data supported by various formats and languages is correlated with the data needs for several use cases related to typical security operations. The main conclusions drawn by our analysis suggest that many of the standards have a poor level of adoption and implementation, with providers opting for custom or traditional simple formats

Towards an Evaluation Framework for Threat Intelligence Sharing Platforms

Threat intelligence sharing is an important countermeasure against the increasing number of security threats to which companies and governments are exposed. Its objective is the cross-organizational exchange of information about actual and potential threats. In recent years, a heterogeneous market of threat intelligence sharing platforms (TISPs) has emerged. These platforms are inter-organizational systems that support collaborative collection, aggregation, analysis and dissemination of threat-related information. Organizations that consider using TISPs are often faced with the challenge of selecting suitable platforms. To facilitate the evaluation of threat intelligence sharing platforms, we present a framework for analyzing and comparing relevant TISPs. Our framework provides a set of 25 functional and non-functional criteria that support potential users in selecting suitable platforms. We demonstrate the applicability of our evaluation framework by assessing three platforms: MISP, OTX and ThreatQ. We describe common features and differences between the three platforms

Threat Intelligence Sharing Platforms: An Exploratory Study of Software Vendors and Research Perspectives

In the last couple of years, organizations have demonstrated an increased willingness to exchange information and knowledge regarding vulnerabilities, threats, incidents and mitigation strategies in order to collectively protect against today’s sophisticated cyberattacks. As a reaction to this trend, software vendors started to create offerings that facilitate this exchange and appear under the umbrella term “Threat Intelligence Sharing Platforms”. To which extent these platforms provide the needed means for exchange and information sharing remains unclear as they lack a common definition, innovation in this area is mostly driven by vendors and empirical research is rare. To close this gap, we examine the state-of-the-art software vendor landscape of these platforms, identify gaps and present arising research perspectives. Therefore, we conducted a systematic study of 22 threat intelligence sharing platforms and compared them. We derived eight key findings and discuss how existing gaps should be addressed by future research

Hacker Combat: A Competitive Sport from Programmatic Dueling & Cyberwarfare

The history of humanhood has included competitive activities of many different forms. Sports have offered many benefits beyond that of entertainment. At the time of this article, there exists not a competitive ecosystem for cyber security beyond that of conventional capture the flag competitions, and the like. This paper introduces a competitive framework with a foundation on computer science, and hacking. This proposed competitive landscape encompasses the ideas underlying information security, software engineering, and cyber warfare. We also demonstrate the opportunity to rank, score, & categorize actionable skill levels into tiers of capability. Physiological metrics are analyzed from participants during gameplay. These analyses provide support regarding the intricacies required for competitive play, and analysis of play. We use these intricacies to build a case for an organized competitive ecosystem. Using previous player behavior from gameplay, we also demonstrate the generation of an artificial agent purposed with gameplay at a competitive level

Tactics, Techniques and Procedures (TTPs) to Augment Cyber Threat Intelligence (CTI): A Comprehensive Study

Sharing Threat Intelligence is now one of the biggest trends in cyber security industry. Today, no one can deny the necessity for information sharing to fight the cyber battle. The massive production of raw and redundant data coupled with the increasingly innovative attack vectors of the perpetrators demands an ecosystem to scrutinize the information, detect and react to take a defensive stance. Having enough sources for threat intelligence or having too many security tools are the least of our problems. The main challenge lies in threat knowledge management, interoperability between different security tools and then converting these filtered data into actionable items across multiple devices. Large datasets may help filtering the massive information gathering, open standards may somewhat facilitate the interoperability issues, and machine learning may partly aid the learning of malicious traits and features of attack, but how do we coordinate the actionable responses across devices, networks, and other ecosystems to be proactive rather than reactive? This paper presents a study of current threat intelligence landscape (Tactic), information sources, basic Indicators of Compromise (IOCs) (Technique) and STIX and TAXII standard as open source frameworks (Procedure) to augment Cyber Threat Intelligence (CTI) sharing