Secure and Efficient Exchange of Threat Information Using Blockchain Technology
- How does the threat information sharing platform support secure communication between diverse participants?
- What are the trade-offs between trust, immutability and privacy in the process of sharing CTI and how can these needs be addressed effectively in a single solution?
- What is the overhead the involved parties would incur due to the deployment of the developed solution?
- The developed solution addresses trust issues associated with the CTI exchange on two levels: (1) the dependability of a publisher; (2) the reliability of shared information.
- The solution records the hash of threat information immutably instead of the actual CTI, thus it complies with the General Data Protection Regulation (GDPR) right to be forgotten.
- An implementation is entirely built on open-source software including the official TAXII framework, Hyperledger Fabric and Quorum.
- The solution is thoroughly assessed in two different ways: A quantitative evaluation using indicators such as resource utilisation and latency and a qualitative evaluation considering attack vectors.
2.1. Blockchain Technology
2.2. Cyber Threat Information Sharing
2.2.1. Blockchain-Based Cyber Threat Information Sharing
2.2.2. Evaluation Criteria for Cyber Threat Information Sharing
- Integrity: the authenticity of CTI is preserved while exchanging amongst organisations.
- Performance: a CTI sharing platform optimises the performance merits such as throughput and latency.
- Trust: only authorised organisations can participate in the threat-sharing process.
- Privacy: the platform does not expose any personal data to unauthorised parties.
- Automation: Upon publishing new threat information, all organisations that are subscribed to the respective incident should automatically receive the information.
3. Secure and Efficient Threat Information Sharing
- Discovery: A Security Expert (SE) in Organisation A discovers a cyber incident. t and represent the threat information and the related metadata, respectively. , which comprises the CTI identifier, collection ID and version of the object, is mainly used to identify the CTI object uniquely. According to , a CTI identifier is generated in the form of object-type–UUIDv4, where object-type specifies the value of a certain type of CTI object and the UUIDv4 is generated based on RFC 4122 . The collection ID also determines to which collection the information belongs. SE computes the hash of the information, ht, using the hash function . In the next steps, the hash value is utilised for the integrity check.
- Publish: SE publishes the new threat information t to the SETS framework, where t is stored in the database to satisfy the performance criterion. In addition, the expert writes along with the (the tuple ) in the private blockchain, where only authorised partners can execute transactions (i.e., the trust criterion). Despite several advantages of storing threat information in the private blockchain, this approach has shortfalls compared to the database, such as lower throughput and records that cannot be deleted or corrected. Therefore, this solution leverages the database and the blockchain simultaneously to achieve better performance while protecting the data integrity against unsolicited malicious activities. Furthermore, the rationale behind choosing the private blockchain over the public one is to avoid the high cost of transaction execution, in terms of both fee and time, in the public blockchain.
- Admission: Upon reception of a CTI object, the SETS framework first ensures that the information has not been published before. Then it retrieves the respective hash from the private blockchain using the information’s metadata . Next, it computes the hash of the CTI with the use of and checks it against the hash value from the blockchain. The SETS framework stores the tuple in the database after a successful integrity check, i.e., if .
- Rejection: if the CTI object either has been received before or the hash values mismatch (i.e., ), the TAXII framework rejects the CTI submission from SE. However, it does not take any further action to notify SE about the incident. In the latter case, the hash mismatch implies that the CTI object has been altered while being sent to the SETS framework.
- Distribution: Apart from the integrity check and persisting t in the database, the SETS framework also distributes the threat information to the interested organisations via the pub-sub module. Since response time is crucial in effectively mitigating cyberattacks, the CTI object is forwarded to the pub-sub module immediately after receiving the SE’s submission. The SETS framework thus does not wait for the completion of the integrity check, which might take longer due to the interaction with the blockchain. Consequently, at the time of distribution, it is quite likely that the authenticity of t has not been validated yet. Additionally, the content of the CTI object in transit is a potential alteration target for attackers. Therefore, the organisation on the receiving end needs to check the integrity of the CTI object upon reception.
- Subscribe: A security expert in Organisation B subscribes to a certain type of threat information (e.g., an indicator of compromise) which is shared with the SETS framework by different organisations. It then receives the relevant CTI from the SETS framework whenever threat information is published in the respective channel. Similarly to the SETS framework, SE computes the hash of the CTI using and compares it with the hash value retrieved from the blockchain. If , SE accepts the CTI object and takes it into use for further actions (step 4.a); otherwise it rejects the SETS’ submission (step 4.b), since the hash mismatch implies that the CTI object has been altered in transit.
- Inquiry: In addition to the publish-subscribe communication paradigm, the SETS framework provides a specific CTI object in response to an SE’s request. In this communication model, the SETS framework retrieves the queried threat information t from the database. Next, it computes the hash of the CTI and checks it against , which is obtained from the blockchain. As in the distribution phase, the SETS framework does not wait for the completion of the integrity check and sends back t immediately after retrieval from the database. The SETS framework marks the CTI record as valid if (step 5.a); otherwise the record is marked as invalid (step 5.b), implying that the CTI object in the database has been altered. The SETS framework will therefore reject future queries about the same CTI record.
- Inquiry Response: Upon reception of a response to the queried CTI, SE retrieves the hash of the data from the blockchain and checks it against the hash value computed using . As in the subscribe phase, if matches , SE accepts the CTI object (step 6.a); otherwise, it rejects the SETS’ reply (step 6.b), implying that the CTI object has been modified either in the database or in transit.
4. The Implementation
4.1. TAXII Client
- WriteCTIHash: this function stores the tuple , which is given as input in the dedicated blockchain.
- ReadCTIHash: this function retrieves the hash value , which is mapped to the given metadata from the blockchain.
4.2. TAXII Server
- Publish: the server passes the threat information to the pub-sub middleware, where CTI objects are written to pre-defined channels. The server component uses the pub-sub middleware implemented in on the basis of the RabbitMQ messaging platform.
- Persist: the server stores the CTI object in the backend plugin. However, it is most likely that the validity of the record has not been confirmed by the time the Persist task is finalized. Therefore, the status of the CTI record is marked as pending until the integrity check outcome is received.
- Integrity check: the server retrieves the hash of the CTI object from the blockchain. To this end, as in the client component, blockchain-specific adapters are added to the server implementation and used to invoke the ReadCTIHash function of the DataStorage contract. The server also computes the hash of the object and checks it against the hash value acquired from the blockchain. If the hash values match, the status of the corresponding record is set to finalized; for mismatching values, the status is set to invalid. The integrity check is typically completed after the Publish task, so CTI consumers must always check the authenticity of the received information independently.
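As an added example (it is not the paper's code and does not reproduce the SETS framework's own hash function, chaincode or status strings verbatim), the following Python simulation walks through the Discovery, Publish, Admission/Rejection, Distribution, Subscribe and Inquiry steps of Section 3 together with the WriteCTIHash/ReadCTIHash functions and the pending/finalized/invalid statuses of Section 4. It assumes SHA-256 over canonical JSON as the hash function, an in-memory class standing in for the DataStorage contract and another for the database and pub-sub channel, and the STIX 2 `--` separator in identifiers; the sample indicator and organisation names are constructed.

```python
import hashlib
import json
import uuid
from dataclasses import dataclass, field
from typing import Optional

# Assumption: the paper does not name its hash function; SHA-256 over canonical
# JSON (sorted keys, no whitespace) makes the hash independent of key order.
def cti_hash(cti: dict) -> str:
    canonical = json.dumps(cti, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

def make_cti_id(object_type: str) -> str:
    # STIX 2 identifier: object type, "--", random UUIDv4 (RFC 4122).
    return f"{object_type}--{uuid.uuid4()}"

def metadata_of(cti: dict, collection_id: str, version: str) -> tuple:
    # (CTI identifier, collection ID, version) uniquely identifies the object.
    return (cti["id"], collection_id, version)

class DataStorageLedger:
    """Hypothetical in-memory stand-in for the DataStorage contract (not Fabric or
    Quorum chaincode): only authorised callers may write, entries are append-only,
    and every write is logged so a breach can be traced afterwards."""
    def __init__(self, authorised: set):
        self.authorised = authorised
        self.hashes: dict = {}
        self.log: list = []

    def write_cti_hash(self, caller: str, metadata: tuple, h: str) -> None:
        if caller not in self.authorised:
            raise PermissionError(f"{caller} may not write to the ledger")
        if metadata in self.hashes:
            raise ValueError("hash already recorded; ledger entries are immutable")
        self.hashes[metadata] = h
        self.log.append((caller, metadata, h))

    def read_cti_hash(self, metadata: tuple) -> Optional[str]:
        return self.hashes.get(metadata)

@dataclass
class SetsServer:
    ledger: DataStorageLedger
    db: dict = field(default_factory=dict)          # metadata -> {"cti", "status"}
    published: list = field(default_factory=list)   # stand-in for the pub-sub channel

    def admit(self, cti: dict, metadata: tuple) -> str:
        if metadata in self.db:                      # Rejection: received before
            return "rejected-duplicate"
        self.published.append(cti)                   # Distribution precedes the check
        self.db[metadata] = {"cti": cti, "status": "pending"}   # Persist as pending
        return self._integrity_check(metadata)

    def _integrity_check(self, metadata: tuple) -> str:
        record = self.db[metadata]
        expected = self.ledger.read_cti_hash(metadata)
        ok = expected is not None and cti_hash(record["cti"]) == expected
        record["status"] = "finalized" if ok else "invalid"
        return record["status"]

    def inquiry(self, metadata: tuple) -> Optional[dict]:
        record = self.db.get(metadata)
        if record is None or record["status"] == "invalid":
            return None                              # future queries on bad records fail
        self._integrity_check(metadata)              # re-check after each retrieval
        return record["cti"]                         # returned without waiting for the check

def consumer_verify(cti: dict, metadata: tuple, ledger: DataStorageLedger) -> bool:
    # Subscribe / Inquiry Response: the consumer checks independently of the server.
    expected = ledger.read_cti_hash(metadata)
    return expected is not None and cti_hash(cti) == expected

def run_scenario() -> dict:
    ledger = DataStorageLedger(authorised={"org-a-expert"})
    server = SetsServer(ledger)
    cti = {"id": make_cti_id("indicator"), "type": "indicator",
           "pattern": "[ipv4-addr:value = '198.51.100.7']"}   # constructed sample
    meta = metadata_of(cti, "collection-1", "1")
    ledger.write_cti_hash("org-a-expert", meta, cti_hash(cti))   # Discovery + Publish
    results = {"admit": server.admit(cti, meta),                 # "finalized"
               "duplicate": server.admit(cti, meta)}             # "rejected-duplicate"
    results["consumer_ok"] = consumer_verify(server.published[0], meta, ledger)
    tampered = dict(cti, pattern="[ipv4-addr:value = '203.0.113.9']")
    results["consumer_tampered"] = consumer_verify(tampered, meta, ledger)   # altered in transit
    server.db[meta]["cti"] = tampered                            # backend record altered
    results["first_query"] = server.inquiry(meta) is not None    # served, then marked invalid
    results["status_after"] = server.db[meta]["status"]
    results["second_query"] = server.inquiry(meta)               # None: rejected
    try:
        ledger.write_cti_hash("outsider", meta, cti_hash(tampered))
    except PermissionError:
        results["outsider_write"] = "denied"
    return results

if __name__ == "__main__":
    print(run_scenario())
```

The scenario reproduces the two attack outcomes discussed in Section 6.1: a message altered in transit fails the consumer's check against the ledger, and a record altered in the backend is served once and then invalidated, so that subsequent queries are rejected; an unauthorised attempt to overwrite the ledger hash is refused.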
4.3. Blockchain-Specific Interface
5.1. Testing Environment and Setup
5.2. Latency, Throughput and Resource Utilisation in SETS framework
6.1. Potential Attacks
- General public: Anyone from an organization, a state or a hacker group may play the role of an adversary in the general public category. A malicious actor is motivated by financial rewards, which it may gain directly or indirectly from mounting a certain attack, and would alter the message describing the respective incident in the hope that either a CTI consumer or the CTI sharing platform receives the invalid information and acts upon it. In both cases, the SETS framework and potential CTI consumers, before taking the threat information into use, need to examine the integrity of the data using the hash persisted on the private blockchain by the CTI provider. Thereby, they can easily spot any changes in the received data and discard them. To modify the hash stored on the private blockchain in a way that would match the changes in the message, an adversary would need the same permission level as the CTI provider, which would be difficult considering the nature of the private blockchain. Furthermore, all transactions are logged on the blockchain and could later be utilized for tracking down the blockchain breach. An attacker can also target the authenticity of data records in the SETS platform. To achieve this, the attacker needs to take control of the backend plugin and subsequently modify the content of the records. The platform, however, would detect the incident as soon as it retrieves the record in response to a consumer’s query, since it checks the integrity of the data after each retrieval against the hash on the private blockchain and invalidates the data record whenever a hash mismatch is observed.
- Security expert: A security expert may produce information about launched attacks, attack patterns and attacker behaviours. The expert may also subscribe to threat information generated by other organizations. As stated in Section 4.2, only authorized experts can interact with the SETS platform. Additionally, an expert needs the appropriate permissions to read or store hashes associated with CTI data on the private blockchain. It is therefore relatively challenging for an adversary to masquerade as a genuine expert and thus be granted permissions for accessing the SETS platform and the private blockchain. Alternatively, compromising the expert’s system would require two things: stealing credentials for authorization on the SETS platform and acquiring the cryptographic material for accessing the private blockchain, which would not be easy to achieve.
- Platform operator: In this work, it is assumed that all decisions regarding membership and access rights are made by a trustworthy third party designated as the platform operator, who is responsible for governing the SETS platform. Additionally, the operator is legitimized by a group of trusted third parties such as EU FI-ISAC . Consequently, CTI providers and consumers can simply verify the authenticity of the platform operator with the consortium of trusted third parties before initiating any data exchange. Conversely, an attacker trying to impersonate a genuine operator would need to compromise most parties in the consortium, which would not be an easy task considering the stringent security measures in place at such organizations .
6.2. Qualitative Assessment of the Evaluation Criteria
Data Availability Statement
Conflicts of Interest
- DHS, US. Critical Infrastructure Sectors. 2019. Available online: https://www.cisa.gov/critical-infrastructure-sectors (accessed on 10 April 2022).
- Digital Agenda for Europe, COM(2010)245 Final. 2010. Available online: https://www.eumonitor.eu/9353000/1/j9vvik7m1c3gyxp/vikqhod6cfud (accessed on 10 February 2022).
- Onyeji, I.; Bazilian, M.; Bronk, C. Cyber security and critical energy infrastructure. Electr. J. 2014, 27, 52–60. [Google Scholar] [CrossRef]
- Kokkonen, T.; Hautamäki, J.; Siltanen, J.; Hämäläinen, T. Model for sharing the information of cyber security situation awareness between organizations. In Proceedings of the 2016 23rd International Conference on Telecommunications (ICT), Thessaloniki, Greece, 16–18 May 2016; pp. 1–5. [Google Scholar]
- Leszczyna, R.; osiński, M.; Małkowski, R. Security information sharing for the polish power system. In Proceedings of the 2015 Modern Electric Power Systems (MEPS), Wroclaw, Poland, 6–9 July 2015; pp. 1–6. [Google Scholar]
- Johnson, C.; Badger, L.; Waltermire, D.; Snyder, J.; Skorupka, C. Guide to cyber threat information sharing. NIST Spec. Publ. 2016, 800, 150. [Google Scholar]
- Martínez, M.M.; Marin-Tordera, E.; Masip-Bruin, X. Scalability analysis of a blockchain-based security strategy for complex IoT systems. In Proceedings of the 2021 IEEE 22nd International Conference on High Performance Switching and Routing (HPSR), Paris, France, 7–10 June 2021; pp. 1–6. [Google Scholar]
- Allouche, Y.; Tapas, N.; Longo, F.; Shabtai, A.; Wolfsthal, Y. TRADE: TRusted Anonymous Data Exchange: Threat Sharing Using Blockchain Technology. arXiv 2021, arXiv:2103.13158. [Google Scholar]
- Pahlevan, M.; Voulkidis, A.; Velivassaki, T.H. Secure exchange of cyber threat intelligence using TAXII and distributed ledger technologies-application for electrical power and energy system. In Proceedings of the 16th International Conference on Availability, Reliability and Security, Vienna, Austria, 17–20 August 2021; pp. 1–8. [Google Scholar]
- Tokarski, M. Protection of Individuals in the light of EU Regulation 2016/679 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of such Data. Saf. Def. 2020, 6, 63–74. [Google Scholar] [CrossRef]
- Wang, X.; Zha, X.; Ni, W.; Liu, R.P.; Guo, Y.J.; Niu, X.; Zheng, K. Survey on blockchain for Internet of Things. Comput. Commun. 2019, 136, 10–29. [Google Scholar] [CrossRef]
- Kuo, T.T.; Kim, H.E.; Ohno-Machado, L. Blockchain distributed ledger technologies for biomedical and health care applications. J. Am. Med. Inform. Assoc. 2017, 24, 1211–1220. [Google Scholar] [CrossRef]
- Mendez Mena, D.; Yang, B. Decentralized Actionable Cyber Threat Intelligence for Networks and the Internet of Things. IoT 2021, 2, 1. [Google Scholar] [CrossRef]
- Bissell, K.; Lasalle, R.M.; Dal Cin, P. The Cost of Cybercrime—Ninth Annual Cost of Cybercrime Study. Ponemon Institute and Accenture Security. 2019, Volume 50. Available online: https://www.accenture.com/_acnmedia/PDF-96/Accenture-2019-Cost-of-Cybercrime-Study-Final.pdf (accessed on 10 August 2022).
- Luiijf, H.; Kernkamp, A. Sharing Cyber Security Information: Good Practice Stemming from the Dutch Public-Private-Participation Approach; TNO: The Hague, The Netherlands, 2015. [Google Scholar]
- Brown, S.; Gommers, J.; Serrano, O. From cyber security information sharing to threat management. In Proceedings of the 2nd ACM Workshop on Information Sharing and Collaborative Security, Denver, CO, USA, 12 October 2015; pp. 43–49. [Google Scholar]
- Dandurand, L.; Serrano, O.S. Towards improved cyber security information sharing. In Proceedings of the 2013 5th International Conference on Cyber Conflict (CYCON 2013), Tallinn, Estonia, 4–7 June 2013; pp. 1–16. [Google Scholar]
- Haass, J.C.; Ahn, G.J.; Grimmelmann, F. ACTRA: A case study for threat information sharing. In Proceedings of the 2nd ACM Workshop on Information Sharing and Collaborative Security, Denver, CO, USA, 12 October 2015; pp. 23–26. [Google Scholar]
- Skopik, F.; Settanni, G.; Fiedler, R. A problem shared is a problem halved: A survey on the dimensions of collective cyber defense through security information sharing. Comput. Secur. 2016, 60, 154–176. [Google Scholar] [CrossRef]
- Jasper, S.E. US cyber threat intelligence sharing frameworks. Int. J. Intell. Counterintell. 2017, 30, 53–65. [Google Scholar] [CrossRef]
- Tounsi, W.; Rais, H. A survey on technical threat intelligence in the age of sophisticated cyber attacks. Comput. Secur. 2018, 72, 212–233. [Google Scholar] [CrossRef]
- Wagner, C.; Dulaunoy, A.; Wagener, G.; Iklody, A. Misp: The design and implementation of a collaborative threat intelligence sharing platform. In Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security, Vienna, Austria, 24 October 2016; pp. 49–56. [Google Scholar]
- Grønberg, M. An Ontology for Cyber Threat Intelligence. Master’s Thesis, University of Oslo, Oslo, Norway, 2019. [Google Scholar]
- Mandiant. OpenIOC. 2010. Available online: http://www.openioc.org/ (accessed on 10 February 2022).
- MITRE. Cyber Observable eXpression. 2011. Available online: https://cybox.mitre.org/about/ (accessed on 10 February 2022).
- Barnum, S. Standardizing cyber threat intelligence information with the structured threat information expression (stix). Mitre Corp. 2012, 11, 1–22. [Google Scholar]
- Connolly, J.; Davidson, M.; Schmidt, C. The Trusted Automated Exchange of Indicator Information (Taxii); The MITRE Corporation: McLean, VA, USA, 2014; pp. 1–20. [Google Scholar]
- Yli-Huumo, J.; Ko, D.; Choi, S.; Park, S.; Smolander, K. Where is current research on blockchain technology?—A systematic review. PLoS ONE 2016, 11, e0163477. [Google Scholar] [CrossRef] [PubMed]
- Taylor, P.J.; Dargahi, T.; Dehghantanha, A.; Parizi, R.M.; Choo, K.K.R. A systematic literature review of blockchain cyber security. Digit. Commun. Netw. 2020, 6, 147–156. [Google Scholar] [CrossRef]
- Homan, D.; Shiel, I.; Thorpe, C. A new network model for cyber threat intelligence sharing using blockchain technology. In Proceedings of the 2019 10th IFIP International Conference on New Technologies, Mobility and Security (NTMS), Canary Islands, Spain, 24–26 June 2019; pp. 1–6. [Google Scholar]
- Thummavet, P. Demystifying Hyperledger Fabric (1/3): Fabric Architecture. 2019. Available online: https://medium.com/coinmonks/demystifying-hyperledger-fabric-1-3-fabric-architecture-a2fdb587f6cb (accessed on 14 April 2022).
- Purohit, S.; Calyam, P.; Wang, S.; Yempalla, R.; Varghese, J. DefenseChain: Consortium Blockchain for Cyber Threat Intelligence Sharing and Defense. In Proceedings of the 2020 2nd Conference on Blockchain Research & Applications for Innovative Networks and Services (BRAINS), Paris, France, 28–30 September 2020; pp. 112–119. [Google Scholar]
- Hajizadeh, M.; Afraz, N.; Ruffini, M.; Bauschert, T. Collaborative cyber attack defense in SDN networks using blockchain technology. In Proceedings of the 2020 6th IEEE Conference on Network Softwarization (NetSoft), Ghent, Belgium, 29 June–3 July 2020; pp. 487–492. [Google Scholar]
- Kreutz, D.; Ramos, F.M.; Verissimo, P.E.; Rothenberg, C.E.; Azodolmolky, S.; Uhlig, S. Software-defined networking: A comprehensive survey. Proc. IEEE 2014, 103, 14–76. [Google Scholar] [CrossRef]
- Magdziarczyk, M. Right to Be Forgotten in Light of Regulation (Eu) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/Ec. In Proceedings of the 6th International Multidisciplinary Scientific Conference on Social Sciences and Art SGEM 2019, Vienna, Austria, 24 August–2 September 2019; pp. 177–184. [Google Scholar]
- Büber, E.; Şahingöz, Ö.K. Blockchain Based Information Sharing Mechanism for Cyber Threat Intelligence. Balk. J. Electr. Comput. Eng. 2020, 8, 242–253. [Google Scholar] [CrossRef]
- Wu, Y.; Qiao, Y.; Ye, Y.; Lee, B. Towards improved trust in threat intelligence sharing using blockchain and trusted computing. In Proceedings of the 2019 Sixth International Conference on Internet of Things: Systems, Management and Security (IOTSMS), Granada, Spain, 22–25 October 2019; pp. 474–481. [Google Scholar]
- Cha, J.; Singh, S.K.; Pan, Y.; Park, J.H. Blockchain-Based Cyber Threat Intelligence System Architecture for Sustainable Computing. Sustainability 2020, 12, 6401. [Google Scholar] [CrossRef]
- OASIS. STIX TM Version 2.0. Part 1: STIX Core Concepts. 2017. Available online: http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.html (accessed on 15 March 2022).
- Leach, P.; Mealling, M.; Salz, R. A Universally Unique Identifier (uuid) urn Namespace; Technical Report; The Internet Society: Reston, VA, USA, 2005. [Google Scholar]
- OASIS. cti-taxii-server. 2017. Available online: https://github.com/oasis-open/cti-taxii-server (accessed on 10 February 2022).
- OASIS. cti-taxii-client. 2017. Available online: https://github.com/oasis-open/cti-taxii-client (accessed on 10 February 2022).
- Baliga, A.; Subhod, I.; Kamat, P.; Chatterjee, S. Performance evaluation of the quorum blockchain platform. arXiv 2018, arXiv:1809.03421. [Google Scholar]
- Project, P. Flask-Web Development, One Drop at a Time. 2010. Available online: https://flask.palletsprojects.com/en/1.1.x/ (accessed on 15 April 2022).
- Synelixis. Open Source Identity and Access Management for Modern Applications and Services. 2021. Available online: https://www.keycloak.org/ (accessed on 16 March 2022).
- Sollfrank, M.; Loch, F.; Denteneer, S.; Vogel-Heuser, B. Evaluating docker for lightweight virtualization of distributed and time-sensitive applications in industrial automation. IEEE Trans. Ind. Inform. 2020, 17, 3566–3576. [Google Scholar] [CrossRef]
- Pure Python RabbitMQ/AMQP 0-9-1 Client Library. 2022. Available online: https://github.com/pika/pika (accessed on 17 April 2022).
- Boskamp, E. 29 Worrisome Cybersecurity Statistics. 2022. Available online: https://www.zippia.com/advice/cybersecurity-statistics/ (accessed on 10 February 2022).
- Mazzoni, M.; Corradi, A.; Di Nicola, V. Performance evaluation of permissioned blockchains for financial applications: The ConsenSys Quorum case study. Blockchain: Res. Appl. 2022, 3, 100026. [Google Scholar] [CrossRef]
- Satija, S.; Mehra, A.; Singanamalla, S.; Grover, K.; Sivathanu, M.; Chandran, N.; Gupta, D.; Lokam, S. Blockene: A high-throughput blockchain over mobile devices. In Proceedings of the 14th USENIX Symposium on Operating Systems Design and Implementation (OSDI 20), Virtual Event, 4–6 November 2020; pp. 567–582. [Google Scholar]
- European Union Agency for Network and Information Security (ENISA). Information Sharing and Analysis Centres (ISACs) Cooperative Models. 2017. Available online: https://www.enisa.europa.eu/publications/information-sharing-and-analysis-center-isacs-cooperative-models (accessed on 10 February 2022).
- Verizon RISK Team. 2015 Data Breach Investigations Report. 2015. Available online: https://old.iktissadevents.com/files/media/speeches/ACCF-2015-S4-lorenz-kuhlee.pdf (accessed on 10 February 2022).
- Andola, N.; Gogoi, M.; Venkatesan, S.; Verma, S. Vulnerabilities on hyperledger fabric. Pervasive Mob. Comput. 2019, 59, 101050. [Google Scholar] [CrossRef]
- Yamashita, K.; Nomura, Y.; Zhou, E.; Pi, B.; Jun, S. Potential risks of hyperledger fabric smart contracts. In Proceedings of the 2019 IEEE International Workshop on Blockchain Oriented Software Engineering (IWBOSE), Hangzhou, China, 24 February 2019; pp. 1–10. [Google Scholar]
- Gunicorn. Green Unicorn. Available online: https://gunicorn.org/ (accessed on 10 February 2022).
- Christidis, J.; Karkazis, P.A.; Papadopoulos, P.; Leligou, H.C.N. Decentralized Blockchain-Based IoT Data Marketplaces. J. Sens. Actuator Netw. 2022, 11, 39. [Google Scholar] [CrossRef]
Table columns for latency and throughput measurements (table rows not included in this extraction): Send Rate (m/s), Success Rate, Throughput (m/s), Latency (s).
Table columns for resource utilisation measurements (table rows not included in this extraction): Send Rate (m/s), CPU (%), Memory (GiB).
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Pahlevan, M.; Ionita, V. Secure and Efficient Exchange of Threat Information Using Blockchain Technology. Information 2022, 13, 463. https://doi.org/10.3390/info13100463