Development of a P2P-Architecture for CTI Exchange

Supervisor(s): Veronique Ehmes, Alexander Giehl, Michael Heinl
Status: finished
Topic: Others
Author: Fabian Pröbstle
Submission: 2024-09-16
Type of Thesis: Master's thesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching

Description

Cyber attacks are becoming increasingly complex, as attacks on digital supply chains show. One strategy to counter this trend is the sharing of Cyber Threat Intelligence (CTI). The aim of this work is to present a novel decentralized concept for CTI sharing. To this end, the current barriers that hinder CTI sharing were identified through a literature review, and a concept for overcoming them was developed. This concept was then tested for plausibility and feasibility. The result is a concept for Decentralized Anonymous Cyber Threat Intelligence Exchange, abbreviated DACTIE, which aims to enable timely, privacy-preserving, and trusted exchange of CTI. It allows users to securely exchange CTI within a closed community, with an authority validating the identities of the participants. CTI can be exchanged in the network either publicly via a publisher-subscriber model or in private groups. Designated archive peers serve as long-term storage and support offline caching of private messages. All members have the option to remain completely anonymous when sending and receiving messages. To establish trust in the network, DACTIE uses a threshold group signature scheme, which allows messages to be deanonymized in rare cases through a majority procedure. All messages are exchanged in encrypted form; for this purpose, the efficient group encryption protocol Messaging Layer Security (MLS) is used. Participant anonymity is achieved through a modified GossipSub protocol. The sender is protected by the inherent anonymity property of gossip algorithms. For receiver anonymity, a technique called Partitioned Channels is used, in which multiple topics are carried over a single channel, thereby obscuring the interests of the individual subscriber. The evaluation and the proof of concept show that the proposed concept is suitable for overcoming the identified barriers.
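To illustrate the receiver-anonymity idea behind Partitioned Channels, the following added example (not code from the thesis or from DACTIE) maps several topics onto a small number of shared channels and shows what a network observer learns from a peer's subscriptions versus what the peer actually consumes. The keyed-hash assignment, the partition key, the channel count and the topic names are all constructed assumptions for the illustration; the thesis's own assignment method may differ.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed parameters (assumptions, not from the thesis): a community-wide
# partitioning key so outsiders cannot precompute the topic-to-channel map,
# and a small number of channels so that several topics share each one.
PARTITION_KEY = b"demo-partition-key-not-from-thesis"
NUM_CHANNELS = 3

# Constructed topic names for the illustration.
TOPICS = ["phishing", "ransomware", "supply-chain", "malware-hashes",
          "c2-infrastructure", "vulnerabilities", "insider-threat"]


def channel_for(topic: str, n_channels: int = NUM_CHANNELS) -> str:
    """Deterministically assign a topic to one of n_channels shared channels."""
    digest = hmac.new(PARTITION_KEY, topic.encode(), hashlib.sha256).digest()
    return f"channel-{int.from_bytes(digest[:4], 'big') % n_channels}"


def partition(topics, n_channels: int = NUM_CHANNELS) -> dict:
    """Group topics by the channel they are carried on."""
    groups = defaultdict(list)
    for t in topics:
        groups[channel_for(t, n_channels)].append(t)
    return {ch: sorted(ts) for ch, ts in groups.items()}


class Subscriber:
    """A peer that subscribes to channels, then filters topics locally."""

    def __init__(self, interests, topics=TOPICS, n_channels=NUM_CHANNELS):
        self.interests = set(interests)
        self.topics = list(topics)
        self.n_channels = n_channels
        # What the network sees: only the channels, never the topics.
        self.subscriptions = {channel_for(t, n_channels) for t in self.interests}

    def receives_on_wire(self, topic: str) -> bool:
        """True if the message for this topic reaches the peer at all."""
        return channel_for(topic, self.n_channels) in self.subscriptions

    def delivers_locally(self, topic: str) -> bool:
        """True only for topics the peer actually wants (local filtering)."""
        return self.receives_on_wire(topic) and topic in self.interests

    def observer_candidates(self) -> set:
        """Topics an observer cannot rule out: the peer's anonymity set."""
        return {t for t in self.topics if self.receives_on_wire(t)}
```

With NUM_CHANNELS well below the number of topics, `observer_candidates()` is a strict superset of the real interests, which is exactly the obscuring effect the description attributes to Partitioned Channels.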

Keywords: CTI Sharing, Anonymity, P2P, GossipSub, MLS, Threshold Group Signatures