Released
October 11, 2022
Language
Python
License
Apache License 2.0
The Secure Aggregator of Cyber Threat Intelligence (SACTI) facilitates anonymized sharing of “sightings” and impact information through the MISP platform.
CONTEXT AND BACKGROUND

The Malware Information Sharing Platform (MISP), developed and maintained by CIRCL, allows organizations to report and share cyber threat information. It is widely used to share so-called Indicators of Compromise (IoCs), which represent particular threats and thus help organizations discover breaches, infections or other malicious activity in their own infrastructure.

A known challenge of CTI communities is that parties can be reluctant to share particular threat information, especially when this information suggests the occurrence of an actual incident. Thus it is often hard to establish a structural exchange of “sightings” (i.e. actual observations of a particular IoC) and impact information (e.g. the financial damage that an organization incurred from a certain threat). Such (arguably sensitive) insights could, however, greatly enhance the community’s situational awareness and would thus be valuable to include in the information exchange. The SACTI component provides a secure and anonymous mechanism to facilitate this in communities that employ the MISP platform.

SACTI employs MPC (Multi-Party Computation) technology to share sightings and impact information in an aggregated and anonymized form. It only compiles an aggregated outcome if sufficiently many parties supplied the required source information. As an example, if only a single party observed a particular IoC, reporting this sighting to the community would likely be sensitive. If several parties report a similar sighting, however, SACTI can compile an aggregated result that cannot be traced back to the individual organizations but still provides the community with a valuable insight.

SOFTWARE

In the SACTI protocol the aggregator (central party) asks all participants to report a number for each of the listed cyber threats. The participants respond by sending every other participant a Shamir secret-shared list of sightings. In a joint computation the parties check both the validity of the inputs and that the number of zero-sightings per threat does not exceed the threshold. If both checks pass, the responses are jointly reconstructed and published on MISP via the aggregator. The software was written in Python and developed in TNO's MPC Lab.
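The following is an added, simplified model of that flow, not the SACTI code itself: each party Shamir-shares its per-IoC sighting count plus a zero-indicator bit, the shares are summed point-wise, and the total is only opened when the reconstructed number of zero-sightings stays within the threshold. The field prime, the honest zero-indicator bit and the sample reports are assumptions of this illustration; the real protocol validates inputs inside the MPC rather than trusting them.

```python
import secrets

P = 2**61 - 1  # prime field for the shares (constructed choice, a Mersenne prime)

def share(secret, n, t):
    """Shamir-share `secret` for n parties; any t+1 shares reconstruct it."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    return [(x, sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def reconstruct(shares):
    """Lagrange interpolation at x = 0 over the prime field."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def add_shares(share_lists):
    """Shares are additive: summing them point-wise yields shares of the sum."""
    xs = [x for x, _ in share_lists[0]]
    return [(x, sum(sl[i][1] for sl in share_lists) % P) for i, x in enumerate(xs)]

def aggregate(reports, max_zero, t=1):
    """reports: IoC -> one sighting count per party. Each party shares its count
    and a zero-indicator bit (1 = saw nothing). The bit is assumed honest here;
    SACTI validates inputs inside the MPC instead of trusting them."""
    n = len(next(iter(reports.values())))
    result = {}
    for ioc, counts in reports.items():
        if any(c < 0 for c in counts):
            raise ValueError(f"invalid sighting count for {ioc}")
        zero_shares = [share(int(c == 0), n, t) for c in counts]
        if reconstruct(add_shares(zero_shares)) > max_zero:
            result[ioc] = None  # too few parties saw it: withhold the total
            continue
        count_shares = [share(c, n, t) for c in counts]
        result[ioc] = reconstruct(add_shares(count_shares))
    return result

SAMPLE = {"ioc-a": [3, 0, 5, 2],   # constructed: 4 parties, counts per IoC
          "ioc-b": [0, 0, 7, 0]}   # only one party saw ioc-b

if __name__ == "__main__":
    print(aggregate(SAMPLE, max_zero=1))  # {'ioc-a': 10, 'ioc-b': None}
```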

SOURCE PROJECT

The SACTI software was developed by TNO in the European Prometheus project, which received funding from the European Union’s Horizon 2020 Research and Innovation program under Grant Agreement No. 780701.
