The Malware Information Sharing Platform (MISP), developed and maintained by CIRCL, allows organizations to report and share cyber threat information. It is widely used to share so-called Indicators of Compromise (IoCs) that represent particular threats, thus helping organizations to discover breaches, infections or other malicious activity in their own infrastructures.
A known challenge of CTI communities is that parties can be reluctant to share particular threat information, especially when this information suggests the occurrence of an actual incident. Thus it is often hard to establish a structural exchange of “sightings” (i.e. actual observations of a particular IoC) and impact information (e.g. the financial damage that an organization incurred from a certain threat). Such (arguably sensitive) insights could, however, greatly enhance the community’s situational awareness and would thus be valuable to include in the information exchange. The SACTI component provides a secure and anonymous mechanism to facilitate this in communities that employ the MISP platform.
SACTI employs MPC (Multi-Party Computation) technology to share sightings and impact information in an aggregated and anonymized form. It only compiles an aggregated outcome if sufficiently many parties supplied the required source information. As an example, if only a single party observed a particular IoC, reporting this sighting to the community would likely come with sensitivities. If several parties report a similar sighting, however, SACTI can compile an aggregated result that cannot be traced back to the individual organizations but still provides the community with a valuable insight.
In the SACTI protocol the aggregator (central party) requests all participants to report a number for each of the listed cyber threats. The participants respond by sending each other participant a Shamir secret-shared list of sightings. In a joint computation the parties check both the validity of the inputs and that the number of zero-sightings per threat does not exceed the threshold. If so, the responses are jointly reconstructed and published on MISP via the aggregator. The software was written in Python and developed in TNO's MPC Lab.
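The following is an added illustration of the data flow just described, not SACTI's own code: each participant Shamir-shares its per-threat sighting counts together with a 0/1 "saw nothing" flag, the shares are summed without being opened, and a total is only reconstructed when the number of zero-sightings for that threat stays within the threshold. The prime field, the flag encoding and the collapsing of all parties into one process are assumptions made for brevity; the input-validity check the real protocol performs in MPC is omitted.

```python
import secrets
from typing import Dict, List, Optional

P = 2**61 - 1  # prime field for Shamir sharing (assumption for this example)


def share(value: int, n: int, t: int) -> List[int]:
    """Shamir-share `value` among n parties; any t shares reconstruct it."""
    coeffs = [value % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
            for x in range(1, n + 1)]


def reconstruct(shares: Dict[int, int]) -> int:
    """Lagrange interpolation at x = 0 over the field (keys are share indices)."""
    total = 0
    for i, yi in shares.items():
        num, den = 1, 1
        for j in shares:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def aggregate_sightings(reports: List[List[int]], threshold: int,
                        t: int) -> List[Optional[int]]:
    """reports[k][m] = sightings of threat m observed by participant k.
    Returns the per-threat total, or None when more than `threshold`
    participants reported zero sightings (too few observers to hide among)."""
    n, m = len(reports), len(reports[0])
    # Each participant shares its counts and a 0/1 'saw nothing' flag per threat
    count_shares = [[share(r[j], n, t) for j in range(m)] for r in reports]
    zero_shares = [[share(int(r[j] == 0), n, t) for j in range(m)] for r in reports]
    result: List[Optional[int]] = []
    for j in range(m):
        # Sharing is linear: each party adds the shares it holds; no input is opened
        zero_sum = {x + 1: sum(zero_shares[k][j][x] for k in range(n)) % P
                    for x in range(n)}
        # Only the aggregate zero-count is reconstructed (from any t shares)
        if reconstruct(dict(list(zero_sum.items())[:t])) > threshold:
            result.append(None)  # suppress: the total could expose a lone observer
            continue
        count_sum = {x + 1: sum(count_shares[k][j][x] for k in range(n)) % P
                     for x in range(n)}
        result.append(reconstruct(dict(list(count_sum.items())[:t])))
    return result
```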