Orchestrating Collaborative Cybersecurity: A Secure Framework for Distributed Privacy-Preserving Threat Intelligence Sharing
Juan R. Troncoso-Pastoriza, Alain Mermoud, Romain Bouyé, Francesco Marino, Jean-Philippe Bossuat, Vincent Lenders, Jean-Pierre Hubaux

TL;DR
This paper introduces a secure, privacy-preserving framework for distributed Cyber Threat Intelligence sharing that enhances data control, reduces bias, and improves threat detection without relying on centralized databases.
Contribution
It presents a novel federated framework combining privacy technologies for distributed CTI sharing, addressing data bias and confidentiality issues in threat intelligence exchange.
Findings
Effective CTI extraction from distributed data sources.
Improved threat detection accuracy in practical scenarios.
Enhanced privacy and control for participating organizations.
Abstract
Cyber Threat Intelligence (CTI) sharing is an important activity to reduce information asymmetries between attackers and defenders. However, this activity presents challenges due to the tension between data sharing and confidentiality, which results in information retention, often leading to a free-rider problem. Therefore, the information that is shared represents only the tip of the iceberg. Current literature assumes access to centralized databases containing all the information, but this is not always feasible, due to the aforementioned tension. This results in unbalanced or incomplete datasets, requiring the use of techniques to expand them; we show how these techniques lead to biased results and misleading performance expectations. We propose a novel framework for extracting CTI from distributed data on incidents, vulnerabilities and indicators of compromise, and demonstrate its use…
Taxonomy
Topics: Cybercrime and Law Enforcement Studies · Information and Cyber Security · Advanced Malware Detection Techniques
