Abstract
Threat intelligence platforms offer cyber emergency teams and security stakeholders access to sightings of cyberthreats and indicators of compromise. Given the sensitivity of the information, access may be restricted to certain members within an organization, offered to the general public, or anything in between. Service providers that host such platforms typically expose APIs for threat event producers and consumers, and to enable interoperability with other threat intelligence platforms. Not only is API security a growing concern, the implied trust by threat event producers and consumers in the platform provider remains a non-trivial challenge. This paper addresses these challenges by offering protection against honest but curious platform providers, and putting the access control back into the hands of the owner or producer of the threat events. We present TATIS, a solution for fine-grained access control to protect threat intelligence APIs using User Managed Access (UMA) and Ciphertext-Policy Attribute-Based Encryption (CP-ABE). We test the feasibility of our solution using the Malware Information Sharing Platform (MISP). We validate our contribution from a security and privacy point of view. Experimental evaluation on a real-world OSINT threat intelligence dataset illustrates our solution imposes an acceptable performance overhead on the latency of API requests.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
References
Bellare, M., Ristenpart, T., Rogaway, P., Stegers, T.: Format-preserving encryption. In: Jacobson, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 295–312. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-05445-7_19
Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: 2007 IEEE Symposium on Security and Privacy (SP 2007), pp. 321–334, May 2007
ENISA: Exploring the opportunities and limitations of current threat intelligence platforms. Technical report, December 2017. https://www.enisa.europa.eu/publications/exploring-the-opportunities-and-limitations-of-current-threat-intelligence-platforms
Iklody, A., Wagener, G., Dulaunoy, A., Mokaddem, S., Wagner, C.: Decaying indicators of compromise. CoRR abs/1803.11052 (2018)
van de Kamp, T., Peter, A., Everts, M.H., Jonker, W.: Private sharing of IOCs and sightings. In: Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security, WISCS 2016, pp. 35–38. ACM, New York (2016)
Kellaris, G., Kollios, G., Nissim, K., O’Neill, A.: Generic attacks on secure outsourced databases. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 1329–1340. ACM, New York (2016)
Mokaddem, S., Wagener, G., Dulaunoy, A., Iklody, A.: Taxonomy driven indicator scoring in MISP threat intelligence platforms. CoRR abs/1902.03914 (2019)
Qamar, S., Anwar, Z., Rahman, M.A., Al-Shaer, E., Chu, B.T.: Data-driven analytics for cyber-threat intelligence and information sharing. Comput. Secur. 67(C), 35–58 (2017)
Rissanen, E.: eXtensible Access Control Markup Language (XACML) Version 3.0. OASIS Standard, January 2013. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html
Sandall, T.: Open policy agent (2019). https://www.openpolicyagent.org/
Sauerwein, C., Sillaber, C., Mussmann, A., Breu, R.: Threat intelligence sharing platforms: an exploratory study of software vendors and research perspectives. In: Leimeister, J.M., Brenner, W. (eds.) Towards Thought Leadership in Digital Transformation: 13. Internationale Tagung Wirtschaftsinformatik, WI 2017, St. Gallen, Switzerland, 12–15 February 2017 (2017)
Tounsi, W., Rais, H.: A survey on technical threat intelligence in the age of sophisticated cyber attacks. Comput. Secur. 72, 212–233 (2018)
Wagner, C., Dulaunoy, A., Wagener, G., Iklody, A.: MISP: the design and implementation of a collaborative threat intelligence sharing platform. In: Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security, WISCS 2016, pp. 49–56. ACM, New York (2016)
Wang, J.: Java realization for ciphertext-policy attribute-based encryption (2012). https://github.com/junwei-wang/cpabe/
Acknowledgments
This research is partially funded by the Research Fund KU Leuven. Work for this paper was supported by the European Commission through the H2020 project CyberSec4Europe (https://www.cybersec4europe.eu/) under grant No. 830929.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Preuveneers, D., Joosen, W. (2020). TATIS: Trustworthy APIs for Threat Intelligence Sharing with UMA and CP-ABE. In: Benzekri, A., Barbeau, M., Gong, G., Laborde, R., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2019. Lecture Notes in Computer Science(), vol 12056. Springer, Cham. https://doi.org/10.1007/978-3-030-45371-8_11
Download citation
DOI: https://doi.org/10.1007/978-3-030-45371-8_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-45370-1
Online ISBN: 978-3-030-45371-8
eBook Packages: Computer ScienceComputer Science (R0)