Demonstrator 1: Threat intelligence generation and sharing between local authorities
Partners: In this demonstrator, two local authorities participate, one from the Aragon region of Spain and one from the Veneto region of Italy. The technical development is supported by S2 Grupo, a Spanish technology company specialising in cybersecurity.
Problem Description: A threat intelligence sharing scenario between two collaborating European regions (Aragon and Veneto) will be implemented. Governments are one of the main targets for cybercrime attackers and are exposed to great risks, as they provide important services such as health, education and social services. To fight such risks, both regions have significantly large relevant datasets that can be collaboratively exploited using Privacy Preserving Machine Learning (PPML) techniques.
One of the key factors in fighting cybercrime has always been sharing information among different organisations, whether public or private. Traditionally, sharing information on cybercriminals' new techniques, trends and objectives, or even on ongoing campaigns, has been common practice in order to prevent attacks or, at least, to detect them at an early stage or mitigate their effects. More recently, the application of Machine Learning, including Deep Learning algorithms, to cybersecurity has gained significant popularity due to its flexibility and its capability to cope not only with known threats but also with unknown ones (such as zero-day threats). Since these algorithms require large amounts of data to be trained, their growing popularity has further emphasised the need for data sharing.
However, sharing large amounts of data related to cybersecurity among different entities is often complicated, not only due to the complexity and heterogeneity of the data, but also due to their potential sensitivity. For instance, a neural network could be trained to detect phishing campaigns at a company by inspecting employees’ emails and calculating the degree of similarity to existing phishing campaigns. However, that would require the company (and its employees) to give permission to inspect these emails, which may contain private and sensitive information. Also, companies and individuals are reluctant to share data regarding the ways in which they have been attacked, especially when attacks have been successful, because they do not want their public image to be damaged.
In this demonstrator, both participating organisations (the local governments of Aragon and Veneto) will benefit from the advanced data sharing mechanisms provided by the HARPOCRATES framework, which let them share private and sensitive information without damaging their public image or infringing any privacy law. Such a mechanism will help collect and exchange new indicators of compromise and threat intelligence, raising cybersecurity capability to a point at which it can cope with the above-mentioned increase in the intelligence and sophistication of cybercrime.
Planned demonstrator application: The demonstrator will be implemented as follows:
- Dataset building: including (1) selection of the subset of users/hosts in each organisation which will be part of the dataset; (2) recovering data during each organisation’s normal activity and basic anonymisation to allow for the publication of the datasets to the rest of the consortium; (3) injection of malicious logs for threat detection and sharing experiments.
- Threat intelligence platform design and architecture: including (1) design of the demonstrator platform, utilising HARPOCRATES services, through which threat intelligence will be anonymised and shared; (2) threat modeling design.
- ML training using anonymised data, leveraging the PPML services developed by HARPOCRATES.
- Implementation and evaluation of the demonstrator. The evaluation will include (1) analysing the threat landscape before HARPOCRATES; (2) characterisation of threats and the data required to prevent them; (3) comparison of preventable threats with and without HARPOCRATES services.
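As an added illustration of the "basic anonymisation" step in dataset building (example code written for this page, not part of the HARPOCRATES framework or S2 Grupo's implementation), the following pseudonymises the identifying fields of host activity logs with a keyed HMAC before the dataset leaves the organisation. The log format, field names and key are assumptions; the sample lines are constructed.

```python
import hashlib
import hmac
import re

# Constructed sample log lines; not real data from either region.
SAMPLE_LOGS = [
    "2024-03-01T10:15:02 host=ws-017 user=jdoe src=10.20.30.41 action=login result=ok",
    "2024-03-01T10:16:40 host=ws-017 user=jdoe src=10.20.30.41 action=download result=ok",
    "2024-03-01T10:17:05 host=srv-03 user=mrossi src=192.168.5.9 action=login result=fail",
]

# Fields that identify a person or machine and must not be published raw.
# Assumed field names for this constructed format.
IDENTIFYING_FIELDS = ("host", "user", "src")

# One secret key per organisation, kept locally and never shared with the
# consortium; placeholder value only.
ORG_KEY = b"placeholder-per-organisation-secret"

_FIELD_RE = re.compile(r"\b(" + "|".join(IDENTIFYING_FIELDS) + r")=(\S+)")


def pseudonymise_value(value: str, key: bytes, length: int = 12) -> str:
    """Keyed, deterministic pseudonym: same input and key -> same output,
    so events from one user/host still correlate inside the shared dataset,
    while a different key (another organisation) yields unrelated tokens."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:length]


def pseudonymise_line(line: str, key: bytes) -> str:
    """Replace the value of every identifying field; leave behavioural
    fields (action, result, timestamp) untouched for ML training."""
    return _FIELD_RE.sub(
        lambda m: f"{m.group(1)}={pseudonymise_value(m.group(2), key)}", line
    )


def pseudonymise_dataset(lines, key: bytes):
    """Apply pseudonymisation to a whole log set prior to publication."""
    return [pseudonymise_line(line, key) for line in lines]


if __name__ == "__main__":
    for out in pseudonymise_dataset(SAMPLE_LOGS, ORG_KEY):
        print(out)
```

Keyed pseudonymisation is reversible by whoever holds the key and does not remove inference risks from the remaining fields, so it is only the basic first step before the PPML services are applied.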