Abstract
In their pursuit to maximize their return on investment, cybercriminals will likely reuse as much as possible between their campaigns. Not only will the same phishing mail be sent to tens of thousands of targets, but reuse of the tools and infrastructure across attempts will lower their costs of doing business. This reuse, however, creates an effective angle for mitigation, as defenders can recognize domain names, attachments, tools, or systems used in a previous compromise attempt, significantly increasing the cost to the adversary as it would become necessary to recreate the attack infrastructure each time. However, generating such cyber threat intelligence (CTI) is resource-intensive, so organizations often turn to CTI providers that commercially sell feeds with such indicators. As providers have different sources and methods to obtain their data, the coverage and relevance of feeds will vary for each of them. To cover the multitude of threats one organization faces, they are best served by obtaining feeds from multiple providers. However, these feeds may overlap, causing an organization to pay for indicators they already obtained through another provider. This paper presents a privacy-preserving protocol that allows an organization to query the databases of multiple data providers to obtain an estimate of their total coverage without revealing the data they store. In this way, a customer can make a more informed decision on their choice of CTI providers. We implement this protocol in Rust to validate its performance experimentally: When performed between three CTI providers who collectively have 20,000 unique indicators, our protocol takes less than 6 seconds to execute. The code for our experiments is freely available.
Original language | English |
---|---|
Title of host publication | 2021 IEEE International Workshop on Information Forensics and Security, WIFS 2021 |
Subtitle of host publication | Proceedings |
Publisher | IEEE |
Pages | 44-49 |
Number of pages | 6 |
ISBN (Electronic) | 978-1-6654-1717-4 |
ISBN (Print) | 978-1-6654-1718-1 |
Publication status | Published - 2021 |
Event | 2021 IEEE International Workshop on Information Forensics and Security (WIFS) - Montpellier, France Duration: 7 Dec 2021 → 10 Dec 2021 |
Publication series
Name | 2021 IEEE International Workshop on Information Forensics and Security, WIFS 2021 |
---|
Workshop
Workshop | 2021 IEEE International Workshop on Information Forensics and Security (WIFS) |
---|---|
Country/Territory | France |
City | Montpellier |
Period | 7/12/21 → 10/12/21 |
Bibliographical note
Green Open Access added to TU Delft Institutional Repository ‘You share, we take care!’ – Taverne project https://www.openaccess.nl/en/you-share-we-take-care
Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.
Keywords
- private set union
- mpsu-ca
- indicator of compromise
- threat intelligence