Trusted and Anonymized Threat Sharing Using Blockchain Technology

Feb 19, 2019

Dr. Yair Allouche

IBM Cyber Security Center of Excellence, Beer Sheva


Agenda

• Vision: Next generation threat sharing network

• Current Barriers for Threat Sharing

• Blockchain-based threat sharing platform

• Summary and Q&A

[Figure: Blockchain hype cycle; axis: Visibility. Source: Gartner]


Vision: Next Generation Threat Sharing Network

• Global and flexible

• Trusted and reliable

• Automated and well integrated within existing workflow

• Built-in anonymity

[Diagram: a network of nodes labelled MI, CERT and ISAC]


Next Generation Threat Sharing Network, Example 1

SIEM network

[Diagram: a network of SIEM nodes. Labels shown across the successive slides: configuration, rules, regex for PII, IoC, mitigation strategies]


Next Generation Threat Sharing Network, Example 2

• Leveraging collective knowledge, experience, and capabilities

[Diagram: "Collective STIX report" with the labels IMDDOS THLD Traffic, IMDDOS Threat Actor, IMDDOS Botnet report, IMDDOS Infected Host, IMDDOS C2 Traffic]

Different views according to trust level

[Diagram: the collective STIX report shown in three views: with all five labels; without IMDDOS THLD Traffic; without IMDDOS C2 Traffic]


Current Barriers for Threat Sharing (Source: NIST SP 800-150)

• Establishing trust

• Achieving interoperability and automation

• Safeguarding sensitive info

• Protecting classified info

• Enabling information consumption and publication

Threat Sharing Today: What are the Trust Models?

Model 1: Trusted Third Party

Model 2: Rely on personal relationships


Why Blockchain

Provides anonymity with trust

Enables dynamic and flexible data exchange between any two organizations in the network

Uses smart contracts to enforce data exchange agreement

Automatic, objective and immutable audit of exchanged information

Transparency


Our Approach

• Blockchain is used to supervise access management

• Cyber Threat Intelligence is exchanged off chain

[Diagram: Blockchain Network connecting Org A, Org B, Org C, Org D, Org E and Org F; Access Permission Token; CTI Server(s)]


Our Approach

Org profile

• Issuer: I-Cert

• Role: CISO

• Sector: Finance

• Headquarters: New York

• FS-ISAC Member

• Splunk customer

• Reputation score …

Blockchain Network


Our Approach

Consumption/Sharing policy

• Issuer white/black list

• Reputation higher than …

Blockchain Network


Our Approach

Consumption/Sharing policy

• ISAC members

• Geo white/blacklist

Blockchain Network


Our Approach

Consumption/Sharing policy

• Splunk customers

• white/black list of user rule

Blockchain Network


Our Approach

[Diagram: Blockchain Network between a CTI producer and a CTI consumer. Labels: Producer Profile, Producer Sharing Policy, Consumer Profile, Consumer Consumption Policy, Access Permission Token]
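The matching step in this diagram (producer sharing policy checked against the consumer profile, consumer consumption policy checked against the producer profile, then an access permission token for the off-chain CTI server), as an added example that is not from the presentation or from IBM's implementation. The field names, the policy semantics and the HMAC-signed token are assumptions; the slides list only the profile attributes and the kinds of policy rule.

```python
import hashlib, hmac, json
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:            # attributes from the "Org profile" slide; field names assumed
    org_id: str           # pseudonymous identifier, not the organisation's real name
    issuer: str
    country: str
    isac_member: bool
    reputation: float

@dataclass(frozen=True)
class Policy:             # rule kinds from the policy slides; semantics assumed
    issuer_allow: frozenset = frozenset()   # empty set means any issuer
    issuer_deny: frozenset = frozenset()
    geo_deny: frozenset = frozenset()
    min_reputation: float = 0.0
    isac_only: bool = False

def permits(policy: Policy, peer: Profile) -> bool:
    """Evaluate one side's policy against the other side's profile."""
    if peer.issuer in policy.issuer_deny or peer.country in policy.geo_deny:
        return False
    if policy.issuer_allow and peer.issuer not in policy.issuer_allow:
        return False
    if policy.isac_only and not peer.isac_member:
        return False
    return peer.reputation >= policy.min_reputation

def issue_token(key, producer, sharing, consumer, consumption, feed):
    """Return a signed token only if BOTH policies accept the other party."""
    if not (permits(sharing, consumer) and permits(consumption, producer)):
        return None
    claims = json.dumps({"feed": feed, "producer": producer.org_id,
                         "consumer": consumer.org_id}, sort_keys=True)
    tag = hmac.new(key, claims.encode(), hashlib.sha256).hexdigest()
    return claims + "." + tag

def verify_token(key, token):
    """Check the off-chain CTI server would run before serving the feed."""
    claims, _, tag = token.rpartition(".")
    expected = hmac.new(key, claims.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag.encode(), expected.encode())

# Constructed sample data: key, organisations and one sharing policy
KEY = b"demo-key-known-to-the-cti-server"
PRODUCER = Profile("org-a1", "I-Cert", "IL", True, 0.8)
BANK = Profile("org-7f3a", "I-Cert", "US", True, 0.9)
UNKNOWN = Profile("org-c21d", "OtherCA", "US", False, 0.4)
SHARING = Policy(issuer_allow=frozenset({"I-Cert"}), min_reputation=0.7, isac_only=True)
```

In the design on the slides the decision is enforced by a smart contract; the HMAC key here only stands in for whatever signing mechanism the ledger provides.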


Our Approach

Sharing policy

• Issuer white/black list

• Reputation higher than …

Blockchain Network


Our Approach

Sharing policy

• ISAC members

• Geo white/blacklist

Blockchain Network


Our Approach

Sharing policy

• Splunk customers

• white/black list of user rule

Blockchain Network


Summary: The Next Generation Threat Sharing Platform

• Blockchain can provide real benefits for threat sharing

• Reaching a critical mass is the key challenge

• IBM is running pilots with several stakeholders

• Working with partners to promote the solution globally

Contact information: [email protected]
