Cryptology ePrint Archive: Report 2021/1260

Compare Before You Buy: Privacy-Preserving Selection of Threat Intelligence Providers

Jelle Vos and Zekeriya Erkin and Christian Doerr

Abstract: In their pursuit to maximize their return on investment, cybercriminals will likely reuse as much as possible between their campaigns. Not only will the same phishing email be sent to tens of thousands of targets, but reusing tools and infrastructure across attempts lowers their cost of doing business. This reuse, however, creates an effective angle for mitigation: defenders can recognize domain names, attachments, tools, or systems used in a previous compromise attempt, significantly increasing the cost to the adversary, who would then have to recreate the attack infrastructure each time.

However, generating such cyber threat intelligence (CTI) is resource-intensive, so organizations often turn to CTI providers that commercially sell feeds of such indicators. As providers have different sources and methods for obtaining their data, the coverage and relevance of the feeds vary from provider to provider. To cover the multitude of threats it faces, an organization is best served by obtaining feeds from multiple providers. These feeds may overlap, however, causing the organization to pay for indicators it already obtained through another provider.

This paper presents a privacy-preserving protocol that allows an organization to query the databases of multiple data providers and obtain an estimate of their combined coverage (the cardinality of the union of their indicator sets) without any provider revealing the indicators it stores. In this way, a customer can make a more informed decision on their choice of CTI providers. We implement this protocol in Rust to validate its performance experimentally: when run between three CTI providers who collectively hold 20,000 unique indicators, our protocol takes less than 6 seconds to execute. The code for our experiments is freely available.
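The quantity the protocol estimates is the size of the union of the providers' indicator sets, from which a customer can read off how much overlap they would pay for and how much each provider adds that nobody else has. The following is an added example, not the paper's protocol or code: instead of the cryptographic multi-party private set union cardinality (MPSU-CA) construction the paper describes, it uses a HyperLogLog sketch over a keyed hash as a lightweight, non-cryptographic stand-in. Each provider ships only its register array, so raw indicators never leave the provider, but the sketch still leaks information (register values, and anyone holding the hash key can probe membership), which is exactly the gap a cryptographic protocol closes. The feeds, the key, and the `c2-N.example` indicator names are constructed test data.

```python
"""Estimate combined CTI feed coverage from per-provider HyperLogLog sketches.

Added example (not the paper's MPSU-CA protocol): a HyperLogLog sketch over
an HMAC of each indicator is built locally by every provider; the customer
merges the sketches and estimates the union size. Sketches leak more than a
cryptographic protocol would, so treat this as an illustration of *what* is
being estimated, not as a privacy-preserving replacement. All feeds, the
key and the indicator names below are constructed test data.
"""
import hashlib
import hmac
import math
import random

P = 12          # 2^12 = 4096 registers, roughly 1.6% standard error
M = 1 << P
KEY = b"constructed-demo-key-shared-by-providers"  # assumption: providers share a key


def _hash64(key: bytes, item: str) -> int:
    """Keyed 64-bit hash; without the key the sketch cannot be rebuilt from guesses."""
    return int.from_bytes(hmac.new(key, item.encode(), hashlib.sha256).digest()[:8], "big")


def build_sketch(key: bytes, indicators) -> list:
    """Run locally by one provider; only the register array is shared."""
    regs = [0] * M
    for ioc in indicators:
        h = _hash64(key, ioc)
        idx = h >> (64 - P)                      # top P bits select the register
        rest = h & ((1 << (64 - P)) - 1)         # remaining 64-P bits
        rank = (64 - P) - rest.bit_length() + 1  # 1-based position of leftmost 1-bit
        if rank > regs[idx]:
            regs[idx] = rank
    return regs


def merge(*sketches) -> list:
    """Register-wise max of sketches equals the sketch of the union."""
    return [max(vals) for vals in zip(*sketches)]


def estimate(regs) -> float:
    """Standard HyperLogLog estimator with the small-range (linear counting) correction."""
    alpha = 0.7213 / (1 + 1.079 / M)
    raw = alpha * M * M / sum(2.0 ** -r for r in regs)
    zeros = regs.count(0)
    if raw <= 2.5 * M and zeros:
        return M * math.log(M / zeros)
    return raw


def compare_providers(key: bytes, feeds: dict) -> dict:
    """Customer side: union estimate, sum of feed sizes, and each provider's unique share."""
    sketches = {name: build_sketch(key, f) for name, f in feeds.items()}
    total = estimate(merge(*sketches.values()))
    result = {
        "union_estimate": total,
        "sum_of_feeds": sum(len(f) for f in feeds.values()),
    }
    for name in feeds:
        others = [s for n, s in sketches.items() if n != name]
        # Indicators only this provider has: union of all minus union of the rest.
        result[f"unique_to_{name}"] = total - estimate(merge(*others))
    return result


def make_feeds(seed: int = 7) -> dict:
    """Constructed feeds: 20,000 distinct indicators split across three providers with overlap.

    A: 9,000 items, B: 9,000 items, C: 10,000 items; union is exactly 20,000.
    Unique shares: A 4,000, B 3,000, C 5,000.
    """
    rng = random.Random(seed)
    pool = [f"c2-{i}.example" for i in range(20_000)]   # constructed, not real IOCs
    rng.shuffle(pool)
    return {
        "A": pool[0:9000],
        "B": pool[6000:15000],
        "C": pool[12000:20000] + pool[0:2000],
    }


if __name__ == "__main__":
    report = compare_providers(KEY, make_feeds())
    for k, v in report.items():
        print(f"{k:>14}: {v:,.0f}")
```

The customer learns the estimated total (about 20,000), sees that the three feeds together bill for 28,000 indicators, and can rank providers by their unique contribution before buying. Because the sketches are deterministic under a fixed key, anyone who obtains the key can test whether a given indicator is present by checking which register it would raise; the paper's protocol avoids this class of leakage by computing the union cardinality cryptographically.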

Category / Keywords: cryptographic protocols / private set union, mpsu-ca, indicator of compromise, threat intelligence

Original Publication (in the same form): IEEE Workshop on Information Forensics and Security 2021

Date: received 21 Sep 2021

Contact author: J V Vos at tudelft nl

Available format(s): PDF | BibTeX Citation

Note: This is a pre-print of our work that is accepted at the IEEE Workshop on Information Forensics and Security 2021.

Version: 20210921:115522

Short URL: ia.cr/2021/1260
