Security Intelligence (Task 4) 

The demonstrator is based on a conceptual platform, meant for gathering and managing threat information from different data sources with the twofold objectives of

  1. improving the accuracy of threat intelligence services such as TDSs (threat detection systems) in detecting and characterising incoming attacks; and
  2. enabling the sharing of trusted, reliable and relevant threat information (e.g., discovered by TDSs or gathered by means of honeypots) among organisations and threat detection algorithms.


In a proposed general framework of interaction and cooperation with threat intelligence services, three specific use cases are provided where these services can cooperate. Tangible software assets have been integrated into joint proof-of-concepts, illustrating the practical feasibility of a modular cybersecurity platform able to provide key information about the status of a system to monitor. Three possible integration scenarios culminate in a variety of videos, online demonstrators and scientific publications. These scenarios illustrate how such cooperation can

  1. improve the performances of the threat prevention and detection systems and minimise the attack surface by strengthening the robustness of machine learning and deep learning models, making them more robust to new threats, false positives and lowering the time to threat detection; and
  2. enable more robust threat intelligence by allowing to better contextualise threat data and devise flexible strategies, methodologies and data formats for collaborative threat intelligence.
Scenario 1:
Sharing cyberthreat intelligence in a confidential and privacy-preserving manner

The focus of the first scenario is on the sharing of cyber threat intelligence (CTI) within and across communities, as this is a key enabler for cooperation between threat intelligence services and to trigger the deployment of adaptive honeypots. By sharing cyber threat information, other stakeholders or systems can leverage the shared information and collaborate to further analyse the data, increase the confidence in the shared intelligence, or to augment it with additional information such as the reputation and trustworthiness of the reporting entities. Additionally, the information can be leveraged in an adaptive honeypot that aims to deploy software vulnerable against reported threats as a way to lure adversaries and gather more intelligence while they attack the reported vulnerabilities. The sharing capability within and across communities is already present within state-of-practice CTI platforms, though due to the sensitive nature targets of cyberthreats are not always willing to share this information unless they are obliged to be compliant with mandatory incident reporting regulations.

This scenario demonstrates how we address this concern. As we are dealing with sensitive information about threat targets and detailed information about vulnerabilities, the information should never end up in the wrong hands, e.g., malicious adversaries that aim to exploit the intelligence. This scenario builds upon state-of-practice and open-source threat intelligence tools for storing and sharing information to further strengthen the security and privacy posture of intelligence sharing. The main objectives of this scenario are to mitigate privacy concerns by

  1. pre-processing threat intelligence with well-known privacy enhancing technologies and data anonymisation techniques before the intelligence is shared; and
  2. cryptographically protecting the shared threat intelligence in a fine-grained manner so that only authorised entities can decrypt and act upon it.

The following scenarios about enriching CTI and adaptive honeypots can leverage the capabilities offered by this scenario to request access to privatised and protected information, or to protect their own information before sharing within and across the community.

TATIS: Trustworthy APIs for Threat Intelligence Platforms

Scenario 2:
Enriching the information on detected threats via TDS cooperation and gathered by means of honeypot instances

The main idea consists in enriching the information on detected threats with further details provided by different TDSs. In addition, the honeynet allows further attack instances to be gathered which will be used in the learning phase of the machine learning-based TDSs to improve their effectiveness.

A typical flow within the proposed scenario includes the following steps:

  1. An IDS (intrusion detection system) documents an attack and updates its corresponding MISP (malware information system platform) with threat intelligence (events and attributes) describing the attack.
  2. The information concerning the attack is shared between entities, possibly after enhancing its confidentiality and privacy, and an operator, using TIP (threat intelligence platform) information, deploys a honeypot configured to enrich information concerning the new attack.
  3. Further information concerning the uploaded events or external events potentially relevant for the monitored network infrastructure can be collected by exploiting the data enrichment platforms. In addition, when the information on a new intrusion is gathered by the honeynet, this data is once again shared with the MISP via a custom MISP object.

TIE: Threat Intelligence Integrator

Scenario 3:
Adaptive deployment

Gathering relevant information on attack strategies and sharing precious IoCs (indicators of compromise) to improve the security degree of the entities belonging to the MISP network is the main objective of this use case. In more details, this scenario aims at demonstrating how internal information gathered by means of a pool of honeypots can be used in the context of the security of an infrastructure.

Two assets collaborate to achieve this aim:

  1. Briareos, a HIDS (host-based intrusion detection system) capable of launch honeypots in any Linux system; and
  2. Roce, a system devoted to evaluating the fundamental problems of the software contained in a device.

The information extracted by Briareos and data from a public APT (advance packaging tool) database are combined by Roce and exploited to yield the probability of compromise of the monitored systems.

Briareos*: A honeypot approach for HIDS

For further information the corresponding GitHub entry has details of online proof-of-concept demonstrators and repositories, videos and a listing of dissemination in scientific journals and articles.

* One of the three-hundred armed giants (Hecatoncheiries), the sons of Uranus and Gaia; fought with Zeus against the Titans but also summoned by Thetis to save Zeus from being put in chains by the other Titans.