First release of Service Ledger tool for sharing Cyber Threat Intelligence
5th July, 2022
Author Gilberto Zanfino
The Service Ledger (SL) is a blockchain-based platform that provides secure-by-design data storage and sharing functionalities. Unlike traditional repositories based on centralised solutions, SL employs the InterPlanetary File System (IPFS) as a decentralised protocol to store data over a peer-to-peer network. The key characteristic of IPFS is that it assigns each file a unique identifier, called a Content Identifier (CID), and then cryptographically splits the file into smaller chunks distributed across the network nodes. As a privacy-preserving property, SL maintains a list of users’ public keys and encrypts every file before sending it to the IPFS network. Once a file is stored on IPFS, SL relies on the Algorand blockchain to represent its corresponding CID as a Non-Fungible Token (NFT), making it tamper-proof, verifiable and traceable.
Sharing CTI data on SL
SMEs and MEs can use the SL tool of CyberKit4SME to securely share their CTI data. The first release of SL allows users to insert a STIX object through a post-API and to retrieve a STIX object through a get-API. The following screenshot shows how a user can insert a STIX object on SL. In this example, the CTI data represents an indicator of compromise concerning a file hash of a variant of the Poison Ivy malware.
The following screenshot shows the result of the previous post-API request. The response body contains three fields:
- the identifier, which is the STIX object id, i.e. the name of the bundle;
- the version, which is the timestamp of when the STIX object was stored on the IPFS network;
- the message, which is the transaction identifier of the corresponding NFT on the Algorand network.
By using a blockchain explorer, such as Dappflow, it is possible to search for the transaction identifier and explore its details. In our example, we copied and pasted the message field of the post-API response and obtained the details of the associated NFT.
The URL field of the NFT points to the CID stored on the IPFS network. By clicking on it, users are redirected to IPFS and can retrieve the associated STIX object. The following screenshot shows the CID on IPFS. Specifically, the CID comprises two JSON files:
- metadata.json, which records the main details of a STIX object, e.g. its identifier and timestamp;
- object.json, which records the encrypted STIX object.
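The checks a submitter can run after the workflow above, as an added example that is not SL or CyberKit4SME code: it builds a STIX 2.1 file-hash indicator bundle, then confirms that the post-API response, metadata.json and object.json agree with it and that object.json does not expose the indicator in plaintext. It assumes the three response fields are JSON keys named identifier, version and message, that metadata.json has an identifier key, and that object.json is read as text; the helper names and all sample values are constructed.

```python
import base64
import hashlib
import json
import re
import uuid

# Algorand transaction ids are 52 characters of unpadded base32.
ALGORAND_TXID = re.compile(r"^[A-Z2-7]{52}$")

def make_bundle(sha256_hex, now):
    """Build a STIX 2.1 bundle holding one file-hash indicator."""
    indicator = {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now, "modified": now, "valid_from": now,
        "name": "Poison Ivy variant (constructed sample)",
        "pattern_type": "stix",
        "pattern": f"[file:hashes.'SHA-256' = '{sha256_hex}']",
    }
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [indicator]}

def check_receipt(bundle, response, metadata, object_text):
    """Return a list of problems; an empty list means the records line up."""
    problems = []
    # Key names below are assumptions based on the field names in the text.
    if response.get("identifier") != bundle["id"]:
        problems.append("response identifier differs from the bundle id")
    if not response.get("version"):
        problems.append("response carries no version timestamp")
    if not ALGORAND_TXID.match(str(response.get("message", ""))):
        problems.append("message is not a well-formed Algorand transaction id")
    if metadata.get("identifier") != bundle["id"]:
        problems.append("metadata.json identifier differs from the bundle id")
    # object.json is publicly retrievable, so no plaintext pattern may appear in it.
    for obj in bundle["objects"]:
        if obj.get("pattern") and obj["pattern"] in object_text:
            problems.append(f"{obj['id']} is stored unencrypted")
    return problems

# Constructed sample values; none of them come from a real SL deployment.
SAMPLE_HASH = hashlib.sha256(b"constructed sample file").hexdigest()
SAMPLE_TXID = base64.b32encode(hashlib.sha256(b"constructed txn").digest()).decode().rstrip("=")
bundle = make_bundle(SAMPLE_HASH, "2022-07-05T10:00:00.000Z")
response = {"identifier": bundle["id"], "version": "2022-07-05T10:00:05Z", "message": SAMPLE_TXID}
metadata = {"identifier": bundle["id"], "timestamp": "2022-07-05T10:00:05Z"}
ciphertext = base64.b64encode(hashlib.sha512(b"stand-in ciphertext").digest()).decode()

if __name__ == "__main__":
    print(check_receipt(bundle, response, metadata, ciphertext))          # matching records
    print(check_receipt(bundle, response, metadata, json.dumps(bundle)))  # plaintext object.json
```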