Sogei’s CERT and Service Ledger integration
8th June, 2023
Authors Giampaolo Darelli and Gilberto Zanfino
In the previous blog post, we provided a high-level overview of what CTI data are and how Sogei’s CERT collects them from reliable CTI feeds via OpenCTI. In this article, we detail how Sogei’s CERT sends this information to Service Ledger (SL), according to STIX/TAXII standards, to share it securely with other CERTs and/or SMEs.
At Sogei’s CERT, this collect-and-share process takes place in three phases:
- Retrieving CTI data from OpenCTI;
- Registering with SL;
- Uploading CTI data to SL.
Practically, these phases are carried out by an in-house software component, called CTI Integrator, which connects and interfaces with both OpenCTI and SL.
CTI data retrieval
The figure below shows how the CTI Integrator connects to the “AlienVault” feed and obtains compromised IP addresses and file hashes timestamped 28 March 2023.
Sign up and authentication with SL
As described in a previous blog post, SL exposes APIs to interact directly with its servers. The CTI Integrator uses these APIs first to register Sogei’s CERT organization in SL and then to log in with user-defined credentials. When the login API is called, SL returns a Bearer authentication token in the response. This token is a session token that determines the authorizations a user has, both within its own organization and towards other organizations in SL. The token must be attached to every subsequent API request to SL for writing data to it or reading data from it.
Secure storage of CTI data into SL
Once authenticated in SL, the CTI Integrator creates a STIX bundle containing the STIX objects selected in phase one (i.e., from the OpenCTI feeds). The STIX bundle is then sent to SL via a TAXII API call to be securely stored. The figure below shows the POST request to SL with a STIX bundle as its payload. The STIX bundle contains an identity, a marking definition and an indicator. Note that the domain name and the TAXII path of the URL are blacked out.
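As an added illustration of the two steps just described (attaching the Bearer token returned by the SL login, then shipping a STIX bundle over TAXII), the following Python is an example written for this article and is not the CTI Integrator's code. It assembles a STIX 2.1 bundle with the same three kinds of objects (identity, marking definition, indicator), checks that every reference inside the bundle resolves before it leaves the client, and prepares the TAXII 2.1 POST. The collection URL, the token value, the IP address, the hash and the organization name are all constructed placeholders; the real SL endpoint path and login response format are not shown on this page and are not assumed here. Only the standard library is used and nothing is sent over the network.

```python
"""Added example (not Sogei's CTI Integrator code): build a STIX 2.1 bundle
(identity + marking definition + indicators) and prepare the TAXII 2.1 POST
that carries it to a collection endpoint with a Bearer token.
Standard library only; nothing is transmitted."""
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

# TAXII 2.1 media type used for both request and response bodies.
TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def stix_now() -> str:
    """RFC 3339 UTC timestamp with millisecond precision, as STIX requires."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def stix_id(stix_type: str) -> str:
    return f"{stix_type}--{uuid.uuid4()}"


def make_identity(name: str) -> dict:
    ts = stix_now()
    return {"type": "identity", "spec_version": "2.1", "id": stix_id("identity"),
            "created": ts, "modified": ts, "name": name,
            "identity_class": "organization"}


def make_statement_marking(statement: str, created_by: dict) -> dict:
    # A statement marking is used here so that no TLP-reserved id is needed.
    return {"type": "marking-definition", "spec_version": "2.1",
            "id": stix_id("marking-definition"), "created": stix_now(),
            "created_by_ref": created_by["id"],
            "definition_type": "statement",
            "definition": {"statement": statement}}


def ipv4_pattern(ip: str) -> str:
    ipaddress.IPv4Address(ip)  # raises ValueError on malformed feed data
    return f"[ipv4-addr:value = '{ip}']"


def sha256_pattern(digest: str) -> str:
    digest = digest.lower()
    if not SHA256_RE.match(digest):
        raise ValueError("not a SHA-256 hex digest")
    return f"[file:hashes.'SHA-256' = '{digest}']"


def make_indicator(pattern: str, name: str, created_by: dict, marking: dict) -> dict:
    ts = stix_now()
    return {"type": "indicator", "spec_version": "2.1", "id": stix_id("indicator"),
            "created": ts, "modified": ts, "name": name,
            "created_by_ref": created_by["id"],
            "object_marking_refs": [marking["id"]],
            "indicator_types": ["malicious-activity"],
            "pattern": pattern, "pattern_type": "stix", "valid_from": ts}


def make_bundle(objects: list) -> dict:
    return {"type": "bundle", "id": stix_id("bundle"), "objects": objects}


def unresolved_refs(bundle: dict) -> list:
    """Every *_ref / *_refs must point at an object shipped in the same bundle;
    otherwise the receiver cannot attach the marking or the producer identity."""
    ids = {o["id"] for o in bundle["objects"]}
    missing = []
    for obj in bundle["objects"]:
        for key, val in obj.items():
            refs = val if key.endswith("_refs") else ([val] if key.endswith("_ref") else [])
            missing += [r for r in refs if r not in ids]
    return missing


def build_taxii_post(collection_url: str, bearer_token: str, bundle: dict) -> dict:
    """Return the request as plain data; hand it to any HTTP client over TLS."""
    if not collection_url.startswith("https://"):
        raise ValueError("the request carries a session token; use TLS")
    return {"method": "POST", "url": collection_url,
            "headers": {"Authorization": f"Bearer {bearer_token}",
                        "Accept": TAXII_MEDIA_TYPE,
                        "Content-Type": TAXII_MEDIA_TYPE},
            "body": json.dumps(bundle)}


def example_bundle() -> dict:
    """Constructed sample data standing in for one OpenCTI feed record."""
    cert = make_identity("Example CERT (placeholder)")
    marking = make_statement_marking("Constructed sample, not real CTI", cert)
    ip_ind = make_indicator(ipv4_pattern("198.51.100.23"), "Compromised host (sample)", cert, marking)
    hash_ind = make_indicator(sha256_pattern("ab" * 32), "Malware file hash (sample)", cert, marking)
    return make_bundle([cert, marking, ip_ind, hash_ind])


if __name__ == "__main__":
    b = example_bundle()
    assert not unresolved_refs(b), unresolved_refs(b)
    # Placeholder URL and token: the real SL path and login token are not shown on this page.
    req = build_taxii_post("https://sl.example.invalid/taxii2/collections/COLLECTION-ID/objects/",
                           "TOKEN-RETURNED-BY-SL-LOGIN", b)
    print(json.dumps(req["headers"], indent=2))
```

The reference check and the TLS check are the two things worth keeping from this example: a bundle whose indicator points at a marking definition that was not included is accepted by some servers and silently stored without its handling restriction, and a Bearer session token sent over plain HTTP grants whoever observes it the same read and write rights as the registered organization.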
Upon delivery of the STIX bundle, SL first checks whether the user has write permissions. If the user is authorised, then for each STIX object in the bundle SL encrypts its content, distributes the ciphertext over an IPFS network, and finally mints a corresponding Non-Fungible Token (NFT) on the Algorand blockchain. For a more detailed explanation of how this process takes place in SL, check out our previous article. The figure below shows the SL response to the above API request. It lists the blockchain transaction IDs of the NFTs representing the STIX objects in the bundle. Note that each STIX object has its own unique NFT.
Authors
Giampaolo Darelli (Sogei), Gilberto Zanfino (University of Southampton – Cyber Security)