Sogei’s CERT and Service Ledger integration

8th June, 2023

Authors: Giampaolo Darelli and Gilberto Zanfino

In the previous blog post, we provided a high-level overview of what CTI data are and how Sogei’s CERT collects them from reliable CTI feeds via OpenCTI. In this article, we detail how Sogei’s CERT sends this information to Service Ledger (SL), according to STIX/TAXII standards, to share it securely with other CERTs and/or SMEs.

At Sogei’s CERT, this collect-and-share process takes place in three phases:

  1. Retrieving CTI data from OpenCTI;
  2. Registering with SL;
  3. Uploading CTI data to SL.

Practically, these phases are carried out by an in-house software component, called CTI Integrator, which connects and interfaces with both OpenCTI and SL.

CTI data retrieval

As a first step, the CTI Integrator fetches CTI data from OpenCTI in STIX format. OpenCTI lets you configure which feed to extract data from, which STIX parameters are of interest, and the time range to cover. Because STIX is so flexible, the CTI Integrator can easily be adapted as needs change.

The figure below shows how the CTI Integrator connects to the “AlienVault” feed and obtains compromised IP addresses or file hashes with a timestamp of 28 March 2023.

Retrieving CTI data from OpenCTI

Sign up and authentication with SL

As described in a previous blog post, SL exposes APIs to interact directly with its servers. The CTI Integrator uses these APIs first to register Sogei’s CERT as an organization in SL and then to log in with user-defined credentials. When the login API is called, SL returns a Bearer authentication token in the response. This is a session token that determines the authorizations a user has, both within its own organization and with other organizations in SL. The token must be attached to every subsequent API request to SL, whether writing data to it or reading data from it.

The figure below shows the output of the CTI Integrator after calling SL’s login API with a preset username and password. Note that the domain name in the URL and the authentication token are blacked out.

Authentication with SL via API

Secure storage of CTI data into SL

Once authenticated with SL, the CTI Integrator creates a STIX bundle containing the STIX objects selected in phase one (i.e., from the OpenCTI feeds). The bundle is then sent to SL via API, following the TAXII protocol, to be stored securely. The figure below shows a POST request to SL carrying a STIX bundle as its payload. The bundle contains an identity, a marking definition and an indicator. Note that the domain name and the TAXII path in the URL are blacked out.

Storing a bundle of STIX objects in SL via API
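The bundle shape described above, assembled with the Python standard library as an added example (this is not the CTI Integrator’s own code): an identity, the TLP:GREEN marking definition and one indicator per compromised IP address or file hash, a check that every reference the indicators carry resolves inside the bundle, and the TAXII 2.1 “Add Objects” request with the Bearer token attached. The SL base URL, API root and collection id are placeholders, since the article blacks them out.

```python
import json
import uuid
from datetime import datetime, timezone

# STIX 2.1 fixes the id of the TLP:GREEN marking definition; reusing it lets any
# receiver recognise the marking without a local definition.
TLP_GREEN = "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"

def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def build_bundle(org_name, observables):
    """Build a STIX 2.1 bundle: one identity, the TLP marking, one indicator per observable.
    observables: list of (kind, value) with kind in {"ipv4", "sha256"} (constructed input)."""
    ts = _now()
    identity = {"type": "identity", "spec_version": "2.1",
                "id": f"identity--{uuid.uuid4()}", "created": ts, "modified": ts,
                "name": org_name, "identity_class": "organization"}
    marking = {"type": "marking-definition", "spec_version": "2.1", "id": TLP_GREEN,
               "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp",
               "name": "TLP:GREEN", "definition": {"tlp": "green"}}
    patterns = {"ipv4": "[ipv4-addr:value = '{}']",
                "sha256": "[file:hashes.'SHA-256' = '{}']"}
    indicators = [{"type": "indicator", "spec_version": "2.1",
                   "id": f"indicator--{uuid.uuid4()}", "created": ts, "modified": ts,
                   "name": f"Compromised {kind}: {value}", "pattern_type": "stix",
                   "pattern": patterns[kind].format(value), "valid_from": ts,
                   "created_by_ref": identity["id"], "object_marking_refs": [TLP_GREEN]}
                  for kind, value in observables]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [identity, marking, *indicators]}

def dangling_refs(bundle):
    """Return referenced ids that the bundle does not carry itself. A receiver cannot
    resolve these, so the set should be empty before the bundle is uploaded."""
    ids = {o["id"] for o in bundle["objects"]}
    refs = set()
    for o in bundle["objects"]:
        refs.update(o.get("object_marking_refs", []))
        if "created_by_ref" in o:
            refs.add(o["created_by_ref"])
    return refs - ids

def taxii_post(base_url, api_root, collection_id, token, bundle):
    """Assemble the TAXII 2.1 Add Objects request (url, headers, body) without sending it.
    token is the Bearer session token returned by the login API."""
    url = f"{base_url}/{api_root}/collections/{collection_id}/objects/"
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/taxii+json;version=2.1",
               "Accept": "application/taxii+json;version=2.1"}
    return url, headers, json.dumps(bundle)
```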

Upon delivery of the STIX bundle, SL first checks whether the user has write permissions. If authorised, for each STIX object in the bundle SL encrypts its content, distributes the ciphertext over an IPFS network, and finally mints a corresponding Non-Fungible Token (NFT) on the Algorand blockchain. For a more detailed explanation of how this process takes place in SL, check out our previous article. The figure below shows the SL response to the above API request. It lists the blockchain transaction IDs of the NFTs representing the STIX objects in the bundle. Note that each STIX object has its own unique NFT.

SL’s response to the API request for storing STIX objects

Authors

Giampaolo Darelli (Sogei), gdarelli@sogei.it

Gilberto Zanfino (University of Southampton – Cyber Security), g.zanfino@soton.ac.uk