The vision of the ThreatChase project is to improve cybersecurity capabilities and raise the level of cyber security across the EU with a platform providing protection against phishing. We consider that uptake of cybersecurity solutions greatly depends on the data about malicious activities, its accurate analysis, and on providing an open platform for cybersecurity solution adopters. The proposed innovative platform will contribute to improved cybersecurity preparedness by offering two services: i) the service of structured data on malicious URLs and domain names used in phishing and ii) the service for phishing mitigation and notification of credentials (email addresses and passwords) stolen for instance as a result of phishing that have appeared in data leaks.
The objective of the project is to identify URLs (and collect comprehensive metadata) used in phishing attacks across all accessible open sources on the Internet through both passive and active scanning methods. The ThreatChase phishing service will be available to all interested parties in the form of a blacklist and made available through the MISP server for storing, distributing, and sharing phishing threat indicators. The proposed service can play a crucial role in contributing to market uptake and dissemination of innovative cybersecurity solutions. In fact, any cybersecurity solution depends on vulnerability and abuse data to provide protection services and their effectiveness relies to a large extent on the freshness and accuracy of this kind of information. The ThreatChase service will provide organizations with valuable information about known and newly identified malicious URLs and domains, allowing them to identify and corelate security threats and take proactive measures to protect their networks and systems by blocking spam emails, phishing websites and resolutions of malicious domain names.
In addition to the proactive measures for fighting phishing, the platform will provide a service for companies and victims of phishing attacks that notifies companies and Internet users about their credentials (email addresses and password) appeared in leaked databases along with enabling a risk assessment of whether a password change is needed. Many organizations already experienced the situation in which, as soon as new leaked datasets with credentials have been published in the Internet, new cyber attacks started on the companies' web portals. One of the reasons of the attacks is that it is not a common practice among Internet users of having different passwords for different web applications they use. Because of that, cyber-criminals try to check leaked credentials, heavily expecting benefits from taking over user accounts for various Internet services (telco, financial, social media, etc).
The ThreatChase project will contribute in several ways to support the adoption of innovative cybersecurity solutions, provide tools and services to organisations, and improve the security of ICT solutions.
The use of an open data platform will significantly contribute to the market uptake and dissemination of innovative cybersecurity solutions along the following lines:
The proposed platform will improve cybersecurity capabilities across the EU, notably for SMEs and public organizations by providing the essential information needed to identify and block malicious traffic before it reaches their networks. It can help organizations to detect and respond to cyberattacks more quickly based on real-time threat intelligence, allowing them to identify when their systems are being targeted by attackers and take appropriate action. This can include shutting down compromised systems, isolating infected machines, and implementing incident response procedures. The service will provide data for various cybersecurity protection services or investigation tools. It may also support incident response tools that fit into general operational and management cybersecurity strategies. Thanks to the MIPS representation format, the ThreatChase platform can be used to support Coordinated Vulnerability Disclosure. As any open-source software may take advantage of the data provided by the service, its capacity of cybersecurity tools and applications to detect and analyse security incidents will be improved.
A part of the project effort will be devoted to raising awareness of the service and its capacity to improve cybersecurity across the EU. Our ultimate goal is to make the ThreatChase platform a pivot place for supporting interaction between suppliers and adopters of cybersecurity solutions.
The ThreatChase Consortium consists of 4 participants from 3 EU member states (France, Poland, and Portugal):
KOR Labs SAS is a university spin-off dedicated to combating cyber threats, helping the Internet community collectively increase barriers to abuse as well as companies to increase the effectiveness of their network protection and countermeasures. The team comprises security researchers with a strong academic track record and world-class expertise in cyber security and Internet technologies. The main focus of KOR Labs activities is on domain name and Domain Name System (DNS) abuse. The founders of KOR Labs are Prof. Maciej Korczyński and Prof. Andrzej Duda.
ORANGE Polska SA is a leader on the Polish market of fixed telephony, Internet, and data transmission. As the only operator, it offers comprehensive telecommunications solutions available throughout the country. Cybersecurity is one of key areas continuously developed in OPL. OPL CERT has already been operating for 25 years and it provides cybersecurity services to a wide range of customers protecting them against identified modern cyberthreats (DDoS, malware, phishing, applications vulnerabilities).
PDMFC LDA is an SME from Portugal, with a strong focus on the area of Information Security, having developed software that help dozens of large customers (including Governments) to detect fraud, money laundering, tax evasion, among many other things. It provides the Identity and Access Management framework (called SPA) that includes Real Time Risk Assessment, Segregation of Duties, Cryptographic fingerprinting of operations. PDMFC has experience in the Information Security-related area, manages several CSIRTs at national level (consultancy work), and develop Identity and Access Management Intelligence tools.
NovaForensic (legal name: Stability Bubble LDA) is a start-up from Portugal, founded by a former Law enforcement Agency crime investigator with a focus on the development of tools for Digital Forensics. Its tools are used by all LEA in Portugal to obtain relevant digital evidence for the crime (cyber-incident) under investigation. The NovaForensic objective is the evolution of digital forensic expertise through the adoption of the Forensic as a Service (FaaS) paradigm, which consists of the provision of forensic software in cloud computing enhanced by an artificial intelligence federated learning system.
The project funded by the European Union under Grant Agreement No. 101128042 is supported by the European Cybersecurity Competence Centre. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the European Cybersecurity Competence Centre can be held responsible for them.