Objectives

The project will support the market uptake and dissemination of innovative cybersecurity solutions by fulfilling the objectives below.

  1. Objective 1: analyse the state of the art in the uptake of protection solutions against phishing and the trends and obstacles in their wide-scale adoption; identify the requirements, detail the use cases and define the user trials; design the overall architecture of the proposed platform; and define the required functionalities of the main components and their user interfaces (WP2).
  2. Objective 2: develop the Data Collector component for gathering and integrating various forms of data on phishing, implement the MISP format, provide a unified set of tools that work on properly structured, aggregated and searchable datasets, and offer a graphical interface and a RESTful API (WP3).
  3. Objective 3: develop the Detection and Analysis component for the analysis, detection and tracing of phishing (WP4).
  4. Objective 4: develop the Mitigation and Notification Service for countering the effects of phishing (WP5).
  5. Objective 5: integrate all components into an operational platform, deploy the resulting cybersecurity solution at the testing companies, conduct user trials of the platform, and provide support for awareness raising and training (WP6).

The ThreatChase platform will include three main components: i) the Data Collector, ii) the Analysis and Detection Module, and iii) the Mitigation and Notification Service. The services will be accessed through a user interface and a programming interface.

Data Collector

The objective of the Data Collector is to gather suspicious URLs and domain names of any kind from as many sources as possible, including open feeds. Investigating malicious activity requires collecting a huge amount of data in a traceable and scalable way. The relevant data concern the URLs and domain names used for phishing, but also those used for spam or malware distribution.

The gathered data will feed a properly formatted, structured, aggregated and searchable dataset in the MISP representation format. MISP, the format chosen for structuring the service data, is one of the main formats for open-source threat intelligence and one of the main ways in which such data is shared. A MISP document is a JSON structure that exchanges events and their attributes describing abusive behaviour (e.g., phishing incidents). Since we expect to collect a large number of attributes that are useful for analysing and attributing abusive events but are not defined in the original format, we will define new metadata attributes that can be used both by platform users and by notified users and intermediaries (e.g., administrators of compromised or abused resources). Moreover, because the data we collect often goes well beyond the standard format, we will propose advanced MISP objects that can express and link together the collected threat intelligence.
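To make the format concrete, here is an added example (not the ThreatChase collector's code) that aggregates constructed feed lines per URL and emits them as a MISP event. The `Event`, `Attribute`, `Object`, `Tag`, `type`, `category`, `value`, `to_ids` and `object_relation` fields are the standard MISP JSON fields; the `threatchase-phish` object name, its relation names (`first-seen`, `sources`) and the `threatchase:` tag are hypothetical stand-ins for the custom objects and attributes described above, and the feed contents are invented.

```python
"""Turn collected phishing feed lines into a MISP-format event.

Added illustration built with plain JSON; not the ThreatChase collector.
The 'threatchase-phish' object, its object_relation names and the
'threatchase:' tag are hypothetical stand-ins for the project's custom objects.
"""
import json
import uuid
from datetime import date
from typing import Dict, Set
from urllib.parse import urlsplit

# Constructed feed: "source,url,first_seen" lines; the URLs are not real indicators.
FEED = """\
openphish,http://login-0range.example/verify,2024-03-01
urlhaus,http://cdn.example.net/update.exe,2024-03-01
openphish,http://login-0range.example/verify,2024-03-02
phishtank,http://login-0range.example/verify,2024-02-28
"""


def collect(feed_text: str) -> Dict[str, dict]:
    """Aggregate feed lines per URL: earliest first_seen and the set of reporting sources."""
    seen: Dict[str, dict] = {}
    for line in feed_text.splitlines():
        if not line.strip():
            continue
        source, url, first_seen = line.split(",")
        entry = seen.setdefault(url, {"sources": set(), "first_seen": first_seen})
        entry["sources"].add(source)
        entry["first_seen"] = min(entry["first_seen"], first_seen)  # ISO dates sort lexically
    return seen


def attribute(type_: str, value: str, category: str, relation: str, to_ids: bool = True) -> dict:
    """One MISP attribute. type/category/value/to_ids are standard MISP fields;
    object_relation ties the attribute to its parent object."""
    return {"uuid": str(uuid.uuid4()), "type": type_, "category": category,
            "value": value, "to_ids": to_ids, "object_relation": relation}


def build_event(indicators: Dict[str, dict], info: str = "Phishing URLs from open feeds") -> dict:
    """Wrap each URL, its domain and its sighting metadata in one MISP object inside one event."""
    event = {
        "uuid": str(uuid.uuid4()), "info": info, "date": date.today().isoformat(),
        "threat_level_id": "2", "analysis": "1", "distribution": "0", "published": False,
        # tlp:amber is a standard taxonomy tag; the threatchase: tag is hypothetical
        "Tag": [{"name": "tlp:amber"}, {"name": 'threatchase:phase="collected"'}],
        "Attribute": [], "Object": [],
    }
    for url, meta in indicators.items():
        event["Object"].append({
            # A real MISP instance needs a registered object template for this name.
            "uuid": str(uuid.uuid4()), "name": "threatchase-phish", "meta-category": "network",
            "Attribute": [
                attribute("url", url, "Network activity", "url"),
                attribute("domain", urlsplit(url).hostname, "Network activity", "domain"),
                attribute("datetime", meta["first_seen"], "Other", "first-seen", to_ids=False),
                attribute("text", ",".join(sorted(meta["sources"])), "Other", "sources", to_ids=False),
            ],
        })
    return {"Event": event}


def domains(event: dict) -> Set[str]:
    """Searchable view: every 'domain' attribute in the event, top-level or inside objects."""
    attrs = list(event["Event"]["Attribute"])
    for obj in event["Event"]["Object"]:
        attrs.extend(obj["Attribute"])
    return {a["value"] for a in attrs if a["type"] == "domain"}


if __name__ == "__main__":
    print(json.dumps(build_event(collect(FEED)), indent=2))
```

Keeping the URL and its domain as separate attributes inside one object is what makes the dataset searchable by either key while preserving the link between them; the `to_ids` flag marks which attributes are safe to push into blocklists and which (dates, source names) are context only.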

Analysis and Detection Module

The Analysis and Detection Module will use machine learning, deep learning or other types of algorithms to categorise URLs and domain names related to phishing, but also to malware distribution. The classification problem is challenging; it will be addressed by developing learning algorithms that automate the classification and by evaluating them on ground-truth data. Attackers are known to use counterfeit URLs and look-alike domain names to disguise fraudulent activity, e.g., by imitating a brand's domain name (G0ogle in place of Google). We will construct our domain dataset by collecting samples based on criteria such as the most frequently queried URLs and domains in each network and the domains and URLs of essential infrastructures and services. We will then actively monitor DNS for records that are variations of the names in the dataset; when the conditions defined for an action are met, a second-level analysis (to reduce false positives) will perform passive and active measurements of the URLs and domains and validate them against the dataset. The validation will cover several elements, such as the whole website or parts of it, the URLs in hyperlinks, digital signatures, IP addresses, AS numbers and other metadata that may prove relevant for detecting malicious activity. Finally, for each observed domain name of a malicious URL, the platform will return one of the following labels: i) maliciously registered domain, ii) compromised legitimate domain, or iii) legitimate domain. Each case calls for different mitigation actions, such as suspending the registration or asking the hosting organisation to remove the malicious content.
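The first-level step above, generating the look-alike spellings of watched names and checking newly observed DNS names against them, can be shown in code. The following is an added example, not the module's own implementation: the homoglyph table, the variant techniques (homoglyph, omission, transposition, repetition), the watchlist and the observed names are all constructed for the illustration, and the single-label public-suffix assumption is a simplification that a real deployment would replace with the Public Suffix List.

```python
"""Look-alike (typosquat) domain matcher for a brand watchlist.

Added illustration, not ThreatChase code. The watchlist, the homoglyph
table and the observed names below are constructed for the example.
"""
from typing import Dict, Iterable, Iterator, Optional, Tuple

# Look-alike substitutions attackers use in ASCII labels (the G0ogle/Google case).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}


def split_name(fqdn: str) -> Tuple[str, str]:
    """Return (label, suffix): 'Login.G0ogle.com' -> ('login.g0ogle', 'com').
    Assumption: single-label public suffix; production code should use the
    Public Suffix List so that names under co.uk and similar split correctly."""
    label, _, suffix = fqdn.strip().lower().rstrip(".").rpartition(".")
    return label, suffix


def label_variants(label: str) -> Iterator[Tuple[str, str]]:
    """Yield (variant, technique) spellings an attacker might register for one label."""
    n = len(label)
    for i, ch in enumerate(label):                        # homoglyph: google -> g0ogle
        if ch in HOMOGLYPHS:
            yield label[:i] + HOMOGLYPHS[ch] + label[i + 1:], "homoglyph"
    for i in range(n):                                    # omission: google -> gogle
        yield label[:i] + label[i + 1:], "omission"
    for i in range(n - 1):                                # transposition: google -> googel
        yield label[:i] + label[i + 1] + label[i] + label[i + 2:], "transposition"
    for i in range(n):                                    # repetition: google -> gooogle
        yield label[:i] + label[i] + label[i:], "repetition"


def build_index(watchlist: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Map each watched domain and every variant of it to (watched domain, technique).
    The watched name itself is inserted first as 'exact' and setdefault never
    overwrites, so a variant colliding with a real watched name stays 'exact'."""
    index: Dict[str, Tuple[str, str]] = {}
    for fqdn in watchlist:
        label, suffix = split_name(fqdn)
        index.setdefault(f"{label}.{suffix}", (fqdn, "exact"))
        for variant, technique in label_variants(label):
            if variant != label:                          # e.g. swapping the two o's in google
                index.setdefault(f"{variant}.{suffix}", (fqdn, technique))
    return index


def imitated_brand(observed: str, index: Dict[str, Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """Return (watched domain, technique) when the registrable part of an observed
    name is a watched domain or one of its variants, else None."""
    label, suffix = split_name(observed)
    registrable = label.rsplit(".", 1)[-1]                # drop subdomains such as 'login.'
    return index.get(f"{registrable}.{suffix}")


if __name__ == "__main__":
    # Constructed observations standing in for newly seen DNS names.
    idx = build_index(["google.com", "paypal.com"])
    for name in ["G0ogle.com", "login.paypa1.com", "googel.com", "google.com", "example.com"]:
        print(name, "->", imitated_brand(name, idx))
```

An `exact` result is the protected domain itself and is not a squat; any other technique marks a candidate for the second-level analysis, which still has to decide between the three labels (maliciously registered, compromised legitimate, legitimate) from the measurements the text lists. Precomputing the variant index makes each lookup a dictionary hit, which is what allows a continuous DNS feed to be checked at volume.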

Mitigation and Notification Service

The main goal of the Orange Plumber application was to protect information in systems and service platforms against cyber-attacks that use credentials leaked from web platforms all over the world and published on the Internet. Currently, administrators of company systems reachable from the Internet learn about attacks on user accounts only once they are already under way, e.g., from the number of failed login attempts per IP address, so they can only react. The main goal of Plumber was to make it possible to predict and prevent attacks on user accounts in company systems.

The development of Plumber was motivated by attacks on Orange Polska (OPL) customer portals. Recently, tens of thousands of attack attempts were made against OPL customers' accounts using credentials published on the Internet. The attacks came from thousands of IP addresses, which made them hard to detect with the usual rules alone. As soon as attackers published new files of credentials, they were picked up by many other criminals around the world, who used them to try to access telco and financial customer portals, social-media accounts and so on. It became clear that users must be able to learn as quickly as possible that their credentials have appeared on the Internet.

Within the ThreatChase project, the Plumber application will be extended into the Mitigation and Notification Service, which will allow users to check whether an email address has appeared in data leaks from websites around the world and to assess whether their passwords need changing. The service will also offer subscriptions to alerts and notifications: companies (SMEs and other B2B customers) will be able to subscribe to an alert service that notifies them when their corporate email addresses appear in leaked databases. Acting on such an alert quickly prevents criminals from using the leaked credentials to take over company accounts. The ThreatChase platform will also let any Internet user subscribe to notifications about his or her own leaked credentials.

The Mitigation and Notification Service will work on collected, publicly available databases and files of credentials leaked through phishing or other attacks, and identify which email addresses and passwords have been compromised. The information is then analysed, and if any recognised domain or address is found (e.g., orange.com, orange.pl, the domains of subscribed B2B/B2C customers, or the email addresses of other subscribed end users), alerts are sent to the responsible system administrators, who act according to their internal procedures (e.g., urgently notifying the end user, or blocking logins on the affected accounts until their users change the passwords). Since an email address is protected as personal data, the system will be designed so that all addresses are anonymised, ensuring compliance with the GDPR.
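One way to build such a matcher without keeping addresses or passwords in clear is shown below. This is an added example, not Plumber's or ThreatChase's code: the leak dump, the pepper value and the subscriber domains are constructed for the illustration. Two caveats a practitioner would want: an unkeyed hash of an email address is reversible by simply enumerating addresses, so the example uses an HMAC with a secret key that must live outside the index (assumed here to be fetched from a secret store); and under the GDPR such keyed hashes count as pseudonymisation rather than full anonymisation, which still leaves the data in scope of the regulation even though the risk from an index leak is much reduced.

```python
"""Leaked-credential matching over pseudonymised addresses.

Added illustration, not the Plumber/ThreatChase code. The dump, the pepper
and the subscriber domains are constructed for the example.
"""
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, Iterator, Set, Tuple

# Constructed sample of a leaked "email:password" dump; not real data.
SAMPLE_DUMP = """\
Alice.Smith@Orange.pl:Summer2023!
bob@example.com:hunter2
carol@orange.com:P@ssw0rd
this line is not a credential
dave@ExAmple.com:qwerty
bob@example.com:hunter2
"""

# Assumption: the key is loaded from a secret store or HSM and is never written
# next to the index. Without a key, SHA-256 of an address is reversible by
# enumerating candidate addresses.
PEPPER = b"example-pepper-do-not-use"


def normalise(email: str) -> str:
    return email.strip().lower()


def pseudonym(email: str) -> str:
    """Keyed hash of the normalised address; the only form the index stores."""
    return hmac.new(PEPPER, normalise(email).encode(), hashlib.sha256).hexdigest()


def credential_fingerprint(email: str, password: str) -> str:
    """Keyed hash over address + password, so a user can ask 'was this exact
    password leaked?' without the service retaining the password."""
    msg = normalise(email).encode() + b"\0" + password.encode()
    return hmac.new(PEPPER, msg, hashlib.sha256).hexdigest()


def parse_dump(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (email, password) from 'email:password' lines; skip anything else."""
    for line in text.splitlines():
        email, sep, password = line.partition(":")
        if sep and "@" in email:
            yield normalise(email), password


class LeakIndex:
    def __init__(self) -> None:
        self.addresses: Set[str] = set()                       # pseudonyms of leaked addresses
        self.credentials: Set[str] = set()                     # fingerprints of leaked pairs
        self.by_domain: Dict[str, Set[str]] = defaultdict(set)  # domain -> pseudonyms

    def ingest(self, dump_text: str) -> None:
        """Index a dump; plaintext addresses and passwords are discarded after hashing."""
        for email, password in parse_dump(dump_text):
            p = pseudonym(email)
            self.addresses.add(p)
            self.credentials.add(credential_fingerprint(email, password))
            self.by_domain[email.rpartition("@")[2]].add(p)

    def is_leaked(self, email: str) -> bool:
        return pseudonym(email) in self.addresses

    def password_compromised(self, email: str, password: str) -> bool:
        return credential_fingerprint(email, password) in self.credentials

    def domain_alert(self, domain: str) -> int:
        """Number of distinct leaked addresses under a subscribed corporate domain."""
        return len(self.by_domain.get(domain.lower(), set()))


if __name__ == "__main__":
    index = LeakIndex()
    index.ingest(SAMPLE_DUMP)
    print("alice leaked:", index.is_leaked("alice.smith@orange.pl"))
    print("example.com addresses to alert on:", index.domain_alert("example.com"))
```

The per-domain set is what drives the B2B subscription described above: a subscribed company receives the count (and, through its own administrators, the pseudonyms it can recompute for its staff), while the platform never holds the addresses in clear. Rotating the pepper invalidates the whole index, so key rotation has to be planned together with re-ingestion of the source dumps.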

User and Programming Interface

The platform will provide two forms of interface. First, any user will be able to check in real time whether a URL or domain name is malicious, review the evidence of abuse collected by the system (e.g., domain creation date, screenshots) and obtain the contact details of the Internet intermediaries best placed to mitigate the abuse (registrar or hosting provider, where available). Users will also be able to submit algorithmically generated domain names in order to observe compromised machines connecting to a pre-registered sinkhole domain; the platform will then inform the ISPs concerned and prompt them to clean up the end-user machines. Users will also be able to check for possible leaks of their personal information or credentials. Second, the service will provide a RESTful API for any other security application or tool wishing to consume the dataset in the MISP format.

The platform will also provide an interface for checking whether a given email address has appeared in leaked databases, and a separate interface through which companies can subscribe to the alert service that notifies them when their corporate email addresses appear in leaked databases.

Project Details

Contact

The project funded by the European Union under Grant Agreement No. 101128042 is supported by the European Cybersecurity Competence Centre. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the European Cybersecurity Competence Centre can be held responsible for them.

  • Project number: 101128042
  • Call: DIGITAL-ECCC-2022-CYBER-03
  • Topic: DIGITAL-ECCC-2022-CYBER-03-UPTAKE-CYBERSOLUTIONS
  • Type of action: DIGITAL JU SME Support Actions
  • Project starting date: 1 October 2023
  • Project end date: 30 September 2026

Coordinating partner: KOR Labs

Email: threatchase@korlabs.io