The project aims to facilitate the widespread adoption of innovative and effective cybersecurity solutions, specifically targeting key challenges in the prevention of phishing attacks, by addressing the following objectives.
The ThreatChase platform will consist of three core components: 1) Data Collector, 2) Analysis and Detection Module, and 3) Mitigation and Notification Service. All three will be accessible through both a user interface and a programming interface (API).
The Data Collector aims to systematically gather suspicious URLs and domain names from diverse sources, including open feeds, to support the investigation of phishing, spam, and malware distribution activities. Given the volume of data involved, it is essential that the collection process is both traceable (each indicator can be tied back to the feed and time at which it was collected) and scalable.
To achieve this, the collected data will be organized into structured, aggregated, and searchable datasets using the Malware Information Sharing Platform (MISP) format. Recognizing that standard MISP attributes may not encompass all necessary data points, we will extend the format by introducing new metadata attributes. These enhancements will facilitate comprehensive analysis and attribution of malicious events, providing valuable insights for users and administrators of compromised or abused resources.
Furthermore, to address complex threat scenarios, we will develop advanced MISP objects. These objects will enable the expression of intricate relationships within threat intelligence, enhancing the platform's capability to model and share detailed security information effectively.
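As an added illustration of how the extended MISP format described above could be expressed, the following Python builds a MISP event from a custom object template. It is example code written for this page, not ThreatChase project code: the "threatchase-phishing-domain" template, its UUID and its object relations are assumptions, as are the sample domain, IP address (from the TEST-NET-3 documentation range) and ASN (from the documentation range). The envelope fields (Event, Object, Attribute, ObjectReference, template_uuid, object_relation, to_ids) follow the MISP JSON format, and the function rejects an object that omits a required relation or uses one the template does not define.

```python
import json
import uuid
from datetime import datetime, timezone

# Hypothetical ThreatChase object template (an assumption for this example, not
# a published MISP template). MISP object templates are JSON documents with a
# name, uuid, meta-category, version, an "attributes" map keyed by
# object_relation, and a "required" list of relations every instance must carry.
PHISHING_DOMAIN_TEMPLATE = {
    "name": "threatchase-phishing-domain",
    "uuid": "b6c1f2d4-3e7a-4c0a-9d21-5f0e8a7b1c33",
    "meta-category": "network",
    "description": "Look-alike domain seen in a phishing campaign, with enrichment.",
    "version": 1,
    "attributes": {
        "domain": {"misp-attribute": "domain", "ui-priority": 1},
        "url": {"misp-attribute": "url", "ui-priority": 1},
        "ip": {"misp-attribute": "ip-dst", "ui-priority": 1},
        "asn": {"misp-attribute": "AS", "ui-priority": 0},
        "impersonated-brand": {"misp-attribute": "text", "ui-priority": 0},
        "first-seen": {"misp-attribute": "datetime", "ui-priority": 0},
        "source-feed": {"misp-attribute": "text", "ui-priority": 0},
    },
    "required": ["domain"],
}

# Relations that are actionable indicators get to_ids=True so blocklist and IDS
# exports pick them up; enrichment such as the ASN or brand name does not.
IDS_RELATIONS = {"domain", "url"}


def build_object(template, values):
    """Validate `values` against the template and return a MISP Object dict."""
    unknown = set(values) - set(template["attributes"])
    if unknown:
        raise ValueError(f"relations not in template: {sorted(unknown)}")
    missing = [r for r in template["required"] if r not in values]
    if missing:
        raise ValueError(f"missing required relations: {missing}")
    attributes = []
    for relation, value in values.items():
        spec = template["attributes"][relation]
        attributes.append({
            "uuid": str(uuid.uuid4()),
            "object_relation": relation,
            "type": spec["misp-attribute"],
            "value": str(value),
            "to_ids": relation in IDS_RELATIONS,
        })
    return {
        "uuid": str(uuid.uuid4()),
        "name": template["name"],
        "meta-category": template["meta-category"],
        "description": template["description"],
        "template_uuid": template["uuid"],
        "template_version": template["version"],
        "Attribute": attributes,
        "ObjectReference": [],
    }


def add_reference(source, target, relationship_type):
    """Link two objects; MISP stores the reference on the source object."""
    source["ObjectReference"].append({
        "uuid": str(uuid.uuid4()),
        "object_uuid": source["uuid"],
        "referenced_uuid": target["uuid"],
        "relationship_type": relationship_type,
    })


def build_event(info, objects, distribution=1, threat_level_id=2, analysis=1):
    """Wrap objects in a MISP Event (distribution 1 = this community only)."""
    return {"Event": {
        "uuid": str(uuid.uuid4()),
        "info": info,
        "date": datetime.now(timezone.utc).strftime("%Y-%m-%d"),
        "distribution": distribution,
        "threat_level_id": threat_level_id,
        "analysis": analysis,
        "Attribute": [],
        "Object": objects,
    }}


def example_event():
    """Two constructed look-alike domains from one campaign, linked together."""
    lookalike = build_object(PHISHING_DOMAIN_TEMPLATE, {
        "domain": "g0ogle-login.example",
        "url": "http://g0ogle-login.example/verify",
        "ip": "203.0.113.10",          # constructed, TEST-NET-3
        "asn": "64496",                # constructed, documentation ASN
        "impersonated-brand": "Google",
        "first-seen": "2024-05-01T08:15:00+00:00",
        "source-feed": "demo-feed",
    })
    sibling = build_object(PHISHING_DOMAIN_TEMPLATE, {
        "domain": "g0ogle-account.example",
        "ip": "203.0.113.10",
        "impersonated-brand": "Google",
    })
    add_reference(lookalike, sibling, "related-to")
    return build_event("ThreatChase demo: Google look-alike campaign", [lookalike, sibling])


if __name__ == "__main__":
    print(json.dumps(example_event(), indent=2))
```

Keeping enrichment (ASN, brand, feed) as non-IDS attributes inside the same object is what lets the relationship be shared without polluting a consumer's blocklist; the ObjectReference is what carries the "intricate relationship" between the two sightings.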
The Analysis and Detection Module of the ThreatChase platform will use machine learning (ML) and deep learning (DL) techniques to identify and categorize phishing URLs and domains, as well as those used for malware distribution. The core task is distinguishing fraudulent from legitimate websites; the resulting classifiers will be evaluated against labelled ground-truth data.
A key focus will be on identifying disguised malicious URLs, such as slight variations in domain names that resemble legitimate ones (e.g., "G0ogle" instead of "Google"). The system will create a comprehensive domain dataset based on frequently searched URLs, essential services, and critical infrastructures. This dataset will be continuously updated with active DNS monitoring to detect variations and anomalies.
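As an added example (written for this page, not code from the ThreatChase project), the Python below shows the kind of look-alike detection this paragraph describes, and goes a little beyond the single "G0ogle" case: it generates single-edit typosquat variants of each watchlisted brand (omission, repetition, adjacent transposition, hyphenation, ASCII homoglyphs), collapses confusable spellings into a "skeleton" so that "g0ogle" and "google" compare equal, and flags brands embedded in a longer label ("paypa1-secure") or hidden in a subdomain ("paypal.com.account-verify.example"). The watchlist, homoglyph table and candidate feed are constructed for the example; registrable-label extraction is deliberately simplified (a production system would use the Public Suffix List and the Unicode confusables table).

```python
# Constructed watchlist of brand domains to protect. The page's "comprehensive
# domain dataset" would be far larger and refreshed by DNS monitoring.
WATCHLIST = ["google.com", "paypal.com", "orange.com"]

# Visually confusable ASCII substitutions (legitimate char -> what attackers use).
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"], "a": ["4"],
    "s": ["5"], "g": ["q", "9"], "m": ["rn"], "w": ["vv"], "b": ["d"], "d": ["b"],
}
# Reverse mapping used to normalise a candidate back to its canonical spelling.
SKELETON = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "9": "g", "q": "g"})
MULTI_SKELETON = [("rn", "m"), ("vv", "w")]

# Constructed candidate feed, as the Data Collector might hand it over.
FEED = [
    "google.com",                          # the brand itself
    "mail.google.com",                     # legitimate subdomain
    "G0ogle.com",                          # homoglyph (0 for o)
    "gooogle.net",                         # repeated character
    "oragne.com",                          # transposed characters
    "paypa1-secure.example",               # homoglyph plus appended token
    "paypal.com.account-verify.example",   # brand placed in a subdomain
    "weather.example",                     # unrelated
]


def registrable_label(domain):
    """Second-level label, e.g. 'g0ogle' for 'login.g0ogle.com' (no Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def skeleton(label):
    """Collapse confusable spellings and hyphens so look-alikes compare equal."""
    for multi, single in MULTI_SKELETON:
        label = label.replace(multi, single)
    return label.translate(SKELETON).replace("-", "")


def generate_variants(label):
    """All single-edit typosquats of a label (the label itself is excluded)."""
    variants = set()
    n = len(label)
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])                  # omission
        variants.add(label[:i] + ch + label[i:])                 # repetition
        for sub in HOMOGLYPHS.get(ch, []):
            variants.add(label[:i] + sub + label[i + 1:])        # homoglyph
        if i < n - 1:
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition
            variants.add(label[:i + 1] + "-" + label[i + 1:])            # hyphenation
    variants.discard(label)
    return variants


def classify(domain, watchlist=WATCHLIST):
    """Return (brand, reason) for the first watchlisted brand the domain resembles, else None."""
    domain = domain.lower().rstrip(".")
    label = registrable_label(domain)
    skel = skeleton(label)
    for brand in watchlist:
        brand_label = registrable_label(brand)
        if domain == brand or domain.endswith("." + brand):
            return (brand, "legitimate")          # the brand or its own subdomain
        if brand in domain:
            return (brand, "brand-in-subdomain")  # e.g. paypal.com.<attacker>.example
        if skel == skeleton(brand_label):
            return (brand, "homoglyph")
        if label in generate_variants(brand_label):
            return (brand, "typosquat")
        if brand_label in skel:
            return (brand, "brand-embedded")      # e.g. paypa1-secure
    return None


def scan_feed(feed, watchlist=WATCHLIST):
    """Classify every candidate in a feed; None means no watchlisted brand matched."""
    return {d: classify(d, watchlist) for d in feed}


if __name__ == "__main__":
    for domain, verdict in scan_feed(FEED).items():
        print(f"{domain:40} {verdict}")
```

The legitimate-suffix check comes first so that the brand's own subdomains are never flagged; the skeleton comparison comes before the variant lookup so that a pure homoglyph is reported as such rather than as a generic typosquat. Anything reported here is only a candidate for the second-level analysis that follows, not a verdict.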
Once suspicious domains are identified, a second-level analysis will be performed to reduce false positives. This analysis will involve both passive and active measurements, such as validating the integrity of URLs, inspecting digital signatures, IP addresses, AS numbers, and other relevant metadata. Depending on the results of this analysis, domains will be categorized as:
Each category will trigger specific mitigation actions, such as blocking registration for malicious domains or requesting hosting organizations to remove harmful content. This multi-layered approach ensures comprehensive and adaptive detection and analysis of phishing and other cyber threats.
The primary goal of the Mitigation and Notification Service is to proactively combat phishing attacks and prevent the exploitation of compromised credentials. This service builds on the lessons learned from the Orange Plumber application, which previously focused on protecting systems against cyberattacks using leaked credentials.
Traditionally, administrators only receive alerts about cyberattacks after they occur, typically through notifications of failed login attempts. This reactive approach leaves systems vulnerable to attack. In contrast, the Mitigation and Notification Service allows administrators to predict and prevent cyberattacks by identifying compromised credentials before they are exploited.
The service monitors global data leaks and identifies whether corporate or personal email addresses have appeared in these leaks, providing users with early warnings. By subscribing to this service, companies, particularly SMEs and other B2B customers, can receive alerts if their corporate email addresses are detected in leaked databases. This enables rapid action to mitigate the risk of unauthorized access and secure accounts before they are compromised.
Additionally, individuals can subscribe to notifications to monitor their personal email addresses for signs of credential leaks. When compromised corporate addresses are identified, the system immediately notifies the responsible system administrators, enabling them to take swift, predefined actions such as blocking access until passwords are changed or notifying the affected end-users directly.
The service works by continuously scanning publicly available databases of leaked credentials from phishing and other cyberattacks. It analyzes the data, checking for any compromised email addresses and matching them against known domains (e.g., company domains like "orange.com"). Alerts are then sent to administrators to prompt immediate actions in line with internal company procedures, such as password resets or user notifications.
To ensure compliance with GDPR, all email addresses are anonymized within the system, protecting users' personal data while still delivering crucial security alerts.
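As an added example for the matching and privacy points above (example code written for this page, not the Orange Plumber or ThreatChase implementation), the Python below parses a constructed leak dump in mixed "email:password" and "email;hash" formats, normalises the addresses, and matches them against corporate subscriptions (by domain) and individual subscriptions (by a keyed hash of the address). The service retains and emits only the keyed hash, never the plaintext address or password. The secret key, subscribed domains, sample addresses and notification tokens are all constructed assumptions; note that a keyed hash is, strictly, pseudonymisation rather than anonymisation under GDPR, which is why the key must be kept in a secret store and out of the hash table.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Assumption: a per-deployment secret from a secret store; a constructed value
# is used here so the example runs offline. Keying the hash stops anyone who
# obtains the table from recovering addresses by hashing guesses.
PEPPER = b"threatchase-demo-pepper-not-for-production"

# Corporate subscribers, keyed by the domains they own (constructed).
CORPORATE_SUBSCRIPTIONS = {"orange.com": "orange-soc", "example.org": "example-it"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def normalise(email):
    """Canonical form used for hashing and matching (case-insensitive, trimmed)."""
    return email.strip().strip("<>").lower()


def pseudonym(email):
    """Keyed SHA-256 of the normalised address: the only form the service keeps."""
    return hmac.new(PEPPER, normalise(email).encode(), hashlib.sha256).hexdigest()


# Individuals submit their address once at sign-up; only the pseudonym and an
# opaque notification token (constructed) are stored.
INDIVIDUAL_SUBSCRIPTIONS = {
    pseudonym("jane.doe@mail.example"): "token-jane",
    pseudonym("bob@isp.example"): "token-bob",
}

# Constructed combolist-style dump; no real credentials.
SAMPLE_DUMP = """\
# constructed sample leak
Alice.Smith@Orange.COM:Winter2024!
bob@isp.example;5f4dcc3b5aa765d61d8327deb882cf99
jane.doe@mail.example:hunter2
"Carol <carol@orange.com>",Summer24
dave@unrelated.example:qwerty
not an email line
erin@example.org:Passw0rd
"""


def extract_emails(dump_text):
    """Pull distinct normalised addresses out of a dump regardless of line format."""
    found = set()
    for line in dump_text.splitlines():
        m = EMAIL_RE.search(line)
        if m:
            found.add(normalise(m.group(0)))
    return found


def match_leak(dump_text, leak_name):
    """Produce alerts for subscribers hit by a leak; alerts carry pseudonyms only."""
    alerts = []
    corporate_hits = defaultdict(list)
    for email in extract_emails(dump_text):
        domain = email.rsplit("@", 1)[1]
        pid = pseudonym(email)
        if domain in CORPORATE_SUBSCRIPTIONS:
            corporate_hits[domain].append(pid)
        token = INDIVIDUAL_SUBSCRIPTIONS.get(pid)
        if token:
            alerts.append({"kind": "individual", "recipient": token, "leak": leak_name})
    for domain, pids in sorted(corporate_hits.items()):
        alerts.append({
            "kind": "corporate", "recipient": CORPORATE_SUBSCRIPTIONS[domain],
            "domain": domain, "leak": leak_name,
            "affected": sorted(pids), "count": len(pids),
        })
    return alerts


if __name__ == "__main__":
    for alert in match_leak(SAMPLE_DUMP, "demo-leak-2024-05"):
        print(alert)
```

The corporate alert tells the administrator how many accounts under their domain appeared and gives a stable pseudonym per account, so the company can match it against its own directory (by computing the same keyed hash on its side) without the service ever handing back a plaintext address. Passwords in the dump are discarded at parse time rather than stored.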
The ThreatChase platform offers two key interfaces for users:
Additionally, the platform includes a dedicated interface for checking if an email address has appeared in leaked databases. Companies can also subscribe to an alert service to be notified if their corporate email addresses are found in such leaks.