Data Anonymisation with PrivacyNet

“Data sharing is an important part of system protection, as it can help other entities prepare for similar attacks.

Thanks to CyberSANE’s PrivacyNet component, we make sure that all shared data is correctly anonymised, complying with national and international confidentiality and data protection laws for sensitive incident-related information.”

CyberSANE project

Read the article below by PDMFC to gain a better understanding of how this would function.

You have learned a hard-fought lesson after a tough cybersecurity incident. Your team uncovered a new zero-day, a sneaky one that took you, the team, dozens of weeks to correctly identify and detect. Those weeks exhausted your body and soul, and now management has tasked you with sharing whatever was discovered with other CERT teams. Your organization has recently joined the national CERT network, whose policy mandates early sharing. Management is uncomfortable with sharing data as is; they fear for their lives that some customer data might leak unintentionally. You cringe at the prospect of having to scrub hundreds of fields in either the PCAP artefacts or the metadata for attack signatures.

Time to put the thinking cap on: you remember that the project your team is working on has a tool that automates data sharing with MISP through the STIX 2.0 format. You open the documentation, read the PrivacyNet OpenAPI and find the right web method to anonymise the metadata from detected anomalies.

And you come up with the following pipeline:

Let’s break it down bonnie style, the rules come down to:

Which, when applied to the following input (abridged for relevance):

Produces the magical:

Going field by field to explain what happened:

destination IP, source IP, host IP, and observer IP were masked with a 255.0.0.0 value, which in practice means the three least significant octets are replaced with 0. This makes it impossible to identify the source values while still giving some indication of where the traffic is from. It is best explained with an analogy to location generalization: if you live in Brooklyn, NY, your address is now replaced with US. In practice, your address is hidden among all other USA residents, but from the outside it is still possible to infer that you are not from Europe.

source MAC: the most significant values are scrubbed and replaced with an _.
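The masking described above, reproduced in plain Python as an added example; it is not PrivacyNet code and does not use its API. The field names and the sample event are constructed, and scrubbing exactly three MAC octets is an assumption, since the article does not say how many are replaced.

```python
import ipaddress
import re

# Field names are assumptions modelled on the fields the article lists.
IP_FIELDS = ("destination.ip", "source.ip", "host.ip", "observer.ip")
MAC_FIELDS = ("source.mac",)
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")


def mask_ipv4(value: str, netmask: str = "255.0.0.0") -> str:
    """AND an IPv4 address with a netmask, zeroing the masked-out octets."""
    addr = int(ipaddress.IPv4Address(value))  # raises on malformed input
    mask = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(addr & mask))


def scrub_mac(value: str, octets: int = 3) -> str:
    """Replace the first `octets` octets of a MAC address with '_'.

    Three octets (the vendor prefix) is an assumption, not a documented value.
    """
    norm = value.replace("-", ":").lower()
    if not MAC_RE.fullmatch(norm):
        raise ValueError(f"not a MAC address: {value!r}")
    parts = norm.split(":")
    return ":".join(["_"] * octets + parts[octets:])


def anonymise(event: dict) -> dict:
    """Return a copy of a flat event with its IP and MAC fields generalised."""
    out = dict(event)
    for field in IP_FIELDS:
        if field in out:
            out[field] = mask_ipv4(out[field])
    for field in MAC_FIELDS:
        if field in out:
            out[field] = scrub_mac(out[field])
    return out


# Constructed sample event; the values are not taken from the article.
SAMPLE = {
    "source.ip": "10.20.30.40", "destination.ip": "192.0.2.15",
    "host.ip": "10.20.30.40", "observer.ip": "172.16.5.1",
    "source.mac": "00:1A:2B:3C:4D:5E", "event.action": "anomaly-detected",
}

if __name__ == "__main__":
    for key, value in anonymise(SAMPLE).items():
        print(f"{key}: {value}")
```

With a 255.0.0.0 mask, each masked value stands for any of 16,777,216 addresses sharing the same first octet.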

The day is long, the deed is done, and you can march your way home, with the satisfaction of another successful day. Have a good rest, we will see you again tomorrow, on the internet near you.

👉 Learn more about the European Project CyberSANE at www.cybersane-project.eu