Cyber-Threat Intelligence in the Financial Sector Focus Group

Digital transformation and technological development bring with them new cyber-threats and risks in the financial sector.  The scale and complexity of these cyber-threats require organizations to collaborate in order to help build resilience and leads to collective action.  Collaborating, financial entities will be able to identify them and react faster.  That is a fact for several sectors, but financial services sector can benefit from Cyber Threat Intelligence (CTI) in additional aspects.  CTI sharing allows banks and CERTs to react and properly respond to:

  • Potential cybersecurity attacks,
  • Financial fraud & crime information.    

However, there are some challenges to be solved in CTI for the financial sector.  The ones discussed in the session were:

  • Trust: The lack of trust on the platforms and the reluctancy of the institutions to share data, especially when it is not their own data but sensitive data from their customers (for fraud prevention activities).
  • Heterogeneity: The different tools, data formats, and even the application of regulation on different member states makes the interoperability between platforms and the collaboration more difficult. 
  • Data sensitivity: Sharing very sensitive data, from the entities and their customers, makes the financial institutions even more reluctant to share. 
  • Highly regulated sector: Financial services sector is highly regulated sector, not just because of the amount of regulations about data management and business continuity but also in the strict and continuous control that the regulators apply to the entities. 
  • Data volume: To store more sensitive data means, on the one hand, more risk and on the other hand, more work on evaluating this data. Automation in CTI data processing is needed. 

On the other hand, there are a great number of opportunities identified in the exploitation of CTI data in the financial services that will provide a high added-value to the financial institutions.  A summary was presented in the session, and mentioned hereafter:

  • Build more secure financial institutions: Secure the entity infrastructure and the clients by building the security controls, mechanisms and procedures based not only on the individually collected data, but on the data, experience and knowledge of other institutions collaborating within the sector.  More data analysed with a broader perspective allows institutions to identify the attacks earlier and react faster.
  • Entities can also have additional revenues in sharing information, building a CTI information market in which entities can be incentivized to share more information and help others to improve their security. 

CTI interoperability issues:

CTI can be defined as “any information that can help an organization to identify, assess, monitor and respond to cyber threats”. Therefore, the type of formation that is shared includes, among others:

  • Log entries and alerts,
  • Measurable actions,
  • Identified vulnerabilities.

Nowadays, the number of CTI sources is increasingly yearly as do the number of tools that can consume the data.  This includes multiple actors, ranging from public institutions to industry-focused groups. This shows how different sources and types of information can be shared, and therefore the issues it may have according to each set of data. 

In this sense, as the main goal for CTI is to share openly and automatically information, there are several barriers that make it very difficult to achieve, ranging from technical to legal ones.  More specifically, 4 main barriers are identified that need to be covered before a true and really useful CTI platform can be created:

  • Legal
    • Different legal frameworks for the organizations sharing data
    • Issues with sharing data that includes personally identifiable information
    • Sharing in different countries (from where the data is generated) also has legal implications
  • Policies and procedures
    • Each organization that wants to share data must follow a series of procedures and policies (why to share, whom to, what, etc.)
    • Organizations may consider adopting a cybersecurity sharing framework
  • Semantic and syntactic
    • Standards help to harmonize the sharing of information (e.g. MISP or STIX)
    • Each organization adapts, alters or create the one they want to use
    • Some standards can easily be transformed to others (but only some)
  • Technical interoperability
    • Solutions for supporting automated exchange of information
    • Protection of information and anonymisation

CTI sharing:

The realization of the CTI sharing process in the financial context involves security and privacy concerns to be considered, such as the sensitive information disclosure, unauthorized access to shared data and manipulation of exchanged information.  To address such issues, our proposal envisages the application of mechanisms designed to enable proper protection of shared CTI data, while the privacy of involved organizations is still preserved.  Accordingly, the proposed solution is composed of:

  • fully distributed CTI sharing network.  Every financial organisation owns an MISP instance to enable the exchange of CTI.  However, it should be pointed out that the CTI sharing network is agnostic to TIPs, so that other technologies could be further employed.
  • A permissioned blockchain network, which allows to audit all CTI transactions among involved organizations, thus guaranteeing reliability in the CTI sharing process.
  • A distributed federated identity manager (IdM). Every financial organization owns an IdM instance to enable authentication of its users.
  • The TATIS(Trustworthy APIs for Threat Intelligence Sharing)  entity, which represents a fully distributed component presented in every financial entity responsible for: 
    • Granting access to the use of CTI platforms prior authentication in the IdM.
    • Protecting and enabling access control to sensitive data by the application of the Ciphertext-Policy Attribute-Based Encryption (CP-ABE) encryption scheme, in order to establish what shared data can be accessed and by whom. 
    • Auditing shared CTI data on a permissioned blockchain to ensure their integrity and verify their provenance. 
  • The Privacy-Preserving component, which is responsible for supporting Privacy Enhancing Technologies (PETs) mechanisms, such as k-anonymity, to prevent sensitive information leaks that could harm involved organizations.
  • CTI Producer/Consumers components represent the end entities of the scenario. Producers are in charge of creating CTI events by grouping Indicators of Compromise (IoCs), while Consumers retrieve those events. Note that both entities have to be authenticated through the IdM.

Furthermore, the main interactions and processes in the proposed solution are the following:

  • A CTI Producer creates a new event including cyber-threat information related to the attack (eg. a new phishing campaign has been detected).
    • TATIS enables the Producer to protect access to certain shared data by CP-ABE encryption, thus ensuring data confidentiality.
    • After a successful  authentication process through the IdM, TATIS grants the Producer access to share CTI through the TIP.
    • TATIS derives the event to the Privacy-Preserving component to obfuscate sensitive information related to the organization by applying PET mechanisms, so that its privacy is ensured.
    • TATIS audits the CTI transaction through the permissioned blockchain and also publishes such CTI information on the TIP (eg. MISP) for its further dissemination towards the interested organizations.
  • A CTI Consumer contacts TATIS to retrieve the event including CTI data from the TIP. This process requires a prior Consumer authentication in the IdM.
    • The Consumer is able to decrypt protected data if it complies with the CP-ABE access policy employed during the encryption process 


Figure 1: Cross Pilot Conclusions

In summary, the proposed system enables a decentralized trusty environment intended to foster the CTI sharing process in the financial sector, with the aim of helping build resilience and collective actions against further cyber-attacks.  Additionally, the proposal integrates privacy-preserving and encryption approaches that allow to properly protect shared CTI, addressing potential security risks that could damage the reputation of involved organizations. Finally, the objective of this proposal is to identify technical gaps and challenges for potential improvements, as well as to collaborate with other pilots to create a cross-pilot approach.

  • Challenges and Opportunities for CTI Financial Sector
  • CTI interoperability and Data Exchange
  • Privacy-preserving Approach in CTI Exchange Models


Dr Ramón Martín de Pozuelo, CONCORDIA

Ramón Martín de Pozuelo received B.Sc. and M.Sc. degrees in Telecommunications Engineering and a Ph.D. in ICT and its Management (all with honours) at La Salle School of Engineering from Universitat Ramon Llull (URL), Barcelona in 2007, 2010, and 2017 respectively. As a researcher in La Salle he participated in several European research and innovation projects related to different fields, especially in the design of heterogeneous data networks and information systems for smart grids and smart cities, and the definition of network architectures, ICT and security solutions. In 2018 he joined as a Project Manager for Technical Fraud Prevention and Security Innovation and Transformation in which he has been managing the participation of CXB in several H2020 projects. Ramón is a Certified Fraud Examiner (CFE, since 2018).

Jose Francisco Ruiz, CONCORDIA

Jose Francisco Ruiz is a senior cybersecurity consultant and technical project manager at Atos. He obtained his bachelor degree and Master thesis degree in Computer Engineering from the University of Malaga in 2008 and 2012 respectively and is currently finishing his Ph.D. focused on cybersecurity engineering. He has been working in European research projects for more than twelve years in different organisations across Europe. He has led cybersecurity research activities and acted as technical project manager in many different projects, among others in: FP6 Serenity (security and dependability for AmI), FP7 SecFutur (security engineering for systems of systems) and Coco Cloud (security in the cloud). He is involved in several H2020 projects as technical project coordinator of VisiOn (security and privacy for public administrations) and project coordinator of FISHY (cybersecurity for supply chain). Previously he was project coordinator of SMESEC (cybersecurity for SMEs) and led the research and creation of a cybersecurity agenda for collaboration of Europe and Japan in EUNITY. His interests include cybersecurity engineering, cybersecurity in the cloud, data protection, and distributed systems. He also has several publications in national and international conferences, journals and books and has served on organisation committees and as a reviewer at different conferences and workshops. Finally, he is a member of the Atos cybersecurity expert community and ECSO’s  scientific and innovation committee  as well as co-chair of the cybersecurity for verticals sub-working group.

Dr Antonio Skarmeta, CyberSec4Europe

Antonio Skarmeta received a M.S. degree in Computer Science from the University of Granada and B.S. (Hons.) and the Ph.D. degrees in Computer Science from the University of Murcia. Since 2009 he has been Full Professor in the same University.department. Antonio has worked on different national and international research projects in the networking, security and IoT areas, like ENABLE, DAIDALOS, SWIFT, SEMIRAMIS, SMARTIE, SOCIOTAL and IoT6 and is now involved in CyberSec4Europe and BIECO. He coordinates the H2020 project IoTCrawler focusing on IoT advanced discovery on IPv6 networks and OLYMPUS on privacy preserving identity management His main interest is in the integration of IPv6, security services, identity, IoT and smart cities. He has been head of the research group ANTS since its creation on 1995. He is also advisor to the vice-rector of research of the University of Murcia for international projects and head of the International Research Project Office. Since 2014 until 2010 he has been Spanish National Representative for the MSCA within H2020. He has published over 200 international papers and is member of several program committees. He has also participated in several standardisation for the like of IETF, ISO and ETSI and has been nominated as IPv6 Forum Fellow. Dr. Skarmeta it is owner of several patents on telemonitoring-based IoT solutions. He is also CTO of the spin-off company Odin Solution S.L. (OdinS) in the area of IoT and smart infrastructure.