Please describe your proposed solution.

Growth in Illicit Activity in Crypto Ecosystems

According to the 2022 Chainalysis Crypto Crime Report illicit transaction activity reached an all-time high in value in 2021. Illicit addresses received $14B over the course of the year, up from $7.8B in 2020. Even more startling is the rapid increase in attacks on DeFi protocols, a 516% increase over 2020, as shown in the figure below from that report.

Developers in this community are increasingly up against highly skilled advanced persistent threat (APT) actors like the Lazarus Group (a.k.a., APT38, BlueNoroff, Stardust Chollima) and many others. The Lazarus Group, Hidden Cobra, and TraderTraitor are all threat actor groups that have heavily targeted the crypto communities over the past few years.

For example, TraderTraitor has been observed targeting a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs).

The Cross-Chain Collaboration (C3) Challenge offers the Cardano community an opportunity to get out ahead of the threat landscape that spooks investors, repels potential collaborators and has triggered a massive cryptocurrency sell-off.

Although the protocols of the Cardano ecosystem have been built with security in mind (e.g., Ouroboros, Plutus, Marlowe), users accessing their wallets and/or platforms are still using Web2 network technologies. These networks and systems have been shown to have various technical weaknesses that reveal potential attack surfaces. Examples of threats to users include:

• Domain Name System (DNS) abuse
• Man-in-the-Middle (MiiM) attacks
• Autonomous System Network (ASN) hijacks
• Distributed Denial of Service (DDoS) attacks
• Two-factor Authentication (2FA) bypass
• Disinformation campaign weaknesses through social media platforms.

All of the blockchains and all of the users on the Internet are vulnerable to these types of attack vectors which are, for the most part, external to the specific blockchain ecosystem. One of the most effective means of countering these threats is through the use of information sharing and analysis organizations (ISAOs). One of the key tools for an ISAO is a threat intelligence platform (TIP).

.

Phase 1: Stand-up a Threat Intelligence Platform (TIP)

OpenCTI is an open source TIP allowing organizations to manage their cyber threat intelligence knowledge and observables. It has been created in order to structure, store, organize and visualize technical and non-technical information about cyber threats.

The structure of the data is performed using a knowledge schema based on the STIX2.1 standards. It has been designed as a modern web application including a GraphQL API and an UX oriented frontend.

Structured Threat Information Expression, Version 2.1 (STIX2.1™) is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX enables organizations to share CTI with one another in a consistent and machine-readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see. With this knowledge they can anticipate and/or respond to attacks faster and more effectively. STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more. The objects and features provided in STIX 2.1 formats represent an iterative approach to fulfilling basic consumer and producer requirements for CTI sharing.

Phase 2: Build a Web-Based Portal for Easy Access to the TIP

Another key element for successful sharing of cyber threat observables is the build-out of an Information Sharing and Analysis Organization (ISAO). During this phase we will seek to implement the best practices for standing up an ISAO including establishing a web portal for registration and onboarding to the TIP.

Once the TIP is up and accessible our team will configure easy connectivity through this web-based portal. A preliminary website has been built at ISAO-Intel.com for the web access. This portal will manage the registration and on-boarding to the TIP and will also provide links to the CTIN Training Center for learning about cyber threat intelligence tradecraft.

Phase 3: Build a Training Module on Using the TIP

A self-directed online training module delivered through the CTIN Training Center website would be developed for sharing with the Cardano Catalyst community and any of the other communities that seek to develop and use cross-chain applications. An example of the look-and-feel of such a training module can be viewed by pressing the 'Launch' button at the CTIN Training Center site. This example will also give the viewer an overview of the underlying data model (i.e., STIX2.1) used for cyber threat hunting using the OpenCTI TIP.

Phase 4: Build an Awareness Video on Cyber Threats to Crypto Communities for YouTube

A 10-minute awareness video will be developed and produced by Royally Good Digital, LLC as an overview on cyber threat hunting using the Catalyst OpenCTI Platform. This task will involved storyboarding the video theme, developing the motion graphics, acquiring primary and secondary audio/video sources, ensuring copyrights and licenses are in order for clips used, producing the video and displaying the video on YouTube.

Please describe how your proposed solution will address the Challenge that you have submitted it in.

The Cross-Chain Collaboration (C3) Challenge seeks to fund projects that align with the following three strategic goals for Fund9:

• Prepare a group of people willing and able to make contributions to the ecosystem
• Turn Cardano into an open source project
• Accelerate the growth and evolution of the developer and app ecosystem.

The following describes how this project will assist in achieving those strategic goals.

1. Through CTIN's network of analysts, architects and developers we will expose the broader cyber threat intelligence community to the Cardano ecosystem and the array of solutions under development here.
2. The STIX2.1 standard that provides the underlying data model for this project has been published by one of the most important open source international technical standards bodies since its founding in 1993. This is OASIS-Open. Furthermore, STIX2.1 was developed over the course of 8+ years by a community of stakeholders from industry, banking, government agencies, academic institutions, think tanks, and NGOs. Well over 250 individuals and over 70 organizations from throughout Europe, the US and Canada, Japan, Australia and New Zealand have participated in helping to design the data model.
3. Developers and users in the 21 chains and protocols listed in the C3 challenge will benefit from the TIP developed for the Cardano ecosystem.

A large and vibrant cybersecurity community has developed multiple tools for addressing these threats. A TIP is one of the most important tools used for threat characterization, modeling, reporting and sharing. A TIP for C3 would greatly improve communications and the potential for remedial action when threats arise during protocol, platform, DApp, or DEX roll-out.

What are the main risks that could prevent you from delivering the project successfully and please explain how you will mitigate each risk?

The main risks that could prevent us from successful completion include:

1. Loss of a key project team member
2. Loss of a key infrastructure element
3. Inability to recruit cyber threat hunters with technical skills

Each of these risks will be addressed systematically, below.

<u>Loss of project team member</u>

CTIN has developed an extensive network of cyber threat hunters, software developers, data architects and others to address a range of cybersecurity use cases. We seek to staff our projects with the right capability at the right time. We do, however, have redundancy and depth in our bench. We also have a collegial work environment that supports work/life balance. Therefore, we feel we will not likely see a team member leave for an alternative work venture.

<u>Loss of key infrastructure element</u>

We maintain a VPS on a top-line hosting service that will serve as the user interface for the website/portal for the tool. We have a regular cadence of full VPS snapshots to allow for a roll-back if needed. We will build out the OpenCTI platform on a cloud infrastructure with regular back-ups. Our cloud provider incorporates best practices for fail-over and redundancy. Therefore we do not anticipate loss of the infrastructure we are building out.

<u>Inability to recruit cyber threat hunters with technical skills</u>

Since 2016 CTIN has supported the Cyber Resilience Institute, a US non-profit that has developed the c-Watch training program for cyber threat hunters. We have trained over 100 individuals since that time, many of whom are now working in government agencies and private companies, including critical infrastructure owner/operators. CTIN can draw upon this network of professionals to identify and recruit individuals for cyber threat hunting.

Please provide a detailed plan, including timeline and key milestones for delivering your proposal.

Below is a screenshot of the Four Phases and the Subtasks within each Phase.

Below is a summary of the Four Phases of the Proposed Project:

Project Award

September 21, 2022

Kick-off Meeting

September 23, 2022

Phase 1: Stand up a Threat Intelligence Platform

September 27, 2022 - November 1, 2022

Phase 2: Develop On-Boarding Portal & Process

October 23, 2022 - November 18, 2022

Phase 3: Develop Training Module

October 23, 2022 - November 29, 2022

Phase 4: Develop Video

October 23, 2022 - December 5, 2022

Develop Project Reporting

November 30, 2022 - December 6, 2022

Project Close-out

December 7, 2022

GANTT Charts Given Below

(Too small to read, but the graphics give you a sense of the sequence)

Phase 1

Phase 2

Phase 3

Phase 4

Please provide a detailed budget breakdown.

Budget Request Given by Phase Below:

Kick-off and Planning Meeting

$1,994.00

Phase 1: Stand-up OpenCTI TIP

$10,492.00

Phase 2: Develop Web Portal

$9,196.00

Phase 3: Develop Training Module

$10,408.00

Phase 4: Develop Video

$6,484.00

Close-out Documentation

$3,184.00

<u>TOTAL LABOR:</u>

$41,758.00

<u>TOTAL OTHER DIRECT COSTS:</u>

$1,748

TOTAL PROJECT:

$43,506

Please provide details of the people who will work on the project.

Jane Ginn, MS Information Assurance, Co-Founder, CTIN

<https://www.linkedin.com/in/janeginn/>

Ms. Ginn has over 30 years of international business experience in engineering consulting, information technology, and cybersecurity/threat intelligence. She has broad experience in security management, network architecture, systems integration, cloud services and threat assessment.

· Co-founder of the Cyber Threat Intelligence Network (CTIN).

· Adjunct Faculty member for the Computer and Information Science Department at Gannon University

· Secretary of the OASIS Threat Actor Context Technical Committee (TAC TC) at OASIS Open international standards body.

· Was the Secretary of the Cyber Threat Intelligence (CTI TC) Secretary on STIX/TAXII standards development for eight years.

· She currently serves on the Board of Directors of the Cyber Resilience Institute

· Co-founder of Sports-ISAO which has been providing security operations support for major global sporting events since 2016.

· Member of an expert panel reviewing 2020 presidential election results for Arizona.

In the public sphere she served from 1994 through 2001 as an adviser to five Secretaries of the US Department of Commerce on international trade issues. She also served five years on the Washington District Export Council. She also served for 4 years as a member of the European Union's ENISA Threat Landscape Stakeholders' Group.

She holds a Master of Science in Information Assurance (MSIA) from Norwich University. She also holds a Master of Environmental Science & Regional Planning (MRP) degree from Washington State University.

David Richards, MS Information Security, SOC Lead, Grand Canyon University

<https://www.linkedin.com/in/davidarichards/>

Solid experience in information technology and operations including customer support and infrastructure design.

• Completion of major technology projects: conversions of school management software and learning management systems, set-up of new school sites, website development, network and telecommunication system upgrades
• Effective communication with team members to establish rapport and provide continuous support
• Collaboration with schools to create a technology plan and budget, and to provide training in educational technology
• Experience with Agile, Scrum and Kanban project management methodologies

Marko Jotovic, BS Mechanical Engineering, ibDesignStudio

<https://www.linkedin.com/in/marko-jotovic-3b0721242/>

A full stack developer with experience in CMS (WordPress), E-Commerce (WooCommerce and Shopify), React, NodeJS, Python, and modern mobile app technologies. I've worked on Single Page Applications (SPA) mostly using React and NodeJS.

3 years in the Blockchain technology space like building a traditional Web App, launching an ICO, Minting an NFT, building a blockchain DAPP.

· HTML5, CSS3 with SASS, SVG, canvas, animation

· WordPress, WooCommerce and Shopify

· Material UI, Bootstrap, Semantic-UI, Materialize

· JavaScript (ES5/ES6/ES7+, Babel), Python

· React, Redux, Angular, Vue, Vuex

· NodeJS, ExpressJS, Flask, Django

· Android & iOS(React Native and Flutter)

· MongoDB, MySQL, PostgreSQL, Firebase

· Blockchain & NFT Development (Web3.js, Ethereum.js, Solidity)

· Webpack, Parcel, npm, yarn, etc…

Marko has served as a technical trainer at various institutes.

Mike Taib, AA Graphic Arts, Royally Good Digital

<https://royallygooddigital.com/>

Creative artist specializing in video editing and motion graphics. Some of his accomplishments include:

• Award-winning documentary filmmaker for his film Home in Time for War*,* a newsreel with commentary about the Libyan civil war.
• Film editor for YouTube cryptocurrency and blockchain analyst CryptoStache
• Video production and motion graphics for the Verge currency
• Developer of a Polygon-based NFT Collection on OpenSea: Non-Fungible Covfefe
• Trainer on the basics of NFT Collection design and development.
• Distiller at a Seattle-based boutique distillery

If you are funded, will you return to Catalyst in a later round for further funding? Please explain why / why not.

This Proposal is designed for standing up the OpenCTI threat intelligence platform (TIP) instance, developing the APIs with key intelligence feeds for enriching the data and socializing the idea of threat intelligence for the Cardano community.

A subsequent phase would be for maintenance of the TIP over time with updates issued by the Luatix authors of the platform. We also want to expose the Cardano Catalyst community to additional open source tools like Kestrel, developed by IBM under the auspices of the Open Cybersecurity Alliance (OCA). This subsequent phase would also allow the team the opportunity to build out a multi-level training program for helping threat analysts mature their workflows and processes.

Please describe what you will measure to track your project's progress, and how will you measure these?

Several Key Performance Indicators (KPIs) will be established to gauge how effective this project is. These include:

• Number of people that register accounts on the OpenCTI platform
• Number of hits to the online training page for the Overview of the platform
• Number of hits to the online training page for the Overview of threat intelligence models
• Number of hits to the online training page for the Introduction to STIX2.1
• Views of the YouTube video about the platform and why threat hunting is important in a community using crypto DApps, DeFi portals and/or publishing NFTs.

What does success for this project look like?

Adoption of a routine process for monitoring threats and assessing risk to ecosystem assets will be critical for the long-term success of all of the elements of the Cardano ecosystem. Success will be gauged by our ability to collectively avert cyber threats. In the term-of-art used by the cybersecurity community, we want to be

> LEFT OF BOOM!

What this means is that there is a commonly understood process that threat actors use to gain access to their victim's computers and networks. It is called "The Cyber Kill Chain"… The purpose of deploying a cyber threat intelligence program is to stop the threat actors before they gain access to the systems through their reconnaissance activities. If not then, we need to stop them when they are weaponizing their tools. If not there, we need to stop them when they are installing their malware. If not there, we need to stop them before they establish persistence. If not there, we need to stop them before they move laterally within the target network. If not there, we need to stop them before they establish a back-door into the system. If not there, we need to stop them before they take command and control of the victim machine or network. If not there, we need to stop them before they achieve their action-on-objectives.

That is, in essence, the Cyber Kill Chain.

Our objective with this project is to show the Cardano Catalyst community how to stop the threat actors at the Recon stage of the Cyber Kill Chain. But, to accomplish this, we need to be able to stand up the tool for investigation and collaboration and sharing. Then, we need to be able to train willing community members on the techniques for cyber threat hunting.

Please provide information on whether this proposal is a continuation of a previously funded project in Catalyst or an entirely new one.

This is the first proposal this team has submitted to the Catalyst community.