CERT Pilot

The High Institute of Information and Communication Technologies (ISCOM), which is a Directorate of the Italian Ministry of Economic Development (MISE), hosts the Italian CERT, which is the main public organization in Italy informing private users and companies of novel cybersecurity threats, and fosters the adoption of good practices for system security.  The CERT provides services of custom notification about cybersecurity information, to both large and small companies in Italy, by pairing news about threats and vulnerabilities, with those companies whose have an actual interest in specific subtopics. 
The process of information and news collection, and subsequent delivery to the correct interested party(es) has been done up to now by a human operator in a semi-automated way. This is a limitation to the amount of information that can be processed and introduces the possibility of mistakes. Furthermore, the privacy of exchanged information is at risk, exposing the CERT at legal risks such as those specified in GDPR. 
The introduction of C3ISP in the CERT operations, aims at tackling all these issues by providing a platform able to handle data in a completely privacy aware manner, which gives to data providers tools to define their own security and privacy policies, which will be enforced in a way, which is totally transparent to the CERT. 
Furthermore C3ISP empowers the CERT operative workflow by adding a large set of new operations that can be performed on data, providing cutting-edge, research-based technologies for the analysis of spam emails and traffic, and malware detection . Through C3ISP the CERT becomes able to process automatically larger set of information, delivering new and more accurate information to the interested recipient, with limited to no active user interaction. This also improves the timeliness in which  information is extracted and delivered, in an environment where being faster than the attacker might imply the difference between receiving or not damages, whose recovery and consequences might cost even millions of Euro. 
For this reason, several major companies  have already shown their interest in the C3ISP technologies and in the new services offered by the CERT. 
The main new services offered by the CERT through C3ISP are in a nutshell:

  • Spam email filtering: Automatic analysis of large email sets, which separates good emails (ham) from unsolicited ones (spam).
  • Spam email classification and campaign clustering: Currently spam emails are used to damage recipients in several ways, from distributing malicious software, to steal user credentials by performing phishing attacks. C3ISP  is able to classify  spam email files according to their type, so as to make the user(s) aware of the actual risks contained in received emails.
  • Malware classification: Binary analysis for malware detection, exploiting features which make the system able to identify also new and unknown threat (Zero-day attacks). 

The C3ISP framework is able to operate also on anonymized pieces of information, hence it is possible to use the functionalities offered by the CERT as-a-service, without having to disclose the actual information content to the CERT itself. This would improve the user acceptance of the CERT offered services.