Cyber Intelligence Professionals and Enthusiasts Now Have the Ability to Report Threats Anonymously
Imagine a landscape where cybersecurity professionals, enthusiasts, or whistleblowers can anonymously report new clusters of malicious cyber activity without enduring extensive and formal disclosure procedures. This vision is being pursued by a collective of cybersecurity professionals in Europe through a newly launched platform, Draugnet. Built on the Malware Information Sharing Platform (MISP), Draugnet is an open-source cyber threat intelligence sharing initiative designed for seamless threat reporting.
The platform is co-founded by Trey Darley, a senior security manager at Accenture Belgium, and Alexandre Dulaunoy, who leads the Computer Incident Response Center Luxembourg (CIRCL). They plan to unveil Draugnet at FIRSTCON in Copenhagen on June 24.
Originally named ‘Abracadabra’ due to its user-friendly nature, Draugnet enables users to report various pieces of threat intelligence, ranging from indicators of compromise to detailed vulnerability reports, without the need for account registration or login. Reports are submitted in a straightforward, machine-readable JSON format, making them accessible for all users.
Democratizing Cyber Threat Intelligence Reporting
Draugnet aims to support “quiet defenders, rotating trust groups, and individuals managing the balance between responsible stewardship and unmanageable risk,” as outlined in its mission statement. Darley illustrates its functionality with an example: if he wishes to collect vulnerability reports regarding connected coffee makers, Draugnet can provide a simple web form through which researchers submit vulnerabilities. The anonymized reports are forwarded to his MISP environment for analysts to assess, and each submitter receives a follow-up token.
This token, a string of random characters, is stored in the browser cache, allowing users to reuse it or share it with others for updates on their reports. Draugnet’s architecture separates the front and back end, ensuring that those with access to the back end cannot trace submissions back to the reporting individual.
The overarching goal is to democratize cyber threat intelligence reporting, inviting participation not just from cybersecurity experts but also from individuals outside traditional security circles, such as quality assurance professionals inspired by popular podcasts. Darley expresses concern that while vulnerability reporting is on the rise, the trend seems to be veering towards a less open society, rather than one that encourages sharing. Draugnet seeks to counter this by streamlining the threat reporting process.
Challenges and Use Cases for Draugnet
Despite its ambitious goals, Darley acknowledges the challenges Draugnet may face. Achieving total anonymity online is inherently difficult, as interactions between users and systems can leave detectable traces. Moreover, the platform currently lacks robust mechanisms to prevent false or malicious reporting.
Nevertheless, Darley envisions Draugnet as an essential component of the cybersecurity toolkit. Organizations might consider employing this platform within restricted environments, such as Information Sharing and Analysis Centers (ISACs) or other trusted groups. For example, a national cybersecurity agency might utilize a Draugnet-enabled reporting system hosted in a secure computing environment, allowing a vetted group of researchers to contribute to cyber threat intelligence naturally and without cumbersome processes.
By empowering community-driven reporting, Draugnet aims to enhance the collective defense against cyber threats while making participation accessible to a broader audience.