Kelsie Nabben April 24, 2024

The Most Attractive Target

Crypto has proven to be an attractive target for sophisticated cyber criminals around the world. Threat intelligence suggests that nation-states rely on hacking into crypto accounts as a source of revenue for the government. Law enforcement lists crypto as one of the largest sources of financial loss in the past three years. Indeed, individual hacks can lead to over $100 million in lost funds.

While a hack is not necessarily an indication of poor security, the state of security in the crypto industry is lacking, according to SEAL-ISAC lead developer and Head of Security at Scroll protocol, Ryan Wegner:

“It varies a lot from project to project. It seems poor because it’s easy to find the projects that aren’t doing well because they lack basic security processes and practices and these mistakes are public on the blockchain for everyone to see.”

In an earlier effort to help identify security controls, Ryan contributed alongside a group of security researchers to develop the “Rekt Test”, as a simple and widely applicable evaluation of security controls to help teams assess security posture and measure progress. While these measures may seem simple, they are not always practiced.

The nature of public cryptocurrency projects is that they are permissionless, meaning that anyone can build an application or even launch a cryptocurrency exchange. Yet, most are unprepared.

"Because the bar is so low to actually deploy a project, they don’t think about security until much further down the track. Unlike Web2, Web3 startups are often responsible for protecting millions in TVL [total value locked] of retail funds, and security professionals are forced to reverse engineer products in production to retroactively apply security best practices...like adding seat belts to a plane that's already in flight”, states Ryan.

Enter, The Security Alliance (SEAL)

The recently launched Web3 Security Alliance (SEAL) initiative is making haste to develop the infrastructure required to mature cybersecurity in the crypto industry and to share threat intelligence about threat actors.

Spanning both regulatory coordination and practical tooling, SEAL’s cornerstone initiatives include:

• SEAL 911, a 24/7 emergency Telegram chat channel where anyone can report an incident, disclose a vulnerability, or report a security problem,

• The Whitehat Safe Harbor Agreement, a framework to establish legal protections and incentives between white hat hackers and protocols or DAOs ahead of time, so rights are clear when engaging in a rescue against an active exploit, and

• SEAL Wargames, attack simulation exercises (known as “red teaming”), to help protocol security teams practice and improve their processes, tooling, and responses in the case of a real exploit.

As a largely volunteer-led effort that is funded by grants and donations, SEAL has already been involved in the rescue of around 50 million dollars, according to their own statistics.

“Our actions involve identifying root causes, tracing stolen funds, pointing to resources on best practice responses, and recovering stolen social media accounts” states one of the SEAL 911 responders.

For example, SEAL 911 helped lead the negotiations with a hacker, using on-chain messages to their cryptocurrency wallet address to strike a deal, resulting in over 90% of the stolen funds being returned to Dolomite, a margin trading protocol on Arbitrum. In another event, SEAL 911 responders helped save $200,000 being drained mid-hack from a smart contract in one exploit, and $2.3 million in another negotiation. SEAL whitehat hackers have also helped identify vulnerabilities using community reporting to responsibly disclose and preemptively prevent attacks. As the participants in the network of SEAL contributors grows, additional real time assistance will help others avoid attacks, or quickly mitigate those under way.

One auditing team lead reported on “X”:

“Today I messaged the SEAL911 hotline with a bug I found in production. 15 minutes later, the CEO of the project was informed. 50 minutes later, the code was patched and no longer exploitable. I cannot recommend SEAL911 enough”.

The question is, what can be done with all of this insider information and experience to improve security throughout the crypto ecosystem?

Having proved their chops in incident response, the next SEAL initiative to launch is ‘SEAL-ISAC’, an Information Sharing and Analysis Centre to coordinate and respond to cyber security information at scale across the cryptocurrency ecosystem.

Why an Information Sharing and Analysis Centre (ISAC)?

An ISAC is not a novel idea. It is a framework for real-time inter-organizational information sharing and collaboration, commonly utilized across various industries to enhance cyber security resilience.

The idea is based on the original Financial Services ISAC (FS-ISAC); an international, 7,000 member not-for-profit industry consortium, dedicated to reducing cyber-risk in the financial system.

Upon joining a call with the initiating team where the initial product demo was presented, one asked, “are we sure we want to call it an ISAC? Some people think ISAC’s are not very useful”.

“Yeah, we do”, replied whitehat hacker and Founder of SEAL, Samczsun, "it helps to explain what it is in a straightforward way”.

The comment points to the paradox of any coordination mechanism that could be perceived as centralizing in an industry predicated on decentralization. The initial FS-ISAC was founded in 1999 as a response to a Presidential Directive from the US government. ISACs are trusted entities that collect, analyze, and disseminate actionable threat information to their members, as well as providing members with tools to mitigate risks. These include threat intelligence reports, crisis and incident support, security alerting and automated information feeds, and running security exercises.

What is different about SEAL is their ability to get the right people, in the right place, at the right time. Leading by “shipping” a threat intelligence platform, SEAL is focusing on engineering and infrastructure support, combined with gathered a number of high-profile and data rich stakeholders as the ground zero members for SEAL-ISAC.

An ISAC Tailored to the Cryptocurrency Ecosystem

Given the unique challenges and the rapidly evolving nature of blockchain technology and digital assets, such an ISAC would focus on the specific needs and vulnerabilities of the cryptocurrency sector. With more money flowing into the market, the types of threats which the SEAL911 team observes do change and evolve. According to one of the SEAL 911 expert white hat hackers, the majority of tickets are phishing scams (people losing their cryptocurrency tokens via malicious approvals and compromised private keys), and romance scams that involve investing in cryptocurrency (known as “pig butchering” scams). The remainder are responsible disclosures by other whitehats regarding potential vulnerabilities (such as re-entrancy attacks where there is a bug in smart contract code and access control issues), or projects reaching out for help once being hacked.

While FS-ISAC charges membership fees, and a number of crypto security firms try to monetize intelligence sharing products and services, the key to SEAL is that it’s a Not-For-Profit and SEAL-ISAC membership is planned to be completely free. Although there are more players to coordinate in a decentralized ecosystem like cryptocurrency, there are even higher incentives to collaborate on industry-wide security to protect users from having their funds drained, to mitigate cascade effects from hacks, and to improve the reputation of the industry.

The types of stakeholders that are relevant members of SEAL-ISAC include cryptocurrency exchanges and trading platforms, blockchain development projects and platforms, wallet providers and crypto storage solutions, mining pools and infrastructure providers, cybersecurity firms and researchers specializing in blockchain and cryptocurrency, and regulatory experts and bodies interested in or working with cryptocurrency projects.

An Information Sharing and Analysis Center (ISAC) tailored for the cryptocurrency industry could play a crucial role in enhancing the security and resilience of the cryptocurrency ecosystem against cyber threats, fraud, and financial crimes. For SEAL, it’s about formalizing the community-run intelligence sharing that is already occurring between whitehats and security firms across numerous online chats to share more effectively in one place and maintain better record keeping.

In response to the security characteristics of the crypto industry, key features and functions of SEAL-ISAC include:

1. Information Sharing: ISACs facilitate the exchange of information regarding vulnerabilities, threats, attacks, and best practices for cryptocurrency industry cybersecurity among their members. This sharing occurs in a secure and confidential manner to protect sensitive information, in accordance with SEAL’s Code of Conduct (noting no personally identifiable information is shared between SEAL 911 initiative and SEAL-ISAC).

2. Threat Analysis and Alerts: Analysis of cybersecurity threats to provide timely threat intelligence and alerts to members. This analysis helps organizations to anticipate, identify, and mitigate potential attacks.

3. Best Practices and Guidelines: ISACs disseminate best practices and guidelines for cybersecurity (known as “playbooks”), to help members implement effective security measures and policies.

4. Incident Coordination and Response: Providing a coordinated response mechanism for major security incidents, such as exchange hacks or network attacks, including facilitating communication between affected parties, law enforcement, and cybersecurity experts.

5. Education and Awareness: Offering educational resources and training programs tailored to various stakeholders in the cryptocurrency ecosystem, including developers, exchanges, wallet providers, and users, to raise awareness about security best practices and the latest threats.

6. Regulatory and Legal Guidance: Connecting the cryptocurrency industry with regulatory experts to ensure that security measures are in line with legal requirements and to advocate for reasonable regulatory approaches to cryptocurrency security.

What this looks like is a way to report information, and a back-end dashboard for analytics and response.

Using the SEAL-ISAC Dashboard

Practically, SEAL-ISAC is a repository of data, based on an Open Source Cyber Threat Intelligence database platform (called OpenCTI). Members can access the platform to input information there according to the data formats presented, including new report, context, external reference (such as a post on “X”), observables (such as cryptocurrency wallet addresses), entities, and relationships. SEAL analysts then organize that data into something useful by building it up into a database to understand how things are related, and other member organizations can consume that data. Some will consume information manually and conduct their own analysis, and others will subscribe for automated information feeds, curated by SEAL analysts. The result is that incidents are not just responded to by SEAL 911, but incidents are recorded, information is added by member organizations, and this leads to an cyber threat intelligence database that can be used by people and projects before an incident occurs, as well as the development of best practice resources, such as incident playbooks to respond.

Success Hinges on High-Quality Data Contributor Members

In an ideal world, the SEAL-ISAC database will be shared with community members that can make use of the actionable intelligence insights being provided. Most of the cybersecurity data collected in crypto events is open source (such as on chain or posted on social media). SEAL-ISAC puts it all together, and adds a layer of analysis and coordination.

SEAL already has commitments for data contributions from major service providers in the cryptocurrency ecosystem, including cryptocurrency exchange Coinbase, Web-browser wallet Metamask, decentralized exchange UniSwap, and Layer 2 protocols Scroll and Polygon.

SEAL-ISAC signifies an important maturing in infrastructure, practices, and coordination of security in the crypto industry. The role of ISACs is increasingly important in the context of the evolving sophistication and frequency of cyber attacks that comes with an up-tick in market value. By fostering a culture of information sharing and collaboration, SEAL-ISAC will help to improve the overall cybersecurity posture of their member organizations and, by extension, the cryptocurrency ecosystem. If SEAL’s ISAC initiative succeeds in aggregating actionable insights that help to protect crypto users and improve the state of security across the industry, it has the potential to represent the security of billions of dollars in assets via its members.

“The ISAC is only as good as the intelligence it receives”, states Ryan. “We just really want folks to participate and share. If people are seeing something that looks malicious, such as an imposter domain, a phishing attack, and so on, submit it”. Unfortunately, the chances are if someone has been victimized by a scammer or hacker, someone else will be victimized too.

END.

Acknowledgments: With thanks to the SEAL-ISAC team for research approval, interviews, and feedback.

Suggested citation: Nabben, K. (2024). “SEALing Crypto Security: A Web3 Information Sharing and Analysis Center (ISAC).” Available online: [link].

Note: Minor edits were made post publishing this article, including editing to read ‘SEAL-ISAC’