Securing the Digital Frontier - A Framework for Blockchain Cybersecurity
Cybersecurity Information Sharing Framework BGIN Block #12
Key Takeaways:
NIST's Cybersecurity Framework 2.0 adds a new "Govern" function to support the five core functions
MITRE introduces ADAPT (Adversarial Actions in Digital Asset Payment Technologies) to track crypto-specific attack patterns
Blockchain security requires specialized frameworks beyond traditional IT security approaches
Clear taxonomy of stakeholders is essential for effective information sharing
BGIN is working toward a standardized framework that could become an ISO standard
Breaking Down the Silos
The BGIN Block #12 session in Tokyo unveiled a crucial truth about blockchain security: traditional cybersecurity frameworks aren't enough. As attackers develop sophisticated techniques specifically targeting digital assets, the ecosystem needs specialized frameworks for information sharing.
"The borderless nature of blockchain demands a collaborative, global approach to security," noted one participant. "When major hacks occur, the impact ripples across jurisdictions, exchanges, and protocols."
NIST's Evolving Cybersecurity Framework
The National Institute of Standards and Technology (NIST) presented updates on its Cybersecurity Framework (CSF), whose version 2.0 recently marked its first anniversary. The framework has evolved significantly to address emerging threats:
The New "Govern" Function
CSF 2.0 added a sixth core function—"Govern"—which surrounds and supports the original five functions:
Identify
Protect
Detect
Respond
Recover
This addition acknowledges that effective cybersecurity requires organizational governance that spans all operational areas.
Community Profiles
A particularly relevant aspect of NIST's work is the development of "community profiles"—templates that help specific sectors address their unique security challenges. These profiles:
Establish common taxonomy and shared goals
Align with multiple standards
Pool expertise to reduce individual burden
Create consistent approaches to shared risks
"Profiles have been developed for sectors facing specific threats like ransomware," the NIST representative explained. "This approach could be particularly valuable for the blockchain ecosystem, which faces unique security challenges."
MITRE's ADAPT Framework: A Breakthrough for Crypto Security
Perhaps the most significant development presented was MITRE's new ADAPT framework (Adversarial Actions in Digital Asset Payment Technologies), which applies the successful ATT&CK methodology to blockchain and digital assets.
"Unlike traditional cybersecurity, blockchain attacks often involve unique vectors like smart contract manipulation, flash loan exploits, and oracle manipulation," explained the MITRE representative. "ADAPT is designed to track and categorize these techniques."
Crypto-Specific Attack Patterns
ADAPT documents techniques unique to Web3, including:
Smart contract logic manipulation
Flash loan exploits
Price oracle manipulation
Cross-chain swaps for fund obfuscation
Exploitation of gasless RPC endpoints
Layering funds through privacy tools and bridges
Real-World Application: The Bybit Hack
The MITRE team demonstrated ADAPT's utility by mapping a recent high-profile attack against Bybit, which resulted in a $1.5 billion loss:
Initial Access: Attacker crafted a malicious transaction altering logic in a smart contract wallet
Social Engineering: A Bybit executive approved the transaction, likely after being manipulated
Execution: Funds were moved to an attacker-controlled contract
Defense Evasion: The attacker obfuscated the trail using chain-hopping and layering tactics
"By breaking down complex attacks into documented techniques, ADAPT provides a common language for security teams across organizations," the presenter noted. "This is crucial when attacks span multiple parties—wallets, protocols, and exchanges."
Defining the Players: Who's Who in Blockchain Security
A significant portion of the session was dedicated to developing a taxonomy of stakeholders in the blockchain security ecosystem. This taxonomy is essential for effective information sharing, as different entities have varying roles, incentives, and challenges.
Layer-Based Model
Participants proposed a layer-based taxonomy inspired by the CFTC TAC DeFi report:
Protocol layer: Layer 1 foundations, core blockchain developers
Network layer: Validators, RPC nodes, infrastructure providers
Application layer: DeFi platforms, wallet providers, VASPs, exchanges
Security Experts
Security firms play a crucial role in the ecosystem:
Roles: Ingesting threat intelligence to inform security assessments and services
Incentives: Access to broader threat intelligence to develop better security solutions
Challenges: Navigating service providers' reluctance to share sensitive information
Academia
Academic researchers contribute valuable insights:
Roles: Training the next generation of security professionals and contributing technical expertise
Challenges: Limited access to real-world data and balancing rigor with response speed
Conflicts of Interest: Potential bias when funded by industry players
Law Enforcement and Regulators
Government entities face unique challenges:
Challenges: Privacy concerns (both consumer and enterprise), jurisdictional limitations
Observations: Difficulty separating cybersecurity risk from financial risk in digital asset incidents
Crypto-focused ISACs
Information Sharing and Analysis Centers specific to crypto face adoption hurdles:
Challenges: Lack of enforcement power and reliance on voluntary participation
Observations: Need for common security assessment methodologies across different types of applications
Building a Standardized Format
A critical technical need that emerged from the discussion was the development of a standardized format for sharing crypto-specific security information:
"The expansion of a common format for cryptocurrency fields that are STIX compatible is something that ISACs need to be successful," noted one participant, referencing the Structured Threat Information Expression standard widely used in traditional cybersecurity.
SEAL, a security initiative, is working to define common formats for storing information such as cryptocurrency addresses and has joined the OASIS Cyber Threat Intelligence Technical Committee to upstream those changes.
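As an added illustration (not SEAL's, OASIS's or BGIN's format), the sketch below shows why a shared, STIX-compatible representation matters: two members report the same address in different spellings, and a deterministic ID lets the receiver merge them. The object type name, the extension-definition ID, the choice of `chain` and `address` as ID-contributing properties, and the sample reports are all assumptions made for this example.

```python
import json
import re
import uuid

# Namespace the STIX 2.1 specification defines for deterministic (UUIDv5) observable IDs.
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
# Hypothetical placeholders: not a published extension and not SEAL's schema.
EXT_ID = "extension-definition--00000000-0000-4000-8000-000000000001"
SCO_TYPE = "x-example-crypto-address"

# Constructed sample reports: (source, chain, address).
REPORTS = [
    ("exchange-a", "ethereum", "0xAbCdEf0123456789aBcDeF0123456789abcdef01"),
    ("wallet-b", "Ethereum", "0xabcdef0123456789abcdef0123456789abcdef01"),
    ("isac-c", "ethereum", "0x1234"),  # malformed: too short
]


def crypto_address_sco(chain, address):
    """Return a custom STIX 2.1 observable for one address, with a deterministic ID."""
    chain, address = chain.strip().lower(), address.strip()
    if chain == "ethereum":  # only EVM addresses are validated in this sketch
        if not re.fullmatch(r"0x[0-9a-fA-F]{40}", address):
            raise ValueError(f"malformed address: {address!r}")
        address = address.lower()  # hex case carries only the checksum
    # Assumed ID-contributing properties, serialized as compact sorted JSON.
    seed = json.dumps({"address": address, "chain": chain},
                      sort_keys=True, separators=(",", ":"))
    return {
        "type": SCO_TYPE,
        "spec_version": "2.1",
        "id": f"{SCO_TYPE}--{uuid.uuid5(STIX_SCO_NAMESPACE, seed)}",
        "chain": chain,
        "address": address,
        "extensions": {EXT_ID: {"extension_type": "new-sco"}},
    }


def merge_reports(reports):
    """Build one bundle from many reports; same address means same ID, so it dedupes."""
    objects, sources, rejected = {}, {}, []
    for source, chain, address in reports:
        try:
            sco = crypto_address_sco(chain, address)
        except ValueError:
            rejected.append((source, address))  # do not re-share malformed data
            continue
        objects[sco["id"]] = sco
        sources.setdefault(sco["id"], set()).add(source)
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
              "objects": list(objects.values())}
    return bundle, sources, rejected
```

Calling `merge_reports(REPORTS)` yields a bundle with a single object attributed to both reporting sources, plus one rejected entry.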
From Discussion to Action
The session concluded with concrete next steps toward developing a foundational document for information sharing in blockchain cybersecurity:
Compile input into a document focused on taxonomy and ecosystem modeling
Create a high-level framework (5-10 pages) explaining roles, responsibilities, and interactions
Target April for completion of the first draft
Consider submission as an ISO standard if successful
"This represents a monumental opportunity for BGIN and the broader blockchain community," emphasized the session moderator. "By establishing a common framework for information sharing, we can significantly enhance the security posture of the entire ecosystem."
The Path Forward
The collaboration between NIST, MITRE, and BGIN marks a significant milestone in blockchain security. By adapting proven frameworks to address the unique challenges of digital assets, the community is moving toward a more resilient ecosystem.
As one participant noted: "The attackers are sharing information and collaborating effectively. If the defenders don't do the same, we'll always be at a disadvantage."
Get Involved
BGIN is seeking volunteers to help draft the information sharing framework document. If you have expertise in blockchain security and want to contribute to this industry-shaping initiative, join the next working group session or reach out through the BGIN forum.
This blog post is based on discussions from BGIN Block #12, Tokyo, Japan, March 3, 2025.
For more information about BGIN and upcoming events, visit BGIN.
Join the conversation on our forum & Working Group Calls.