Key Takeaways:

• NIST's Cybersecurity Framework 2.0 adds a new "Govern" function to support the five core functions

• MITRE introduces ADAPT (Adversarial Actions in Digital Asset Payment Technologies) to track crypto-specific attack patterns

• Blockchain security requires specialized frameworks beyond traditional IT security approaches

• Clear taxonomy of stakeholders is essential for effective information sharing

• BGIN is working toward a standardized framework that could become an ISO standard

Breaking Down the Silos

The BGIN Block #12 session in Tokyo unveiled a crucial truth about blockchain security: traditional cybersecurity frameworks aren't enough. As attackers develop sophisticated techniques specifically targeting digital assets, the ecosystem needs specialized frameworks for information sharing.

"The borderless nature of blockchain demands a collaborative, global approach to security," noted one participant. "When major hacks occur, the impact ripples across jurisdictions, exchanges, and protocols."

NIST's Evolving Cybersecurity Framework

The National Institute of Standards and Technology (NIST) presented updates on its Cybersecurity Framework (CSF), which recently celebrated its 2.0 version's first anniversary. The framework has evolved significantly to address emerging threats:

The New "Govern" Function

CSF 2.0 added a sixth core function—"Govern"—which surrounds and supports the original five functions:

• Identify

• Protect

• Detect

• Respond

• Recover

This addition acknowledges that effective cybersecurity requires organizational governance that spans all operational areas.

Community Profiles

A particularly relevant aspect of NIST's work is the development of "community profiles"—templates that help specific sectors address their unique security challenges. These profiles:

• Establish common taxonomy and shared goals

• Align with multiple standards

• Pool expertise to reduce individual burden

• Create consistent approaches to shared risks

"Profiles have been developed for sectors facing specific threats like ransomware," the NIST representative explained. "This approach could be particularly valuable for the blockchain ecosystem, which faces unique security challenges."

MITRE's ADAPT Framework: A Breakthrough for Crypto Security

Perhaps the most significant development presented was MITRE's new ADAPT framework (Adversarial Actions in Digital Asset Payment Technologies), which applies the successful ATT&CK methodology to blockchain and digital assets.

"Unlike traditional cybersecurity, blockchain attacks often involve unique vectors like smart contract manipulation, flash loan exploits, and oracle manipulation," explained the MITRE representative. "ADAPT is designed to track and categorize these techniques."

Crypto-Specific Attack Patterns

ADAPT documents techniques unique to Web3, including:

• Smart contract logic manipulation

• Flash loan exploits

• Price oracle manipulation

• Cross-chain swaps for fund obfuscation

• Exploitation of gasless RPC endpoints

• Layering funds through privacy tools and bridges

Real-World Application: The Bybit Hack

The MITRE team demonstrated ADAPT's utility by mapping a recent high-profile attack against Bybit, which resulted in a $1.5 billion loss:

1. Initial Access: Attacker crafted a malicious transaction altering logic in a smart contract wallet

2. Social Engineering: A Bybit executive approved the transaction, likely after being manipulated

3. Execution: Funds were moved to an attacker-controlled contract

4. Defense Evasion: The attacker obfuscated the trail using chain-hopping and layering tactics

"By breaking down complex attacks into documented techniques, ADAPT provides a common language for security teams across organizations," the presenter noted. "This is crucial when attacks span multiple parties—wallets, protocols, and exchanges."

Defining the Players: Who's Who in Blockchain Security

A significant portion of the session was dedicated to developing a taxonomy of stakeholders in the blockchain security ecosystem. This taxonomy is essential for effective information sharing, as different entities have varying roles, incentives, and challenges.

Layer-Based Model

Participants proposed a layer-based taxonomy inspired by the CFTC TAC DeFi report:

• Protocol layer: Layer 1 foundations, core blockchain developers

• Network layer: Validators, RPC nodes, infrastructure providers

• Application layer: DeFi platforms, wallet providers, VASPs, exchanges

Security Experts

Security firms play a crucial role in the ecosystem:

• Roles: Ingesting threat intelligence to inform security assessments and services

• Incentives: Access to broader threat intelligence to develop better security solutions

• Challenges: Navigating service providers' reluctance to share sensitive information

Academia

Academic researchers contribute valuable insights:

• Roles: Training the next generation of security professionals and contributing technical expertise

• Challenges: Limited access to real-world data and balancing rigor with response speed

• Conflicts of Interest: Potential bias when funded by industry players

Law Enforcement and Regulators

Government entities face unique challenges:

• Challenges: Privacy concerns (both consumer and enterprise), jurisdictional limitations

• Observations: Difficulty separating cybersecurity risk from financial risk in digital asset incidents

Crypto-focused ISACs

Information Sharing and Analysis Centers specific to crypto face adoption hurdles:

• Challenges: Lack enforcement power, relying on voluntary participation

• Observations: Need for common security assessment methodologies across different types of applications

Building a Standardized Format

A critical technical need that emerged from the discussion was the development of a standardized format for sharing crypto-specific security information:

"The expansion of a common format for cryptocurrency fields that are STIX compatible is something that ISACs need to be successful," noted one participant, referencing the Structured Threat Information Expression standard widely used in traditional cybersecurity.

SEAL, a security initiative, is working to define common formats for storing information such as cryptocurrency addresses and has joined the OASIS Cyber Threat Intelligence Technical Committee to upstream those changes.

From Discussion to Action

The session concluded with concrete next steps toward developing a foundational document for information sharing in blockchain cybersecurity:

1. Compile input into a document focused on taxonomy and ecosystem modeling

2. Create a high-level framework (5-10 pages) explaining roles, responsibilities, and interactions

3. Target April for the first draft completion

4. Consider submission as an ISO standard if successful

"This represents a monumental opportunity for BGIN and the broader blockchain community," emphasized the session moderator. "By establishing a common framework for information sharing, we can significantly enhance the security posture of the entire ecosystem."

The Path Forward

The collaboration between NIST, MITRE, and BGIN marks a significant milestone in blockchain security. By adapting proven frameworks to address the unique challenges of digital assets, the community is moving toward a more resilient ecosystem.

As one participant noted: "The attackers are sharing information and collaborating effectively. If the defenders don't do the same, we'll always be at a disadvantage."

Get Involved

BGIN is seeking volunteers to help draft the information sharing framework document. If you have expertise in blockchain security and want to contribute to this industry-shaping initiative, join the next working group session or reach out through the BGIN forum.

This blog post is based on discussions from BGIN Block #12, Tokyo, Japan, March 3, 2025.

For more information about BGIN and upcoming events, visit BGIN.

Join the conversation on our forum & Working Group Calls.