Threat Intelligence Jujutsu


Page 1

Judo Threat Intelligence

Frank Angiolelli

Director of Security Operations

Page 2

Threat Intelligence

Page 3

Strategy

Page 4

Photo courtesy of Wikipedia: https://en.wikipedia.org/wiki/Kan%C5%8D_Jigor%C5%8D

Jigorō Kanō

• Founder of Judo

• Intelligent

• Small Physique

• Lost often

• Studied the Attacker

“Usually it had been him that threw me. Now, instead of being thrown, I was throwing him with increasing regularity. …it was the result of my study of how to break the posture of the opponent.”

Page 5

Page 6

Three Principles of Judo Threat Intelligence

• Use the attacker's energy against them

• Maximum effect, minimum effort

• Break their posture, execute the throw

Page 7

Path to Judo Threat Intelligence

• Automatic Action on TTP
• Automatic TTP Identification
• Manual Action on TTP
• Manual TTP Identification
• Patterns in Alarms
• Actionable Alarms
• Signal to Noise
• Transparency

Levels: Foundational, Analytical, Operational

Page 8

Judo Threat Intelligence In Action

Web Attacks

Page 9

Stage 1: Jumping Off

Threat IP Address → All Signatures → Regression Test Signatures → Find 100% True Positive Signatures → Find All IPs That Fired → Collect All Metadata

Gives you:
• User Agents
• Bad IP Addresses
• Web Requests
• Layer 7 Data

Begin to Build a Profile:
• What the recon looks like
• How they behave
• Collisions in data

Page 10

Stage 2: Feedback Loop

Collected Metadata → Identify Meaningful Data → Create Custom Signatures → Regression Test → Find 100% True Positive Signatures → Find All IPs That Fired → Collect All Metadata

• Creates a Lifecycle
• Maintains Quality Control
• Finds Adaptation & Improvisation on the Attacker's Part
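One way to implement Stage 1 and the Stage 2 feedback loop, as an added example that is not from the presentation: candidate signatures are regression-tested against analyst-labelled records, only 100% true-positive signatures are kept, every IP that fired is profiled, and the profiled user agents are proposed as custom signatures and regressed in turn. The log records, labels, signatures and addresses (RFC 5737 documentation ranges) are all constructed.

```python
import re

# Constructed sample web-log records: (source_ip, user_agent, request_line, is_attack).
# is_attack is the analyst verdict that the regression test is scored against.
LOG = [
    ("192.0.2.10",   "Mozilla/5.0 (Windows NT 10.0) Firefox/42.0", "GET /index.html",           False),
    ("192.0.2.12",   "Mozilla/5.0 (Windows NT 10.0) Firefox/42.0", "HEAD /healthz",             False),
    ("198.51.100.7", "Mozilla/4.0 (compatible; MSIE 6.0)",         "HEAD /admin/fckeditor/",    True),
    ("198.51.100.7", "Mozilla/4.0 (compatible; MSIE 6.0)",         "HEAD /ckeditor/",           True),
    ("203.0.113.5",  "Mozilla/4.0 (compatible; MSIE 6.0)",         "HEAD /includes/fckeditor/", True),
    ("203.0.113.9",  "Mozilla/4.0 (compatible; MSIE 6.0)",         "GET /editorold/",           True),
]

# Candidate signatures (constructed): name -> (field to match, regex).
SIGNATURES = {
    "fck_probe": ("request", r"^HEAD /\S*fck\S*/$"),  # editor-path probing
    "head_any":  ("request", r"^HEAD "),              # too broad: also hits the health check
}

def fires(sig, rec):
    field, pattern = sig
    return re.search(pattern, rec[2] if field == "request" else rec[1]) is not None

def regression_test(signatures, log):
    """Stage 1: keep only signatures that fired and never fired on non-attack traffic."""
    return {name: sig for name, sig in signatures.items()
            if any(fires(sig, r) for r in log) and all(r[3] for r in log if fires(sig, r))}

def collect_metadata(signatures, log):
    """Find every IP that fired a kept signature, then gather all of its Layer-7 data."""
    fired = {rec[0] for rec in log if any(fires(s, rec) for s in signatures.values())}
    profile = {ip: {"uas": set(), "requests": set()} for ip in fired}
    for ip, ua, request, _ in log:
        if ip in profile:
            profile[ip]["uas"].add(ua)
            profile[ip]["requests"].add(request)
    return profile

def derive_ua_signatures(profile):
    """Stage 2: propose each profiled user agent as an exact-match custom signature."""
    uas = {ua for p in profile.values() for ua in p["uas"]}
    return {"ua:" + ua: ("ua", "^" + re.escape(ua) + "$") for ua in uas}

def feedback_loop(log):
    """One turn of the loop: regress, profile, derive, regress again, re-profile."""
    kept = regression_test(SIGNATURES, log)
    kept.update(regression_test(derive_ua_signatures(collect_metadata(kept, log)), log))
    return kept, collect_metadata(kept, log)
```

The second pass catches 203.0.113.9, whose request never matched the path signature but whose user agent was only ever seen in profiled traffic; a user agent that also appears on labelled-benign records would be rejected by the regression test rather than promoted.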

Page 11

The Feedback Loop in Action

Inputs: User Agent Alarms, Bad URL Requests, IPS Signatures, Anomalous Volumes, WAF Alarms, Recon Scans

Tactical: Action, Quarantine, Track Long Term

Strategic: Risk Analysis

Page 12

Judo Threat Intelligence In Action

@ D&B

Page 13

Tactical Results

• Tracking 120,000+ IP Addresses
• Auto-quarantine 150,000 times in 2015, 0 FPs

Information is Aged Out Automatically

Alarms on Meaningful Data

Page 14

Strategic Results

• Protect Customer Trust

• Protect Shareholder Value

• Transcends IP address reputation feeds

• Process for building custom enterprise signatures

• Prioritize investments

Page 15

Funny Stuff Comes Out of the Woodwork

• Associates that run scanners from their home systems.

• Vendor connectivity anomalies.

• Threats to revenue

• Married TTPs which you would not expect

LPT: You can be selective about what you consider an important ‘attack’

Page 16

Storytime

Page 17

Example – Anomalous User Agents

• Identify normal user agent patterns
• Baseline abnormal user agents
• Identify thresholds

Page 18

Page 19

Blackspider IPs

Web Request                        Unique IP Addresses Making This Request
HEAD /admin/fckeditor/             11
HEAD /ckeditor/                    11
HEAD /common/fckeditor/            11
HEAD /images/upload/FCKeditor/     11
HEAD /editor/                      11
HEAD /includes/fckeditor/          11
HEAD /editor/fckeditor/            11
HEAD /fckimg/                      11
HEAD /editor1/                     11
HEAD /images/upload/fckediter/     11
HEAD /editorold/                   11
HEAD /images/upload/fckimg/        11
HEAD /admin/fck/                   11
HEAD /include/fckeditor/           11
HEAD /manage/fckeditor/            11
HEAD /js/fckeditor/                11
HEAD /scripts/fckeditor/           11
HEAD /upload/FCKeditor/            11
HEAD /sysadmin/fckeditor/          11
HEAD /system/fckeditor/            11

Page 20

The story of 91.200.12.11

One matching pattern from Chinese IP address: 211.149.192.45

Page 21

Tool Overlap by IP and URL Request

Source IPs

URL Overlap
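An added example, not from the presentation, of the overlap analysis behind the last three slides: it rebuilds the unique-IPs-per-request table, scores how much two source IPs' request sets overlap (Jaccard similarity) to group IPs that appear to run the same tool, and counts how many of a reference IP's patterns another source also sent (the "one matching pattern" case). The observations are constructed; the paths borrow the editor-probing pattern from the table above and the addresses are RFC 5737 documentation ranges.

```python
from collections import defaultdict

# Constructed observations: (source_ip, request_line).
REQUESTS = [
    ("198.51.100.7", "HEAD /admin/fckeditor/"),
    ("198.51.100.7", "HEAD /ckeditor/"),
    ("198.51.100.7", "HEAD /editor/"),
    ("198.51.100.7", "HEAD /fckimg/"),
    ("203.0.113.5", "HEAD /admin/fckeditor/"),   # same tool fingerprint as 198.51.100.7
    ("203.0.113.5", "HEAD /ckeditor/"),
    ("203.0.113.5", "HEAD /editor/"),
    ("203.0.113.5", "HEAD /fckimg/"),
    ("203.0.113.9", "HEAD /ckeditor/"),          # only one pattern in common
    ("203.0.113.9", "GET /robots.txt"),
    ("192.0.2.10", "GET /index.html"),           # ordinary visitor
    ("192.0.2.10", "GET /robots.txt"),
]

def requests_by_ip(observations):
    sets = defaultdict(set)
    for ip, request in observations:
        sets[ip].add(request)
    return dict(sets)

def unique_ips_per_request(observations):
    """The slide's table: how many distinct source IPs made each request."""
    ips = defaultdict(set)
    for ip, request in observations:
        ips[request].add(ip)
    return {request: len(srcs) for request, srcs in ips.items()}

def overlap(a, b):
    """Jaccard similarity of two request sets; 1.0 means an identical fingerprint."""
    return len(a & b) / len(a | b) if a | b else 0.0

def cluster_by_tool(observations, threshold=0.75):
    """Group source IPs whose request sets overlap enough to suggest the same tool."""
    sets, clusters = requests_by_ip(observations), []
    for ip in sorted(sets):
        for cluster in clusters:
            if overlap(sets[ip], sets[cluster[0]]) >= threshold:
                cluster.append(ip)
                break
        else:
            clusters.append([ip])
    return clusters

def matches_against(reference_ip, observations):
    """How many of the reference IP's request patterns each other source also sent."""
    sets = requests_by_ip(observations)
    return {ip: len(reqs & sets[reference_ip]) for ip, reqs in sets.items() if ip != reference_ip}
```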

Page 22

Conclusion

“The easy way is the hard way & the hard way is the easy way.”

- Msgr. Walsh

Page 23

Frank [email protected]

914-589-4474

Thank you.


Page 25

Abstract

SOC and Threat Intel teams are tasked with protecting shareholder value and customer trust while facing attackers of limitless stamina, varying ingenuity and considerable resources. Internal threat intelligence can generate value through effective strategies. By combining Security Operations principles with Judo principles, we can generate meaningful and efficient results. This presentation reports the results of applying these principles at Dun & Bradstreet.