Judo Threat Intelligence
Frank Angiolelli
Director of Security Operations
Threat Intelligence
Strategy
Photo Courtesy of Wikipedia: https://en.wikipedia.org/wiki/Kan%C5%8D_Jigor%C5%8D
Jigorō Kanō
• Founder of Judo
• Intelligent
• Small Physique
• Lost often
• Studied the Attacker
“Usually it had been him that threw me. Now, instead of being
thrown, I was throwing him with increasing regularity.
…it was the result of my study of how to break the posture of the opponent.”
Three Principles of Judo Threat Intelligence
• Use the attacker's energy against them
• Maximum effect, minimum effort
• Break their posture, execute the throw
Path to Judo Threat Intelligence
Automatic Action on TTP
Automatic TTP Identification
Manual Action on TTP
Manual TTP Identification
Patterns in Alarms
Actionable Alarms
Signal to Noise
Transparency
Foundational
Analytical
Operational
Judo Threat Intelligence In Action
Web Attacks
Threat IP Address
All Signatures
Regression Test Signatures
Find 100% True Positive Signatures
Find All IPs That Fired
Collect All Metadata
Gives you:
• User Agents
• Bad IP Addresses
• Web Requests
• Layer 7 Data
Begin to Build a Profile
• What the recon looks like
• How they behave
• Collisions in data
Stage 1: Jumping Off
Collected Metadata
Create Custom Signatures
Regression Test
Find 100% True Positive Signatures
Find All IPs That Fired
Collect All Metadata
• Creates a Lifecycle
• Maintain Quality Control
• Finds Adaptation & Improvisation on the Attacker's Part
Stage 2: Feedback Loop
Identify Meaningful Data
User Agent Alarms
Bad URL Requests
IPS Signatures
Anomalous Volumes
WAF Alarms
Recon Scans
The Feedback Loop in Action
Tactical: Action (Quarantine, Track Long Term)
Strategic: Risk Analysis
Judo Threat Intelligence In Action @ D&B
Tactical Results
Tracking 120,000+ IP Addresses
Auto-quarantine 150,000 times in 2015, 0 FPs
Information is Aged Out Automatically
Alarms on Meaningful Data
Strategic Results
• Protect Customer Trust
• Protect Shareholder Value
• Transcends IP address reputation feeds
• Process for building custom enterprise signatures
• Prioritize investments
Funny Stuff Comes Out of the Woodwork
• Associates that run scanners from their home systems.
• Vendor connectivity anomalies.
• Threats to revenue
• Married TTPs which you would not expect
LPT: You can be selective about what you consider an important ‘attack’
Storytime
Example – Anomalous User Agents
• Identify normal user agent patterns
• Baseline abnormal user agents
• Identify thresholds
Blackspider IPs
Web Request                      Unique IP Addresses Making This Request
HEAD /admin/fckeditor/           11
HEAD /ckeditor/                  11
HEAD /common/fckeditor/          11
HEAD /images/upload/FCKeditor/   11
HEAD /editor/                    11
HEAD /includes/fckeditor/        11
HEAD /editor/fckeditor/          11
HEAD /fckimg/                    11
HEAD /editor1/                   11
HEAD /images/upload/fckediter/   11
HEAD /editorold/                 11
HEAD /images/upload/fckimg/      11
HEAD /admin/fck/                 11
HEAD /include/fckeditor/         11
HEAD /manage/fckeditor/          11
HEAD /js/fckeditor/              11
HEAD /scripts/fckeditor/         11
HEAD /upload/FCKeditor/          11
HEAD /sysadmin/fckeditor/        11
HEAD /system/fckeditor/          11
The story of 91.200.12.11
One matching pattern from Chinese IP Address: 211.149.192.45
Tool Overlap by IP and URL Request
Source IPs
URL Overlap
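The Stage 1 / Stage 2 loop above (find the IPs that fired a 100% true-positive signature, collect all of their metadata, derive custom signatures and regression-test them) together with the tool-overlap-by-IP-and-URL idea, as an added Python example that is not from the talk or from D&B. The log lines, the clean client 198.51.100.7, the user agents, the known-good traffic and the signature patterns are constructed; only the two source IPs and the FCKeditor probe paths come from the slides.

```python
import re
from collections import Counter, defaultdict
from itertools import combinations
# Combined-log-format parser: client IP, request method and path, user agent.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')
# Constructed sample traffic (not from the talk): the recon paths follow the slide's
# FCKeditor table; timestamps, user agents and the clean client are made up.
LOG_LINES = [
    '91.200.12.11 - - [10/Mar/2015:10:00:01 +0000] "HEAD /admin/fckeditor/ HTTP/1.1" 404 0 "-" "scan-bot/1.0"',
    '91.200.12.11 - - [10/Mar/2015:10:00:02 +0000] "HEAD /ckeditor/ HTTP/1.1" 404 0 "-" "scan-bot/1.0"',
    '91.200.12.11 - - [10/Mar/2015:10:00:03 +0000] "HEAD /editor/fckeditor/ HTTP/1.1" 404 0 "-" "scan-bot/1.0"',
    '211.149.192.45 - - [11/Mar/2015:02:13:44 +0000] "HEAD /admin/fckeditor/ HTTP/1.1" 404 0 "-" "Mozilla/4.0"',
    '211.149.192.45 - - [11/Mar/2015:02:13:45 +0000] "HEAD /ckeditor/ HTTP/1.1" 404 0 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [11/Mar/2015:09:30:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
# Constructed known-good traffic: a signature must never fire on it before going live.
KNOWN_GOOD_LINES = ['198.51.100.7 - - [11/Mar/2015:09:31:00 +0000] "GET /blog/editor-picks/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"']

def parse(line):
    m = LOG_RE.match(line)
    return {"ip": m[1], "request": f"{m[2]} {m[3]}", "ua": m[4]} if m else None

def regression_test(candidates, known_good_lines):
    """Keep only candidate signatures that never fire on known-good traffic (0 FPs)."""
    good = [e["request"] for e in map(parse, known_good_lines) if e]
    return [c for c in candidates if not any(c.search(r) for r in good)]

def profile_hits(lines, signatures):
    """Stage 1: every IP that fired a signature, with ALL of its requests and user agents."""
    events = [e for e in map(parse, lines) if e]
    fired = {e["ip"] for e in events if any(s.search(e["request"]) for s in signatures)}
    profiles = defaultdict(lambda: {"requests": set(), "user_agents": set()})
    for e in events:
        if e["ip"] in fired:
            profiles[e["ip"]]["requests"].add(e["request"])
            profiles[e["ip"]]["user_agents"].add(e["ua"])
    return dict(profiles)

def url_overlap(profiles):
    """Tool overlap: request lines two flagged IPs share point at the same scanner."""
    return {pair: profiles[pair[0]]["requests"] & profiles[pair[1]]["requests"]
            for pair in combinations(sorted(profiles), 2)}

def candidate_signatures(profiles, min_ips=2):
    """Stage 2 feedback loop: requests seen from several flagged IPs become exact-match signatures."""
    counts = Counter(r for p in profiles.values() for r in p["requests"])
    return [re.compile("^" + re.escape(r) + "$") for r in sorted(counts) if counts[r] >= min_ips]

# Starting signatures; the sloppy second one is dropped because it also hits "GET /blog/editor-picks/".
SIGNATURES = regression_test([re.compile(r"^HEAD /\S*(?:fck|editor)\S*/$", re.I),
                              re.compile(r"/editor", re.I)], KNOWN_GOOD_LINES)
```

Signatures produced by candidate_signatures go back through regression_test before they are allowed to quarantine anything, which is the quality-control step that keeps the loop at zero false positives.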
Conclusion
“The easy way is the hard way &
the hard way is the easy way.”
- Msgr. Walsh
Abstract
SOC and Threat Intel teams are tasked with protecting shareholder value and customer trust while facing attackers of limitless stamina, varying ingenuity and considerable resources. Internal Threat Intelligence can generate value through effective strategies. By combining Security Operations principles with Judo principles, we can generate meaningful and efficient results. This presentation presents the results of applying these principles at Dun & Bradstreet.