Master Block List: Protecting Against Cyber Threats

In an increasingly technical world, people can communicate and instantly connect with others at any time. Mobile devices and social networking have become the norm rather than the exception for both business and personal interactions. However, the data that is shared and stored online as a result of virtual interconnectedness is also a target for cyber criminals who seek to exploit technological and human vulnerabilities for personal gain. To combat growing cyber threats, LLNL’s Cybersecurity Program created the Master Block List (MBL) in collaboration with the LLNL-led DOE Focused Advanced Persistent Threat Group (FAPT). MBL allows applications to automatically share malicious Web sites, hashes, and spear phishers with all the sites that participate in the service. By using MBL and similar tools, DOE is better able to leverage the intelligence of its collective parts and more effectively prevent attacks on its computers and networks. MBL was named one of the top 25 most important cybersecurity innovations of 2012 by a panel of cybersecurity experts.

Initially, MBL was created for LLNL to easily and automatically share malicious Uniform Resource Locators (URLs) and Internet Protocol (IP) addresses with Sandia National Laboratories. The steady increase in cyberattacks had made it difficult to share cyber threat data among trusted partners using traditional methods, prompting a need for a new tool that could restore security between the laboratories. The working prototype between LLNL and Sandia quickly garnered the attention of other laboratories and evolved into a much larger information-sharing framework. MBL originally aggregated malicious URLs and IPs into a single list. Today, MBL has expanded to include three lists that are also used to share MD5 hashes—cryptographic checksums for fingerprinting malicious files—and e-mail addresses or e-mail server IPs for sharing spear phishing details. Spear phishing is the preferred mechanism of skilled, persistent attackers.

MBL leverages a lightweight and agile custom threat-sharing protocol that was developed based on command-and-control techniques LLNL learned from its persistent adversaries. This protocol allows virtually any application to be easily modified to automatically share threat intelligence despite the disparate tools and sophisticated networks used throughout the DOE complex. While other sharing models within DOE use complicated XML schemas and structures, MBL’s success is largely attributed to its simplicity.

MBL continues to evolve, but its focus remains on providing a mechanism that enables threat data to be easily and automatically shared among DOE institutions. The number of DOE laboratories and plants sharing data is growing, and other government agencies have also expressed interest in participating in the framework. Recently, MBL was implemented to allow LLNL to share cyber threat information with private industry partners participating in the Bay Area Advanced Persistent Threat Special Interest Group.

For more information, contact Matthew Myrick.

Relevant links

Lab technology tapped as one of most important cyber security innovations