Skip to content

Home

Jump to bottom
Brandon Dixon edited this page Jan 10, 2017 · 2 revisions

Blockade's Analyst Toolbench attempts to simplify the process of uploading indicators to the Blockade cloud node. It does this by providing analysts with a set of tools that pre-screen, clean-up and cache indicators as they are sent out. All of these processes are abstracted away from the analyst and ensure that their only focus is being able to contribute indicators in a timely manner.

Indicator Storage

Indicators sent to Blockade are hashed using the MD5* algorithm prior to being sent to the cloud service. This means that the true value of the indicator is unlikely to be known by any of the other analysts or end-users who receive them. We did this for two reasons:

  1. Sharing the exact indicator value is not always possible due to security concerns. By hashing the indicator, the true value is never directly shared, yet the meaning is still retained.
  2. These indicators are stored locally inside of the browser for every Blockade user. A large factor in hashing is that we can achieve a unique, fixed-length key that may describe something of great length. Hashing saves storage and obfuscates the true indicator values.

* MD5 is cryptographically insecure, but was chosen due to local client storage size limitations inside of localstorage. A smaller key size means that we can ultimately fit a significantly larger set of indicators into the client.

Behind the Scenes

Based on indicators sent in from analysts, Blockade will block traffic to those websites for end-users. It's important that analysts volunteering their time avoid making mistakes. The analyst toolbench takes indicators passed in and performs a number of processes on them before sending them out. Specifically, the following takes place:

  1. Indicators are cleaned of all bad characters
  2. Indicators are stripped down to just the core hostname value
  3. Indicators are de-duplicated
  4. Indicators are checked against hundreds of thousands of popular websites (Alexa and Cisco) using the base domain
  5. Indicators that were previously been sent and written to the cloud node are removed

Once the indicators are processed, requests are generated and queued up for sending. A time delay is placed between each submission of indicators to ensure that everything is working properly and to not hit the rate limit of the cloud node.

Questions

Have any other questions about the toolbench or how Blockade works? Send us a message at [email protected].

Clone this wiki locally