ThreatSTOP is a cloud-based automated threat intelligence platform that converts threat intelligence data into enforcement policies. ThreatSTOP leverages the company’s comprehensive and authoritative database of IP addresses, domains and the network infrastructure used in cyberattacks to develop best-in-class threat intelligence.
The ThreatSTOP-Bandura integration enables mutual customers to easily bring threat intelligence and enforcement policies from the ThreatSTOP platform into the Bandura platform. The ThreatSTOP plugin enables the simple and automated creation of IP and domain-based block lists based on ThreatSTOP threat intel and enforcement policies. The integration lets mutual customers use the Bandura platform to detect and block IP and domain-based threats using threat intelligence at a scale that far exceeds the capabilities of existing network security controls.
To leverage the Bandura platform to detect and block IP and domain-based threats, you can create and enable IPv4 or Domain Denied or Allowed Lists based on policies created with ThreatSTOP.
When creating a policy with ThreatSTOP, you will need to ensure the policy is enabled under “SIEM Integration Settings”. You will also want to ensure “All IoCs in single file” is chosen as the IoC format and note the IoC Type selected (IPs only, Domains only, or All IoCs).
After creating the policy with ThreatSTOP, you will need to navigate to the “SIEM Integration” page on ThreatSTOP. In the “Flat file format (CSV)” block, confirm that the feature is shown as enabled. Make sure to note the Username shown (which should be the same as your ThreatSTOP Org ID). Under “Threatlist Settings”, Standard should be selected as the Threatlist Format.
Finally, you will need to create an SSH Key (using either RSA or OpenSSH). The Public SSH Key must be uploaded in the “Flat file format (CSV)” block. The Private SSH Key will be entered later when setting up a Denied or Allowed list in Bandura.
After a policy has been created and configurations are set with ThreatSTOP, you can then create your Denied or Allowed lists in Bandura. In order to create a list, you will need the following information:
- User Name - As mentioned above, this is found in the “Flat file format (CSV)” block on the “SIEM Integration” page on ThreatSTOP.
- SSH Key - This is your Private SSH Key that pairs with your Public SSH Key that you uploaded with ThreatSTOP.
- SSH Passphrase - If the SSH Key you created is encrypted (highly recommended), the password that accompanies the SSH Private Key is required.
- Policy - The exact name of the Policy to be used in the creation of the list.
- Indicator of Compromise - The IoC Type as established for the Policy in ThreatSTOP.
To create a list, log into the Bandura console and select either Denied or Allowed from the left menu, then choose either IPv4 or Domain. Click the green plus icon in the top right corner. In the Create Denied or Allowed List modal that opens, choose “ThreatSTOP [IPv4 or Domain] Denied List” as the Type. Give your list a name (required) and add a description if you wish (optional). Our recommended Interval in Minutes is 60; this represents how often we will check for updates to the ThreatSTOP policy list.
To complete the setup of your list, you’ll need to reference those fields mentioned above. Please note that each of these fields is case sensitive and must match the values in ThreatSTOP exactly. For the SSH Key field, you will need to enter the Private SSH Key exactly as it was created, including any leading and trailing lines (such as “-----BEGIN OPENSSH PRIVATE KEY-----”, “-----END RSA PRIVATE KEY-----”, etc.).
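As an added pre-flight check (example code, not from ThreatSTOP or Bandura), the script below validates the private key text before it is pasted into the SSH Key field: it confirms the BEGIN/END lines are present and match, works out whether the key is passphrase-protected (from the cipher name in an OpenSSH-format key, or the Proc-Type header in a PEM RSA key), and flags a missing SSH Passphrase or an unencrypted key. The sample keys are constructed header-only stubs for testing the checks, not real keys.

```python
import base64
import re
import struct
def _constructed_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample, not a real key: just the openssh-key-v1 header fields
    (magic, length-prefixed cipher and KDF names) that mark a key as encrypted."""
    raw = b"openssh-key-v1\x00" + b"".join(struct.pack(">I", len(s)) + s for s in (cipher, kdf))
    b64 = base64.b64encode(raw + b"\x00" * 8).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

ENCRYPTED_OPENSSH = _constructed_openssh_key(b"aes256-ctr", b"bcrypt")
PLAINTEXT_OPENSSH = _constructed_openssh_key(b"none", b"none")
# Constructed PEM sample: an encrypted RSA key carries Proc-Type/DEK-Info header lines.
ENCRYPTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n"
                 "-----END RSA PRIVATE KEY-----\n")
def _openssh_cipher(payload_lines):
    """Cipher name from an openssh-key-v1 body ('none' = plaintext), None if unparsable."""
    try:
        raw = base64.b64decode("".join(payload_lines))
        if not raw.startswith(b"openssh-key-v1\x00"):
            return None
        (n,) = struct.unpack(">I", raw[15:19])   # magic is 15 bytes, then a length-prefixed string
        return raw[19:19 + n].decode()
    except (ValueError, struct.error):
        return None

def check_private_key_text(text: str, passphrase: str = "") -> dict:
    """Pre-flight check for the text pasted into Bandura's SSH Key field: BEGIN/END
    lines present and matching, and a passphrase supplied when the key is encrypted."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    m = re.fullmatch(r"-----BEGIN (.+) PRIVATE KEY-----", lines[0]) if lines else None
    if m is None:
        return {"kind": None, "encrypted": None, "problems": ["missing BEGIN ... PRIVATE KEY line"]}
    kind, problems = m.group(1), []
    if lines[-1] == f"-----END {kind} PRIVATE KEY-----":
        body = lines[1:-1]
    else:
        problems.append(f"missing or mismatched END {kind} PRIVATE KEY line")
        body = lines[1:]
    if kind == "OPENSSH":
        encrypted = _openssh_cipher([ln for ln in body if ln]) not in (None, "none")
    else:
        encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in body)
    if encrypted and not passphrase:
        problems.append("key is encrypted but no SSH Passphrase was supplied")
    elif not encrypted:
        problems.append("key is not passphrase-protected; an encrypted key is recommended")
    return {"kind": kind, "encrypted": encrypted, "problems": problems}
```

Run `check_private_key_text(open("id_key").read(), passphrase)` on your real key file before pasting; an empty `problems` list means the text and passphrase are consistent with what the Bandura modal expects.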
After you have filled out the left side of the modal, click on “Create” to add your new list. You will see the newly created entry on your list. Please note that it may take 10-15 minutes to begin pulling the indicators from ThreatSTOP. Also, for newly created ThreatSTOP policies, the file pulled from ThreatSTOP can take up to 2 hours to be created and become available for Bandura to pull.
If you have any questions or need assistance in setting up ThreatSTOP Denied or Allowed Lists, please contact the Bandura Support team at firstname.lastname@example.org or by calling +1-855-765-4925.