This document focuses exclusively on Bandura Cyber’s default out-of-the-box threat lists, denied lists and allowed lists that are available to our customers. The available lists are dependent on the type of subscription (Standard or Enterprise). Additionally, some lists are available only to customers with appropriate authorization, such as some of the government-sourced information.
Bandura Cyber also supplies out-of-the-box plug-ins for configuring other, non-default third-party feeds (such as Anomali, GRF, Recorded Future, Symantec, ThreatConnect, AlienVault, IntSights, H-ISAC, E-ISAC, FS-ISAC, and more) and/or customer-specific feeds of interest via standards-based plug-ins, such as simple IP lists or the STIX/TAXII protocols. The configuration and use of these and other plug-ins are beyond the scope of this intentionally short document; the reader is referred to the Bandura Cyber Global Management Center (GMC) and Bandura Cyber ThreatBlockr User Manuals for detailed information about the plug-in architecture.
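To make the two standards-based feed formats mentioned above concrete, here is an added Python example (not Bandura Cyber's plug-in code) that normalizes a simple IP list and a STIX 2.1 bundle into one set of networks. Both feeds are constructed samples built from documentation address ranges; the reserved-range filter and the minimum prefix length are assumptions chosen for the example, not behaviour the page attributes to the product.

```python
"""Normalize two standards-based feed formats into one indicator set.

Added illustration for this page, not Bandura Cyber plug-in code. Both feeds
below are constructed samples built from documentation address ranges.
"""
import ipaddress
import json
import re

# Constructed "simple IP list": one address or CIDR per line, '#' comments
# allowed, with a few deliberately bad entries a plug-in must not accept.
SIMPLE_IP_FEED = """\
# constructed sample feed
198.51.100.7
203.0.113.0/24
2001:db8::1
10.0.0.5          # RFC 1918 space: blocking it would break the LAN
0.0.0.0/0         # catch-all: would black-hole everything
not-an-ip
198.51.100.7      # duplicate of line 2
"""

# Constructed STIX 2.1 bundle; only ipv4-addr/ipv6-addr patterns matter to an
# IP denied list, so the domain-name indicator is skipped.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[ipv4-addr:value = '192.0.2.44']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[ipv4-addr:value = '203.0.113.9' OR ipv6-addr:value = '2001:db8::2']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern": "[domain-name:value = 'example.invalid']"},
    ],
})

_STIX_IP_RE = re.compile(r"ipv[46]-addr:value\s*=\s*'([^']+)'")
# Assumptions for this example: refuse prefixes wider than these, and refuse
# anything overlapping private, loopback, link-local or multicast space.
_MIN_PREFIX = {4: 16, 6: 32}
_RESERVED = [ipaddress.ip_network(c) for c in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]


def to_network(text):
    """Return an ip_network for a routable, sensibly sized entry, else None."""
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None
    if net.prefixlen < _MIN_PREFIX[net.version]:
        return None
    if any(net.overlaps(r) for r in _RESERVED if r.version == net.version):
        return None
    return net


def parse_simple_ip_list(text):
    """Return (set of accepted networks, list of rejected entries in feed order)."""
    accepted, rejected = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        net = to_network(entry)
        if net is None:
            rejected.append(entry)
        else:
            accepted.add(net)
    return accepted, rejected


def parse_stix_bundle(text):
    """Pull IP literals out of STIX indicator patterns; same return shape as above."""
    accepted, rejected = set(), []
    for obj in json.loads(text).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for literal in _STIX_IP_RE.findall(obj.get("pattern", "")):
            net = to_network(literal)
            if net is None:
                rejected.append(literal)
            else:
                accepted.add(net)
    return accepted, rejected


def merge_feeds(*feeds):
    """Union of parsed feeds with nested and adjacent prefixes collapsed."""
    nets = [n for feed in feeds for n in feed]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def is_listed(networks, ip):
    """True if the address falls inside any network of the merged list."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in networks)


if __name__ == "__main__":
    simple_ok, simple_bad = parse_simple_ip_list(SIMPLE_IP_FEED)
    stix_ok, stix_bad = parse_stix_bundle(STIX_BUNDLE)
    print("rejected:", simple_bad + stix_bad)
    print("merged:", [str(n) for n in merge_feeds(simple_ok, stix_ok)])
```

The reject path is the part worth keeping when adapting this: a denied-list plug-in that trusts its feed will happily install a 0.0.0.0/0 or an RFC 1918 prefix, and the resulting outage looks like a device failure rather than a bad feed line.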
Threat Lists
Proofpoint | Proofpoint is a world-class threat intelligence provider. This feed routinely contains 20,000 to 50,000 well-vetted indicators of compromise (IOCs) across a wide range of threat categories, each tagged with a confidence factor (risk threshold). Only customers paying for our Enterprise/Premium subscription service have access to this feed. For more information about Proofpoint’s service, see https://www.proofpoint.com/us/products/et-intelligence
Webroot | Webroot is a world-class threat intelligence provider. They offer an entire platform, a critical piece of which is the Webroot BrightCloud URL Classification and Reputation Service, which includes millions of well-vetted IOCs. Under our agreements with Webroot, all of our customers (including standard subscription customers) receive access to Webroot’s threat intelligence through our GMC platform across a wide range of threat categories, each tagged with a confidence factor (risk threshold). For more details on Webroot’s services, see https://www.webroot.com/us/en/business/threat-intelligence/internet/web-classification-and-reputation-services
Threat Categories
Category | Description | Examples
Command and Control | Command and control servers | CnC servers for botnets such as Conficker, Kelihos, etc.
Botnets | Known infected bots | Hosts belonging to botnets such as Conficker, Kelihos, etc.
Spam | Known spam sources | Servers sending spam, tunneling spam through proxies, forum spam
Scanners | Hosts performing scanning or brute force attempts | Probes, port scans, brute force attempts
Endpoint Exploits | Hosts distributing malware capable of exploiting endpoint systems | Shellcode, rootkits, worms, or viruses
Web Exploits | Hosts attempting to exploit web vulnerabilities | Cross-site scripting, iFrame injection, SQL injection, etc.
Drop Sites | Drop sites for logs or stolen credentials |
Proxy/VPN | Hosts providing proxy or VPN services | Public anonymous proxy or VPN services
DDOS | Hosts participating in DDoS attacks |
Compromised | Known compromised or hostile hosts | Hosts that are compromised and usually serving malicious content, such as web shells, but that aren’t part of any particular botnet
Fraudulent Activity | Hosts participating in fraudulent activity | Phishing sites, ad click fraud, gaming fraud, etc.
Illegal Activity | Hosts participating in illegal activity | Buying and selling of stolen information, credit cards, credentials, etc.
Undesirable Activity | Hosts participating in undesirable activities that are not illegal | Hosting hacking programs or other potentially malicious information
P2P Node | Hosts participating in a peer-to-peer network |
Online Gaming | Questionable online gaming sites | Online gaming sites such as Minecraft, Blizzard, etc.
Remote Access Servers | Servers providing remote access capabilities | Sites similar to GoToMyPC, LogMeIn, etc.
TOR/Anonymizers | Hosts participating in the Tor network or another anonymizing network | Tor nodes
Brute Force Password | IP addresses associated with password brute force activity |
Advanced Persistent Threats | IP addresses associated with known advanced persistent threat (APT) actors for command and control, data exfiltration, or targeted exploitation |
Threat List Category Mappings
Denied Lists - IP Indicators
AIG Recommended | This list was created by Bandura and AIG, and contains IP indicators provided by AIG that they recommend blocking. This list is only available to AIG CyberEdge customers.
Bandura Healthcare Ransomware | This list of IP indicators is curated from commercial and open source lists shared in response to the ransomware activity targeting the Healthcare and Public Health Sector. The list currently includes data shared by Mandiant (https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456), and will include additional sources as more become available.
Blocklist.de | This list is provided by a group based in Germany. They monitor their systems for attacks and then generate reports and lists based on what they observe. More information can be found on their website: https://blocklist.de/en/index.html
CINS Army List | This list of IPs comes from Collective Intelligence Network Security (CINS) and is a subset of their active threat intelligence. It consists of IPs that have a very negative score or have been flagged enough times. They currently cap the list at 15,000 entries. More information can be found at http://www.cinsscore.com/#list
DHS Information Sharing | This list comes from the Department of Homeland Security. The Cyber Information Sharing and Collaboration Program (CISCP) allows its members to share security threat information, which is then verified and aggregated to produce reliable intelligence. Only certain Bandura Cyber customers authorized by DHS are permitted access to this feed. More information can be found at https://www.dhs.gov/ciscp
ET Block IPs | This is an IP denied list compiled by Emerging Threats. There may be some overlap with other Emerging Threats feeds, but they are not identical. More information can be found at http://doc.emergingthreats.net/bin/view/Main/AllRulesets
ET Compromised IPs | This is an IP denied list from Emerging Threats that combines a number of sources into one. More information can be found at http://doc.emergingthreats.net/bin/view/Main/AllRulesets
Feodo | Feodo Tracker is a project of abuse.ch with the goal of sharing botnet C&C servers associated with the Feodo malware family (Dridex, Emotet/Heodo). It offers various blocklists, helping network owners protect their users from Dridex and Emotet/Heodo. More information can be found at https://feodotracker.abuse.ch/
OpenDBL Tor List | This list consists of IPs designated as Tor exit nodes. While the Tor network is not malicious in itself, bad actors can use it for malicious activity. Enable this list if you want to block connections to and from the Tor nodes on it. Learn more about The Onion Router at https://www.torproject.org/
SolarWinds Compromised IPs | This list of IPs is curated from commercial and open source lists shared in response to the SolarWinds Orion supply chain attacks. The list currently includes data shared by FireEye (https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv), and will include additional sources as more become available.
State of Missouri SOC | An IP denied list developed by the Missouri Security Operations Center (SOC). Entries are added as the SOC encounters incidents or new threats, and should be free of false positives. Only authorized customers can receive this feed. You can visit their site at https://cybersecurity.mo.gov
Talos IP RBL | Talos, the security intelligence division of Cisco, provides this IP denied list. They use their own infrastructure and networks to compile the list, which is updated every fifteen minutes. For more information about Talos, see https://talosintelligence.com/reputation_center/
US-CERT Healthcare Ransomware | This is a list of IP IOCs published by CISA, the FBI, and HHS in response to ransomware activity targeting the Healthcare and Public Health Sector.
Denied Lists - Special Situations
Zoom | Zoom is an extremely popular online video and audio collaboration tool. At Bandura Cyber, we make heavy use of it internally, as well as on our Support calls. However, there have been some disturbing reports in the media about the security of the Zoom platform. Some of our customers have expressed a desire to block Zoom communications in favor of other collaboration tools, at least until various Zoom security holes are plugged. Bandura Cyber does not make any recommendation as to whether a customer should block Zoom - that is completely up to them. We do provide the known list of Zoom service IPs so that customers who choose to block them can do so by selecting this list.
Denied Lists - Domain Indicators
Bandura Healthcare Ransomware | This is a list of domain IOCs curated from commercial and open source lists shared in response to the ransomware activity targeting the Healthcare and Public Health Sector. The list currently includes data shared by Mandiant (https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456), and will include additional sources as more become available.
COVID-19- DomainTools-70 |
COVID-19- DomainTools-99 |
DomainTools | DomainTools is the world leader in domain and DNS intelligence, offering accurate, timely, and comprehensive threat intelligence information for over 95% of currently registered domains. It is routine to see 10 million to 20 million active DNS indicators of compromise (IOCs) on the DomainTools denied list. Only customers paying for our Enterprise/Premium subscription service have access to this feed. For more information about DomainTools, see https://www.domaintools.com/solutions/threat-intelligence
SolarWinds Compromised Domains | This list of domains is curated from commercial and open source lists shared in response to the SolarWinds Orion supply chain attacks. The list currently includes data shared by FireEye (https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv), and will include additional sources as more become available.
US-CERT Healthcare Ransomware | This is a list of domain IOCs published by CISA, the FBI, and HHS in response to ransomware activity targeting the Healthcare and Public Health Sector.
Allowed Lists
Apple |
Bandura Cyber Curated DNS | We provide this list to all of our customers. It contains the known IP addresses of the major commonly-used DNS providers, specifically Cloudflare, Google, and OpenDNS. Generally, we recommend that customers always allow these services, unless they have a specific reason not to (for example, if they instead require their employees to use alternative DNS services).
Bandura Cyber SaaS | We provide this list to all of our customers. When enabled, this list ensures that a customer doesn’t accidentally block access to our Bandura Cyber GMC cloud-based software-as-a-service, which is instrumental to the proper and timely operation of our Bandura Cyber ThreatBlockr devices and our Customer Support infrastructure.
DocuSign |
GitHub | GitHub publishes a public-facing feed of all of its known IP addresses, and we make it available to customers who want to allow all GitHub services. We provide it because GitHub addresses are reported as malicious at a high rate across the variety of third-party threat intelligence we ingest. This causes problems for customers who are heavily reliant on GitHub and consider some of those reports to be false positives. Bandura Cyber takes no position on the validity of those false positive claims (and in many cases we feel it is dangerous to allow all GitHub addresses, since some of them can indeed serve malicious content on occasion), but enabling or disabling this curated allowed list lets each customer decide what makes the most sense for their business alongside their security needs.
MailChimp |
Microsoft | Microsoft’s software and services are critical to many businesses. Many of Microsoft’s services now run in the cloud and can be load balanced across servers in multiple datacenters, potentially all over the world. On rare occasions this causes complications: a valid Microsoft IP address may be misidentified by one of our threat intelligence partners or by an open source feed used for denied list management, or it may show up as belonging to a country you have decided to block. Microsoft is well aware of this problem and makes a concerted effort to publish the known-good IP address ranges that host its services. Bandura Cyber pulls this public information from Microsoft and uses it to craft curated allowed lists for Microsoft services, grouped into four service areas: Common, Exchange, SharePoint, and Skype. If your company uses one or more of these services and wants to ensure they are always reachable and never blocked, you can do so with just a few mouse clicks in our GMC, by creating the list from our built-in Microsoft Plugin and then enabling it in your policies of interest.
Pingdom | Pingdom is a subsidiary of SolarWinds. Pingdom has servers and sensors located in several countries that measure the latency of the websites it monitors. It can report whether a website is down due to network splits or DNS server failures. Pingdom works by regularly pinging websites to check whether each site is accessible to users; when a site fails, the software keeps pinging it at a higher rate until it determines that the site is operational again. Users receive notifications of any downtime as soon as it occurs and again when it ends. Because of the nature of this activity (continuous probing from many sensor locations), Pingdom sensors are occasionally classified as threats by threat list or denied list providers. Pingdom recognizes this and publishes a continuously updated list of its known sensor IPs so that those sensors can be allowed as customer needs dictate. Bandura Cyber provides an automatically curated allowed list of these Pingdom-supplied IP addresses that customers can choose to enable.
SurveyMonkey |
Zoom | Zoom is an extremely popular online video and audio collaboration tool. At Bandura Cyber, we make heavy use of it internally, as well as on many of our Support calls. However, there have been some disturbing reports in the media about the security of the Zoom platform. Some of our customers have expressed a desire to block Zoom communications in favor of other collaboration tools, at least until various Zoom security holes are plugged, and for that purpose we provide the Zoom denied list described above. We also provide this allowed list option, so that customers for whom Zoom is a business-critical tool can make sure its services are never blocked. Note that Bandura Cyber does not make any recommendation as to whether a customer should block or allow Zoom - that is completely up to them. We proudly provide our customers with the means to do both.
List Behavior Differences Between Legacy TIG OS and ThreatBlockr 2.0
This section provides an overview of the differences between legacy TIG OS software and ThreatBlockr 2.0 software with respect to allowed lists, denied lists, and exception lists.
Legacy Device (TIG OS) Software
Allowed lists - Legacy software receives all of the associated company’s allowed list IPs. A legacy resource group either uses all the IPs or none of the IPs. Lists cannot be enabled/disabled per resource group/policy. Legacy exception lists are the recommended way of allowing certain IPs/networks for specific resource groups.
Denied lists - Legacy software receives all of the associated Bandura Cyber, MSP (if applicable) and company attributable denied list detail. The denied lists are enabled/disabled globally, not per-policy. A resource group can be configured to either use all the enabled denied lists or none of the denied lists.
Exception lists - Legacy exception lists are the recommended way of blocking certain IPs/networks for specific resource groups.
ThreatBlockr 2.0 Software
Allowed lists - All allowed lists are synced to the device and can be enabled/disabled on a per resource group/policy basis.
Denied lists - All denied lists are synced to the device and can be enabled/disabled on a per resource group/policy basis.
Exception lists - The concept of exception lists is no longer used in ThreatBlockr 2.0. All of the functionality that was provided by exception lists in legacy devices can now be performed much more simply and effectively via ThreatBlockr 2.0’s comprehensive implementation of per resource group/policy schemes for both allowed lists and denied lists.
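The per-policy model above, together with the category and confidence factors described under Threat Lists and the allowed-list trade-off noted for the GitHub and Microsoft lists, can be worked through in code. This is an added Python illustration, not ThreatBlockr's implementation: indicators carry a category from the threat category table and a 0-100 confidence score, each policy (resource group) enables its own allowed and denied lists and can set a per-category confidence floor, and allowed lists take precedence over denied lists. All list names, addresses and confidence values are constructed.

```python
"""Per-resource-group policy evaluation over allowed lists and denied lists.

Added illustration for this page. The data model (categorized indicators with
a 0-100 confidence score, allowed lists overriding denied lists, per-policy
list enablement and per-category confidence floors) is an assumption made
for the example, not Bandura Cyber's implementation.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import NamedTuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Indicator(NamedTuple):
    network: Network
    category: str      # a threat category from the table above
    confidence: int    # 0-100; higher means the feed is surer it is malicious


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


# Constructed denied lists (documentation address ranges, not real threat data).
DENIED_LISTS = {
    "ThreatFeedA": [
        Indicator(_net("203.0.113.5"), "Command and Control", 95),
        Indicator(_net("198.51.100.0/24"), "Scanners", 40),
        # Sits inside the constructed "GitHubRanges" allowed list below.
        Indicator(_net("192.0.2.77"), "Endpoint Exploits", 85),
    ],
    "TorExitNodes": [
        Indicator(_net("198.51.100.200"), "TOR/Anonymizers", 100),
    ],
}

# Constructed allowed lists; in practice these come from vendor-published ranges.
ALLOWED_LISTS = {
    "GitHubRanges": [_net("192.0.2.64/26")],
    "CuratedDNS": [_net("203.0.113.53/32")],
}


@dataclass
class Policy:
    """Lists enabled for one resource group, plus per-category confidence floors."""
    name: str
    denied_lists: frozenset
    allowed_lists: frozenset
    min_confidence: dict = field(default_factory=dict)
    default_min_confidence: int = 50


def evaluate(policy, ip):
    """Return ("allow" | "block" | "pass", reason) for one address under one policy."""
    addr = ipaddress.ip_address(ip)
    # Allowed lists win outright, so a hit here hides any denied-list match.
    for name in sorted(policy.allowed_lists):
        for net in ALLOWED_LISTS.get(name, []):
            if addr in net:
                return "allow", f"allowed list {name} ({net})"
    for name in sorted(policy.denied_lists):
        for ind in DENIED_LISTS.get(name, []):
            if addr not in ind.network:
                continue
            floor = policy.min_confidence.get(ind.category, policy.default_min_confidence)
            if ind.confidence >= floor:
                return "block", f"{name}: {ind.category} confidence {ind.confidence} >= {floor}"
    return "pass", "no enabled list matched"


def shadowed_indicators(policy):
    """Denied-list entries an enabled allowed list overrides.

    Review this before enabling a broad vendor allowed list: each row is a
    threat-feed hit the policy will never block.
    """
    rows = []
    for dname in sorted(policy.denied_lists):
        for ind in DENIED_LISTS.get(dname, []):
            for aname in sorted(policy.allowed_lists):
                for net in ALLOWED_LISTS.get(aname, []):
                    if ind.network.version == net.version and ind.network.overlaps(net):
                        rows.append((dname, str(ind.network), ind.category, aname))
    return rows


# Two resource groups sharing the same denied lists but different allowed lists
# and a different floor for the noisy Scanners category.
DEVELOPERS = Policy("developers", frozenset(DENIED_LISTS), frozenset(ALLOWED_LISTS))
SERVERS = Policy("servers", frozenset(DENIED_LISTS), frozenset({"CuratedDNS"}),
                 min_confidence={"Scanners": 30})

if __name__ == "__main__":
    for pol in (DEVELOPERS, SERVERS):
        for ip in ("192.0.2.77", "198.51.100.9", "198.51.100.200", "203.0.113.53"):
            print(pol.name, ip, *evaluate(pol, ip))
        print(pol.name, "shadowed:", shadowed_indicators(pol))
```

The `shadowed_indicators` report is the practical takeaway from the GitHub and Microsoft entries: the moment a vendor-wide allowed list is enabled in a policy, every denied-list indicator inside those ranges stops mattering for that policy, and nothing in the block/allow decision itself tells you so.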