Default Lists Descriptions

Proofpoint

Proofpoint is a world-class threat intelligence provider. This feed routinely hovers in the 20,000 to 50,000 range consisting of well-vetted indicators of compromise (IOCs) across a wide range of threat categories, to include associated risk thresholds (confidence factors). Only customers paying for our Enterprise/Premium subscription service have access to this feed. For more information about Proofpoint’s service, see https://www.proofpoint.com/us/products/et-intelligence 

Webroot

Webroot is a world-class threat intelligence provider. They offer an entire platform, and a critical piece of that platform is the Webroot BrightCloud URL Classification and Reputation Service, which includes millions of well-vetted IOCs. Under our agreements with Webroot, all of our customers (even our standard subscription customers) receive access to Webroot’s threat intelligence through our GMC platform across a wide range of threat categories, to include associated risk thresholds (confidence factors). For more details on Webroot’s services, see https://www.webroot.com/us/en/business/threat-intelligence/internet/web-classification-and-reputation-services 

Category

Description

Examples

Command and Control

Command and Control Servers

CnC servers for botnets such as Conficker, Kelihos, etc.

Botnets

Known infected bots

Hosts belonging to botnets such as Conficker, Kelihos, etc.

Spam

Known spam sources

Servers sending spam, tunneling spam through proxies, forum spam

Scanners

Hosts performing scanning or brute force attempts

Probes, port scans, brute force attempts

Endpoint Exploits

Hosts distributing malware capable of exploiting endpoint systems

Shellcode, rootkits, worms, or viruses

Web Exploits

Hosts attempting to exploit web vulnerabilities

Cross site scripting, iFrame injection, SQL injection, etc.

Drop Sites

Drop sites for logs or stolen credentials

Proxy/VPN

Hosts providing proxy or VPN services

Public anonymous proxy or VPN services

DDOS

Hosts participating in DDOS attacks

Compromised

Known compromised or hostile hosts

Hosts that are compromised and usually serving malicious content, such as WebShells, but that aren’t part of any particular botnet

Fraudulent Activity

Hosts participating in fraudulent activity

Phishing sires, ad click fraud, gaming fraud, etc.

Illegal Activity

Hosts participating in illegal activity

Buying and selling of stolen information, credit cards, credentials, etc.

Undesirable Activity

Hosts participating in undesirable activities that are not illegal

Hosting hacking programs or other potentially malicious information

P2P Node

Hosts participating in a peer to peer network

Online Gaming

Questionable online gaming sites

Online gaming sites such as MInecraft, Blizzard, etc.

Remote Access Servers

Servers providing remote access capabilities

Sites similar to GoToMyPC, LogMeIn, etc.

TOR/Anonymizers

Hosts participating in a TOR or other anonymizing network

TOR nodes

Brute Force Password

IP addresses associated with password brute force activity

Advanced Persistent Threats

IP addresses associated with known advanced persistent threat (APT) actors for command and control, data exfiltration, or targeted exploitation

AIG Recommended

This list was created by Bandura and AIG, and contains IP indicators provided by AIG that they recommend blocking. This list is only available for AIG CyberEdge customers.

Bandura Healthcare Ransomware        

This list of IP indicators is curated from commercial and open source lists shared in response to the ransomware activity targeting the Healthcare and Public Health Sector. The list currently includes data shared by Mandiant (https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456), and will include additional sources as more become available.

Blocklist.de

This is a list provided by a group out of Germany. They monitor their systems for attacks and then generate reporting and lists based on what they see. More information can be found on their website: https://blocklist.de/en/index.html

CINS Army List

This list of IPs comes from Collective Intelligence Network Security (CINS) and is a subset of their active threat intelligence. It consists of IPs that have a very negative score or have been flagged enough times. They currently have the list capped at 15,000 entries. More information can be found at http://www.cinsscore.com/#list

DHS Information Sharing

This list comes from the Department of Homeland Security. The Cyber Information Sharing and Collaboration Program (CISCP) allows its members to share security threat information which is then verified and aggregated to produce reliable intelligence. Only certain Bandura Cyber customers authorized by DHS are permitted access to this feed. More information can be found at https://www.dhs.gov/ciscp

ET Block IPs

This is an IP denied list compiled by Emerging Threats. There may be some overlap with other Emerging Threats feeds, but they are not identical. More information can be found at http://doc.emergingthreats.net/bin/view/Main/AllRulesets 

ET Compromised IPs

This is an IP denied list from Emerging Threats that combines a number of sources into one. More information can be found at http://doc.emergingthreats.net/bin/view/Main/AllRulesets

Feodo

Feodo Tracker is a project of abuse.ch with the goal of sharing botnet C&C servers associated with the Feodo malware family (Dridex, Emotet/Heodo). It offers various blocklists, helping network owners to protect their users from Dridex and Emotet/Heodo. More information can be found at https://feodotracker.abuse.ch/ 

OpenDBL Tor List

This list consists of IPs designated as Tor exit nodes. While the Tor network is not malicious itself, bad actors can use it for malicious activities. Enable this list if you would like to dis-allow connections to and from the Tor nodes on this list. Learn more about The Onion Router at https://www.torproject.org/

SolarWinds Compromised IPs

This list of IPs is curated from commercial and open source lists shared in response to the SolarWinds Orion supply chain attacks. The list currently includes data shared by FireEye (https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv), and will include additional sources as more become available.

State of Missouri SOC

An IP denied list developed by the Missouri Security Operations Center (SOC). Entries are added as they come across incidents or new threats, and should be free of false positives. Only authorized customers are able to receive this feed. You can visit their site at https://cybersecurity.mo.gov 

Talos IP RBL

Talos, a security intelligence division of Cisco, provides this IP denied list. They utilize their infrastructure and networks to compromise and update the addresses available every fifteen minutes. For more information about Talos, see https://talosintelligence.com/reputation_center/ 

US-CERT Healthcare Ransomware        

This is a list of IP IOCs published by the CISA, FBI, and HHS in response to ransomware activity targeting the Healthcare and Public Health Sector.

https://us-cert.cisa.gov/ncas/alerts/aa20-302a 

Zoom

Zoom is an extremely popular online video and audio collaboration tool.  At Bandura Cyber, we make heavy use of it internally, as well as on our Support calls.  However, there have been some disturbing reports in the media about the security of the Zoom platform.  Some of our customers have expressed a desire to be able to block Zoom communications in favor of other collaboration tools, at least until various Zoom security holes can be plugged.  Bandura Cyber does not make any recommendation as to whether or not a customer should block Zoom - that is completely up them.  We do provide the known list of Zoom service IPs so that customers who do choose to block them can do so by selecting this list.

Bandura Healthcare Ransomware        

This is a list of Domain IOCs curated from commercial and open source lists shared in response to the ransomware activity targeting the Healthcare and Public Health Sector. The list currently includes data shared by Mandiant (https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456), and will include additional sources as more become available.

COVID-19- DomainTools-70

COVID-19- DomainTools-99

DomainTools

DomainTools is the world leader in domain and DNS intelligence, offering accurate, timely, and comprehensive threat intelligence information for over 95% of currently registered domains. It is routine to see 10 million to 20 million active DNS indicators of compromise (IOCs) on the DomainTools denied list. Only customers paying for our Enterprise/Premium subscription service have access to this feed. For more information about DomainTools, see https://www.domaintools.com/solutions/threat-intelligence 

SolarWinds Compromised Domains

This list of domains is curated from commercial and open source lists shared in response to the SolarWinds Orion supply chain attacks. The list currently includes data shared by FireEye (https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv), and will include additional sources as more become available.

US-CERT Healthcare Ransomware        

This is a list of Domain IOCs published by the CISA, FBI, and HHS in response to ransomware activity targeting the Healthcare and Public Health Sector.

https://us-cert.cisa.gov/ncas/alerts/aa20-302a 

Apple

Bandura Cyber Curated DNS

We provide this list to all of our customers. It contains the known IP addresses of the major commonly-used DNS providers, specifically Cloudflare, Google, and OpenDNS. Generally, we recommend that customers always allow these services, unless they have some specific reason not to (for example, if they instead force their employees to use alternative DNS services).

Bandura Cyber SaaS

We provide this list to all of our customers. When enabled, this list ensures that a customer doesn’t accidentally block access to our Bandura Cyber GMC cloud-based software-as-a-service, which is instrumental to the proper and timely operation of our Bandura Cyber ThreatBlockr devices and our Customer Support infrastructure.

DocuSign

GitHub

GitHub provides a public-facing feed of all of its known IP addresses, and we make this available to our customers, in case our customers want to allow all GitHub services. We provide this because we’ve found a high-number of malicious reporting rates relating to GitHub addresses curated from the variety of third party threat intelligence that we ingest. This causes problems for some of our customers who are heavily reliant on GitHub, and consider some of the information to be false positives. Bandura Cyber takes no position on the validity of those false positive claims (and in many cases we feel that it is dangerous to allow all GitHub addresses as some can indeed potentially serve malicious content on occasion), but this way our customers can decide what makes most sense for their businesses alongside their security needs, by choosing to enable or disable this curated allowed list as needs dictate.

Google

MailChimp

Microsoft

Microsoft’s software and services are of critical need to many businesses. Many of Microsoft’s services now run in the cloud, and can be load balanced across servers in multiple datacenters, potentially all over the world. On rare occasions, this can cause complications if a valid Microsoft IP address is misidentified by one of our threat intelligence partners or by an open source feed being used for denied list management, or if it shows up as belonging to a country that you’ve decided to block. Microsoft is well aware of this problem, and so they make a concerted effort to supply their known-good numeric IPs housing their services to the public. Bandura Cyber pulls this public information from Microsoft, and we use it to craft curated allowed lists for Microsoft services, which we group into four Microsoft service areas: Common, Exchange, SharePoint, and Skype. If your company uses one or more of these services and wants to ensure they are always enabled and never blocked, then you can do so with just a few mouse clicks in our GMC, by creating the list from our built-in Microsoft Plugin and then enabling it in your policies of interest.

Pingdom

Pingom is a subsidiary of SolarWinds. Pingdom has servers and sensors located in several countries used to measure the latency of the websites it monitors. It can report whether a website is down due to network splits or failure in DNS servers. Pingdom functions by regularly pinging websites to check whether the site is accessible to users. The software will continuously ping the website at higher rates until it determines that it is again operational. Users receive notifications of any downtime as soon as it occurs and again when it ends. Because of some of the types of activity undertaken by Pingdom’s services, occasionally Pingdom servers may be classified as threats by various threat list or denied list providers.  Pingdom recognizes this, and provides a public-facing always-updated list of their known sensor IPs so that those sensors can be easily allowed as customer needs dictate.  Bandura Cyber provides an automatically curated allowed list of these Pingdom-supplied IP addresses that users can choose to enable if they so choose.

SurveyMonkey

Zoom

Zoom is an extremely popular online video and audio collaboration tool.  At Bandura Cyber, we make heavy use of it internally, as well as on many of our Support calls.  However, there have been some disturbing reports in the media about the security of the Zoom platform.  Some of our customers have expressed a desire to be able to block Zoom communications in favor of other collaboration tools, at least until various Zoom security holes can be plugged, and in that regard we have implemented an allowed list option that customers can choose.  We have also enabled an allowed list option, to assist customers with allowing Zoom services to make sure they aren’t blocked (which is important when Zoom is a business critical tool for a given customer).  Note that Bandura Cyber does not make any recommendation as to whether or not a customer should block or allow Zoom - that is completely up to them.  We proudly provide our customers with the means to do both.