In addition to the predefined threat intelligence feeds that your subscription offers, you can create custom lists (containing domains and IP addresses) to define whitelists and blacklists for additional protection. You can use a custom list to complement existing feeds or override the Block, Allow, Log, or Redirect action that is currently defined for an existing feed. When using your own threat intelligence feeds with BloxOne Threat Defense Cloud, whitelists and blacklists, you can apply your own security policies. Each custom list can contain as many as 50,000 records, and BloxOne Thread Defense Cloud supports up to 500,000 records across al customer lists.
You can add a custom list to multiple security policies or multiple custom lists to one security policy based on your business needs. When you assign multiple custom lists that contain the same domain name(s) but with different actions to the same security policy, BloxOne Threat Defense Cloud takes actions based on the following order:
- Allow (= Allow but no log)
- Log (= Allow and log)
BloxOne Threat Defense Cloud automatically creates the following default global policies. If you are concerned about DNS data exfiltration through DNS tunneling, DNSMessenger, Fast Flux, and DGA (including Dictionary DGA), you can add any or all of these policies to the security policy for a whitelist or backlist. Note that you cannot modify or delete these default policies.
- Threat Insight – Data Exfiltration: The default action for this policy is Log. This list helps minimize the risk of DNS data exfiltration that are brought upon your networks through DNS tunneling.
- Threat Insight – DNS Messenger: The default action for this policy is Log. This list helps minimize the risk of malicious activities that are brought upon your networks through the DNSMessenger malware, a Remote Access Trojan (RAT), that attackers use to conduct malicious Powershell commands on compromised devices.
- Threat Insight – Fast Flux: The default action for this policy is Log. This list helps minimize the risk of malicious activities that are brought upon your networks using the Fast Flux technique. Fast Flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind a network of compromised hosts acting as proxies. It can also be a combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery.
- Threat Insight – DGA: The default action for this policy is Log. This list helps minimize the risk of malicious activities that are brought upon your networks using the Domain Generation Algorithm (DGA). DGA is a scheme used by malwares for domain fluxing by generating variations of a given domain name. They can be used to create a large number of domain names used as rendezvous points with command and control servers, in an attempt to evade detection by signature filters, blacklists, reputation systems, security gateways, intrusion prevention systems, and other security methods.
Custom List Support for IPv6 Addresses
IPv6 addresses are supported in custom lists. IPv6 addresses can be added to a custom list in a similar manner as adding an IPv4 address, a fully qualified domain name (FQDN), or a CIDR. For information on creating custom lists, see Creating Custom Lists.
A custom list containing IPv6 addresses can be added to a security policy in the same manner as when adding other custom lists to a security policy. For information on adding a custom list to a security policy, see Creating Security Policies.
IPv6 addresses added to a custom list and then added to a security policy can be viewed in the Device IP column of the Security Events sub-report of the Security Activity report (Cloud Services Portal -> Reports -> Security Activity -> Security Events).
For more information on custom lists, see the following:
- Viewing Custom Lists
- Creating Custom Lists
- Editing Custom Lists
- Removing Custom Lists
- Importing Custom Lists
- Updating an Importing Custom List
- Viewing Custom List Details
- Customer-Defined Threat Level and Confidence Score for Custom and Threat Insight Lists
This page has no comments.