BloxOne Threat Defense Cloud provides predefined threat intelligence feeds based on your subscription. The BloxOne Threat Defense Business On-Premises and BloxOne Threat Defense Business Cloud subscriptions offer a few more feeds than the BloxOne Threat Defense Essentials subscription, and the BloxOne Threat Defense Advanced subscription offers a few more feeds than the Business On-Premises and Business Cloud subscriptions. To view the threat feeds and Threat Insight information associated with a security policy, see Viewing Feeds and Threat Insight Associated with a Security Policy.

Supported Threat Intelligence Feeds

The following is a list of all supported threat intelligence feeds and their descriptions. The Threat Feeds page displays only the supported feeds that your subscription offers.

Enables protection against known malicious hostname threats that can take action on or control of your system, such as Malware Command & Control, Malware Download, and active Phishing sites.

Enables protection against known malicious or compromised IP addresses. These are known to host threats that can take action on or control of your system, such as Malware Command & Control, Malware Download, and active Phishing sites.

Base

Enables protection against known hostnames that are dangerous as destinations, such as APT, Bot, Compromised Host/Domains, Exploit Kits, Malicious Name Servers, and Sinkholes.

BloxOne Threat Defense Cloud Hits

"BloxOne Threat Defense Cloud Hits" is a custom RPZ feed which contains blocked or redirected domains by Infoblox's threat intelligence feeds in the cloud.

Bogons are commonly found as the source addresses of DDoS attacks. “Bogon” is an informal name for an IP packet on the public Internet that claims to come from an area of the IP address space that is reserved but not yet allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated Regional Internet Registry (RIR). These areas of unallocated address space are called “bogon space”. Many ISPs and end-user firewalls filter and block bogons because they have no legitimate use and are usually the result of accidental or malicious misconfiguration.

Enables protection against self-propagating malware designed to infect a host and connect back to a central server or servers that act as a command and control (C&C) center for an entire network of compromised devices, or “botnet.” With a botnet, attackers can launch broad-based, “remote-control,” flood-type attacks against their target(s). Bots can also log keystrokes, gather passwords, capture and analyze packets, gather financial information, launch DoS attacks, relay spam, and open back doors on the infected host.

Cryptocurrency

The use and mining of cryptocurrency is not inherently benign or malicious, nor is it used exclusively by threat actors or by general users. However, over the last several years it has been increasingly used for illegal and/or fraudulent activities such as human trafficking, black market sales and purchases, ransomware payments, and others. Cryptocurrency mining can impair system performance and expose end users and businesses to information theft, hijacking, and a plethora of other malware. This feed features indicators of activity that may indicate malicious or unauthorized use of resources, including: Coinhive-style miners that a site owner can embed in web pages to mine cryptocurrency with the visitor’s permission as an alternative to web banner advertising; cryptojacking, where malicious actors run in-browser mining without the victim’s consent; and cryptocurrency mining pools working together to mine cryptocurrency.

DHS_AIS_IP

The Department of Homeland Security’s (DHS) Automated Indicator Sharing (AIS) program enables the exchange of cyber threat indicators between the Federal Government and the private sector. AIS is a part of the Department of Homeland Security’s effort to create an ecosystem where as soon as a company or federal agency observes an attempted compromise, the indicator is shared with AIS program partners, including Infoblox. IP Indicators contained in this feed are not validated by DHS as the emphasis is on velocity and volume. Infoblox does not modify or verify the indicators. However, indicators from the AIS program are classified and normalized by Infoblox to ease consumption. Data included in this AIS_IP feed includes AIS data subject to the U.S. Department of Homeland Security Automated Indicator Sharing Terms of Use available at https://www.us-cert.gov/ais and must be handled in accordance with the Terms of Use. Prior to further distributing the AIS data, you may be required to sign and submit the Terms of Use. Please email ncciccustomerservice@hq.dhs.gov for additional information.

The Department of Homeland Security’s (DHS) Automated Indicator Sharing (AIS) program enables the exchange of cyber threat indicators between the Federal Government and the private sector. AIS is a part of the Department of Homeland Security’s effort to create an ecosystem where as soon as a company or federal agency observes an attempted compromise, the indicator is shared with AIS program partners, including Infoblox. Hostname indicators contained in this feed are not validated by DHS, as the emphasis is on velocity and volume. Infoblox does not modify or verify the indicators. However, indicators from the AIS program are classified and normalized by Infoblox to ease consumption. Data included in this feed includes AIS data subject to the U.S. Department of Homeland Security Automated Indicator Sharing Terms of Use available at https://www.us-cert.gov/ais and must be handled in accordance with the Terms of Use. Prior to further distributing the AIS data, you may be required to sign and submit the Terms of Use. Please email ncciccustomerservice@hq.dhs.gov for additional information.

EECN_IP

You may choose to block this feed based on company policy. It contains IPs assigned to China and to Eastern European countries that are not part of the European Union. Addresses in these countries are often found in cyber-attacks seeking intellectual property or other sensitive or classified data, or stealing credit card or financial information. Countries include Belarus, China, Moldova, the Russian Federation, Turkey, and Ukraine. This feed includes Geo IP data provided by MaxMind.

ETIQRisk

Provides actionable domain reputation entries that are scored based upon in-the-wild threat actor behavior observed directly by Proofpoint’s ET Labs. Built upon a proprietary process that leverages one of the world’s largest active malware exchanges, victim emulation at massive scale, original detection technology, and a global sensor network, Proofpoint ET Intelligence is updated in real time to provide organizations with actionable intelligence to combat today’s emerging threats.

ETIQRisk_IP

Provides actionable IP reputation entries that are scored based upon in-the-wild threat actor behavior observed directly by Proofpoint’s ET Labs. Built upon a proprietary process that leverages one of the world’s largest active malware exchanges, victim emulation at massive scale, original detection technology, and a global sensor network, Proofpoint ET Intelligence is updated in real time to provide organizations with actionable intelligence to combat today’s emerging threats.

Enables protection against distributable packs that contain malicious programs used to execute “drive-by download” attacks in order to infect users with malware. These exploit kits target vulnerabilities on users’ machines (usually unpatched versions of Java, Adobe Reader, Adobe Flash, Internet Explorer, …) to load malware onto the victim’s computer.

Ext_AntiMalware_IP

Suspicious/malicious as destinations: An extension of the AntiMalware IP feed that contains recently expired malware IPs with an extended time-to-live (TTL) applied. The extended TTL provides an extended reach of protection for the DNS FW, but may also increase the risk of false positives, as some of these malware IPs may no longer be active.

Ext_Base_AntiMalware

Suspicious/malicious as destinations: An extension of the Base and AntiMalware feeds that contains recently expired hostname indicators with an extended time-to-live (TTL) applied. The extended TTL provides an extended reach of protection for the DNS FW, but may also increase the risk of false positives, as some of these Base and AntiMalware domains and hosts may no longer be active.

Ext_ExploitKit_IP

Suspicious/malicious as destinations: An extension of the Exploit Kits feed that contains recently expired exploit kit IPs with an extended time-to-live (TTL) applied. The extended TTL provides an extended reach of protection for the DNS FW, but may also increase the risk of false positives, as some of these exploit kit IPs may no longer be active.

Ext_Ransomware

Suspicious/malicious as destinations: An extension of the Ransomware feed that contains recently expired ransomware indicators with an extended time-to-live (TTL) applied. The extended TTL provides an extended reach of protection for the DNS FW, but may also increase the risk of false positives, as some of the ransomware-related domains and hosts may no longer be active.

Ext_TOR_Exit_Node_IP

Suspicious/malicious as destinations: An extension of the Tor Exit Nodes feed that contains recently expired Tor exit nodes with an extended time-to-live (TTL) applied. The extended TTL provides an extended reach of protection for the DNS FW, but may also increase the risk of false positives, as some of these Tor exit node IPs may no longer be active.

FarsightNOD

Provides an incremental layer of defense to combat malware exfiltration, brand abuse, and spam-based attacks which originate or terminate at newly-launched domains.

Domain generation algorithms (DGAs) are algorithms seen in various malware families that periodically generate a large number of domain names to be used as rendezvous points with their command and control servers. Examples include Ramnit, Conficker, and Banjori.

Indicators contained in this feed appear on the watchlist from the National Cybersecurity & Communications Integration Center (NCCIC) and are not verified or validated by DHS or Infoblox. DHS’s NCCIC is a 24×7 cyber situational awareness, incident response, and management center that serves as the hub of information sharing activities among public and private sector partners to build awareness of vulnerabilities, incidents, and mitigations. Data included in this feed are subject to the U.S. Department of Homeland Security Automated Indicator Sharing Terms of Use available at https://www.us-cert.gov/ais and must be handled in accordance with the Terms of Use. Please email ncciccustomerservice@hq.dhs.gov for additional information. Hostname indicators contained in this feed have not been verified or validated and may contain false positives. While these indicators may be used to detect suspicious activity, Infoblox recommends caution due to the potential to cause a user or customer outage. We recommend running this feed in ‘logging’ mode prior to blocking to see what would have been blocked.

Public_DOH

The Public DOH feed provides a list of known public DNS services that tunnel their traffic over HTTP. This may be from a browser (such as Mozilla Firefox), a piece of malware, or a user attempting to bypass your organization's DNS policies. This feed contains “canary” domains. We recommend all organizations enable this blocking rule.

Public_DOH_IP

The Public DOH IP feed provides a list of known public DNS services that tunnel their traffic over HTTP. This may be from a browser (such as Mozilla Firefox), a piece of malware, or a user attempting to bypass your organization's DNS policies. This feed contains “canary” addresses. We recommend all organizations enable this blocking rule.

Enables protection against ransomware taking over your system. Ransomware encrypts files on your system and requires you to pay in order to get them decrypted. This feed prevents ransomware from contacting the servers it needs in order to encrypt your files.

Newly Observed Domains. The SURBL Fresh feed provides critical, accurate information on when new domains are placed into service. Security policy (block, quarantine, walled garden, etc.) can easily be applied to prevent resolution of new domains, based on the user’s defined policies. Based on data provided by our partner SURBL.

A blacklist of roughly 800k+ malicious domains, including up-to-date intelligence on active malware, phishing, botnet, and spam domains. Based on data provided by our partner SURBL.

SURBL_Multi_Lite

Designed to fit on appliances with limits on the number of threat intelligence entries that can be loaded, SURBL Multi Lite is a subset of the threat intelligence entries in the SURBL Multi threat feed. SURBL Multi Lite is narrowed down to concise, targeted threat intelligence focusing on only the most current and fully malicious sites. The combined set includes malware, phishing, and botnet activity.

Sanctions_IP

You may choose to block this feed based on company policy. It contains IPs assigned to countries sanctioned by the United States, as listed by the US Treasury Office of Foreign Assets Control (OFAC). The Treasury Department’s Office of Foreign Assets Control (OFAC) administers and enforces economic sanctions imposed by the United States against foreign countries. More information can be found on the “Sanctions Programs and Country Information” page here: https://www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx. This feed includes Geo IP data provided by MaxMind.

Spambot_DNSBL_IP

In DNSBL format, this feed contains the IPs of known spam servers. Enables protection against a computer or bot node that is part of a botnet seen sending spam. It can be used to help block incoming spam or potentially malicious emails from known spam sources by feeding it into your email platform or appliance. Please note that the Spambot_DNSBL_IP feed contains the same data as the Spambot_IP feed, but is formatted differently for RPZ zone file use.

Spambot_IP

Suspicious/malicious as sources: IPs of known spam servers. Enables protection against a computer or bot node that is part of a botnet seen sending spam. Listed IPs are also frequently found to have a poor or negative reputation. We recommend running this feed in ‘logging’ mode prior to blocking to see what would have been blocked. It can also be used to help block incoming spam or potentially malicious emails from known spam sources by feeding it into your email platform or appliance.
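As an added illustration (not Infoblox's feed format, and not the RPZ zone files BloxOne Threat Defense produces), the following shows why a hostname indicator and an IP indicator cannot share one record shape: a hostname becomes an RPZ QNAME trigger, an IP becomes an RPZ response-IP (rpz-ip) trigger with the prefix length and reversed octets, and the same IP published as a classic DNSBL entry is reversed under a list zone that a mail filter queries. The list zone spambot.example and the indicators are constructed sample values.

```python
import ipaddress

# Standard RPZ action: a CNAME to the root makes the resolver answer NXDOMAIN.
RPZ_NXDOMAIN = "CNAME ."

# Constructed sample indicators (RFC 5737 documentation ranges, not from any real feed).
SAMPLE_HOSTNAMES = ["spam-sender.example.", "C2.Example.net"]
SAMPLE_IPV4_PREFIXES = ["192.0.2.0/24", "198.51.100.7"]


def qname_trigger(hostname: str, action: str = RPZ_NXDOMAIN) -> str:
    """RPZ QNAME trigger: the owner name is the hostname itself, relative to the RPZ zone."""
    name = hostname.strip().rstrip(".").lower()
    if not name:
        raise ValueError("empty hostname indicator")
    return f"{name} {action}"


def rpz_ip_trigger(prefix: str, action: str = RPZ_NXDOMAIN) -> str:
    """RPZ response-IP trigger: <prefix length>.<octets reversed>.rpz-ip (IPv4 only here).

    strict=False lets a host address or an unaligned prefix be normalised to its network.
    """
    net = ipaddress.ip_network(prefix.strip(), strict=False)
    if net.version != 4:
        raise ValueError("IPv6 rpz-ip encoding is not handled in this example")
    reversed_octets = ".".join(str(net.network_address).split(".")[::-1])
    return f"{net.prefixlen}.{reversed_octets}.rpz-ip {action}"


def dnsbl_entry(ip: str, list_zone: str, verdict: str = "127.0.0.2") -> str:
    """Classic DNSBL listing: reversed octets under the list zone; the A record is the verdict."""
    addr = ipaddress.IPv4Address(ip.strip())
    reversed_octets = ".".join(str(addr).split(".")[::-1])
    return f"{reversed_octets}.{list_zone.rstrip('.')}. IN A {verdict}"


def render_rpz(hostnames, ipv4_prefixes):
    """Return the RPZ records for a mixed feed, hostname triggers first, then IP triggers."""
    return [qname_trigger(h) for h in hostnames] + [rpz_ip_trigger(p) for p in ipv4_prefixes]


if __name__ == "__main__":
    for record in render_rpz(SAMPLE_HOSTNAMES, SAMPLE_IPV4_PREFIXES):
        print(record)
    print(dnsbl_entry("198.51.100.7", "spambot.example"))
```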

Tor exit nodes are the gateways where encrypted Tor traffic reaches the Internet. This means an exit node can be used to monitor Tor traffic after it leaves the onion network. By design, tracing that traffic back through the Tor network to its source is difficult.

Viewing Feeds and Threat Insight Associated with a Security Policy

To view the feeds and Threat Insight associated with a security policy, do the following:

  1. From the Cloud Services Portal, click Policies > Security Policies.
  2. On the Security Policies page, go to the Default Global Policy panel on the right-hand side of the page. If the panel is not already open, click it to view the details on the panel.
  3. From within the Default Global Policy panel, click the Feeds and Threat Insight section to expand it.
  4. Under Feeds and Threat Insight, a list of the feeds and Threat Insight associated with the security policy is displayed.






