updated 27 October 2023
Except where otherwise noted, this document focuses on threatER’s default out-of-the-box threat lists, block lists and allow lists that are available to our customers.
threatER also supplies out-of-the-box plug-ins that can be used to configure other, non-default third-party feeds (such as Anomali, GRF, Recorded Future, Symantec, ThreatConnect, AlienVault, IntSights, H-ISAC, E-ISAC, FS-ISAC, and more) and/or customer-specific feeds of interest via standards-based plug-ins such as simple IP lists, CSVs, or the STIX/TAXII protocols. Many of these require licenses and/or API keys that the end customer provides, while others are available from our Marketplace.
More information on the configuration and use of these plug-ins can be found in the Creating IP Lists and Creating Domain Lists articles.
Threat Lists
Proofpoint | Proofpoint is a world-class threat intelligence provider. This feed routinely hovers in the 20,000 to 50,000 range and consists of well-vetted indicators of compromise (IOCs) across a wide range of threat categories, including associated risk thresholds (confidence factors). This feed can be added at extra cost via a Marketplace subscription. For more information about Proofpoint's service, see Proofpoint's website.
Webroot | Webroot is a world-class threat intelligence provider. They offer an entire platform, and a critical piece of that platform is the Webroot BrightCloud URL Classification and Reputation Service, which includes millions of well-vetted IOCs. Under our agreements with Webroot, all of our customers (including standard subscription customers) receive access to Webroot's threat intelligence through our platform across a wide range of threat categories, including associated risk thresholds (confidence factors). For more details on Webroot's services, see Webroot's website.
Threat Categories
Category | Description | Examples
Command and Control | Command and control servers | CnC servers for botnets such as Conficker, Kelihos, etc.
Botnets | Known infected bots | Hosts belonging to botnets such as Conficker, Kelihos, etc.
Spam | Known spam sources | Servers sending spam, tunneling spam through proxies, anomalous SMTP activity, and forum spam activity.
Scanners | Hosts performing scanning or brute force attempts | All reconnaissance such as probes, host scans, domain scans and password brute force.
Endpoint Exploits | Hosts distributing malware capable of exploiting endpoint systems | Shellcode, rootkits, worms, or viruses
Web Exploits | Hosts attempting to exploit web vulnerabilities | Cross-site scripting, iFrame injection, SQL injection, cross-domain injection or domain password brute force.
Drop Sites | Drop sites for logs or stolen credentials |
Proxy/VPN | Hosts providing proxy or VPN services | Public anonymous proxy or VPN services
DDOS | Hosts participating in DDOS attacks |
Compromised | Known compromised or hostile hosts | Hosts that are compromised and usually serving malicious content, such as WebShells, but that aren't part of any particular botnet
Fraudulent Activity | Hosts participating in fraudulent activity | Phishing sites, ad click fraud, gaming fraud, etc.
Illegal Activity | Hosts participating in illegal activity | Buying and selling of stolen information, credit cards, credentials, etc.
Undesirable Activity | Hosts participating in undesirable activities that are not illegal | Hosting hacking programs or other potentially malicious information
P2P Node | Hosts participating in a peer-to-peer network |
Online Gaming | Questionable online gaming sites |
Remote Access Servers | Servers providing remote access capabilities | Sites similar to GoToMyPC, LogMeIn, etc.
TOR/Anonymizers | Hosts participating in a TOR or other anonymizing network | TOR nodes
Brute Force Password | IP addresses associated with password brute force activity |
Advanced Persistent Threats | IP addresses associated with known advanced persistent threat (APT) actors for command and control, data exfiltration, or targeted exploitation |
Block Lists - IP Indicators
AIG Recommended | This list contains IP indicators provided by AIG that they recommend blocking. This list is only available to AIG CyberEdge customers.
Blocklist.de | This list is provided by a group based in Germany. They monitor their systems for attacks and then generate reports and lists based on what they see. More information can be found on their website.
CINS Army List | This list of IPs comes from Collective Intelligence Network Security (CINS) and is a subset of their active threat intelligence. It consists of IPs that have a very negative score or have been flagged enough times. They currently cap the list at 15,000 entries. More information can be found at http://www.cinsscore.com/#list
CISA Alert List | CISA provides timely information about malicious attacks. Whenever new CISA advisories are published that list known malicious IP indicators, threatER personnel check the accuracy of the data and, if viable (it generally is), the indicators are added to this list. https://us-cert.cisa.gov/ncas/alerts
Cloud Attackers | Cloud Attackers is threatER's own proprietary list of roughly 15,000 indicators of known threat actors actively attacking cloud infrastructure. This list is curated and updated with up-to-the-minute intelligence by threatER and is included in all Collect and Enforce subscriptions.
DHS Information Sharing | This list comes from the Department of Homeland Security. The Cyber Information Sharing and Collaboration Program (CISCP) allows its members to share security threat information, which is then verified and aggregated to produce reliable intelligence. Only threatER customers authorized by DHS are permitted access to this feed. More information can be found at https://www.dhs.gov/ciscp
DomainTools | DomainTools is the world leader in domain and DNS intelligence, offering accurate, timely, and comprehensive threat intelligence for over 95% of currently registered domains. They have recently started publishing a list of IP addresses mapped to known-bad domains, which is very useful for protective purposes in the era of encrypted DNS (DNS over HTTPS/TLS), where it is increasingly difficult, and in many cases impossible, to protect systems by inspecting DNS lookups alone. This list can be enabled from our Marketplace. For more information about DomainTools, see https://www.domaintools.com/solutions/threat-intelligence
ET Block IPs | This is an IP denied list compiled by Emerging Threats. There may be some overlap with other Emerging Threats feeds, but they are not identical. More information can be found at http://doc.emergingthreats.net/bin/view/Main/AllRulesets
ET Compromised IPs | This is an IP denied list from Emerging Threats that combines a number of sources into one. More information can be found at http://doc.emergingthreats.net/bin/view/Main/AllRulesets
Feodo | Feodo Tracker is a project of abuse.ch with the goal of sharing botnet C&C servers associated with the Feodo malware family (Dridex, Emotet/Heodo). It offers various blocklists, helping network owners protect their users from Dridex and Emotet/Heodo. More information can be found at https://feodotracker.abuse.ch/
OpenDBL Tor List | This list consists of IPs designated as Tor exit nodes, as aggregated by OpenDBL. While the Tor network is not malicious in itself, bad actors can use it for malicious activities. Enable this list if you would like to disallow connections to and from the Tor nodes on this list. Learn more about The Onion Router at https://www.torproject.org/
State of Missouri SOC | An IP denied list developed by the Missouri Security Operations Center (SOC). Entries are added as the SOC comes across incidents or new threats, and the list is intended to be free of false positives. Only authorized customers are able to receive this feed. You can visit their site at https://cybersecurity.mo.gov
Talos IP RBL | Talos, the threat intelligence division of Cisco, provides this IP block list. Talos compiles it from its own sensor infrastructure and networks and updates the published addresses every fifteen minutes. For more information about Talos, see https://talosintelligence.com/reputation_center/
Tor Project | This list consists of IPs designated as Tor exit nodes, taken from the Tor Project's own published exit list. While the Tor network is not malicious in itself, bad actors can use it for malicious activities. Enable this list if you would like to disallow connections to and from the Tor nodes on this list. Learn more about The Onion Router at https://www.torproject.org/
Block Lists - Special Situations
Zoom | Zoom is an extremely popular online video and audio collaboration tool. There have been some disturbing reports in the media about the security of the Zoom platform, and some of our customers have expressed a desire to block Zoom communications in favor of other collaboration tools, at least until the reported Zoom security issues are fixed. threatER does not make any recommendation as to whether or not a customer should block Zoom; that is completely up to them. We do provide the known list of Zoom service IPs so that customers who choose to block them can do so by selecting this list. As noted elsewhere in this document, we maintain an identical list that can be used to always allow Zoom traffic, if that is your preference.
Block Lists - Domain Indicators
CISA Alert List | CISA provides timely information about malicious attacks. Whenever new CISA advisories are published that list known malicious domain indicators, threatER personnel check the accuracy of the data and, if viable (it generally is), the indicators are added to this list. https://us-cert.cisa.gov/ncas/alerts
DomainTools | DomainTools is the world leader in domain and DNS intelligence, offering accurate, timely, and comprehensive threat intelligence for over 95% of currently registered domains. It is routine to see many millions of active DNS indicators of compromise (IOCs) on the DomainTools block list. This list can be enabled from our Marketplace. For more information about DomainTools, see https://www.domaintools.com/solutions/threat-intelligence
Allow Lists
threatER Curated DNS | We provide this list to all of our customers. It contains the known IP addresses of the major commonly-used public DNS resolvers, specifically Cloudflare, Google, and OpenDNS. Generally, we recommend that customers always allow these services, unless they have a specific reason not to (for example, if they instead require their employees to use an alternative DNS service).
threatER SaaS | We provide this list to all of our customers. When enabled, this list ensures that a customer doesn't accidentally block access to the threatER cloud-based software-as-a-service, including the support and security update servers. These servers are essential to the proper and timely operation of the threatER infrastructure.
Akamai | A popular CDN. Note that care should be exercised when blanket-allowing an entire CDN, as threat actors often park malware on CDNs.
Amazon Cloudfront | A popular CDN. Note that care should be exercised when blanket-allowing an entire CDN, as threat actors often park malware on CDNs.
Cisco Webex | A popular collaboration tool.
Cloudflare CDN | A popular CDN. Note that care should be exercised when blanket-allowing an entire CDN, as threat actors often park malware on CDNs.
DocuSign | Market leader in legal document management and signing.
Fastly | A popular CDN. The same caveat as for the other CDNs applies: blanket-allowing an entire CDN also allows any malware that threat actors park there.
GitHub | GitHub publishes a public-facing feed of all of its known IP addresses, and we make this available to our customers in case they want to allow all GitHub services. We provide it because GitHub addresses are reported as malicious at a high rate across the third-party threat intelligence we ingest. This causes problems for customers who rely heavily on GitHub and consider some of those reports to be false positives. threatER takes no position on the validity of those false-positive claims (in many cases we feel that allowing all GitHub addresses is dangerous, since some can indeed serve malicious content on occasion), but this way customers can decide what makes most sense for their business alongside their security needs by enabling or disabling this curated allow list as needs dictate.
Google | Home of the world's most popular search engine, and, amongst other things, a variety of common SaaS applications that many companies leverage.
MailChimp | A popular mail/marketing service.
Microsoft | Microsoft's software and services are critical to many businesses. Many of Microsoft's services now run in the cloud and can be load balanced across servers in multiple datacenters, potentially all over the world. On rare occasions, this causes complications: a valid Microsoft IP address may be misidentified by one of our threat intelligence partners or by an open source feed used for block list management, or it may show up as belonging to a country that you have decided to block. Microsoft is well aware of this problem and makes a concerted effort to publish the IP addresses housing its services. threatER pulls this public information from Microsoft and uses it to craft curated allow lists for Microsoft services, grouped into four Microsoft service areas: Common, Exchange, SharePoint, and Skype. If your company uses one or more of these services and wants to ensure they are always allowed and never blocked, you can do so with just a few mouse clicks in threatER by creating the list from our built-in Microsoft plug-in and then enabling it in your policies of interest.
Okta | A popular authentication platform.
Pingdom | Pingdom is a subsidiary of SolarWinds. Pingdom operates probe servers in several countries that measure the availability and latency of the websites it monitors, and it can report whether a site is down because of a network split or a DNS failure. Its probes continuously poll monitored sites, and poll faster once a site appears to be down, notifying users when downtime starts and when it ends. Because of this type of activity, Pingdom's servers are occasionally classified as threats by threat intelligence providers. Pingdom recognizes this and publishes an always-updated list of its probe IPs so that they can be allowed as customer needs dictate. threatER provides an automatically curated allow list of these Pingdom-supplied IP addresses that customers can choose to enable.
Qualys | A popular vulnerability scanning and compliance platform. Its scanners probe customer systems, which is the kind of activity that reconnaissance-based threat feeds flag, so its IPs can be worth allowing explicitly.
SurveyMonkey | A popular marketing/survey tool.
Windows Update | A list of known servers and services associated with the Microsoft Windows Update ecosystem. Note that this list is discovered on-the-fly, as unfortunately Microsoft has chosen not to publish the full set of official IPs for its Windows Update service. This means that the list may not be 100% accurate.
Zoom | Zoom is an extremely popular online video and audio collaboration tool. threatER provides an allow list option for known Zoom servers as published by Zoom, to help customers ensure Zoom services are not blocked (which is important when Zoom is a business-critical tool for a given customer). Note that threatER does not make any recommendation as to whether or not a customer should block or allow Zoom; that is completely up to them. We proudly provide our customers with the means to do both: just as we have provided an allow list that can be configured, we also have the same IPs in a block list that customers can use if their corporate policies require that Zoom be blocked.