...

Default Custom Lists

  • Default Allow: The default allow list is added to the Default Global Policy with the "Allow - No Log" action, which allows matching queries without logging them. You can change the configuration to any Allow-related action, such as "Allow - With Log"; all types of allow-related actions can be used with the default allow list. Organizations can change the default order of the allow list and can also edit the list of domains, IP addresses, and tags on the custom allow list.
  • Default Block: The default block list is added to the Default Global Policy with the "Block - No Redirect" action, which blocks matching queries with logging. You can change the configuration to any Block-related action, such as Block - No Redirect, Block - Default Redirect, or Block - Custom Redirect; all types of block-related actions can be used with the default block list. Organizations can change the default order of the block list and can also edit the list of domains, IP addresses, and tags on the custom block list.

You can add a custom list to multiple security policies, or multiple custom lists to one security policy, based on your business needs. When you assign multiple custom lists that contain the same domain name(s) with different actions to the same security policy, BloxOne Threat Defense Cloud takes action based on the following order:

...

  • Threat Insight – Data Exfiltration: The default action for this policy is Log. This list helps minimize the risk of DNS data exfiltration carried out against your networks through DNS tunneling.
  • Threat Insight – Notional Data Exfiltration: This list is part of the default feed and is listed below Threat Insight - Data Exfiltration. (For existing customers, so that they are aware of and can take advantage of this new Threat Insight, it is automatically enabled and displayed below Threat Insight - Data Exfiltration if that list is already enabled in an existing policy.) This list includes low-confidence DNS tunnel detections. The default action for this policy is Allow with Log. Ideally, only high-confidence DNS tunnel detections, which are listed in the existing Threat Insight - Data Exfiltration list, should be of interest and blocked. However, there are cases where you may want to be informed of even lower-confidence tunnels in your network, and this Notional Data Exfiltration Threat Insight list addresses those cases. These are only suggestions of tunnel activity (hence "Notional") and are not confident enough to be added to the original Threat Insight - Data Exfiltration list. Customers can also change the default action of this Notional list to Block, based on the organization's sensitivity to these low-confidence DNS tunnels.

  • Threat Insight – DNS Messenger: The default action for this policy is Log. This list helps minimize the risk of malicious activity carried out against your networks through the DNSMessenger malware, a Remote Access Trojan (RAT) that attackers use to run malicious PowerShell commands on compromised devices.
  • Threat Insight – Rapid Domain Triage: The default action for this policy is Block - No Redirect. This list examines DNS logs to determine whether a newly reported domain may present a threat to an organization. If it is determined that it may pose a threat, the newly reported domain is added to the Threat Insight - Rapid Domain Triage list for quarantine for a period of 48 hours. Domains added to the Threat Insight - Rapid Domain Triage list undergo further investigation to confirm whether they present a threat. Based on the results of the investigation, if the domain is determined not to present a threat, it is removed from the quarantine list and added to an allow list, or added to a TIDE RPZ feed. If, however, it is determined that the domain does present a threat, it is added to a block list.
  • Threat Insight – Fast Flux: The default action for this policy is Log. This list helps minimize the risk of malicious activity carried out against your networks using the Fast Flux technique. Fast Flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind a network of compromised hosts acting as proxies. It can also be a combination of peer-to-peer networking, distributed command and control, web-based load balancing, and proxy redirection used to make malware networks more resistant to discovery.
  • Threat Insight – DGA: The default action for this policy is Log. This list helps minimize the risk of malicious activity carried out against your networks using Domain Generation Algorithms (DGAs). A DGA is a scheme used by malware for domain fluxing by generating variations of a given domain name. DGAs can be used to create a large number of domain names that serve as rendezvous points with command and control servers, in an attempt to evade detection by signature filters, block lists, reputation systems, security gateways, intrusion prevention systems, and other security methods.
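As an added illustration (not Infoblox's detection logic, which this page does not describe), the following scorer sorts DNS query names into the two confidence tiers described above, the high-confidence Data Exfiltration list and the low-confidence Notional list, and tags each hit with the default action the page gives for that list. The signals, thresholds, and sample log lines are all assumptions constructed for this example.

```python
import math
from collections import Counter
# Constructed sample query log (client IP, query name); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 example.com
10.0.0.7 4a6f686e20446f65.ZXhmaWwgZGF0YQ.t1.tunnel-example.test
10.0.0.9 s3.r42.us-east-1.example.com
"""
# Default list and action for each confidence tier, as stated on this page.
TIER_TO_LIST = {
    "high": ("Threat Insight - Data Exfiltration", "Log"),
    "low": ("Threat Insight - Notional Data Exfiltration", "Allow with Log"),
}
def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def tunnel_signals(qname):
    """Assumed heuristic signals on the attacker-controlled part of the name."""
    labels = qname.lower().rstrip(".").split(".")
    sub_labels = labels[:-2]   # assumption: last two labels are the registered zone
    sub = "".join(sub_labels)
    if not sub:
        return []
    hits = []
    if len(sub) >= 30:                                      # room for encoded payload
        hits.append("long-payload")
    if shannon_entropy(sub) >= 3.5:                         # looks encoded or random
        hits.append("high-entropy")
    if sum(ch.isdigit() for ch in sub) / len(sub) >= 0.25:  # hex/base64-like mix
        hits.append("digit-heavy")
    if len(sub_labels) >= 3:                                # data chunked into labels
        hits.append("many-labels")
    return hits

def classify(qname):
    """'high' = confident tunnel, 'low' = notional suggestion only, None = clean."""
    n = len(tunnel_signals(qname))
    return "high" if n >= 3 else "low" if n == 2 else None

def triage_log(log_text):
    """(client, qname, list name, default action) for every query that hits a list."""
    out = []
    for line in log_text.splitlines():
        client, qname = line.split()
        tier = classify(qname)
        if tier:
            out.append((client, qname) + TIER_TO_LIST[tier])
    return out
```

Note that the legitimate-looking `s3.r42.us-east-1.example.com` lands on the Notional list: that is exactly the kind of low-confidence suggestion the page says is logged rather than blocked by default.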

...