
Configuring Combination Threat Feeds

Infoblox offers a large and robust set of threat intelligence feeds that let you tailor your security to your needs. To simplify the choice, Infoblox has created "combination feeds" that group threat intelligence feeds into a small number of "sets", reducing the number of decisions and making the process more intuitive. Because no two users have the same requirements, the set you choose depends on how sensitive your environment is to potential threats compared with how sensitive it is to the blocking of potentially benign sites.

Aside from reducing the choice from more than twenty individual feeds to a single set, combination feeds have other benefits. They continue to be curated over time: as new feeds that qualify for inclusion are introduced, new classes of indicators are added automatically without a major change to your policy rules, and as feeds are deprecated they can be removed from the combination feed automatically, so your policy rules need no maintenance. As the feeds are enhanced and maintained, you will be notified of any substantive changes to their contents.

Infoblox provides four sets of combination feeds:

  • Low: Blocks the fewest threats but also minimizes the potential for blocking benign sites. Examples of such environments are universities, service providers, and public wifi access points.

  • Medium: A balance between detection and minimizing the potential for false positives. The "Medium" set has been designed to be appropriate for most enterprise organizations. If you are unsure which set to use, "Medium" is probably the best fit for your organization.

  • High: Designed for environments where security is the most important factor. These feeds are most appropriate where the expected communication is well understood and the security of the devices is critical. Examples of environments where "High" is most appropriate include server farms and networks of IoT devices or Point-of-Sale terminals. It is not recommended for networks in which users typically surf the web or check their email.

  • Extreme: Created to provide the greatest degree of security. These sets are not recommended for most users, as the potential for false positives is much higher than normal. Use this feed at your own risk.

Each set consists of two separate feeds that must be deployed together, and without any other set:

  • Block: Deploy this feed with the policy action "Block". It should be one of the first entries in the policy list, possibly following a global allow list (Passthru).

  • Log: Deploy this feed with a policy action that lets the query through but logs the match ("Log Only (Disabled)" in the policy table below). It should be one of the last entries in the policy list.

For example, this is what a minimal policy should look like if the “Medium” set best describes your organization.

Order   Object                  Action
1       Local RPZ: Allowlist    Passthru
2       RPZ: ib-med-block       Block
3       RPZ: ib-med-log         Log Only (Disabled)

Contents of Combination Feeds

Combination feeds are built from existing feeds. Each of the Low, Medium, High and Extreme sets is composed of one or more of the following existing feeds:

  • AntiMalware

  • AntiMalware_IP

  • Base Hostnames

  • Bogon

  • Cryptocurrency hostnames and domains

  • DoH Public Hostnames

  • DoH Public IPs

  • Exploit Kit IPs

  • Extended Base & anti-malware Hostnames

  • Extended Exploit Kits IPs

  • Extended malware IPs

  • Extended Ransomware IPs

  • Extended TOR Exit Node IPs

  • Malware DGA hostnames

  • Malware IPs

  • Ransomware

  • SURBL Fresh domains

  • SURBL Multi domains

  • SURBL Multi Lite domains

  • TOR Exit Node IPs

This means that if you use one of the combination feed sets, you must not:

  • Use it in combination with any other set. That is, do not deploy Low, Medium and High together. Each set is completely self-contained, and deploying several together will almost certainly not produce the results you are looking for.

  • Use it in combination with any of the individual feeds listed above, as those feeds are already represented in the contents of the combination feed. Deploying them together will at minimum cause your NIOS appliance to expend more resources than necessary, and may also produce undesired actions where the individual feed and the combination feed carry conflicting policies for the same indicator, since the first RPZ in the policy list that matches a query decides the action.
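As an added example (not Infoblox code and not part of the original page), the following Python script lints an RPZ policy list against the deployment rules above: exactly one combination set with both of its feeds present, the block feed near the top with only Passthru allow lists above it, the log feed after it with no Block entries behind it, the expected action on each, and no individual feed deployed alongside the set that already contains it. The membership matrix is transcribed from the "Current Contents" table on this page; the object names for individual feeds (for example "RPZ: Malware IPs") and the two sample policies are assumptions constructed for the example.

```python
import re

# Policy override labels as they appear in the RPZ policy table on this page.
PASSTHRU = "Passthru"
BLOCK = "Block"
LOG_ONLY = "Log Only (Disabled)"

# Membership matrix transcribed from the "Current Contents" table on this page
# (only the rows present there; the Ransomware Low Log cell is missing on the page).
# Column codes: EB/EL = Extreme Block/Log, HB/HL = High, MB/ML = Med, LB/LL = Low.
MATRIX = """
AntiMalware                             | EB HB ML LL
AntiMalware_IP                          | EB HB ML
Base Hostnames                          | EB HB MB LB
Bogon                                   | EB HB MB LL
Cryptocurrency hostnames and domains    | EB HB ML LL
DoH Public Hostnames                    | EB HB ML LL
DoH Public IPs                          | EL HL ML LB LL
Extended Base & anti-malware Hostnames  | EB HB MB LB
Extended malware IPs                    | EB HL ML LL
Extended Ransomware IPs                 | EB HL ML LL
Extended TOR Exit Node IPs              | EB HB ML LL
Malware DGA hostnames                   | EB HB MB LB
Malware IPs                             | EB HL ML LL
Ransomware                              | EB HB MB LB
"""

CODE_TO_SET = {"E": "extreme", "H": "high", "M": "med", "L": "low"}
FEED_RE = re.compile(r"^RPZ:\s*ib-(low|med|high|extreme)-(block|log)$")


def parse_matrix(text=MATRIX):
    """Return {feed name: {(set, 'block'|'log'), ...}} from the compact matrix."""
    table = {}
    for line in text.strip().splitlines():
        name, cols = (part.strip() for part in line.split("|"))
        table[name] = {(CODE_TO_SET[c[0]], "block" if c[1] == "B" else "log")
                       for c in cols.split()}
    return table


def lint_policy(policy, contents=None):
    """policy: ordered list of (object, action) rows, top of the RPZ list first.
    Returns a list of findings; an empty list means the policy follows the rules."""
    contents = parse_matrix() if contents is None else contents
    findings = []
    combo = {}  # (set, part) -> position of that combination feed in the list
    for i, (obj, _) in enumerate(policy):
        m = FEED_RE.match(obj)
        if m:
            combo[(m.group(1), m.group(2))] = i
    sets = sorted({s for s, _ in combo})
    if not sets:
        return ["no combination feed deployed"]
    if len(sets) > 1:
        findings.append("multiple combination sets deployed together: " + ", ".join(sets))
    for s in sets:
        for part in ("block", "log"):
            if (s, part) not in combo:
                findings.append(f"set '{s}' is missing its {part} feed")
    for (s, part), i in sorted(combo.items(), key=lambda kv: kv[1]):
        obj, action = policy[i]
        want = BLOCK if part == "block" else LOG_ONLY
        if action != want:
            findings.append(f"{obj} has action '{action}', expected '{want}'")
        if part == "block":
            # Only allow-list Passthru entries may sit above the block feed.
            for obj2, act2 in policy[:i]:
                if act2 != PASSTHRU:
                    findings.append(f"{obj2} ({act2}) precedes {obj}; only Passthru allow lists may")
        else:
            if combo.get((s, "block"), -1) > i:
                findings.append(f"{obj} is ordered before its block feed")
            # The log feed belongs near the end: nothing that blocks should follow it.
            for obj2, act2 in policy[i + 1:]:
                if act2 == BLOCK:
                    findings.append(f"{obj2} ({act2}) follows {obj}; the log feed should be one of the last entries")
    # Individual feeds the deployed set already carries are redundant and may conflict.
    for obj, _ in policy:
        name = obj.split(":", 1)[1].strip() if obj.startswith("RPZ:") else obj  # assumed "RPZ: <feed>" naming
        for s, part in sorted(contents.get(name, ())):
            if s in sets:
                findings.append(f"{obj} is already included in ib-{s}-{part}; remove it")
    return findings


# Constructed sample policies (not from the page): the minimal Medium policy,
# and a misordered mix of Medium, High and an individual feed.
GOOD_POLICY = [
    ("Local RPZ: Allowlist", PASSTHRU),
    ("RPZ: ib-med-block", BLOCK),
    ("RPZ: ib-med-log", LOG_ONLY),
]
BAD_POLICY = [
    ("RPZ: ib-med-log", LOG_ONLY),
    ("RPZ: ib-med-block", BLOCK),
    ("RPZ: ib-high-block", BLOCK),
    ("RPZ: Malware IPs", BLOCK),
]

if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, lint_policy(policy) or "OK")
```

Run it as-is to see the findings for the bad policy; to check your own deployment, transcribe the RPZ policy list in order as (object, action) rows and pass it to lint_policy. The checks are ordering and membership only; they do not query the appliance.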

Current Contents of Each of the Combination Threat Feeds

(✔️ = included in that feed; - = not included)

                                          Extreme          High             Med              Low
Feed                                      Block    Log     Block    Log     Block    Log     Block    Log
AntiMalware                               ✔️       -       ✔️       -       -        ✔️       -        ✔️
AntiMalware_IP                            ✔️       -       ✔️       -       -        ✔️       -        -
Base Hostnames                            ✔️       -       ✔️       -       ✔️       -       ✔️       -
Bogon                                     ✔️       -       ✔️       -       ✔️       -       -        ✔️
Cryptocurrency hostnames and domains      ✔️       -       ✔️       -       -        ✔️       -        ✔️
DoH Public Hostnames                      ✔️       -       ✔️       -       -        ✔️       -        ✔️
DoH Public IPs                            -        ✔️       -        ✔️       -        ✔️       ✔️       ✔️
Extended Base & anti-malware Hostnames    ✔️       -       ✔️       -       ✔️       -       ✔️       -
Extended malware IPs                      ✔️       -       -        ✔️       -        ✔️       -        ✔️
Extended Ransomware IPs                   ✔️       -       -        ✔️       -        ✔️       -        ✔️
Extended TOR Exit Node IPs                ✔️       -       ✔️       -       -        ✔️       -        ✔️
Malware DGA hostnames                     ✔️       -       ✔️       -       ✔️       -       ✔️       -
Malware IPs                               ✔️       -       -        ✔️       -        ✔️       -        ✔️
Ransomware                                ✔️       -       ✔️       -       ✔️       -       ✔️

The copy of this table on the page ends with the Ransomware row: its Low Log cell, and the rows for Exploit Kit IPs, Extended Exploit Kits IPs, the three SURBL feeds and TOR Exit Node IPs, are not present.