Required Shun Lists
Required shun lists contain IP addresses and host names that pose an immediate security threat, regardless of where they are in the world. These lists include:
- Application Exploit
- BotNet Command & Control
- Brute Force
- Organized Cybercrime
- Penetration Testing Tools
- Recon Bots
- Spam Bots
- ZeuS Banking Trojan Command & Control
Optional Shun Lists
In addition to our mandatory shun lists, most RiskAnalytics shunning products include a list blocking feature. Optional lists that are available include geographic regions, policy lists and certain aggressive security feeds. When this feature is enabled, the service will block all network traffic to and from the IP ranges associated with a selected list.
RiskAnalytics also offers list subscription blocking, which roughly equates to blocking all the countries in a geographic region. Within the RA Force portal, a customer can block any of six regions: Central Asia, Northeast Asia, South Asia, Eastern Europe, Equatorial Africa, and League of Arab States.
How region blocking improves organizational security posture
It is well known that organized cybercrime syndicates prefer to operate from countries that will not pursue and prosecute their criminal operations. In some jurisdictions criminal activities are tolerated for the right price and the right payoff. These corrupt areas are typically in places where many western-based companies conduct little or no business.
There is no strict alignment between tolerance of criminal activities and geographic boundaries; however, certain regions (such as the League of Arab States in the Middle East) are infrequently seen hosting content for the broader Internet community, while others (such as Northeast Asia) are part of an increasingly globalized Internet ecosystem.
When to use list blocking
Except as noted in the contraindications below, most corporate networks can safely use country blocking on their RiskAnalytics appliances and services. To get comfortable with country blocking, most customers can safely block Moldova, Iran, Ukraine and Russia. Although China is a tempting choice for blocking, many well-known retailers host their web sites in cheaper Chinese data centers.
Once a customer has decided to subscribe to list blocking, the RA Force administrator needs to be familiar with whitelisting and researching IP address characteristics in RA Force. List blocking should be introduced slowly as a client organization gains comfort with creating new whitelist entries.
When not to use list blocking
Most Optional List blocking, by its nature, works through collateral damage: since the regional traffic being blocked is not being blocked because of any known threat, every list block event is technically collateral damage. Obviously, a client should not block traffic to or from lists or regions where the client needs to communicate with business partners and customers. Unfortunately, it is almost impossible to know with certainty where one's business partners host their data operations. For a company that has significant overseas business operations, region blocking should be used very sparingly, if at all.
Whitelisting is used to keep known-good addresses from becoming blocked.
RiskAnalytics maintains a whitelist of addresses that will not be added to a required shun list. This is useful for Internet-critical services such as public DNS servers, root servers, or verified penetration testing agencies. We call these "Overridable Whitelists" in the RA Force portal. If one of these addresses is added to a custom shun list, however, the overridable whitelist entry does not protect it and it can still be blocked.
Customer whitelist entries keep listed IP addresses or networks from being blocked on the device. The customer whitelist takes precedence over all shun lists. If you create a custom shun list with a large network range and then whitelist a small part of that range, the whitelist wins for that part: the smaller whitelisted range remains accessible while the rest of the larger range stays blocked. You are encouraged to add business partner assets and your own critical infrastructure to your whitelist even if these addresses are not currently being blocked by any list.
Unshunnable/Permanent whitelists are catch-all whitelists that include infrastructure critical to RiskAnalytics and non-routable private network addresses (RFC 1918). These addresses must never end up on any shun list; even if a custom shun list is created with these addresses, RA services will not enforce it.
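The precedence described in the three whitelist paragraphs above (permanent whitelist over everything, customer whitelist over all shun lists, overridable whitelist exempt only from required lists, and a small whitelisted range carved out of a larger shunned one) is easy to get wrong when reasoning by hand. The following Python is an added illustration, not RiskAnalytics code: the list names and all address ranges are constructed placeholders (RFC 5737 documentation ranges), and the evaluation order is an assumption that mirrors the rules stated in this page.

```python
from ipaddress import ip_address, ip_network

# Constructed sample lists; none of these ranges come from a real feed.
PERMANENT_WHITELIST = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918
OVERRIDABLE_WHITELIST = [ip_network("203.0.113.53/32")]   # stands in for a public DNS resolver
CUSTOMER_WHITELIST = [ip_network("198.51.100.0/26")]      # stands in for a business partner's range
REQUIRED_SHUN = {"Brute Force": [ip_network("203.0.113.0/24")]}
CUSTOM_SHUN = {
    "Region: Eastern Europe": [ip_network("198.51.100.0/24")],        # encloses the customer whitelist
    "Custom list": [ip_network("10.1.2.0/24"), ip_network("203.0.113.53/32")],
}


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def decide(ip, custom_shun=CUSTOM_SHUN):
    """Return (verdict, reason) for one address under the precedence rules in the text."""
    addr = ip_address(ip)
    # 1. Permanent/unshunnable whitelist: never enforced, even from a custom shun list.
    if _in_any(addr, PERMANENT_WHITELIST):
        return "allow", "permanent whitelist"
    # 2. Customer whitelist beats every shun list, including a larger enclosing range.
    if _in_any(addr, CUSTOMER_WHITELIST):
        return "allow", "customer whitelist"
    # 3. Custom (and optional region) shun lists can block overridable whitelist entries.
    for name, nets in custom_shun.items():
        if _in_any(addr, nets):
            return "block", name
    # 4. Overridable whitelist only exempts an address from the required shun lists.
    if _in_any(addr, OVERRIDABLE_WHITELIST):
        return "allow", "overridable whitelist"
    # 5. Required shun lists apply to everything that remains.
    for name, nets in REQUIRED_SHUN.items():
        if _in_any(addr, nets):
            return "block", name
    return "allow", "not listed"


if __name__ == "__main__":
    for sample in ("10.1.2.3", "198.51.100.10", "198.51.100.200", "203.0.113.53", "203.0.113.7"):
        print(sample, *decide(sample))
```

Passing `custom_shun={}` to `decide` shows the other half of the overridable rule: with no custom list naming it, the resolver address is allowed despite sitting inside the required Brute Force range.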