
Managing blocklists using a central platform (part 1)

Every optimization and automation in cybersecurity boosts efficiency, and blocklist maintenance is no exception. Centralized blocklist management helps NOC and SOC teams streamline threat prevention by unifying control over blocking malicious IPs. It reduces manual effort, minimizes errors, speeds up responses to threats, and improves overall network performance with real-time updates.

Effective blocklist management is crucial for defending against mass exploitation campaigns and reconnaissance operations. In this post, we’ll explore how blocklist management platforms, specifically ELLIO’s, empower SOCs and NOCs to streamline their processes.

But before we can go deep into the use-cases and how SOCs and NOCs are using it, let’s go over the basics first.

What is a Blocklist Management Platform?

A Blocklist Management Platform centralizes the creation, customization, and distribution of blocklists—lists of IP addresses that should be blocked—to various network devices and endpoints. It ensures consistent, up-to-date security policies across an organization, simplifying the management of network defenses against unauthorized access and malicious activities.

What is a Deployment?

A Deployment is the customized blocklist that is actually used by your firewalls, applications, or specific endpoints. It’s the list that results from combining various blocklists (like ELLIO’s Threat List MAX and other sources), adding or removing specific IPs, and tailoring it to fit the specific needs of your organization. You then deploy this custom blocklist to your firewalls and other security devices, ensuring consistent protection across your network infrastructure.

For example, if you combine the IPSum List with ELLIO’s Threat List MAX and then remove all Googlebot IPs, the resulting custom blocklist is your deployment. This deployment is then propagated to all the firewalls of your organization automatically, which most Next-Generation Firewalls (NGFWs) support.

Introducing ELLIO Threat List as a building block

Throughout this blog we will be using ELLIO Threat List as the foundational blocklist for deployments. However, you can use other widely available lists, both free and paid.

We’ve developed the ELLIO Threat List to block mass exploitation campaigns and reconnaissance efforts by threat actors. It’s primarily used to secure:

  • Extended Internet of Things (xIoT)
  • Operational Technologies (OT)
  • Hybrid Edge Environments
  • Network Perimeters

For those familiar with the MITRE ATT&CK® Enterprise Matrix, the ELLIO Threat List focuses on:

  • Reconnaissance Techniques:
    • T1590 (Gather Victim Network Information)
    • T1591 (Gather Victim Org Information)
    • T1592 (Gather Victim Host Information)
    • T1593 (Search Open Technical Databases)
    • T1594 (Search Open Websites/Domains)
    • T1595 (Active Scanning)
    • T1596 (Search Open Vulnerability Databases)
  • Initial Access Techniques:
    • T1133 (External Remote Services)
    • T1189 (Drive-by Compromise)
    • T1190 (Exploit Public-Facing Application)
    • T1659 (Compromise Infrastructure)

Customizing the Blocklists to Fit Your Needs

Every organization has unique security requirements, so it’s essential to customize blocklists accordingly. Here’s how you can tailor them to your needs.

Pre-Built Exclusion Lists

We provide pre-built exclusion lists that include IP addresses of popular cloud providers like AWS, Google Cloud Platform (GCP), and Microsoft Azure. This ensures that legitimate traffic from these services isn’t accidentally blocked. Other examples of pre-built exclusion lists include Content Delivery Networks (CDNs), Trusted Third-Party Services or Crawlers like Google Bot or Bing Bot.

These exclusion lists serve as safety nets. Even though the ELLIO Threat List is carefully curated, using exclusion lists guarantees that essential services are never blocked, especially when you incorporate other (non-ELLIO) blocklists as your base.

Pre-Built Include Lists

To enhance security, you can add pre-built include lists. These are lists of IPs or IP ranges that you want to include in your deployment. For instance, blocking IP addresses of known scanners like Shodan and Censys can help your network “disappear” from their databases. This reduces the risk of being targeted by threat actors who use these services for reconnaissance. Other examples include known ranges of threat actors or Autonomous System Numbers (ASNs) with poor reputations.

Include and exclude lists in the context of a deployment.

Include Lists are lists of IPs or IP ranges that you want to include in the deployment, i.e., IPs that you want to block.

Exclude Lists are lists of IPs that you want to exclude from the deployment, i.e., IPs that you want to ensure are not blocked, even if they appear in the base blocklists.

Bring-Your-Own-List Functionality

If your organization maintains its own blocklists or subscribes to third-party lists, you can integrate them into the platform. Provide us with a link and an API key, and we’ll handle the inclusion or exclusion, management, and distribution.

The difference between BYOL and include/exclude lists is that we will be taking care of downloading/parsing them, so you do not have to do that manually through an API. BYOL is generally used as an include list, but can be used as an exclude list as well.
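The three pieces described so far (a deployment as base lists plus include lists minus exclude lists, include/exclude semantics, and parsing a downloaded third-party list) fit together in the following added example. It is illustration code written for this post, not ELLIO’s platform code, and it assumes one ordering rule: an exclude entry always wins over anything in a base or include list (the platform’s actual rule ordering is the subject of part 2). The feeds are constructed samples using documentation address ranges, and the plain-text “one IP or CIDR per line, `#` comments” format is an assumption about what a bring-your-own list looks like.

```python
"""Compose a deployment from base, include and exclude lists (added example, not ELLIO's code).

Assumed rule: excludes take precedence over base and include lists.
"""
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample feeds (RFC 5737 / RFC 3849 documentation ranges).
BASE_FEED = """# constructed stand-in for a base blocklist such as a threat list
203.0.113.0/24
198.51.100.7
2001:db8:1::/48
"""
INCLUDE_FEED = """192.0.2.0/24   # constructed 'scanner' range we also want blocked
not-an-ip      # malformed line: must be reported, never deployed
"""
EXCLUDE_FEED = """203.0.113.5    # constructed 'crawler' address that must stay reachable
"""


def parse_list(text: str) -> Tuple[List[Network], List[str]]:
    """Parse a plain-text list: one IP or CIDR per line, '#' comments and blank lines ignored.

    Returns (networks, rejected_lines) so that a bad entry in a third-party feed
    is surfaced instead of silently dropped.
    """
    networks: List[Network] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False tolerates host bits set in a prefix, e.g. "10.1.2.3/24"
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(raw)
    return networks, rejected


def _subtract(network: Network, excludes: List[Network]) -> List[Network]:
    """Remove every exclude that overlaps `network`, carving out sub-ranges as needed."""
    pieces: List[Network] = [network]
    for ex in excludes:
        remaining: List[Network] = []
        for piece in pieces:
            if piece.version != ex.version or not piece.overlaps(ex):
                remaining.append(piece)
            elif piece.subnet_of(ex):
                continue  # fully covered by the exclude: drop it entirely
            else:
                # ex is a proper subnet of piece: keep everything except ex
                remaining.extend(piece.address_exclude(ex))
        pieces = remaining
    return pieces


def build_deployment(base_lists, include_lists, exclude_lists) -> List[Network]:
    """Union of all base and include lists, minus every exclude, merged into minimal CIDRs."""
    blocked: List[Network] = []
    for lst in list(base_lists) + list(include_lists):
        blocked.extend(lst)
    excludes: List[Network] = [n for lst in exclude_lists for n in lst]

    carved: List[Network] = []
    for net in blocked:
        carved.extend(_subtract(net, excludes))

    # collapse_addresses merges overlapping/adjacent ranges but only within one IP version
    result: List[Network] = []
    for version in (4, 6):
        same_version = [n for n in carved if n.version == version]
        result.extend(ipaddress.collapse_addresses(same_version))
    return result


def is_blocked(deployment: List[Network], ip: str) -> bool:
    """Would the given address be blocked by this deployment?"""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in deployment)


def demo() -> Tuple[List[Network], List[str]]:
    """Build the sample deployment; returns (deployment, rejected feed lines)."""
    base, _ = parse_list(BASE_FEED)
    include, rejected = parse_list(INCLUDE_FEED)
    exclude, _ = parse_list(EXCLUDE_FEED)
    return build_deployment([base], [include], [exclude]), rejected


if __name__ == "__main__":
    deployment, rejected = demo()
    print("rejected lines:", rejected)
    for net in deployment:
        print(net)
```

Note what the carve-out does to the output: excluding a single address from a /24 produces eight smaller prefixes rather than one, so the deployment pushed to a firewall grows with every exclusion inside a larger block. That is worth keeping in mind when sizing rule tables on devices with tight limits.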

If you have specific requirements, we’re happy to set up custom integrations—just reach out to us.

Custom Lists Management

You have the ability to create and manage your own lists:

  • Include Lists: Lists of IPs or IP ranges that you want to block by including them in your deployment. For example, if you’ve identified IP ranges associated with a specific threat actor group, you can create an include list with those ranges and then use it in multiple deployments.
  • Exclude Lists: Lists of IPs that you want to ensure are not blocked by excluding them from your deployment. For instance, you might exclude your own data centers or trusted partners.

This functionality was developed based on feedback from SOCs, allowing teams to update blocklists manually or automatically through their Security Orchestration, Automation, and Response (SOAR) playbooks or other automation tools. Changes are then propagated to all firewalls or endpoints, streamlining the process of blocking or unblocking IPs across the network.

Stay tuned

In the next part of this series we are going to dive deeper into how deployments are created, in what order rules from all include/exclude lists are applied and at which stages the deployment can be modified.

Read part 2 here.
