Guardicore is offering a threat intelligence-based firewall to Centra SaaS users. This feature uses Guardicore’s threat intelligence sensors, distributed across major cloud providers worldwide, to create blacklists of verified malicious IP addresses. Updated daily, these IP blacklists are automatically fed into Centra to create rules to alert and block communications via malicious IP labels: top attackers, top scanners, and top CnC.
What types of IPs do you block?
We currently provide two IP blocklists, Attacking IPs and Scanning IPs, and block traffic to and from the IPs on them. We additionally provide an IP alert list for Command and Control (CnC) IPs.
How do you blacklist an IP?
Guardicore has distributed Guardicore Threat Intelligence sensors across the largest cloud providers around the world. These sensors detect attacks 24/7.
Attacking IPs list – Created based on IPs that attack our Threat Intelligence sensors. We block the most prominent ones.
Scanning IPs list – Created based on the top scanners which scan our Threat Intelligence sensors. We block the most prominent ones.
CnC IP list – Created by resolving the IPs of connections to malicious domains. Once an attacker infects a Guardicore Threat Intelligence sensor and connects back to a CnC server, log server, etc. – we add this indicator to the list.
Why is the CnC list set to Alert and not to Block?
The CnC list is set to Alert since attackers may use legitimate websites / hosting servers to deliver their malware or communicate with it (for example: github, bitbucket, AWS S3 buckets, etc.). The Guardicore Threat Intelligence service detects such cases and avoids adding them to the CnC list. As an initial step, we are taking an extra measure of caution by only alerting on outgoing connections to such IPs and not blocking them.
Can I test the feature?
You sure can! Simply access one of the IPs in the labels from an asset covered by a Guardicore Agent, and check the Centra UI for the blocked/alerted incident.
How can I see if anything was blocked/alerted by the threat intelligence firewall?
There are 2 options:
Filter the “Incidents” screen for any threat intelligence rulesets. Any incidents that matched these rulesets contain flows alerted/blocked by the Threat Intelligence Firewall. If a SIEM integration is in place, the incidents will also be exported to your local SIEM and can be viewed there.
Filter the “Network Log” screen for any alerted/blocked connections from the threat intelligence firewall policy rule id. Any matching connection was alerted/blocked by the Threat Intelligence Firewall.
How often is the list updated?
The list is updated daily.
How do I stop daily updates of the lists?
Simply disable the Guardicore rules in the segmentation rules screen and let our customer success know you wish to opt-out of the daily update service.
What if I want to change the rules to alert and not to block?
Simply move the rules to the override alert section in the Guardicore segmentation rules screen. We will continue to update the labels with the malicious IPs on a daily basis.
I received a blocking alert related to a malicious IP provided by Guardicore Threat Intelligence Firewall. What should I do?
There are 2 cases in which you can get an alert/block:
For an outbound alerted/blocked connection – your environment has been compromised! We recommend verifying the connection source, process, user and command line. We also recommend engaging with our Cyber Security Analyst service to help with forensics and further incident response. Contact email@example.com or Guardicore Customer Success.
For an inbound alerted/blocked connection – malicious traffic is something you can expect when exposing a service to the internet. Centra blocked this connection attempt and reduced your service exposure to malicious actors over the internet.
How do I remove an IP from the list?
Contact us at firstname.lastname@example.org or through Customer Success to remove an IP from the list.
How do you prevent blocking my internal IPs?
Guardicore removes all private IP subnets such as 192.168.0.0/16, 172.16.0.0/16 and 10.0.0.0/8. We additionally remove APIPA addresses and any public IPs that your IP configuration in Centra declares as private in your network. The IP configuration in Centra is located under: Administration → System → Configuration → IP classification
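As an added example (not Guardicore's or Centra's code), the following Python models the feed hygiene described in this answer together with the block/alert policy described earlier: private, APIPA and customer-declared ranges are dropped before a label is built, attacker and scanner IPs are blocked in both directions, and CnC IPs only raise an alert on outbound connections. The feeds, customer ranges and flows are constructed; the exclusion list uses the RFC 1918 172.16.0.0/12 range rather than the /16 quoted above.

```python
"""Added example, not Guardicore's code: models the rule logic this FAQ describes.
Feeds, customer ranges and flows below are constructed sample data."""
import ipaddress
from typing import Iterable

# Ranges the FAQ says are stripped from the daily feed before rules are built.
# Note: the FAQ quotes 172.16.0.0/16; RFC 1918 reserves 172.16.0.0/12 (used here).
DEFAULT_EXCLUDED = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),  # APIPA (link-local)
]

def build_label(feed: Iterable[str], customer_private: Iterable[str] = ()) -> set:
    """Return feed IPs that are safe to turn into rules: drop private, APIPA,
    and any public ranges the customer declared internal (IP classification)."""
    excluded = DEFAULT_EXCLUDED + [ipaddress.ip_network(c) for c in customer_private]
    keep = set()
    for raw in feed:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # malformed feed line, never becomes a rule
        if not any(ip in net for net in excluded):
            keep.add(str(ip))
    return keep

def evaluate(src: str, dst: str, outbound: bool,
             attackers: set, scanners: set, cnc: set) -> str:
    """Apply the FAQ's policy: attacker/scanner IPs are blocked in both
    directions; CnC IPs only alert, and only on outgoing connections."""
    remote = dst if outbound else src
    if remote in attackers or remote in scanners:
        return "block"
    if outbound and remote in cnc:
        return "alert"
    return "allow"

# Constructed feeds: documentation-range public IPs plus noise that must be dropped.
ATTACKER_FEED = ["198.51.100.7", "10.1.2.3", "172.16.9.9", "169.254.1.1", "bad line"]
SCANNER_FEED = ["203.0.113.5", "192.0.2.44"]
CNC_FEED = ["192.0.2.99", "203.0.113.200"]
CUSTOMER_PRIVATE = ["192.0.2.0/24"]  # constructed: customer uses this public range internally
ATTACKERS = build_label(ATTACKER_FEED, CUSTOMER_PRIVATE)
SCANNERS = build_label(SCANNER_FEED, CUSTOMER_PRIVATE)
CNC = build_label(CNC_FEED, CUSTOMER_PRIVATE)

if __name__ == "__main__":
    print(ATTACKERS, SCANNERS, CNC)
    print(evaluate("10.0.0.5", "203.0.113.200", True, ATTACKERS, SCANNERS, CNC))
```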