Why use target bundles?
Targets are the building blocks of ThreatSTOP IP and DNS Policies. They group IOCs based on the attributes of the threat being tracked, such as the malware type or the direction of the traffic tied to the threat (e.g. inbound vs outbound vs both directions). As the landscape of cybersecurity threats changes, the ThreatSTOP Security team will add and retire targets.
When new targets are published, they are typically not added automatically to customers’ custom policies; administrators must edit the policy to add them.
Bundles are groups of targets defined by a set of attributes, most commonly the type of threat. For example, the Botnets Tier 1 bundle groups targets tracking IOCs for the Command and Control domains of known active major botnets. When a target for a new botnet is published, the ThreatSTOP Security team adds it to the Botnets bundle. By having the bundle (rather than the individual targets) in your policy, you are protected against these new threats automatically, without making a manual change to your policy.
Mixing bundles and targets
Not every target is added to a bundle, and you can create a policy that includes both targets and bundles. If you add a target that is already present via a bundle, our policy generation engine will not duplicate the IOCs, so you don’t need to worry about consuming extra space in the rulesets of your firewall or DNS server.
Excluding targets from a bundle, e.g. ITAR and OFAC bundles
You may want to use a bundle but, for business reasons, cannot block the networks and domains associated with one or several targets included in the bundle. This is common for users who want to block countries sanctioned under the ITAR or OFAC regulations: for example, you may have a compliance requirement to block the countries on the ITAR or OFAC lists, but also a business requirement to allow traffic to a particular country or region. There are two options that let you use bundles and still meet your requirements.
The first and preferred option is to exclude a target from your policy. After adding a bundle using the Add Bundle button in the Bundle Details box, navigate to the Excluded target tab and select the target to exclude from your policy. Your policy will then include all other targets in the bundle, but the excluded target will be removed. As changes are made by the ThreatSTOP Security team (such as adding or removing countries from the ITAR and OFAC bundles), your policy will automatically reflect the changes, but the excluded target will remain excluded from your policy. IOCs from a target excluded from your policy will never be loaded in your policy, regardless of which bundles include the target, or whether the target is removed and later re-added to the bundle.
The second option is to add the bundle “as targets”: in the Target Bundles tab of the policy editor, find and select the bundle. The targets included in the bundle are listed in the Details box. If you click Add as targets, the targets are added to your policy individually and you can delete the unwanted ones. However, future changes made by the ThreatSTOP Security team to the list of targets in the bundle will not be reflected in your policy automatically.
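To make the behaviour described in the three sections above concrete (de-duplication when a target arrives both via a bundle and individually, exclusions that hold regardless of which bundle contains the target, and the difference between referencing a bundle and adding it “as targets”), here is a small Python model of policy resolution. It is an added illustration, not ThreatSTOP’s policy generation engine or API: the target names, bundle memberships and IP prefixes are constructed, and applying exclusions last, so that they also override a target added individually, is this model’s assumption.

```python
"""Toy model of how a policy built from bundles, individual targets and
excluded targets resolves to one de-duplicated ruleset.

Added illustration only: this is not ThreatSTOP's policy generation engine
or API. Target names, bundle memberships and IP prefixes are constructed.
"""
from dataclasses import dataclass, field

# Constructed catalogue: each target maps to the IOCs (here IP prefixes) it tracks.
TARGETS = {
    "itar_country_a": {"198.51.100.0/24"},
    "itar_lebanon": {"203.0.113.0/25"},
    "botnet_x_c2": {"192.0.2.0/25"},
    "botnet_y_c2": {"192.0.2.128/25"},
}

# Constructed bundle memberships, maintained by the (hypothetical) security team.
BUNDLES = {
    "itar_ip": {"itar_country_a", "itar_lebanon"},
    "botnets_tier1": {"botnet_x_c2"},
}


@dataclass
class Policy:
    bundles: set = field(default_factory=set)   # live bundle references: follow membership changes
    targets: set = field(default_factory=set)   # individually added targets (incl. "Add as targets" snapshots)
    excluded: set = field(default_factory=set)  # targets whose IOCs are never loaded, whatever bundle holds them


def add_bundle_as_targets(policy, bundle_name, bundles=BUNDLES):
    """The 'Add as targets' option: copy the bundle's *current* members into the
    policy as individual targets. Later membership changes are not followed."""
    policy.targets |= set(bundles[bundle_name])


def effective_targets(policy, bundles=BUNDLES):
    """Targets that contribute IOCs: members of referenced bundles plus individual
    targets, minus exclusions. Exclusion is applied last, so it wins no matter how
    many bundles contain the target (and, by this model's assumption, even when
    the target was also added individually)."""
    from_bundles = set().union(*(bundles[name] for name in policy.bundles))
    return (from_bundles | policy.targets) - policy.excluded


def generate_ruleset(policy, targets=TARGETS, bundles=BUNDLES):
    """Sorted IOC list for the policy. A set union means an IOC supplied by several
    targets (e.g. a target added both via a bundle and individually) appears once."""
    iocs = set()
    for name in effective_targets(policy, bundles):
        iocs |= targets[name]
    return sorted(iocs)


def itar_bundle_update(targets=TARGETS, bundles=BUNDLES):
    """Simulate the security team adding a new country target to the ITAR bundle.
    Returns updated (targets, bundles) copies; the originals are untouched."""
    new_targets = dict(targets)
    new_targets["itar_country_b"] = {"203.0.113.128/25"}  # constructed prefix
    new_bundles = {name: set(members) for name, members in bundles.items()}
    new_bundles["itar_ip"].add("itar_country_b")
    return new_targets, new_bundles


if __name__ == "__main__":
    # Preferred option: reference the bundle, exclude Lebanon, and also add
    # botnet_x_c2 individually even though botnets_tier1 already provides it.
    live = Policy(bundles={"itar_ip", "botnets_tier1"},
                  targets={"botnet_x_c2"}, excluded={"itar_lebanon"})
    # Second option: snapshot the bundle as targets and delete Lebanon by hand.
    snapshot = Policy()
    add_bundle_as_targets(snapshot, "itar_ip")
    snapshot.targets.discard("itar_lebanon")

    print("live    :", generate_ruleset(live))
    print("snapshot:", generate_ruleset(snapshot))

    # After the bundle changes, only the live reference picks up the new country.
    t2, b2 = itar_bundle_update()
    print("live after bundle update    :", generate_ruleset(live, t2, b2))
    print("snapshot after bundle update:", generate_ruleset(snapshot, t2, b2))
```

Running the script shows the live policy gaining the new country’s prefixes after the bundle update while the snapshot policy stays as it was, and the botnet_x_c2 prefix appearing once even though it is supplied by both the bundle and the individual target.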
Example
The policy in the screenshot below includes the ITAR IP Bundle (network addresses of all countries currently subject to ITAR restrictions) but excludes the network addresses for Lebanon.