Overview of the redesigned Policy Editor
The number of threats that ThreatSTOP provides protection against has increased in recent years. Targets are the building blocks of ThreatSTOP Policies, and we have added dozens of targets. As a result, it has become difficult to select targets when creating new Policies or adding targets to existing Policies.
The redesigned Policy Editor makes the creation and maintenance of Policies easier by bringing several new features. It can be accessed using the Policies link in the menu of the ThreatSTOP Admin Portal. The Legacy Policy Editor is now reached using the Policy (Legacy) menu.
Easier target selection
New Target Attributes
New attributes have been added to targets to refine the selection of targets when creating custom policies. They are described in the table below.
| Target Attribute | Description |
|---|---|
| Severity | The level of damage the Threat can cause. |
| Risk | The likelihood that a DNS lookup for (DNS Defense), or a connection to (IP Defense), the IOC is related to the Threat. For example, a connection to an IP address associated with a CDN that hosts a Threat is less likely to be malicious than a connection to a Botnet C&C node. |
| Confidence Level | ThreatSTOP's confidence that the IOC (IP or domain) is currently associated with the Threat. It reflects the accuracy of the Threat Intelligence source and its track record for false positives. |
| IOC Type | ThreatSTOP organizes IOCs into IP addresses (and subnets) and Domains. Targets that identify IP addresses can be added in all products (IP Defense, DNS Defense, Roaming Defense), while Domain-based targets are only available in the DNS Defense and Roaming Defense products. |
| Industry | The industry the Threat targets. Threats targeting specific industries have become more common. |
| Traffic Type | Identifies the direction or type of network traffic associated with the Threat. |
| Threat Type | Identifies the type of Threat. |
The new user interface lets you filter and sort the list of targets based on these attributes. It is also possible to filter the list of targets by name and description, for example to locate a target based on a threat name.
Target Bundles
In the new policy editor, target bundles replace Standard and Expert targets. Standard Targets of the original Policy Editor provided a mechanism to block groups of similar Threats without handling granular targets. For example, the Botnet standard target blocks all Botnets without having to manipulate a target for each botnet.
Target Bundles fulfill the same purpose but have several advantages:
- They are simply groups of targets, and it is possible to view the individual targets that they contain.
- Policies can be built by mixing target bundles and individual targets. If you need to add a specific one-off target, you can do so without switching the whole policy to the Expert mode, while using bundles for the rest of the policy.
- Policies can be configured to exclude targets from the bundles. Although this is an uncommon requirement, it is possible to use a bundle while excluding a specific advanced target from it.
- It is now possible to list the targets and bundles included in ThreatSTOP's predefined policies.
- As with standard targets, ThreatSTOP maintains the list of Targets included in Target Bundles, so the list of Threats that they block stays current with the latest additions. For example, adding the Botnet bundle to your policy will automatically add any new botnet targets to your policy without having to log in and change your policy configuration. Of course, you can continue to create a policy that does not use target bundles and uses targets only. This gives you full control over when targets are added to your policy.
- The recommended method to add a target bundle to a policy is to add the bundle itself, so the policy will reflect changes made by ThreatSTOP's Security Team to the bundle. Choosing to add a bundle 'as targets' will add the individual targets to the policy based on the current definition of the bundle, and future changes will not be automatically propagated.
More information about using bundles is available in this <a href="/advanced_bundles.html">article</a>.
New User Interface
Creating a new policy
Creating a new policy has also become easier, as policies no longer need to be created from scratch. You can now copy an existing policy, either a custom policy or a ThreatSTOP-provided predefined policy, and use it as the starting point, adding or removing targets and target bundles.
The content (targets, bundles and user defined lists) of the policy is shown in the lower right corner of your browser. Additional details such as the size, associated zone names and the list of devices currently using this policy are also shown.
Target selection
The Policy Editor has five tabs:
- The Policy Settings tab to define the name and type of the policy.
- The Target Bundles tab to list and add or remove bundles.
- The Targets tab to add or remove individual targets from the policy, similar to the expert mode of the existing editor.
- The Excluded Targets tab to exclude targets from the policy, even if the excluded target is part of a bundle present in your policy.
- The User-Defined Lists tab to add your own block lists or whitelists to the policy.
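The following is an added example, not ThreatSTOP's own code: it models how the Target Bundles, Targets and Excluded Targets tabs described above combine into the effective target set of a policy, and the difference between adding a bundle by reference and adding it "as targets". The bundle name, target names, the `catalog` dictionary and the `as_targets` flag are constructed for this illustration and are not identifiers from the Admin Portal.

```python
"""Model of how a policy resolves to an effective set of targets.

Added illustration, not ThreatSTOP code. The catalog, bundle and target
names below are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    bundles: set = field(default_factory=set)   # bundles added by reference
    targets: set = field(default_factory=set)   # individual (one-off) targets
    excluded: set = field(default_factory=set)  # removed even if a bundle carries them


def resolve(policy: Policy, catalog: dict) -> set:
    """Effective targets = (members of referenced bundles | individual targets) - excluded.

    `catalog` maps a bundle name to its *current* member targets, as maintained
    by the vendor; a policy that references a bundle always sees that current
    membership at resolution time.
    """
    effective = set(policy.targets)
    for bundle in policy.bundles:
        if bundle not in catalog:
            raise KeyError(f"unknown bundle: {bundle}")
        effective |= catalog[bundle]
    return effective - policy.excluded


def add_bundle(policy: Policy, bundle: str, catalog: dict, as_targets: bool = False) -> None:
    """Add a bundle by reference (tracks future changes) or 'as targets'
    (copies today's membership into the policy; later changes do not propagate)."""
    if as_targets:
        policy.targets |= set(catalog[bundle])   # snapshot copy, not a reference
    else:
        policy.bundles.add(bundle)


def demo() -> dict:
    """Walk through both ways of adding a bundle, then change the bundle."""
    catalog = {"Botnet": {"botnet_a", "botnet_b"}}   # constructed catalog

    by_ref = Policy("ref-policy")
    add_bundle(by_ref, "Botnet", catalog)
    by_ref.excluded.add("botnet_b")   # keep the bundle, drop one member of it

    snapshot = Policy("snapshot-policy")
    add_bundle(snapshot, "Botnet", catalog, as_targets=True)
    snapshot.targets.add("one_off_target")   # mix a one-off target with bundle content

    before = {"ref": resolve(by_ref, catalog), "snap": resolve(snapshot, catalog)}

    # The vendor later adds a new botnet target to the bundle definition.
    catalog["Botnet"].add("botnet_c")

    after = {"ref": resolve(by_ref, catalog), "snap": resolve(snapshot, catalog)}
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, policies in demo().items():
        for name, targets in policies.items():
            print(phase, name, sorted(targets))
```

The by-reference policy picks up `botnet_c` automatically while still honouring its exclusion of `botnet_b`; the "as targets" policy keeps exactly the membership it copied, which is the behaviour to expect when you want full control over when targets enter your policy.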
As you click on targets and bundles, their details are displayed in the lower left part of your browser. This includes the description, the list of targets that a bundle includes and the current size of the target/bundle, although the size changes throughout the day as ThreatSTOP’s system updates with the latest Threat Intelligence data.
Actions
Actions applied to targets have not changed compared to the existing editor.
For IP targets, there are two possible actions:
- Block: configure the policy to block the IP addresses contained in the targets.
- Allow: configure the policy to allow traffic from and to the IP addresses contained in the targets; typically used for whitelists only.
For DNS Defense and Roaming Defense targets, you can choose from the following actions to apply to the domains and IPs contained in the target:
- ThreatSTOP Default: the recommended action for the target based on the Threat type.
- NXDOMAIN: reject DNS lookup; it will appear to the client that the name doesn’t exist.
- NODATA: reject DNS lookup; it will appear to the client that there are no records for the name.
- DROP: don't reply to the client; the client might time out or select another DNS server.
- GARDEN: replace response with CNAME, thus redirecting the client.
- Pass-Thru: allow the query to go through (whitelisting) but log the query.
- A custom RPZ behavior if you have created one, for example your own walled garden.
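As an added example, not ThreatSTOP's own code or generated zone format, the block below renders each DNS Defense action above as the standard Response Policy Zone (RPZ) record it corresponds to, following the public RPZ encodings (CNAME to `.`, `*.`, `rpz-drop.`, `rpz-passthru.`, or to a host you control for a walled garden). It also shows how an IP or CIDR IOC becomes a response-IP trigger of the form `PREFIX.B4.B3.B2.B1.rpz-ip`. The garden hostname, the sample IOCs and the `CUSTOM` label for a user-defined behaviour are assumptions for this illustration; the "ThreatSTOP Default" action is a vendor-chosen mapping per threat type and is not modelled here.

```python
"""Render DNS Defense actions as standard RPZ zone records.

Added illustration of the public RPZ encodings, not ThreatSTOP's generated
zone. Sample IOCs and the garden hostname are constructed for this example.
"""
import ipaddress
from typing import Iterable, Optional, Tuple

# Actions whose RPZ encoding is a fixed special CNAME target.
_FIXED_ACTIONS = {
    "NXDOMAIN": ".",               # CNAME .             -> name does not exist
    "NODATA": "*.",                # CNAME *.            -> name exists, no records
    "DROP": "rpz-drop.",           # CNAME rpz-drop.     -> no response sent
    "PASS-THRU": "rpz-passthru.",  # CNAME rpz-passthru. -> answer normally, still logged
}


def trigger(ioc: str) -> str:
    """Owner name for an IOC.

    A domain is a QNAME trigger as written. An IPv4 address or CIDR becomes a
    response-IP trigger: prefix length, then the octets reversed, then rpz-ip
    (for example 192.0.2.0/24 -> 24.0.2.0.192.rpz-ip).
    """
    try:
        net = ipaddress.ip_network(ioc, strict=False)
    except ValueError:
        return ioc.rstrip(".")          # not an address: treat as a domain name
    if net.version != 4:
        raise ValueError("IPv6 rpz-ip encoding is not covered by this example")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-ip"


def rpz_record(ioc: str, action: str, garden: Optional[str] = None) -> str:
    """One RPZ record for an IOC and an action from the page's list."""
    action = action.upper()
    if action in ("GARDEN", "CUSTOM"):
        # GARDEN and a custom behaviour are local data: a CNAME to a host you run.
        if not garden:
            raise ValueError(f"{action} needs a CNAME target hostname")
        rdata = garden if garden.endswith(".") else garden + "."
    elif action in _FIXED_ACTIONS:
        rdata = _FIXED_ACTIONS[action]
    else:
        raise ValueError(f"unsupported action: {action}")
    return f"{trigger(ioc)} CNAME {rdata}"


def render_zone(entries: Iterable[Tuple[str, str]], garden: Optional[str] = None) -> str:
    """Render (ioc, action) pairs as zone-file lines, one record per line."""
    return "\n".join(rpz_record(ioc, act, garden) for ioc, act in entries)


if __name__ == "__main__":
    # constructed sample policy content
    sample = [
        ("c2.evil.example", "NXDOMAIN"),
        ("tracker.evil.example", "NODATA"),
        ("sinkhole-me.example", "DROP"),
        ("phish.example", "GARDEN"),
        ("partner.example", "Pass-Thru"),
        ("192.0.2.0/24", "NXDOMAIN"),
        ("198.51.100.7", "DROP"),
    ]
    print(render_zone(sample, garden="garden.corp.example"))
```

A practical check when choosing actions: NXDOMAIN and NODATA give the client a definitive negative answer, so applications fail fast; DROP leaves the client waiting and may make it fall back to another resolver, which is why it is the least predictable choice for managed endpoints; PASS-THRU is the whitelisting action and the record must sort ahead of any broader trigger that would otherwise match the same name.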
Migrating
The redesigned Policy Editor will soon replace the existing one; it includes every feature of the existing Policy Editor along with several enhancements. The two most noticeable changes are the new user interface, and the replacement of the targets in your policy by bundles comparable to the standard or expert targets in your existing policy.
In the meantime, you can migrate to the new editor to take advantage of the new features. You can migrate your own configuration, or contact ThreatSTOP Support and we will assist you with the process.
The migration wizard will create a new policy that replaces your selected targets with the new bundles, but the effective list of threats and IOCs being blocked will remain consistent with your previous policy. Migration is an automated process, and little to no change will be made to the actual filtering performed on your device following the migration.
- For custom policies:
- The name of the policy will remain unchanged.
- No change to the device configuration is required.
- For predefined policies:
- The migration will create a copy. You will be prompted for a new policy name, which must then be reflected in the configuration on the device.
- Until their configuration is updated, devices will continue to retrieve the existing predefined policy without interruption.
- Devices using the Web Automation feature will update their configuration automatically.
- If you prefer to wait until the automated migration takes place, the content of the predefined policy will be replaced with the new format at that time. In this case, no change to the device configuration is required.