Targets are the atomic building blocks of ThreatSTOP policies. They contain either domain names or IP addresses (IOCs) grouped based on the Threat they track. Similar targets may be combined into Target Bundles for use in policies (see below). In addition to their IOC contents, targets have a set of attributes, described below.
To view the list of targets, log in to the Admin Portal and click on the Target List menu entry. The page will display a list of targets including the IOC Type, Target Type, Severity score and description. You can also restrict the search to targets included in predefined or custom policies.
A target contains either IP addresses/subnets or domain names (with DNS server identifiers). A target holds only one of the two kinds, never a combination of IPs and domains.
Targets are associated with a type of Threat, such as a specific botnet or ransomware variant.
| Target Type | Description |
|---|---|
| Geo | Geo targets are lists of IPs or TLDs that are specific to a certain country or geography. This can be used, for instance, if an organization wanted to block all Russian IP addresses from communicating with its network. |
| Services | These are whitelist targets for critical internet infrastructure. Blocking indicators of this type, such as major Content Delivery Networks, would cause highly disruptive outages. |
| Whitelists | This type is used for whitelists that don't fit into any other category but should never be blocked in any organization. |
| Anon Proxies | This type is used for services that anonymize internet traffic, such as TOR or open proxies. It can be used to prevent employees in an organization from using such services or to block such services from communicating with your network. |
| Scams | This type is used for indicators related to scams of various sorts that are unrelated to direct cybercrime. For instance, romance scams, pill scams, and charity fraud fit into this target type. |
| Policy Violations | This type refers to indicators related to various forms of internet acceptable use policy. Pornography and gambling sites fall under this type. |
| Spam | This type refers to remote systems that are sending unsolicited commercial e-mail or engaging in other forms of broad-based messaging abuse. |
| Scanners | This type refers to systems that are performing reconnaissance for vulnerable systems on the internet. |
| Inbound Attacks | This type refers to infrastructure that is being used to compromise services, such as systems engaging in brute force attacks, web attacks, or automated attempts to compromise network services. |
| DDOS | This type refers to indicators used in distributed denial of service attacks, either as drones or as the command and control infrastructure a botnet uses to control drones. |
| Cryptomining | This type refers to infrastructure used by attackers to mine cryptocurrency on victim machines, whether through web-based attacks that mine in the browser or through cryptocurrency mining generally. |
| Sinkholes | This target type refers to infrastructure used by security researchers to monitor abuse, typically domain names seized by benevolent actors. While traffic to sinkholes is not an active compromise, it usually indicates a victim machine is infected with malware and should be remediated. |
| General | This target type is a catch-all for threats not otherwise categorized or for threats to which multiple labels may apply. It is also used for anomalous indicators that our internal machine learning algorithms have identified as highly likely to be malicious without yet being able to assign a specific type of attack. |
| Phishing | This type refers to attacks that use social engineering and brand impersonation to get users to compromise themselves. Traffic to indicators of this type indicates that a victim has clicked a link or visited a phishing website; an investigation should be performed to determine whether sensitive data was compromised. |
| Exploit Kits | This type refers to malicious web pages designed to exploit vulnerabilities in the web browser or associated software in order to install malware on a victim machine. |
| Infection Sites | This type refers to crafted web pages, repositories, or other services used to store malware for installation on victim machines. |
| Malware | This type refers to indicators present in malware that are not represented by a more specific category (for instance, APT or ransomware). This can include banking trojans, RATs, and other commodity malware. |
| Botnet | This type refers to botnet controller infrastructure and the services that control large numbers of machines to accomplish the operators' objectives. Communication with these indicators shows that a machine in your organization is under complete adversarial control. |
| C2 | This type refers to command-and-control servers: infrastructure used by a criminal who has already breached an organization to control victim machines inside it. |
| Exfiltration | This type relates to infrastructure used by adversaries to get information out of an organization once it has been compromised. This could be DNS exfiltration, file drops, or other remote infrastructure used to receive stolen information after a breach. |
| APT | APT stands for advanced persistent threat; this type covers attacks related to espionage or other state-nexus cyberattacks. |
| Ransomware | This type relates to indicators used in ransomware attacks (both those that encrypt data for money and those that simply destroy data). Any communication with these indicators should be treated seriously and immediately, as data encryption or destruction may be imminent. |
Purpose of whitelisting targets
- Threat actors often use legitimate networks to host malicious content: Content Delivery Networks, Google Drive, AWS or Azure resources.
- If ThreatSTOP detects a threat hosted on an IP address belonging to such a hosting service, the address is added to the corresponding target, blocking connections and lookups that match it.
- If you use such providers for mission-critical communications, you can use the Whitelist targets to allow the traffic; the whitelist takes precedence over the block.
- For DNS targets, make sure to select an RPZ Behavior that will not block the DNS requests (e.g. Passthru).
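The precedence rule above, as an added example that is not ThreatSTOP's own code: a small policy evaluator that checks whitelist targets before block targets for both IP connections and DNS lookups. The target names, IOC values and policy composition are constructed for illustration.

```python
"""Added example (not ThreatSTOP's own code): a whitelist target takes precedence
over a block target when a policy is applied to a connection or a DNS lookup."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Target:
    name: str
    ioc_type: str          # "ip" or "dns": a target never holds both
    whitelist: bool        # whitelist targets allow instead of block
    iocs: frozenset        # subnets (ip) or domain names (dns)
    rpz_behavior: str = "NXDOMAIN"   # dns only; whitelists should use PASSTHRU

    def matches_ip(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(net) for net in self.iocs)

    def matches_domain(self, qname: str) -> bool:
        labels = qname.lower().rstrip(".").split(".")
        # a domain IOC also covers every name under it
        return any(".".join(labels[i:]) in self.iocs for i in range(len(labels)))

def evaluate_ip(policy, ip):
    """Whitelist pass first, then block pass, so an allow always wins."""
    for wl in (True, False):
        for t in policy:
            if t.ioc_type == "ip" and t.whitelist == wl and t.matches_ip(ip):
                return ("allow" if wl else "block", t.name)
    return ("allow", None)          # no target matched: not covered by the policy

def evaluate_dns(policy, qname):
    """Same precedence for RPZ: the whitelist's PASSTHRU beats a blocking action."""
    for wl in (True, False):
        for t in policy:
            if t.ioc_type == "dns" and t.whitelist == wl and t.matches_domain(qname):
                return (t.rpz_behavior, t.name)
    return ("PASSTHRU", None)

# constructed policy: a CDN range that is whitelisted while one of its IPs hosts malware
POLICY = [
    Target("Malware_Hosting", "ip", False, frozenset({"198.51.100.23/32"})),
    Target("Inbound_Scanners", "ip", False, frozenset({"203.0.113.0/24"})),
    Target("CDN_Whitelist", "ip", True, frozenset({"198.51.100.0/24"})),
    Target("Malware_Domains", "dns", False, frozenset({"bad.example"})),
    Target("Service_Whitelist", "dns", True, frozenset({"cdn.example"}), "PASSTHRU"),
]
```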
Each target carries a Severity score describing its threat level:
- Severity 0 – No/Unknown Threat Level – Threat does not pose a significant risk of harm to your network. Typically used for whitelisting.
- Severity 1 – Low Threat Level - Threat poses a low risk of harm to your network.
- Severity 2 – Low/Medium Threat Level - Threat poses a low-to-moderate risk of harm to your network.
- Severity 3 – Medium Threat Level - Threat poses a moderate risk of harm to your network.
- Severity 4 – Medium/High Threat Level - Threat poses a medium-to-high risk of harm to your network.
- Severity 5 – Highest Threat Level - Threat poses a very high risk of harm to your network.
The confidence level indicates how confident ThreatSTOP is in the classification of the IP address or Domain name as the Threat Type associated with the target. The level is on a scale of 1 (low confidence) to 5 (very high).
The Risk level is the likelihood that traffic to or from the IP addresses in the target (or lookups resolving its domains/IPs) is malicious. For example, a connection to a CDN that is currently hosting malware has a low risk of being related to a request for the malware download.
The Traffic Type is the type of network traffic associated with the IOCs:
- Inbound - IP traffic originated by the malicious IP address (e.g. a vulnerability scanner).
- Outbound - traffic originated by an infected machine in your network (IP connection or DNS lookup).
- Traffic associated with specific applications or devices, such as VoIP or point-of-sale systems.
The industry setting identifies the targeted industry for an attack campaign or industry-specific IOCs (e.g. financial institutions).
ThreatSTOP also applies named tags to targets, for example:
- To identify targets that are recommended in every policy (Core Protection).
- To add details to threat types or traffic types.
Target Bundles are groups of targets that have been bundled together by ThreatSTOP’s Security Team. Target Bundles are defined based on the attributes of the targets they contain.
When a target bundle is present in a policy, targets are added to and removed from it dynamically as the threat landscape changes. For example, if your policy contains the Ransomware bundle, new Ransomware targets created by the ThreatSTOP Security Team are automatically added to the bundle, and therefore automatically added to the policy on your device.
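The dynamic membership described above, as an added example that is not ThreatSTOP's own code: a bundle is modelled as an attribute filter over the current target catalog rather than a fixed list, so a policy that contains the bundle expands to newly published targets without being edited. The target names, scores and the bundle's selection rule (one threat type plus a confidence floor) are constructed assumptions.

```python
"""Added example (not ThreatSTOP's own code): a Target Bundle as an attribute
filter, so policies pick up newly published targets automatically."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Target:
    name: str
    threat_type: str       # e.g. "Ransomware", "C2", "Anon Proxies"
    severity: int          # 0 (no/unknown, whitelists) .. 5 (highest)
    confidence: int        # 1 (low) .. 5 (very high)
    traffic_type: str      # "Inbound" or "Outbound"
    tags: frozenset = frozenset()

@dataclass(frozen=True)
class Bundle:
    """Assumed rule: all targets of one threat type at or above a confidence
    floor. The real selection criteria are not published on this page."""
    name: str
    threat_type: str
    min_confidence: int = 1

    def members(self, catalog):
        return {t for t in catalog
                if t.threat_type == self.threat_type
                and t.confidence >= self.min_confidence}

def effective_targets(policy_items, catalog):
    """Expand bundles against the current catalog; plain targets pass through."""
    result = set()
    for item in policy_items:
        result |= item.members(catalog) if isinstance(item, Bundle) else {item}
    return result

def names(targets):
    return sorted(t.name for t in targets)

# constructed catalog as published by the security team today
TOR = Target("tor_exit_nodes", "Anon Proxies", 2, 5, "Outbound")
CATALOG = frozenset({
    Target("ransomware_a_c2", "Ransomware", 5, 5, "Outbound", frozenset({"Core Protection"})),
    Target("ransomware_b_payment", "Ransomware", 5, 3, "Outbound"),
    Target("ransomware_c_suspect", "Ransomware", 4, 2, "Outbound"),  # below the floor
    TOR,
})
RANSOMWARE = Bundle("Ransomware", "Ransomware", min_confidence=3)
POLICY = [RANSOMWARE, TOR]   # a bundle plus one individually selected target
```

Re-evaluating `effective_targets(POLICY, catalog)` after a new Ransomware target is published returns the new target without any change to `POLICY`.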