Watch Lists
When creating a new security policy, the MikroCloud Security Essentials page offers these options to choose from.
RFC1918
RFC 1918, titled "Address Allocation for Private Internets The three IP address ranges defined in RFC 1918 are as follows:
- 10.0.0.0 to 10.255.255.255 (a single Class A network)
- 172.16.0.0 to 172.31.255.255 (16 contiguous Class B networks)
- 192.168.0.0 to 192.168.255.255 (256 contiguous Class C networks)
Organizations can use IP addresses from these ranges to create private networks without the risk of IP address conflicts with the public internet. This is especially useful for setting up local area networks (LANs) in homes, businesses, or data centers. By using these reserved IP address ranges, organizations can ensure that their internal network addresses are unique within their network while still being able to communicate with devices on the public internet through Network Address Translation (NAT) or other mechanisms provided by network devices like routers and firewalls. This helps conserve the limited pool of globally routable IP addresses.
FullBogons by Team Cymru
FullBogons is a term used to refer to a set of Bogon prefixes or IP address ranges that should not appear in the global BGP (Border Gateway Protocol) routing tables. Team Cymru, a company specializing in internet security and threat intelligence, maintains and publishes a list of these Bogon prefixes through their FullBogons project. Bogon prefixes are IP address ranges that should not be used on the public internet because they are not allocated or reserved for global routing. These prefixes might include IP addresses that are invalid, reserved for private networks, or otherwise should not be seen on the public internet. The FullBogons list provided by Team Cymru is a valuable resource for network administrators and security professionals to filter out these invalid or reserved IP address ranges from their BGP routing tables. By filtering out Bogon prefixes, network operators can enhance the security and stability of their networks, as it helps prevent routing anomalies, prefix hijacking, and other potential issues. Network administrators can download and update the FullBogons list provided by Team Cymru and use it in their network equipment to filter out these invalid or undesirable IP address ranges from their BGP routing updates, reducing the risk of routing and security problems.
FireHOL Level1
FireHOL is a firewall management tool for Linux systems that simplifies the process of configuring and maintaining iptables or nftables firewall rules. FireHOL comes with predefined sets of rules known as "FireHOL Levels" that are designed to make it easy for users to set up different levels of firewall protection. "FireHOL Level 1" is the most basic and permissive level of firewall protection provided by FireHOL. It is suitable for situations where you want to maintain a basic level of network connectivity while ensuring some level of security. FireHOL Level 1 allows essential network services to function while protecting against many common threats. When you apply FireHOL Level 1 rules, it typically opens up common services like SSH, DNS, and HTTP to allow incoming connections while still blocking potentially harmful traffic. The specific rules and policies included in FireHOL Level 1 may evolve over time to adapt to emerging threats and vulnerabilities, but the general idea is to provide a basic level of protection without causing significant disruption to network functionality. Keep in mind that FireHOL provides multiple levels of protection, and the higher the level, the more restrictive the firewall rules become to provide stronger security. It's essential to assess your network's specific requirements and the level of security you need when choosing a FireHOL level. FireHOL offers Level 2, Level 3, and Level 4 configurations that progressively increase the level of protection by tightening the firewall rules to various degrees.
Emerging Block IP’s by Emerging Threats
Emerging Threats is an organization that provides a collection of threat intelligence feeds and cybersecurity resources to help organizations protect their networks and systems from various security threats. One of the services they offer is the "Emerging Threats Snort rules," which includes sets of rules for intrusion detection systems, such as Snort and Suricata, to identify and block known malicious IP addresses and other network-based threats. The "Emerging Threats Snort rules" are regularly updated with information about emerging threats, malware, and malicious IP addresses. These rules can be used in intrusion detection and prevention systems to enhance network security. By subscribing to their rules, network administrators can stay informed about the latest threats and take proactive measures to protect their networks. It's important to note that the specific rules and IP addresses that are blocked by Emerging Threats may change frequently as new threats emerge and are identified. Therefore, administrators need to regularly update and apply these rules to maintain effective network security. To use Emerging Threats Snort rules, you typically need to install and configure an intrusion detection or prevention system (e.g., Snort or Suricata) and then integrate the rules provided by Emerging Threats into your setup. This allows your network to detect and block traffic originating from or directed toward known malicious IP addresses or patterns of network behavior.
Compromised IP’s by Emerging Threats
Emerging Threats, now part of Proofpoint, is an organization that provides threat intelligence feeds and cybersecurity resources to help organizations identify and defend against various security threats. One of the services they offer is threat intelligence feeds that include information about compromised IP addresses. These feeds are designed to help organizations identify and block traffic from IP addresses that are known to be associated with malicious activities or have been compromised by threat actors. The list of compromised IP addresses provided by Emerging Threats is typically based on a combination of data sources, including threat intelligence, malware analysis, network traffic analysis, and other security research methods. The information in these feeds is continuously updated to stay current with the evolving threat landscape. By subscribing to Emerging Threats' threat intelligence feeds, organizations can incorporate this data into their security infrastructure, such as firewall rules, intrusion detection and prevention systems, and security information and event management (SIEM) platforms. This allows network administrators to proactively block or monitor traffic originating from or directed to compromised IP addresses, helping to improve network security and reduce the risk of cyberattacks and data breaches. The specific IP addresses listed as compromised may change frequently as new threat intelligence is gathered and threats evolve, so regular updates and timely response to these threats are essential for maintaining network security. Organizations can leverage threat intelligence feeds like those provided by Emerging Threats as a valuable component of their overall cybersecurity strategy.
Fedo Tracker
Feodo Tracker is a tool or service that provides real-time information and tracking of Feodo, also known as Cridex, a notorious banking Trojan and botnet. Feodo is designed to steal sensitive financial and personal information from infected systems and is often used by cybercriminals for financial fraud and other malicious activities. Feodo Tracker is typically maintained by cybersecurity researchers or organizations dedicated to monitoring and mitigating threats like Feodo. It compiles and publishes information about Feodo-related infrastructure, such as command and control servers, compromised IP addresses, and domains associated with the botnet. This information is continuously updated as new threats emerge and existing ones evolve.
The purpose of Feodo Tracker is to provide cybersecurity professionals and network administrators with real-time threat intelligence about Feodo-related activities. This information can be used to enhance security measures, detect and block malicious traffic associated with Feodo, and investigate potential compromises within an organization's network. By using a Feodo Tracker service, security professionals can stay informed about the latest threats and take proactive measures to protect their networks and systems against Feodo infections and other similar banking Trojans. Additionally, this information can be used to coordinate efforts to mitigate the impact of Feodo on a larger scale, such as notifying internet service providers and law enforcement agencies.
CINS Score by Sentinel IPS
CINS, which stands for Cyber Intelligence Notification System, is a threat intelligence and scoring system developed by Sentinel IPS, a cybersecurity company specializing in intrusion detection and prevention solutions. The CINS score is used to help organizations assess the threat level of IP addresses and domains by assigning a numerical score to them based on their observed malicious activity or association with cyber threats. The CINS score is designed to assist organizations in making informed decisions regarding network security. It provides a real-time assessment of the risk associated with specific IP addresses or domains. IP addresses and domains with higher CINS scores are considered to be associated with more malicious or suspicious activity, while those with lower scores are deemed less risky.
By monitoring the CINS scores of IP addresses and domains, network administrators can proactively block or restrict access to potentially harmful sources, reducing the risk of cyberattacks and data breaches. The CINS score system takes into account various factors, including known indicators of compromise (IoCs), malware distribution, command and control (C2) servers, and other threat intelligence sources to generate its scores. CINS scores are often integrated into intrusion detection and prevention systems (IDPS) provided by Sentinel IPS, allowing network administrators to automate the response to threats with certain CINS scores. This helps organizations enhance their cybersecurity posture by swiftly identifying and mitigating potential threats. It's important to note that the CINS score is just one of many threat intelligence and scoring systems used in the cybersecurity field, and organizations often combine multiple sources of threat intelligence to make more informed security decisions.
DOH and DOT
DOH (DNS over HTTPS) and DOT (DNS over TLS) are two encryption protocols designed to enhance the privacy and security of DNS (Domain Name System) queries by encrypting the communication between DNS clients and DNS servers. DNS is a critical component of internet communication responsible for translating human-readable domain names (e.g., www.example.com) into IP addresses.
- DOH (DNS over HTTPS):
- Protocol: DOH encrypts DNS queries using the HTTPS protocol, which is the same protocol used to secure web traffic. This means that DNS queries are encapsulated within HTTPS requests.
- Port: DOH typically uses port 443, the default port for HTTPS.
- Benefits: DOH offers strong encryption, which can protect DNS queries from eavesdropping, censorship, and tampering. It is often used to enhance privacy, especially on public Wi-Fi networks or in regions with restrictive internet policies.
- Drawbacks: While DOH enhances privacy, it may also make it more challenging for network administrators to monitor and manage DNS traffic, potentially causing operational challenges for some organizations.
- DOT (DNS over TLS):
- Protocol: DOT secures DNS communication by using the Transport Layer Security (TLS) protocol, which is the same protocol used for securing web traffic, email, and other internet services.
- Port: DOT typically uses port 853 for DNS queries over TLS.
- Benefits: DOT provides encryption and data integrity for DNS queries, making them resistant to eavesdropping and tampering. It is suitable for organizations and individuals who want the security of encrypted DNS without the operational challenges of DOH.
- Drawbacks: Implementing DOT might require more configuration and management compared to DOH. It does not use the familiar HTTPS protocol.
Both DOH and DOT are designed to address privacy and security concerns related to DNS. The choice between them depends on factors such as the specific use case, network configuration, and the desired level of privacy and operational control. Many DNS resolver services, as well as modern web browsers, support both DOH and DOT, allowing users to select the one that best fits their needs.
The Onion Router
The Onion Router, commonly known as TOR, is a privacy-focused technology and network that allows users to browse the internet with a high degree of anonymity. It achieves this anonymity through a system of layered encryption and routing, which makes it extremely challenging to trace internet traffic back to its source. TOR is often used by individuals and organizations seeking to protect their online privacy and anonymity.
Here's how TOR works:
- Onion Routing: TOR routes internet traffic through a series of volunteer-operated servers known as "nodes." Each node in the chain only knows the immediately preceding and following nodes in the path. This layered approach is where the name "Onion Router" comes from. The actual data traffic is encrypted in layers, like the layers of an onion, making it difficult for any one node to trace the traffic's source and destination.
- Entry Node: The user's connection to the TOR network begins at an entry node. This is the first node in the chain that the user's data packet encounters.
- Middle Node: After the entry node, the data is then sent through a series of middle nodes, which further obfuscate the origin of the traffic.
- Exit Node: Finally, the data exits the TOR network through an exit node and is then sent to its destination on the regular internet. The website or service being accessed can't easily determine the original source of the request.
- Encryption: The data transmitted through the TOR network is encrypted at each step, and each node in the chain only knows the previous and next nodes, not the source or final destination of the traffic. Key points about TOR:
- Anonymity: TOR is primarily used to protect the identity and privacy of users by masking their IP addresses and routing their traffic through a network of nodes.
- Censorship Resistance: It can be used to bypass internet censorship and access websites or services that might be blocked in certain countries.
- Legal and Ethical Considerations: While TOR can be a valuable tool for privacy and security, it is sometimes associated with illegal activities due to the anonymity it provides. It's important to use TOR responsibly and in compliance with the laws and regulations of your jurisdiction.
- Browser: The Tor Project also maintains the Tor Browser, which is a modified version of the Mozilla Firefox browser designed to work seamlessly with the TOR network.
- Volunteer-Operated: The TOR network relies on volunteers who run nodes to maintain the network's infrastructure.
It's essential to understand that while TOR provides strong anonymity, it does not guarantee absolute security, and its effectiveness depends on the user's behavior and the specific use case. Users should be cautious and aware of the potential limitations and risks associated with using the TOR network.
AlienVault Reputation IP Address Block List
AlienVault, now part of AT&T Cybersecurity, offers a threat intelligence service known as the AlienVault Reputation IP Address Block List. This service provides a list of IP addresses and domains that have been associated with malicious or suspicious activities on the internet. These indicators are compiled from a variety of sources, including security researchers, threat intelligence feeds, and the AlienVault Open Threat Exchange (OTX) community.
Key points about the AlienVault Reputation IP Address Block List:
- Malicious IP Addresses: The list primarily focuses on identifying and blocking IP addresses that are known to be involved in cyberattacks, spamming, malware distribution, phishing, and other malicious activities. Network administrators can use this list to enhance their security measures.
- OTX Integration: The AlienVault Reputation IP Address Block List is closely integrated with the AlienVault OTX, a crowd-sourced threat intelligence platform. This integration allows security professionals to access and contribute to a vast repository of threat data and indicators.
- Real-time Updates: The list is continuously updated with new threat indicators and is designed to provide real-time information about malicious IP addresses and domains. Keeping the list up to date is essential for effective threat detection and prevention.
- Integration with Security Solutions: Organizations can integrate the AlienVault Reputation IP Address Block List into their security infrastructure, such as firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS), to automatically block traffic from known malicious sources.
- Community Collaboration: The OTX community encourages security professionals and organizations to share threat intelligence and contribute to the collective understanding of cybersecurity threats. This collaboration helps in collectively identifying and mitigating threats.
- Open Source and Commercial Solutions: AlienVault offers both open-source and commercial security solutions, including the AlienVault USM (Unified Security Management) platform, which includes features for threat detection, threat intelligence, and security monitoring.
Using the AlienVault Reputation IP Address Block List can help organizations proactively protect their networks and systems against known threats, as well as identify potential compromises and suspicious activity. It's part of a broader strategy to enhance network security and respond to evolving cybersecurity threats.