Hi
I'm interested in gauging the community's thoughts on the effectiveness of blacklisting IP addresses.
I see high levels of failed login attempts to our Microsoft 365 environments and could spend my life blacklisting these IP addresses which are probably all part of a botnet and I therefore could be fighting a losing battle. We have other layers of controls in place but would like to address the issue at source.
There are several choices available to me:
> Carry on blacklisting through Microsoft's security tools - does this get picked up and acted upon by Microsoft or does it just benefit our environment?
> Notify the ISP of the sending IP address through their abuse notification email address if they have one.
> Share the offending IP addresses with a threat exchange such as AlienVault OTX
> Spamhaus or similar.
A similar question applies to the volume of malicious emails that we receive, mostly blocked but sometimes getting through the net. Again, I could spend my life blacklisting senders.
I'd be happy to hear your thoughts on the most effective measures to deal with these malicious computers, bearing in mind that the owners may not know they are involved.
Thanks
Richard
@RichT wrote: Hi
I'm interested in gauging the community's thoughts on the effectiveness of blacklisting IP addresses.
...
1. See 'Deny is the New Black'.
2. See 'IP addresses and Privacy up for debate again'.
Both threads are peripheral to your question, but nice to have current aspects of the discussion in front of us.
Craig
Another thing to take into consideration is if an attacker is using a compromised IP address then you could end up blacklisting a legitimate IP address under normal conditions. We used to blacklist if we had a compromised account as part of our remediation activities because we knew that the attacker, who had been successful once, would most likely try again. We had numerous attempts and we knew if we spent time trying to blacklist them all then we would be really busy spending a lot of time managing blacklists. Plus in some applications we were limited to the number of blacklisted IP addresses we could apply.
I have had mixed experiences using RBLs or maintaining one. In conventional environments, I frequently rely on Check Point's Suspicious Activity Rules, which are created dynamically to block originating IPs for a predefined period of time after x failed logon attempts, network scans or port scans.
This not only deals with botnet-infested sources, but also limits the ability of Shodan and similar services to spill data about your network.
In the case of Office 365, I think you can achieve something similar using Netskope or another CASB vendor's proxy solution. In the case of your other Azure-based properties, you can still use Check Point or another vendor's solution with similar capabilities.
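The dynamic, time-limited blocking described above (block a source for a set period after x failed logons) can be prototyped against sign-in logs. This is an added example, not code from the thread or from any vendor; the log lines are constructed, and the threshold, window, block duration and allowlist address are assumed values. The allowlist addresses the earlier point about accidentally blocking a legitimate address such as your own office egress IP.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed sign-in events: (ISO timestamp, source IP, username).
# In practice these would be pulled from the Microsoft 365 sign-in logs or a firewall log.
SAMPLE_FAILURES = [
    ("2024-01-10T09:00:00", "203.0.113.5", "alice"),
    ("2024-01-10T09:00:05", "203.0.113.5", "bob"),
    ("2024-01-10T09:00:10", "203.0.113.5", "carol"),
    ("2024-01-10T09:00:15", "203.0.113.5", "dave"),
    ("2024-01-10T09:00:20", "203.0.113.5", "erin"),
    ("2024-01-10T09:01:00", "198.51.100.7", "alice"),
    ("2024-01-10T09:01:30", "198.51.100.7", "alice"),
    ("2024-01-10T09:30:00", "192.0.2.9", "bob"),
]

THRESHOLD = 5                    # failures inside WINDOW that trigger a block (assumed)
WINDOW = timedelta(minutes=10)   # sliding window for counting failures (assumed)
BLOCK_FOR = timedelta(hours=1)   # temporary block, so churned botnet IPs do not pile up forever
# Addresses never auto-blocked, e.g. the office egress IP (hypothetical value).
ALLOWLIST = {"192.0.2.9"}


def build_temp_blocklist(events, now_iso):
    """Return {ip: expiry ISO string} for sources with >= THRESHOLD failures
    inside WINDOW. Blocks already expired at `now_iso` are dropped, which is
    what makes the list self-cleaning rather than a permanent blacklist."""
    now = datetime.fromisoformat(now_iso)
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    blocks = {}
    for ts, ip, _user in sorted(events):
        if ip in ALLOWLIST:
            continue
        t = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > WINDOW:  # slide the window forward
            q.popleft()
        if len(q) >= THRESHOLD and ip not in blocks:
            blocks[ip] = t + BLOCK_FOR
    return {ip: exp.isoformat() for ip, exp in blocks.items() if exp > now}


if __name__ == "__main__":
    for ip, expiry in build_temp_blocklist(SAMPLE_FAILURES, "2024-01-10T10:00:00").items():
        print(f"block {ip} until {expiry}")
```

The same logic can be fed the firewall's or the CASB's own block API instead of printing, and the expiry keeps the list short enough to stay within the address limits some products impose.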