Security Intelligence Blacklisting

The following topics provide an overview of Security Intelligence, including use for blacklisting and whitelisting traffic and basic configuration.

About Security Intelligence

As an early line of defense against malicious internet content, Security Intelligence uses reputation intelligence to quickly block connections to or from IP addresses, URLs, and domain names. This is called Security Intelligence blacklisting.

Security Intelligence is the first phase of access control, before the system performs more resource-intensive evaluation. Blacklisting improves performance by quickly excluding traffic that does not require inspection.

Note

You cannot blacklist fastpathed traffic. 8000 Series fastpathing occurs before Security Intelligence filtering. Fastpathed traffic bypasses all further evaluation, including Security Intelligence.

Although you can configure custom blacklists, Cisco provides access to regularly updated intelligence feeds. Sites representing security threats such as malware, spam, botnets, and phishing appear and disappear faster than you can update and deploy custom configurations.

You can refine Security Intelligence blacklisting with whitelists and monitor-only blacklists. These mechanisms exempt traffic from being blacklisted, but do not automatically trust or fastpath matching traffic. Traffic whitelisted or monitored at the Security Intelligence stage is intentionally subject to further analysis with the rest of access control.

Best Practices for Security Intelligence

Configure all of the following locations to take action on all of the system-provided Security Intelligence categories:
- For IP addresses:
  
  Configure this in: Access control policy, Security Intelligence tab, Networks sub-tab
  
  For more information, see Configure Security Intelligence.
- For URLs:
  
  Configure this in: Access control policy, Security Intelligence tab, URLs sub-tab
  
  For more information, see Configure Security Intelligence.
- For domains:
  
  Configure this in: DNS policy, DNS tab in DNS rule
  
  For more information, see DNS Policies.
System-provided Security Intelligence categories may change without notice.

You should occasionally check for changes and modify all of the above rules and policies accordingly.
Optionally, supplement system-provided Security Intelligence and fine-tune other intelligence, as described in Security Intelligence Sources.

Security Intelligence Sources

Cisco-provided feeds—Cisco provides access to regularly updated intelligence feeds. Sites representing security threats such as malware, spam, botnets, and phishing appear and disappear faster than you can update and deploy custom configurations.
Third-party feeds—Supplement Cisco-provided feeds with third-party reputation feeds, which are dynamic lists that the Firepower Management Center downloads from the internet on a regular basis.
Global and custom blacklists—Blacklist specific IP addresses, URLs, or domain names. To improve performance, you may want to target enforcement, for example, restricting spam blacklisting to a security zone that handles email traffic.
Whitelists to eliminate false positives—When a blacklist is too broad in scope, or preemptively blocks traffic that you want to further analyze with the rest of access control, you can override a blacklist with a custom whitelist. See whitelisting examples in Custom Security Intelligence Sources.

Custom Security Intelligence Sources

If you want to whitelist, blacklist, or monitor specific IP addresses, URLs, or domain names, you must configure custom objects, lists, or feeds. You have the following options:

To configure network, URL, or DNS feeds, see Creating Security Intelligence Feeds.
To configure network, URL, or DNS lists, see Updating Security Intelligence Lists.
To configure network objects and object groups, see Creating Network Objects.
To configure URL objects and object groups, see Creating URL Objects.

Blacklisting, whitelisting, or monitoring traffic based on a DNS list or feed also requires that you:

Create a DNS policy. See Creating Basic DNS Policies for more information.
Configure DNS rules that reference your DNS lists or feeds. See Creating and Editing DNS Rules for more information.

Because you deploy the DNS policy as part of your access control policy, you must associate both policies. See DNS Policy Deploy for more information.

Whitelisting: Examples

Example: Whitelisting

If a reputable feed improperly blocks your access to vital resources but is overall useful to your organization, you can whitelist only the improperly classified IP addresses, rather than removing the whole feed from the blacklist.

Example: Security Intelligence by Zone

You can whitelist an improperly classified URL, but then restrict the whitelist object using a security zone used by those in your organization who need to access those URLs. That way, only those with a business need can access the whitelisted URLs. Or, you could use a third-party spam feed to blacklist traffic on an email server security zone.

Security Intelligence Monitoring

Monitoring instead of blacklisting based on Security Intelligence is especially useful in passive deployments and for testing feeds before you implement them; you can merely monitor and log the violating sessions instead of blocking them, generating end-of-connection events.

Note

In passive deployments, to optimize performance, we recommend that you use monitor-only settings. Managed devices that are deployed passively cannot affect traffic flow; there is no advantage to configuring the system to block traffic. Additionally, because blocked connections are not actually blocked in passive deployments, the system may report multiple beginning-of-connection events for each blocked connection.

Example: Monitor-Only Blacklisting

Consider a scenario where you want to test a third-party feed before you implement blocking using that feed. When you set the feed to monitor-only, the system allows connections that would have been blocked to be further analyzed by the system, but also logs a record of each of those connections for your evaluation.

Configure Security Intelligence


Smart License	Classic License	Supported Devices	Supported Domains	Access
Threat	Protection	Any	Any	Admin/Access Admin/Network Admin

Each access control policy has Security Intelligence options. You can whitelist or blacklist network objects, URL objects and lists, and Security Intelligence feeds and lists, all of which you can constrain by security zone. You can also associate a DNS policy with your access control policy, and whitelist or blacklist domain names.

The number of objects in the whitelists plus the number in the blacklists cannot exceed 255 network objects, or 32767 URL objects and lists.

Note

The system builds a separate network map for each leaf domain. In a multidomain deployment, using literal IP addresses to constrain this configuration can have unexpected results. Using override-enabled objects allows descendant domain administrators to tailor Global configurations to their local environments.

Caution

From Security Intelligence in an access control policy, adding multiple objects to a whitelist or blacklist, or deleting multiple objects, sometimes restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information. Note that whether the Snort process restarts can vary by device, depending on the memory available for inspection.

Before you begin

To ensure that all options are available to select, add at least one managed device to your management center.
In passive deployments, or if you want to set Security Intelligence filtering to monitor-only, enable logging; see Logging Connections with Security Intelligence.
Configure a DNS policy to take Security Intelligence action for domains. For more information, see DNS Policies.

Procedure

Step 1	In the access control policy editor, click Security Intelligence. If the controls are dimmed, settings are inherited from an ancestor policy, or you do not have permission to modify the configuration. If the configuration is unlocked, uncheck Inherit from base policy to enable editing.
Step 2	You have the following options: Click Networks to add network objects (IP addresses). Click URLs to add URL objects.
Step 3	Find the Available Objects you want to add to the whitelist or blacklist. You have the following options: Search the available objects by typing in the Search by name or value field. Clear the search string by clicking reload () or clear (). If no existing list or feed meets your needs, click add (), select New Network List or New URL List, and proceed as described in Creating Security Intelligence Feeds or Uploading New Security Intelligence Lists to the Firepower Management Center. If no existing object meets your needs, click add (), select New Network Object or New URL Object, and proceed as described in Creating Network Objects. Security Intelligence ignores IP address blocks using a `/0` netmask.
Step 4	Choose one or more Available Objects to add.
Step 5	(Optional) Choose an Available Zone to constrain the selected objects by zone. You cannot constrain system-provided Security Intelligence lists by zone.
Step 6	Click Add to Whitelist or Add to Blacklist, or click and drag the selected objects to either list. To remove an object from a whitelist or blacklist, click delete icon () To remove multiple objects, choose the objects and right-click to Delete Selected.
Step 7	(Optional) Set blacklisted objects to monitor-only by right-clicking the object under Blacklist, then choosing Monitor-only (do not block). You cannot set system-provided Security Intelligence lists to monitor only.
Step 8	Choose a DNS policy from the DNS Policy drop-down list; see DNS Policy Overview.
Step 9	Click Save.

What to do next

Deploy configuration changes; see Deploy Configuration Changes.

Security Intelligence Options

Use the Security Intelligence tab in the access control policy editor to configure network (IP address) and URL Security Intelligence, and to associate the access control policy with a DNS policy in which you have configured Security Intelligence for domains.

Object, Zone, and Blacklist Icons

On the Security Intelligence tab of the access control policy editor, each type of object or zone is distinguished with a different icon.

In the blacklist, objects set to block are marked with the block icon () while monitor-only objects are marked with the monitor icon (). Monitor-only allows the system to handle connections involving blacklisted IP addresses and URLs using access control, but also logs the connection’s match to the blacklist.

Because the whitelist overrides the blacklist, if you add the same object to both lists, the system displays the blacklisted object with a strikethrough.

Zone Constraints

Except for the system-provded Global lists, you can constrain Security Intelligence filtering by zone. To enforce Security Intelligence filtering for an object on multiple zones, you must add the object to the whitelist or blacklist separately for each zone.

Logging

Security Intelligence logging, enabled by default, logs all blocked and monitored connections handled by an access control policy’s target devices. However, the system does not log whitelist matches; logging of whitelisted connections depends on their eventual disposition. You must enable logging for blacklisted connections before you can set blacklisted objects to monitor-only.

Security Intelligence Categories

These categories appear in the Networks sub-tab on the Security Intelligence tab of an access control policy. Parallel categories appear under the URLs tab beside the Networks tab, and in a DNS policy on the DNS tab in the DNS rule configuration page.

Categories are updated by Talos from the cloud, and this list may change independently of Firepower releases.

Table 1. Cisco Talos Intelligence Group (Talos) Feed Categories
Security Intelligence Category	Description
Attackers	Active scanners and blacklisted hosts known for outbound malicious activity
Banking_fraud	Sites that engage in fraudulent activities that relate to electronic banking
Bogon	Bogon networks and unallocated IP addresses
Bots	Sites that host binary malware droppers
CnC	Sites that host command-and-control servers for botnets
Cryptomining	Hosts providing remote access to pools and wallets for the purpose of mining cryptocurrency
Dga	Malware algorithms used to generate a large number of domain names acting as rendezvous points with their command-and-control servers
Exploitkit	Software kits designed to identify software vulnerabilities in clients
High_risk	Domains and hostnames that match against the OpenDNS predictive security algorithms from security graph
Ioc	Hosts that have been observed to engage in Indicators of Compromise (IOC)
Link_sharing	Websites that share copyrighted files without permission
Malicious	Sites exhibiting malicious behavior that do not necessarily fit into another, more granular, threat category
Malware	Sites that host malware binaries or exploit kits
Newly_seen	Domains that have recently been registered, or not yet seen via telemetry
Open_proxy	Open proxies that allow anonymous web browsing
Open_relay	Open mail relays that are known to be used for spam
Phishing	Sites that host phishing pages
Response	IP addresses and URLs that are actively participating in malicious or suspicious activity
Spam	Mail hosts that are known for sending spam
Spyware	Sites that are known to contain, serve, or support spyware and adware activities
Suspicious	Files that appear to be suspicious and have characteristics that resemble known malware
Tor_exit_node	Hosts known to offer exit node services for the Tor Anonymizer network

Troubleshooting Security Intelligence

Security Intelligence Categories Are Missing from the Available Options List

Symptoms: On the Security Intelligence tab of the access control policy, Security Intelligence categories (such as CnC or Exploitkit) are not displayed in the Networks tab under Available Options.

Cause: These options do not appear until you have added at least one managed device to your management center. You must add a device in order to pull all TALOS feeds.

Troubleshooting Memory Use

Symptoms: Connections that should be blacklisted by Security Intelligence are instead evaluated by access control rules. The Security Intelligence health module alerts that it is out of memory.

Cause: Memory limitations. Cisco Intelligence Feeds are based on the latest threat intelligence from Cisco Talos Intelligence Group (Talos). These feeds tend to get larger as time passes. When a Firepower device receives a feed update, it loads as many entries as it can into the memory it has allocated for Security Intelligence. When a device cannot load all the entries, it may not block traffic as expected. Some connections that should be blacklisted instead continue to be evaluated by access control rules.

Affected platforms: Lower-memory devices are most likely to have this issue, especially if you blacklist a lot of Security Intelligence categories or are also filtering URLs based on category and reputation. These devices include Firepower 7010, 7020, and 7030; ASA 5506-X, 5508-X, 5516-X, 5512-X, 5515-X, and 5525-X; NGIPSv.

Workaround: If you think this is happening, redeploy configurations to the affected devices. This can allocate more memory to Security Intelligence. If the issue persists, contact Cisco Technical Assistance Center (TAC), who can help you verify the issue and propose a solution appropriate to your deployment.

History for Security Intelligence Blacklisting


Feature	Version	Details
New Security Intelligence categories	All	Talos has added the following new Security Intelligence categories: banking_fraud ioc high_risk link_sharing malicious newly_seen spyware You should update your access control and DNS policies to address the new categories, and check periodically for future changes. New/modified pages: Security Intelligence tab, Networks and URLs sub-tabs; DNS rules in DNS policies Supported platforms: FMC

Firepower Management Center Configuration Guide, Version 6.0.1

Bias-Free Language

Book Title

Firepower Management Center Configuration Guide, Version 6.0.1

Chapter Title