Dynamic Blocklist (DBL) is a feature included with Samurai MDR. The list is a feed of high-fidelity indicators of compromise (IoCs); a supporting device that subscribes to it can block traffic to the identified threat actor infrastructure. Typical devices which can make use of DBL include Secure Web Gateways (SWG) and Next Generation Firewalls (NGFW).
The DBL contains IP addresses, domain names and Uniform Resource Locators (URLs) of servers hosting malware, exploits, botnet Command and Control (C&C) servers and other known malicious activity.
Feeds are updated hourly and as emerging threats are discovered. Devices which are subscribed to the DBL will receive updated IoCs at the next "push" or "pull" event, depending on the manufacturer.
Our high fidelity IoCs contained in the Dynamic Blocklist originate from sources including:
- NTT's proprietary Threat Intelligence data sources
- IoCs based on security incident investigations from all clients subscribed to NTT's threat detection services
- Threat Intelligence obtained via partner intelligence relationships
- Open Source Intelligence feeds which have been analyzed and vetted by NTT
- NTT analysis tools which detect malicious websites (especially phishing and fraud) and extract intelligence of phishing reports from social media.
During the MDR onboarding or during service, the client can choose to enable DBL.
If the client elects to enable DBL and has Supported Devices, the client must submit a DBL Onboarding Request via the Samurai Help Center and complete the relevant information required within the request. Once access has been enabled, the client will be notified via the ticket. The client may then proceed with configuration of their devices as per the relevant Configuration Guide.
NTT provides configuration guides to assist the Client in configuring Dynamic Blocklist on supported devices. The following device types are currently supported:
- McAfee WebGateway (Skyhigh Secure Web Gateway)
- Palo Alto Networks NGFW
- Zscaler Internet Access (ZIA) - Proxy
- Squid proxy
- Cisco Firepower
Depending on the capabilities of individual device types, DBL will be configured using one of two possible methods:
- "pull": In a "pull" configuration the device is set up to connect to NTT's servers and fetch the threat feed. The frequency of retrieval is dependent on the device configuration.
- "push": In a "push" configuration the device is set up to receive connections from NTT's servers in order to receive the threat feed. The frequency with which the threat feed is pushed to the client device is usually determined by the configuration of the client device.
If the client is interested in using DBL with a device that is currently not supported, this can be discussed with NTT during onboarding.
In addition to configuring the devices for DBL, the client will also need to ensure that Internet connectivity is in place:
- for devices using a "pull" configuration, outbound TCP connections from the device to the DBL server, typically on port 443, must be permitted.
- for devices using a "push" configuration, inbound TCP connections from the DBL servers to the client device must be permitted.
NTT will provide the client with the DBL server IP addresses and/or URLs and other relevant details via the 'DBL On-boarding request' ticket.
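As an added illustration (not NTT's code, and not the real DBL feed format, which this page does not describe), the following Python shows what a "pull" consumer can do with a fetched feed before loading it into an SWG or NGFW: sort entries into the three indicator types named above (IP addresses, domain names, URLs), de-duplicate them, and reject anything that would make the device block internal or malformed addresses. The feed text, its one-entry-per-line layout and every indicator value are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample feed: one indicator per line, '#' for comments.
# The layout is an assumption; the real DBL format is not described on the page.
SAMPLE_FEED = """\
# dynamic blocklist sample (constructed)
203.0.113.45
malicious.example
http://phish.example/login/verify
203.0.113.45
0.0.0.0
10.0.0.7
not a valid entry !!
https://bad.example:8443/payload.exe
"""

# RFC 1918 space: an entry here would let a feed error black-hole internal traffic.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def acceptable_ip(ip):
    """Reject addresses that must never be pushed to a blocking device."""
    if ip.is_unspecified or ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return False
    return not any(ip in net for net in LOCAL_NETS)

def classify(entry):
    """Return ('ip'|'domain'|'url', normalised value), or None if the entry is unusable."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    try:
        ip = ipaddress.ip_address(entry)
        return ("ip", str(ip)) if acceptable_ip(ip) else None
    except ValueError:
        pass  # not an IP address; try the other indicator types
    if HOSTNAME_RE.match(entry):
        return ("domain", entry.lower())
    parts = urlsplit(entry)
    if parts.scheme in ("http", "https") and parts.hostname and HOSTNAME_RE.match(parts.hostname):
        return ("url", entry)
    return None

def parse_feed(text):
    """Split a pulled feed into de-duplicated per-type sets plus the rejected lines."""
    buckets = {"ip": set(), "domain": set(), "url": set()}
    rejected = []
    for line in text.splitlines():
        result = classify(line)
        if result is None:
            if line.strip() and not line.lstrip().startswith("#"):
                rejected.append(line.strip())
            continue
        kind, value = result
        buckets[kind].add(value)
    return buckets, rejected
```

Logging the rejected list on every pull gives a simple check that the feed, or the device's parsing of it, has not silently changed.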