Dynamic Blocklist
Dynamic Blocklist (DBL) is a feature included with Samurai MDR. The list is a feed of high-fidelity indicators of compromise (IoCs) which, when subscribed to by a supporting device, allows that device to block traffic to the identified threat-actor infrastructure. Typical devices which can make use of DBL include Secure Web Gateways (SWG) and Next Generation Firewalls (NGFW).
The DBL contains IP addresses, domain names and Uniform Resource Locators (URLs) of servers hosting malware, exploits, botnet Command and Control (C&C) servers and other known malicious activity.
Feeds are updated hourly and as emerging threats are discovered. Devices which are subscribed to the DBL will receive updated IoCs at the next “push” or “pull” event, depending on the manufacturer.
The high-fidelity IoCs contained in the Dynamic Blocklist originate from sources including:
- NTT’s proprietary Threat Intelligence data sources
- IoCs based on security incident investigations from all clients subscribed to NTT’s threat detection services
- Threat Intelligence obtained via partner intelligence relationships
- Open Source Intelligence feeds which have been analyzed and vetted by NTT
- NTT analysis tools which detect malicious websites (especially phishing and fraud) and extract intelligence of phishing reports from social media.
Onboarding
During the MDR onboarding or during service, the client can choose to enable DBL.
If the client elects to enable DBL and has Supported Devices:
- The client must submit a DBL Request via the Samurai MDR portal
- Include the relevant information required within the request as outlined within the DBL Configuration Guide
- Once access has been enabled, the client will be notified via the ticket with relevant configuration information.
- The client may then proceed with configuration of their devices as per the relevant DBL Configuration Guide
Supported Devices
NTT provides configuration guides to assist the Client in configuring Dynamic Blocklist on supported devices. The device types currently supported are those with a configuration guide in section 1 of this document.
Depending on the capabilities of individual device types, DBL will be configured using one of two possible methods:
- “pull”: In a “pull” configuration the device is set up to connect to NTT’s servers and fetch the threat feed. The frequency of retrieval is dependent on the device configuration.
- “push”: In a “push” configuration the device is set up to receive connections from NTT’s servers in order to receive the threat feed. The frequency with which the threat feed is pushed to the client device is usually determined by the configuration of the client device.
If the client is interested in using DBL with a device that is currently not supported, this can be discussed with NTT during onboarding.
Connectivity Requirements
In addition to configuring the devices for DBL, the client will also need to ensure that Internet connectivity is in place:
- for devices using a “pull” configuration, outbound TCP connections from the device to the DBL server, typically on port 443. Note that the device guides in section 1 of this document list TCP/80 for the list download; use the port stated in your onboarding ticket.
- for devices using a “push” configuration, inbound TCP connections from NTT’s DBL servers to the client device must be permitted. For Zscaler Internet Access the push is an HTTPS (TCP/443) API call to your Zscaler cloud tenant rather than to an on-premises device.
NTT will provide the client with the DBL server IP addresses and/or URLs and other relevant details via the ‘DBL On-boarding request’ ticket.
1 - Dynamic Block List Configuration Guides
1.1 - Cisco Firepower DBL Configuration Guide
This guide outlines the steps to integrate DBL with Cisco Firepower so that the list is fetched automatically. The maximum list size for DBL is 20,000 entries. This maximum is subject to change without notice due to device specifications and performance.
Submit a ticket
To continue with this configuration guide you must first submit a ticket via the Samurai MDR portal. Add the following information within your request:
Ticket field | Information
---|---
Title | DBL Onboarding Request for Cisco Firepower device(s)
Description | Hostname and internet-facing IP address of your Cisco Firepower device(s), for example: mycfw1.acme.org, 19.16*.2*.2. If enrolling multiple devices, list each device on its own line.
Submit the ticket and you will hear back from us with additional information (e.g DBL URL) to continue with the configuration below.
Connection Requirements
You will need to ensure your Firepower device(s) can reach a specific URL to obtain the DBL. This information will be provided to you once subscribed.
Parameter | Note
---|---
Connection Port | TCP / 80
DBL URL | NTT will provide a unique URL to you to download the DBL URL list
Table 1: Connection requirements
To complete this integration you have to:
- Have submitted a ticket via the Samurai MDR portal and have been provided the necessary DBL endpoint URL/IP address.
From your Cisco Firepower Management Console (FMC):
Create a feed that captures the DBL URLs
- Log in to your FMC
- Click Objects – Object Management
- Click Security Intelligence – URL Lists and Feeds in the left pane
- Click Add URL Lists and Feeds
- Enter the following information in Security Intelligence for URL List/Feed and click Save
Parameter | Entry
---|---
Name | Any name; in our example we have used ABTI_for_URL
Feed URL | The feed URL provided to you upon enablement of the add-on
MD5 URL | The MD5 URL provided to you upon enablement of the add-on
Update Frequency | (Optional) If you set the Update Frequency to less than 30 minutes, the MD5 URL is required
Set Security Intelligence Settings
Set the feed you created in “Create a feed that captures the DBL URLs” as a Security Intelligence block list.
- Click Policies – Access Control
- Select the Policy for which you want to set the Feed (for example: sample-fp-policy)
- If you do not have a Policy, create one from New Policy and follow the procedure
- Select Security Intelligence
- Select URLs
- Select the Feed you created in “Create a feed that captures the DBL URLs” (our example was ABTI_for_URL)
- Under Available Zones, select Any and click Add to Block List
- Click Save
- Click Deploy
Confirm Blocking
Verify that the test URL is blocked.
- From a browser that leverages the Cisco Firepower inspection path, access the following test URL:
- Verify that it is blocked. If blocking does not occur, check through the configuration again. Our example block screen looks like this:
Create a feed that captures the DBL IP list
- Click Objects – Object Management
- Click Security Intelligence – Network Lists and Feeds in the left pane
- Click Add Network Lists and Feeds
- Enter the following information in Security Intelligence for Network List/Feed and click Save
Parameter | Entry
---|---
Name | Any name; in our example we have used ABTI_for_IP
Feed URL | The feed URL provided to you upon enablement of the add-on
MD5 URL | The MD5 URL provided to you upon enablement of the add-on
Update Frequency | (Optional) If you set the Update Frequency to less than 30 minutes, the MD5 URL is required
Set Security Intelligence Settings for DBL IP
- Click Policies – Access Control
- Select the Policy for which you want to set the Feed (for example: sample-fp-policy)
- If you do not have a Policy, create one from New Policy and follow the procedure
- Select Security Intelligence
- Select Networks
- Select the Feed you created in “Create a feed that captures the DBL IP list” (our example was ABTI_for_IP)
- Under Available Zones, select Any and click Add to Block List
- Click Save
- Click Deploy
Our Dynamic Block List (DBL) configuration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a ticket in the Samurai MDR portal and we shall get it updated.
1.2 - McAfee Web Gateway (Skyhigh Secure Web Gateway) DBL Configuration Guide
The DBL provides a maximum of 80,000 listings. This limit may be updated without notice.
Submit a ticket
To continue with this configuration guide you must first submit a ticket via the Samurai MDR portal. Add the following information within your request:
Ticket field | Information
---|---
Title | DBL Onboarding Request for McAfee Gateway device(s)
Description | Hostname and internet-facing IP address of your McAfee Gateway(s), for example: mysecureproxy1.acme.org, 19.16*.2*.2. If enrolling multiple gateways, list each gateway on its own line.
Submit the ticket and you will hear back from us with additional information (e.g DBL URL’s) to continue with the configuration below.
Connection Requirements
You will need to ensure your Secure Web Gateway can reach a specific URL to obtain the DBL. This information will be provided to you once subscribed.
Parameter | Note
---|---
Connection Port | TCP / 80
URL DBL | NTT will provide a unique URL to you to download the DBL URL list
IP DBL | NTT will provide a unique URL to you to download the DBL IP list
Table 1: Connection requirements
From your Secure Web Gateway:
Configure the External Lists Module
Follow the steps outlined within the Skyhigh Security documentation:
Use the following parameters when completing the steps:
Field Name | Parameter
---|---
Name | Whatever you want, however we suggest NTT_DBL
Data Source Type | Web Service
Web service’s URL | URL will be provided to you upon enablement of the add-on
Advanced Parameters - Maximum number of entries to fetch | 100000
Advanced Parameters - Maximum size of data fetch in kb | 100000
Table 2: External Lists Module
Tip: To find out more information about External Lists refer to Skyhigh Security documentation About External Lists
Create a Rule
Follow the steps outlined within the Skyhigh Security documentation:
You need to configure a rule that denies access if the URL requested by the client matches the external list previously created.
Use the following parameters when completing the steps:
Field Name | Parameter
---|---
Rule Name | Whatever you want, however we suggest ‘Block URLs that match the NTT DBL’
Enable Rule | Selected
Rule Criteria/Apply this rule | If the following criteria is matched
Rule Criteria Type | URL/Host criteria
Filter | URL
Selected Operator | is in list
Compare with | ExtLists.StringList (String, String, String)
Settings | Select the external list created in Configure the External Lists Module
Parameters for property ExtLists.StringList | 1. Placeholder ${0} Data (String)
Action | Block
Settings | URL Blocked
Table 3: Rule creation
1.3 - Palo Alto Networks DBL Configuration Guide
The DBL URL list is sized at approximately 40,000 entries. Loading the EDL into multiple URL Filtering profiles multiplies its memory footprint and can exhaust device memory; monitor device performance and logs to avoid this.
Submit a ticket
To continue with this configuration guide you must first submit a ticket via the Samurai MDR portal. Add the following information within your request:
Ticket field | Information
---|---
Title | DBL Onboarding Request for Palo Alto Networks device(s)
Description | Hostname and internet-facing IP address of your Palo Alto Networks NGFW(s), for example: mysecureproxy1.acme.org, 19.16*.2*.2. If enrolling multiple devices, list each device on its own line.
Submit the ticket and you will hear back from us with additional information (e.g DBL URL) to continue with the configuration below.
Connection Requirements
You will need to ensure your Palo Alto Networks device(s) can reach a specific URL to obtain the DBL. This information will be provided to you once subscribed.
Parameter | Note
---|---
Connection Port | TCP / 80
DBL URL | NTT will provide a unique URL to you to download the DBL URL list
Table 1: Connection requirements
To complete this configuration, from your Palo Alto Networks device:
Configure an External Dynamic List
Follow the steps outlined within the Palo Alto Networks documentation:
Use the following parameters when completing the steps:
Field Name | Parameter
---|---
Name | Whatever you want, however we suggest NTT_DBL
Type | URL List
Source | DBL URL will be provided to you upon enablement of the add-on
Certificate Profile | None
Check for updates | Hourly
Table 2: EDL Configuration
Tips:
- Select your specific PAN-OS version when reviewing Palo Alto Networks documentation (we have linked version 10.2)
- To find out more information about EDLs refer to the Palo Alto Networks documentation on External Dynamic Lists
- A Certificate Profile applies only to EDL sources fetched over HTTPS; the DBL URL in this guide is plain HTTP (TCP/80), so it is left as None
- Once completed, use ‘Test Source URL’ as described in the Palo Alto Networks documentation to ensure the DBL can be accessed
Create a URL Filtering profile
Follow the steps outlined within the Palo Alto Networks documentation:
Use the following parameters for the EDL created in Configure an External Dynamic List when completing the steps:
Field Name | Parameter
---|---
Profile Name | Whatever you want, however we suggest NTT_DBL
Site Access | Block
User Credential Submission | Block
Table 3: URL filtering profile
Attach the profile to a Security policy rule
Follow the steps outlined within the Palo Alto Networks documentation:
Use the following parameters in the Actions tab when completing the steps:
Field Name | Parameter
---|---
Profile Setting Type | Profiles
URL Filtering Profile | The profile created above, we suggested NTT_DBL
Log at Session Start | Disabled
Log at Session End | Enabled
Table 4: Security policy rule
1.4 - Squid DBL Configuration Guide
Refer to Squid Documentation as needed: http://www.squid-cache.org/
Submit a ticket
To continue with this configuration guide you must first submit a ticket via the Samurai MDR portal. Add the following information within your request:
Ticket field | Information
---|---
Title | DBL Onboarding Request for Squid device(s)
Description | Hostname and internet-facing IP address of your Squid proxy(s), for example: mysecureproxy1.acme.org, 19.16*.2*.2. If enrolling multiple proxies, list each proxy on its own line.
Submit the ticket and you will hear back from us with additional information (e.g DBL URL) to continue with the configuration below.
Connection Requirements
You will need to ensure your Squid proxy can reach a specific URL to obtain the DBL. This information will be provided to you once subscribed.
Parameter | Note
---|---
Connection Port | TCP / 80
URL DBL | NTT will provide a unique URL to you to download the DBL URL list
IP DBL | NTT will provide a unique URL to you to download the DBL IP list
Table 1: Connection requirements
From your Squid Proxy:
Import the DBL
1. Store the DBL list retrieval script as below:
/usr/local/squidList/getSquidACL.sh
2. Back up the script file:
# cp /usr/local/squidList/getSquidACL.sh /usr/local/squidList/getSquidACL.sh.org
3. Open the script file using your favorite editor. In the examples we use “vi” for editing:
# vi /usr/local/squidList/getSquidACL.sh
4. Set the DBL URL from which to import the URL list.
(Example) DBL_URL="http://<IP address>/dbl/block_plain.txt"
5. Set the DBL URL from which to import the IP list.
(Example) DBL_IP="http://<IP address>/dbl/block_ip_plain.txt"
6. Set the restart command to the one used in your production environment.
(Example) restart="/etc/rc.d/init.d/squid restart"
7. Set the output path for the URL list.
(Example) DBL_URL_OUTPUT="/etc/squid/block_plain.txt"
8. Set the output path for the IP list.
(Example) DBL_IP_OUTPUT="/etc/squid/block_ip_plain.txt"
9. Save and close “vi”:
# :wq
10. Give execute permission to the script:
# chmod 775 /usr/local/squidList/getSquidACL.sh
ACL Configuration
- Edit the “squid.conf” file:
# vi /etc/squid/squid.conf
- Add ACL settings for the lists written in steps 7 and 8 of the previous section. The deny lines must appear before any http_access allow rule that would otherwise match the same clients, because Squid applies the first matching http_access line.
(Example)
acl blocklist_regex url_regex "/etc/squid/block_plain.txt"
acl blockip dst "/etc/squid/block_ip_plain.txt"
http_access deny blocklist_regex
http_access deny blockip
- Save and close:
# :wq
Confirm configuration and auto run
- Run the DBL retrieval script manually with the following command:
# /usr/local/squidList/getSquidACL.sh
After execution, check the output files and your standard Squid logs. If the script reports an error, check connectivity from the proxy to the DBL URL first, as that is the most likely cause.
- If there are no errors, set the execute command on Cron. (Following setting is run every 10 minutes.)
*/10 * * * * /usr/local/squidList/getSquidACL.sh
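The page refers to getSquidACL.sh but does not show its contents. The following script is an added example written for this guide, not NTT’s script. It uses the variable names from the steps above and adds the checks a production retrieval job needs: because the lists are fetched over plain HTTP, a failed, truncated or intercepted download must not silently empty your block list, so the script refuses to install an HTML error page or a suspiciously short list, validates every IP entry, installs the files atomically and reloads Squid only when a list actually changed. The <IP address> placeholders, the MIN_LINES floor, the IPv4-only IP check, the optional MD5 comparison (NTT provides an MD5 URL for Firepower; whether one exists for your Squid feed is an assumption to confirm in your ticket), the optional regex escaping for url_regex, and the use of curl and md5sum are all assumptions, not page content.

```shell
#!/bin/sh
# getSquidACL.sh -- added example, not NTT's script. Fetches the DBL URL and IP
# lists, refuses anything that does not look like a list, installs atomically and
# reloads Squid only when a list changed. URLs, paths, thresholds and the optional
# MD5 / regex-escaping steps are assumptions for illustration.
set -eu

DBL_URL="${DBL_URL:-http://<IP address>/dbl/block_plain.txt}"
DBL_IP="${DBL_IP:-http://<IP address>/dbl/block_ip_plain.txt}"
DBL_URL_MD5="${DBL_URL_MD5:-}"            # assumed optional MD5 URL; empty = skip check
DBL_URL_OUTPUT="${DBL_URL_OUTPUT:-/etc/squid/block_plain.txt}"
DBL_IP_OUTPUT="${DBL_IP_OUTPUT:-/etc/squid/block_ip_plain.txt}"
RELOAD="${RELOAD:-squid -k reconfigure}"  # or the guide's init-script restart command
MIN_LINES="${MIN_LINES:-100}"             # assumed floor; a real DBL is far larger
ESCAPE_URL_REGEX="${ESCAPE_URL_REGEX:-0}" # 1 if the URL feed is literal URLs, not regexes

# fetch URL OUT: download one list; on failure the currently installed list stays.
fetch() {
  curl -fsS --max-time 60 -o "$2" "$1" || { echo "fetch of $1 failed" >&2; return 1; }
}

# clean_list IN OUT: strip CRs, blank and comment lines; reject HTML or short output.
clean_list() {
  grep -v -e '^[[:space:]]*$' -e '^#' "$1" | tr -d '\r' > "$2"
  if grep -qi '<html' "$2"; then echo "refusing $1: HTML, not a list" >&2; return 1; fi
  n=$(wc -l < "$2" | tr -d ' ')
  [ "$n" -ge "$MIN_LINES" ] || { echo "refusing $1: only $n entries" >&2; return 1; }
}

# validate_ip_list FILE: every entry must be an IPv4 address or CIDR (IPv4 assumed).
validate_ip_list() {
  bad=$(grep -Ev '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' "$1" || true)
  [ -z "$bad" ] || { echo "refusing IP list, unexpected entries:" >&2
                     printf '%s\n' "$bad" | head -n 3 >&2; return 1; }
}

# Squid's url_regex treats each line as an extended regex. Escape metacharacters
# and anchor at the start so "http://a.b/x" matches that URL and paths under it,
# rather than "http://axb/x" as an unescaped dot would.
escape_for_url_regex() {
  sed -e 's/[][\.*^$+?(){}|]/\\&/g' -e 's/^/^/'
}

# verify_md5 FILE EXPECTED: over plain HTTP this catches truncation and corruption,
# not an active attacker; only TLS on the feed would address that.
verify_md5() {
  have=$(md5sum < "$1" | cut -d' ' -f1)
  [ "$have" = "$2" ] || { echo "MD5 mismatch for $1" >&2; return 1; }
}

# install_if_changed SRC DST: returns 0 if a new file was installed, 1 if unchanged.
install_if_changed() {
  if [ -f "$2" ] && cmp -s "$1" "$2"; then return 1; fi
  cp "$1" "$2.tmp" && chmod 0644 "$2.tmp" && mv -f "$2.tmp" "$2"
}

main() {
  tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
  fetch "$DBL_URL" "$tmp/url.raw"
  fetch "$DBL_IP" "$tmp/ip.raw"
  [ -z "$DBL_URL_MD5" ] || verify_md5 "$tmp/url.raw" \
      "$(curl -fsS --max-time 30 "$DBL_URL_MD5" | tr -d '\r\n' | cut -d' ' -f1)"
  clean_list "$tmp/url.raw" "$tmp/url.txt"
  clean_list "$tmp/ip.raw" "$tmp/ip.txt"
  validate_ip_list "$tmp/ip.txt"
  if [ "$ESCAPE_URL_REGEX" = 1 ]; then
    escape_for_url_regex < "$tmp/url.txt" > "$tmp/url.re" && mv "$tmp/url.re" "$tmp/url.txt"
  fi
  changed=0
  install_if_changed "$tmp/url.txt" "$DBL_URL_OUTPUT" && changed=1
  install_if_changed "$tmp/ip.txt" "$DBL_IP_OUTPUT" && changed=1
  [ "$changed" = 0 ] || $RELOAD
}

# Run main only when executed as the script itself, so the functions can be sourced.
case "${0##*/}" in getSquidACL.sh) main "$@" ;; esac
```

Run it once by hand as in the confirmation step above, then from cron. Leave ESCAPE_URL_REGEX at 0 if NTT confirms the URL feed is already regex-formatted (the guide passes block_plain.txt straight to url_regex); set it to 1 if the entries are literal URLs, since url_regex otherwise treats every dot as a wildcard.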
1.5 - Zscaler Internet Access DBL Configuration Guide
Follow the steps below and then submit a ticket via the Samurai MDR portal.
Access Requirements
Threat data will be pushed using the Zscaler native API with standard HTTPS TCP/443 to your Zscaler cloud instance.
From Zscaler Internet Access Portal:
Once completed you will need to provide specific information to NTT via a ticket in the Samurai MDR portal.
Create a dedicated user with a specific role for NTT
Follow the steps outlined in Zscaler documentation to create an admin role:
Use the following parameters when completing the steps:
Field Name | Parameter
---|---
Name | Whatever you want, however we suggest: NTT_DBL
Enable Permissions for Executive Insights | Disabled
Log Limit (Days) | 60 days
Dashboard Access | View Only
Reporting Access | Full
Insights Access | View Only
Policy Access | Full
Administrators Access | None
User Names | Obfuscated
Device Information | Obfuscated
Functional Scope | All options disabled (Advanced Settings, Data Loss Prevention, Security, SSL Policy, Virtual Service Edge Configuration, Firewall, DNAT, DNS & IPS, NSS Configuration, Partner Integration, Remote Assistance Management)
Access Control (Web and Mobile) | Enabled (Policy and Resource Management, Custom URL Category Management, Override Existing Categories, Tenant Profile Management)
Traffic Forwarding | Disabled
Authentication Configuration | Disabled
Table 1: Admin role
Follow the steps outlined in Zscaler documentation to create a user and assign the role:
Use the following parameters when completing the steps:
Field Name | Parameter
---|---
Login ID | Whatever you want, however we suggest: NTT_DBL
Email | support@nttsh.zendesk.com
Name | Whatever you want, however we suggest: NTT Dynamic Block List
Role | The role previously created, we suggested NTT_DBL
Status | Enabled
Scope | As per your organization
Executive Insights App Access | Disabled
Comments | Whatever you want
Security Updates | Disabled
Service Updates | Disabled
Product Updates | Disabled
Password Based Login | Enabled (enter a password)
Table 2: Admin user
You will need to share these credentials when raising a ticket with us.
Provide your API base URL and API key
Review the Zscaler documentation to find your Base URL and API Key:
You can also read more information about the Zscaler API at:
You will need this information when raising a ticket with us.
Create dedicated URL categories for the DBL
Follow the Zscaler documentation:
You need to create two URL categories. Use the following parameters when completing the steps:
Field Name | Parameter
---|---
Name | Whatever you want, however we suggest: NTT_Block
URL Super Category | User-Defined
Administrator Operational Scope | Any
Custom URLs | example.com (one value is mandatory for creation; this entry will be removed at the first DBL list retrieval)
Table 3: Custom URL category 1
Field Name | Parameter
---|---
Name | Whatever you want, however we suggest: NTT_Notify
URL Super Category | User-Defined
Administrator Operational Scope | Any
Custom URLs | example.com (one value is mandatory for creation; this entry will be removed at the first DBL list retrieval)
Table 4: Custom URL category 2
Follow the steps outlined in Zscaler documentation:
Use the following applicable parameters when completing the steps (set other parameters according to your specific configuration):
Field Name | Parameter
---|---
Rule Order | 1 (Recommended)
Rule Name | Whatever you want, however we suggest: NTT DBL
URL Category | Select the previously created categories, we suggested NTT_Block & NTT_Notify
Protocol | DNS Over HTTPS, FTP Over HTTP, HTTP, HTTPS, HTTP Proxy, SSL, Tunnel and Tunnel SSL
Action | Block
Table 5: URL filtering policy
To help us improve the DBL, we recommend that you schedule monthly reports that are automatically emailed to us.
Follow the steps in the Zscaler documentation on copying a standard report:
Select Blocked Web Traffic Overview under Standard Reports – Web Activity as the report to copy, using the following parameters:
Field Name | Parameter
---|---
Report Name | Anything you want, however we recommend ‘NTT_DBL_MonthlyReport’
Time Frame | Previous Month
Table 6: Copy Report
Follow the steps in Zscaler documentation to Schedule the Report:
Use the following parameters when completing the steps:
Field Name | Parameter
---|---
Schedule Name | Whatever you want, however we suggest: NTT_MonthlyReport_Schedule
Report | The report previously created, we recommended ‘NTT_DBL_MonthlyReport’
Recipients | rtmd_esc-cp@ntt.com
Status | Enabled
Frequency | Monthly
Time zone | Asia/Tokyo
Table 7: Scheduled Report
Submit a ticket
Now that you have completed all of the steps above you must now submit a ticket via the Samurai MDR portal. Add the following information (created from the steps above) within your request:
Ticket field | Information
---|---
Title | DBL Onboarding Request for Zscaler Internet Access
Description | Zscaler Login ID; Password; Base URL for API; API Key; Update Interval (minimum 10 minutes)
Submit the ticket and you will hear back from us when onboarding is complete.