About Security Intelligence
The Security Intelligence policy gives you an early opportunity to drop unwanted traffic based on source/destination IP address or destination URL. The system drops this unwanted traffic before evaluating it with the access control policy, thus reducing the amount of system resources used.
You can block traffic based on the following:
- Cisco Talos Intelligence Group (Talos) feeds—Talos provides access to regularly updated security intelligence feeds. Sites representing security threats such as malware, spam, botnets, and phishing appear and disappear faster than you can update and deploy custom configurations. The system downloads feed updates regularly, so new threat intelligence takes effect without requiring you to redeploy the configuration.
Note
Talos feeds are updated by default every hour. You can change the update frequency, and even update the feeds on demand, from the page.
- Network and URL objects—If you know of specific IP addresses or URLs you want to block, you can create objects for them and add them to the block list or the exception list. Note that you cannot use network objects with FQDN or range specifications; only host addresses and CIDR prefixes are supported.
You create separate lists for IP addresses (networks) and URLs.
Note
If an HTTP/HTTPS request is to a URL that uses an IP address instead of a hostname, the system looks up the IP address reputation in the network address lists. You do not need to duplicate IP addresses in the network and URL lists.
Making Exceptions to the Block Lists
For each block list, you can create an associated exception list, also known as the do not block list. The only purpose of the exception list is to exempt IP addresses or URLs that also appear in the block list. That is, if an address or URL you need to use, and know to be safe, is included in a feed configured on the block list, you can exempt that network/URL without removing the whole category from the block list. An entry on the exception list that is not also on the block list has no effect.
Exempted traffic is subsequently evaluated by the access control policy. The ultimate decision on whether the connections are allowed or dropped is based on the access control rule the connections match. The access rule also determines whether intrusion or malware inspection is applied to the connection.
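The evaluation order described above (block list first, exception list as an override, everything else handed to access control, and IP-literal URL hosts looked up in the network lists) is easy to get wrong when reasoning about a policy. The following is an added illustration, not Cisco code: a small simulation of that ordering that also rejects FQDN and range entries as network objects. The normalized-prefix URL matching and the `SecurityIntelligence` class name are assumptions of this example, and all addresses and URLs are constructed sample data.

```python
"""Simulation of Security Intelligence ordering (added example, not Cisco code).

Block and do-not-block (exception) lists are evaluated before the access
control policy. An exception only exempts an entry the block list would
otherwise drop. A URL whose host is an IP literal is looked up in the
network lists, not the URL lists. Prefix matching of normalized URLs is an
assumption of this simulation.
"""
import ipaddress
from urllib.parse import urlsplit


def validate_network_object(entry):
    """True for a host address or CIDR prefix; False for FQDN or range
    entries, which Security Intelligence network objects do not support."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def _parse_network(entry):
    if not validate_network_object(entry):
        raise ValueError(f"unsupported network object {entry!r}: use an IP address or CIDR")
    return ipaddress.ip_network(entry, strict=False)


def _normalize_url(url):
    """Canonical form (assumed): lower-case scheme and host, path defaults
    to '/', query dropped, so list entries and requests compare consistently."""
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError(f"URL without a host: {url!r}")
    host = parts.hostname if not parts.port else f"{parts.hostname}:{parts.port}"
    return f"{parts.scheme.lower()}://{host}{parts.path or '/'}"


class SecurityIntelligence:
    def __init__(self, net_block, net_exception, url_block, url_exception):
        self.net_block = [_parse_network(e) for e in net_block]
        self.net_exception = [_parse_network(e) for e in net_exception]
        self.url_block = [_normalize_url(u) for u in url_block]
        self.url_exception = [_normalize_url(u) for u in url_exception]

    @staticmethod
    def _net_listed(ip, networks):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in networks)

    @staticmethod
    def _url_listed(url, entries):
        return any(url.startswith(e) for e in entries)

    def ip_verdict(self, ip):
        """'drop' (block list only), 'exempt' (on both lists) or 'unlisted'."""
        if not self._net_listed(ip, self.net_block):
            return "unlisted"
        return "exempt" if self._net_listed(ip, self.net_exception) else "drop"

    def url_verdict(self, url):
        host = urlsplit(url).hostname
        try:
            ipaddress.ip_address(host)      # IP literal as the URL host:
            return self.ip_verdict(host)    # consult the network lists instead
        except ValueError:
            pass                            # a real hostname: use the URL lists
        norm = _normalize_url(url)
        if not self._url_listed(norm, self.url_block):
            return "unlisted"
        return "exempt" if self._url_listed(norm, self.url_exception) else "drop"

    def evaluate(self, src_ip, dst_ip, url=None):
        """Return ('drop', reason) or ('access-control', reason). Only a
        'drop' short-circuits; exempted entries still go to access control."""
        checks = [("source", src_ip, self.ip_verdict), ("destination", dst_ip, self.ip_verdict)]
        if url is not None:
            checks.append(("URL", url, self.url_verdict))
        notes = []
        for label, value, verdict_fn in checks:
            verdict = verdict_fn(value)
            if verdict == "drop":
                return "drop", f"{label} {value} matched a block list"
            if verdict == "exempt":
                notes.append(f"{label} {value} exempted by do-not-block list")
        return "access-control", "; ".join(notes) or "no Security Intelligence match"


if __name__ == "__main__":
    # Constructed sample policy using documentation address ranges.
    si = SecurityIntelligence(
        net_block=["203.0.113.0/24", "198.51.100.7"],
        net_exception=["203.0.113.10"],
        url_block=["http://malicious.example/"],
        url_exception=["http://malicious.example/safe/"],
    )
    for args in [("10.0.0.5", "203.0.113.20"),
                 ("10.0.0.5", "203.0.113.10"),
                 ("10.0.0.5", "192.0.2.1", "http://malicious.example/payload.exe"),
                 ("10.0.0.5", "192.0.2.1", "http://198.51.100.7/x")]:
        print(args, "->", si.evaluate(*args))
```

The last sample shows the note above in action: the URL `http://198.51.100.7/x` is dropped by the network block list even though no URL list mentions it, because its host is an IP literal. Note that an entry on the exception list does not short-circuit the other checks; a connection whose source is exempted is still dropped if its destination matches the block list.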
Security Intelligence Feed Categories
The following table describes the categories available in the Cisco Talos Intelligence Group (Talos) feeds. These categories are available for both network and URL blocking.
These categories can change over time, so a newly-downloaded feed might have category changes. When configuring Security Intelligence, you can click the info icon next to a category name to see a description.
Security Intelligence Category | Description
---|---
Attackers | Active scanners and hosts known for outbound malicious activity
Banking_fraud | Sites that engage in fraudulent activities related to electronic banking
Bogon | Bogon networks and unallocated IP addresses
Bots | Sites that host binary malware droppers
CnC | Sites that host command-and-control servers for botnets
Cryptomining | Hosts providing remote access to pools and wallets for the purpose of mining cryptocurrency
Dga | Domain names produced by malware domain-generation algorithms, which generate large numbers of names to act as rendezvous points with their command-and-control servers
Exploitkit | Software kits designed to identify software vulnerabilities in clients
High_risk | Domains and hostnames that match the OpenDNS predictive security algorithms from the security graph
Ioc | Hosts that have been observed to exhibit indicators of compromise (IOCs)
Link_sharing | Websites that share copyrighted files without permission
Malicious | Sites exhibiting malicious behavior that do not necessarily fit into another, more granular, threat category
Malware | Sites that host malware binaries or exploit kits
Newly_seen | Domains that have recently been registered, or have not yet been seen via telemetry
Open_proxy | Open proxies that allow anonymous web browsing
Open_relay | Open mail relays that are known to be used for spam
Phishing | Sites that host phishing pages
Response | IP addresses and URLs that are actively participating in malicious or suspicious activity
Spam | Mail hosts that are known for sending spam
Spyware | Sites that are known to contain, serve, or support spyware and adware activities
Suspicious | Files that appear to be suspicious and have characteristics that resemble known malware
Tor_exit_node | Hosts known to offer exit node services for the Tor Anonymizer network