
How To Automate Firewall Policies to Block C2 IPs Using Criminal IP’s C2 Threat Feed


Manually configuring firewall policies without a C2 threat feed is hard to sustain, because many block rules have to be managed at once. Poorly managed rule sets accumulate outdated entries, block traffic indiscriminately, and leave administrators unsure which rules should be added or removed. This article shows how to automate the blocking of malicious IP addresses with Criminal IP’s C2 threat feed and so avoid the problems of manual rule management.

Creating and Managing a List of Malicious IPs Associated with C2 Servers Using Criminal IP Detection Data

Open-source threat databases often contain large, unorganized volumes of data, which makes it difficult to isolate a specific threat type such as connections to C2 servers, and harder still to derive coherent firewall rules from it. Criminal IP’s C2 threat feed, by contrast, classifies incoming data by threat characteristic as it is ingested, which makes it well suited to automating firewall block rules for IP addresses linked to C2 servers.

The following official Criminal IP GitHub repositories help automate block rules in a firewall policy from the C2 threat feed:

  • Fortinet-Maliciousip-AutoBlock: code that creates block rules in Fortinet firewalls for IP addresses the Criminal IP service identifies as malicious, and manages those rules automatically.
  • Malicious-ip-Handler: code that maintains the list of malicious IP addresses detected by Criminal IP in CSV or JSON format. It collects the C2 server-related IP addresses from the Criminal IP C2 threat feed, appends newly found addresses to the file, and automatically removes old ones.

1. Add ‘Banner Information’ Query to Connect With Criminal IP C2 Threat Feed

Criminal IP’s C2 threat feed uses several classification indicators to separate data linked to specific cyber threats from the unorganized bulk of open-source data. One of these is banner information: the response a service returns when a connection is made, which reveals the software and its version, the operating system, and other details of the service or host. A banner gives a first indication of what the server behind an IP address is running, and Criminal IP uses it to pull data on malicious IP addresses, such as those hosting a Command and Control (C2) server, out of its much larger database. Keep in mind that a banner is self-reported by the service and can be changed by whoever operates it, so it is best used together with the tag information described in the next step.

To build the list of C2 server-related IP addresses that the firewall policy should block, query the v1/banner/search API, which returns the results of a C2-related banner search in Criminal IP. Instructions and examples for this API are available at the following link:

Introduction page for Criminal IP's banner data API. Examples of using the API to call banner data with the C2 server relation are shown.

2. Add ‘Tag Information’ Query for C2 Server Data in Criminal IP Database

Filling in query values according to the cip_c2_detect_query.json file lets you also block malicious IP addresses that carry C2 server-related tags. Tags are another key classification indicator: Criminal IP tags elements associated with malicious activity, so the C2 threat feed can efficiently identify and categorize large volumes of IP addresses linked to remote server control, including C2 servers.

Examples of query values for C2 server tags can be found in Criminal IP’s official GitHub repository, Fortinet-Maliciousip-AutoBlock.

3. Add Custom Condition Query to Firewall Policy

To add a custom auto-block condition for C2 servers to your firewall policy, add the desired query in the specified format to the same JSON file.

For further details on additional malicious tags related to C2 servers, refer to Criminal IP’s tag usage guide.

The list of C2 tags provided by Criminal IP. C2 tags are used to classify malicious IP addresses associated with C2 servers
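The three steps above (a banner search query, a tag query and a custom condition) pulled together as an added example in Python. This is not code from Fortinet-Maliciousip-AutoBlock or Malicious-ip-Handler. It assumes the banner search endpoint is GET https://api.criminalip.io/v1/banner/search with `query` and `offset` parameters and the API key in an `x-api-key` header, that results sit under data["result"] with an "ip_address" field and the total under data["count"], and that the query file has the layout shown; the layout of cip_c2_detect_query.json used here is hypothetical, and the sample pages are constructed so the code runs offline.

```python
"""Added example (not code from Criminal IP's repositories): read C2 query
strings from a JSON query file, page through the Criminal IP banner search
API and collect the unique IP addresses for a firewall block list.

Assumptions to verify against the current Criminal IP API documentation:
  - GET https://api.criminalip.io/v1/banner/search with parameters
    `query` and `offset`, API key sent in the `x-api-key` header
  - results under data["result"], each carrying an "ip_address" field,
    and the total hit count under data["count"]
  - the layout of cip_c2_detect_query.json used here is hypothetical
"""
import json
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

API_URL = "https://api.criminalip.io/v1/banner/search"

# Hypothetical query file: one named query per block condition.  The tag
# query is the one the article uses; the second shows a custom condition.
SAMPLE_QUERY_FILE = json.dumps({
    "queries": [
        {"name": "meshagent_c2", "query": "tag: c2_meshagent"},
        {"name": "meshagent_https", "query": "tag: c2_meshagent port: 443"},
    ]
})


def load_queries(text):
    """Return the query strings from the (hypothetical) JSON query file."""
    return [q["query"] for q in json.loads(text)["queries"]]


def build_request(query, offset, api_key):
    """Return (url, headers) for one page of a banner search."""
    url = API_URL + "?" + urlencode({"query": query, "offset": offset})
    return url, {"x-api-key": api_key}


def http_fetch(url, headers):
    """Real transport: GET the URL and decode the JSON body."""
    with urlopen(Request(url, headers=headers), timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def collect_ips(query, api_key, fetch=http_fetch, max_pages=100):
    """Page through one banner search and return its unique IPs, sorted.
    The same IP appears once per open port, so a set is used."""
    ips, offset = set(), 0
    for _ in range(max_pages):
        url, headers = build_request(query, offset, api_key)
        body = fetch(url, headers)
        if body.get("status") != 200:
            raise RuntimeError(f"Criminal IP API error: {body.get('message')}")
        data = body["data"]
        results = data.get("result", [])
        ips.update(r["ip_address"] for r in results)
        offset += len(results)
        if not results or offset >= data.get("count", 0):
            break
    return sorted(ips)


# --- constructed offline data so the example runs without an API key ------
def _page(ips, count):
    return {"status": 200, "message": "api success",
            "data": {"count": count,
                     "result": [{"ip_address": ip, "port": 443} for ip in ips]}}


CONSTRUCTED_PAGES = {
    0: _page([f"192.0.2.{n}" for n in range(1, 11)], 12),
    10: _page(["198.51.100.7", "192.0.2.1"], 12),  # 192.0.2.1 repeats (2nd port)
}


def constructed_fetch(url, headers):
    """Transport stand-in that serves the constructed pages by offset."""
    offset = int(parse_qs(urlparse(url).query)["offset"][0])
    return CONSTRUCTED_PAGES[offset]


def blocklist_from_file(query_file_text, api_key, fetch=http_fetch):
    """Union of the IPs returned by every query in the file."""
    ips = set()
    for q in load_queries(query_file_text):
        ips.update(collect_ips(q, api_key, fetch=fetch))
    return sorted(ips)


if __name__ == "__main__":
    for ip in blocklist_from_file(SAMPLE_QUERY_FILE, "DUMMY-KEY", constructed_fetch):
        print(ip)
```

For a live run, pass the real query file's contents, an API key read from the environment rather than a literal, and leave `fetch` at its default; the deduplication matters because a banner search returns one record per open port, so a single host with three exposed services would otherwise yield three rules.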

4. Manage and Update C2 Server-Associated IP Addresses Within Firewall Policy

To keep firewall policies current, newly discovered C2-related IP addresses must be classified as they appear. Malicious-ip-Handler, one of Criminal IP’s official GitHub repositories, handles this.

Running the repository’s code synchronizes the query results with Criminal IP’s C2 threat feed and saves each update in the ./core/input/yesterday_detect_IP_{date} file. Newly discovered C2-related IP addresses are held for a 7-day verification period before they are applied to the blocking rules, which keeps short-lived or already-registered addresses out of the policy. If an address is still identified as malicious with C2 connectivity after those 7 days, it is added as a new rule so that blocking is maintained. Before a promoted address reaches the firewall, it is also worth checking whether it belongs to shared hosting or CDN infrastructure, where blocking a single IP can affect legitimate services.

Running screen of Malicious-ip-Handler, the official repository of Criminal IP. The list of malicious IP addresses identified in yesterday_detect_IP_2024_09_10 is shown.
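The 7-day verification described above, as an added Python illustration rather than Malicious-ip-Handler’s own code. It keeps a candidate table keyed by IP, restarts an address’s verification window whenever a daily run does not report it, promotes addresses that have been reported continuously for 7 days, and forgets addresses the feed has stopped reporting. The snapshot file name follows the yesterday_detect_IP_{date} pattern shown in the screenshot; the table layout and the 7-day stale threshold are this example’s own choices, and the daily feeds are constructed.

```python
"""Added example (an illustration, not Malicious-ip-Handler's own code) of the
7-day verification described above.  Each daily run writes the feed's IPs to
a dated file; an IP is promoted to the firewall block list only after it has
been present on every daily run for 7 days, and it is dropped from the
candidate table once the feed has stopped reporting it for 7 days.  The
7-day verification window and the daily-snapshot file name follow the
article; the candidate table layout and stale threshold are this example's."""
from datetime import date, timedelta

VERIFY_DAYS = 7   # how long an IP must keep appearing before it is blocked
STALE_DAYS = 7    # how long an IP may be absent before it is forgotten


def daily_filename(day):
    """Name of the day's snapshot, following the yesterday_detect_IP_{date}
    pattern shown in the article's screenshot."""
    return f"yesterday_detect_IP_{day:%Y_%m_%d}"


def update_candidates(candidates, todays_ips, today):
    """Merge today's feed into {ip: {"first_seen": date, "last_seen": date}}.
    A gap in the daily sightings restarts the verification window."""
    new = dict(candidates)
    for ip in todays_ips:
        entry = new.get(ip)
        if entry is None or entry["last_seen"] < today - timedelta(days=1):
            new[ip] = {"first_seen": today, "last_seen": today}
        else:
            new[ip] = {"first_seen": entry["first_seen"], "last_seen": today}
    return new


def expire_stale(candidates, today, stale_days=STALE_DAYS):
    """Drop IPs the feed has not reported for stale_days."""
    return {ip: e for ip, e in candidates.items()
            if (today - e["last_seen"]).days < stale_days}


def ready_to_block(candidates, today, verify_days=VERIFY_DAYS):
    """IPs seen today that have been continuously reported for verify_days."""
    return sorted(ip for ip, e in candidates.items()
                  if e["last_seen"] == today
                  and (today - e["first_seen"]).days >= verify_days)


def run_daily(candidates, todays_ips, today):
    """One scheduled run: returns (updated table, IPs to push to the firewall)."""
    candidates = expire_stale(update_candidates(candidates, todays_ips, today), today)
    return candidates, ready_to_block(candidates, today)


# Constructed daily feeds (TEST-NET addresses), Sep 1 to Sep 11 2024:
#   192.0.2.10   reported every day            -> blocked from Sep 8 on
#   198.51.100.7 reported Sep 1-3 only         -> never blocked, expires Sep 10
#   203.0.113.5  missing Sep 3-4, then daily   -> window restarts Sep 5
START = date(2024, 9, 1)
CONSTRUCTED_FEEDS = []
for n in range(11):
    ips = {"192.0.2.10"}
    if n < 3:
        ips.add("198.51.100.7")
    if n not in (2, 3):
        ips.add("203.0.113.5")
    CONSTRUCTED_FEEDS.append((START + timedelta(days=n), ips))


def simulate(feeds):
    """Replay daily feeds; return (final block list, final candidate table)."""
    table, blocked = {}, []
    for day, ips in feeds:
        table, blocked = run_daily(table, ips, day)
    return blocked, table


if __name__ == "__main__":
    blocked, table = simulate(CONSTRUCTED_FEEDS)
    print(daily_filename(CONSTRUCTED_FEEDS[-1][0]), blocked, sorted(table))
```

`ready_to_block` returns every qualified address, not only those promoted today, so the caller should diff it against the address group already on the firewall before pushing rules; that is what keeps the policy free of duplicate entries.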

Things to Consider When Applying C2 Server List of Criminal IP Threat Feed to Firewall Policy

Adding each malicious IP address from the C2 threat feed to FortiGate firewall policies one by one is hard to manage and can run into limits on the number of address objects a policy accepts. Instead, collect the addresses into an address group and reference that group in the policy. Grouping also lets you manage the addresses by date, for example one group per day’s feed, which makes rotation and clean-up easier.

Pay attention to the order of block policies. FortiGate evaluates firewall policies from top to bottom and applies the first one that matches, so a policy higher in the list takes priority over everything below it. Check that rules at the top and bottom of the list do not contradict each other: the deny policy for the C2 group must sit above any broader accept policy (for example one whose source and destination are set to ‘all’) that would match the same traffic. If the accept policy comes first, it already permits the traffic and the deny policy below it is never evaluated, even though the deny policy looks correct on its own.

C2 server-related malicious IP addresses grouped in FortiGate firewall policy

When the group is set up correctly within a firewall policy, the list of C2 server-related IP addresses it contains is displayed as in the picture above, so you can confirm which addresses the firewall policy is actually enforcing.
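The two points above, grouping the addresses and getting the policy order right, as an added Python example; it is not code from Fortinet-Maliciousip-AutoBlock. It builds the FortiOS REST API payloads for a dated address group and its deny policy, and checks a policy table for a deny rule that is shadowed by a broader accept rule above it. The REST paths (/api/v2/cmdb/firewall/address, /api/v2/cmdb/firewall/addrgrp, /api/v2/cmdb/firewall/policy), the payload field names and the `?action=move&before=` form of the policy move call are assumptions to confirm against your FortiOS version; the interface names and the sample policy table are constructed.

```python
"""Added example (not code from Fortinet-Maliciousip-AutoBlock): build the
FortiOS REST API objects for a dated address group of C2 IPs and check a
policy table for the ordering problem described above, where a deny rule is
never reached because a broader accept rule above it already matches.

Assumptions: FortiOS REST API paths /api/v2/cmdb/firewall/address,
/api/v2/cmdb/firewall/addrgrp and /api/v2/cmdb/firewall/policy, the field
names used in the payloads, and the `?action=move&before=` form of the
policy move call; confirm them against your FortiOS version.  Interface
names "internal" and "wan1" are placeholders."""
from datetime import date

REST = {"address": "/api/v2/cmdb/firewall/address",
        "addrgrp": "/api/v2/cmdb/firewall/addrgrp",
        "policy": "/api/v2/cmdb/firewall/policy"}


def address_object(ip):
    """Host (/32) address object for one C2 IP."""
    return {"name": f"C2_{ip}", "type": "ipmask",
            "subnet": f"{ip} 255.255.255.255"}


def address_group(ips, day):
    """One dated group holding the day's C2 IPs, so the policy references a
    single object and whole days can be rotated out later."""
    return {"name": f"CIP_C2_{day:%Y_%m_%d}",
            "member": [{"name": address_object(ip)["name"]} for ip in sorted(ips)]}


def deny_policy(group_name, srcintf="internal", dstintf="wan1"):
    """Outbound deny rule towards the C2 group, logged so it shows up under
    Log & Report > Forward Traffic."""
    return {"name": f"Block_{group_name}", "status": "enable",
            "srcintf": [{"name": srcintf}], "dstintf": [{"name": dstintf}],
            "srcaddr": [{"name": "all"}], "dstaddr": [{"name": group_name}],
            "service": [{"name": "ALL"}], "schedule": "always",
            "action": "deny", "logtraffic": "all"}


def move_before_url(policy_id, before_id):
    """REST call that moves a policy above another one (assumed syntax)."""
    return f"{REST['policy']}/{policy_id}?action=move&before={before_id}"


def _covers(have, want, wildcard):
    """True if the object list `have` matches every entry of `want`."""
    names = {x["name"] for x in have}
    return wildcard in names or all(w["name"] in names for w in want)


def shadowed_denies(policies):
    """Return (deny_index, accept_index) pairs where a deny policy sits below
    an accept policy that already matches the same traffic.  FortiGate walks
    the table top down and stops at the first match, so such a deny never
    fires."""
    found = []
    for i, p in enumerate(policies):
        if p["action"] != "deny":
            continue
        for j in range(i):
            q = policies[j]
            if (q["action"] == "accept"
                    and q["srcintf"] == p["srcintf"]
                    and q["dstintf"] == p["dstintf"]
                    and _covers(q["srcaddr"], p["srcaddr"], "all")
                    and _covers(q["dstaddr"], p["dstaddr"], "all")
                    and _covers(q["service"], p["service"], "ALL")):
                found.append((i, j))
    return found


# Constructed policy table: a typical "allow everything out" rule placed
# above the C2 deny rule, which is exactly the mis-ordering to catch.
ALLOW_INTERNET = {"name": "Allow_Internet", "status": "enable",
                  "srcintf": [{"name": "internal"}], "dstintf": [{"name": "wan1"}],
                  "srcaddr": [{"name": "all"}], "dstaddr": [{"name": "all"}],
                  "service": [{"name": "ALL"}], "schedule": "always",
                  "action": "accept"}
C2_GROUP = address_group({"192.0.2.10", "198.51.100.7"}, date(2024, 9, 10))
BAD_ORDER = [ALLOW_INTERNET, deny_policy(C2_GROUP["name"])]
GOOD_ORDER = BAD_ORDER[::-1]

if __name__ == "__main__":
    print("shadowed:", shadowed_denies(BAD_ORDER), "fixed:", shadowed_denies(GOOD_ORDER))
```

Run `shadowed_denies` against the policy table exported from the FortiGate after every automated change; an empty result is the condition a practitioner wants before trusting the new group, and any pair it returns names both the deny rule to move and the accept rule it must be moved above.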

Checking Whether Malicious C2 IP Addresses Are Properly Blocked According to Firewall Policy with Criminal IP

Now let’s check that the automatic blocking rule based on the C2 threat feed works. In the query set above, the tag: c2_meshagent setting produces a group of IP addresses associated with the C2 server, and 178.xx87 is one of the addresses in the block list. The Criminal IP Asset Search Report for an IP address lists its open ports together with clickable links to the corresponding services, which makes it easy to reach an individual address and check its block status. Do this test from an isolated host rather than a production workstation, since you are deliberately connecting to a suspected C2 endpoint, and confirm the result in the firewall logs as described below.

Criminal IP Asset Search Report for IP addresses with C2 server tags from C2 threat feed. In the upper right corner of the open port information, a link to the IP address is provided

Clicking the red mark opens the web page served at that C2-related IP address, and you can see that access is blocked, as shown in the screen below.

Screen that is shown when attempting to access a C2 server-related IP address in the firewall policy block list. The access is blocked properly.

Log records also confirm that the blocking rule was applied. In FortiGate, open Log & Report > Forward Traffic and look for the entries for the IP address in question. To isolate traffic dropped by the C2 block rule, filter the log on that rule’s policy ID; the matching entries should show the action as deny.

Screen of logs in FortiGate. Traffic from the IP address is properly blocked by the block rule of the firewall policy
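The same log check done outside the GUI, as an added Python example (not from the article or Criminal IP’s repositories), for FortiGate traffic logs forwarded to syslog or exported from the unit. It parses FortiGate’s key=value log format, selects the forward-traffic entries a given policy ID denied, and reports which addresses in a block list have a logged deny. The log lines are constructed for this example with TEST-NET addresses; the field names (type, subtype, policyid, action, srcip, dstip, dstport) are the standard FortiGate traffic-log fields.

```python
"""Added example (not from the article or Criminal IP's repositories): parse
FortiGate forward-traffic log lines and pull out the connections a given
block policy denied, which is the Log & Report > Forward Traffic check done
outside the GUI, for example on syslog-forwarded logs.

The log lines below are constructed for this example in FortiGate's
key=value format with TEST-NET addresses; policyid, action, srcip, dstip,
dstport, type and subtype are the standard FortiGate traffic-log fields."""
import re

# key=value pairs; values are either double-quoted or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

CONSTRUCTED_LOGS = [
    'date=2024-09-10 time=14:22:01 devname="FGT-LAB" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=10.0.0.5 srcport=51234 '
    'srcintf="internal" dstip=192.0.2.10 dstport=443 dstintf="wan1" proto=6 '
    'service="HTTPS" policyid=7 policyname="Block_CIP_C2_2024_09_10" action="deny"',
    'date=2024-09-10 time=14:22:05 devname="FGT-LAB" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=10.0.0.5 srcport=51240 '
    'srcintf="internal" dstip=203.0.113.9 dstport=443 dstintf="wan1" proto=6 '
    'service="HTTPS" policyid=3 policyname="Allow_Internet" action="accept"',
    'date=2024-09-10 time=14:23:40 devname="FGT-LAB" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=10.0.0.8 srcport=40022 '
    'srcintf="internal" dstip=198.51.100.7 dstport=80 dstintf="wan1" proto=6 '
    'service="HTTP" policyid=7 policyname="Block_CIP_C2_2024_09_10" action="deny"',
]


def parse_fortigate_log(line):
    """Split one FortiGate log line into a {field: value} dict, unquoting values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def denied_by_policy(lines, policy_id):
    """(srcip, dstip, dstport) for every forward-traffic entry the policy
    denied: the same view as filtering Forward Traffic on policyid and action."""
    hits = []
    for line in lines:
        f = parse_fortigate_log(line)
        if (f.get("type") == "traffic" and f.get("subtype") == "forward"
                and f.get("policyid") == str(policy_id)
                and f.get("action") == "deny"):
            hits.append((f["srcip"], f["dstip"], int(f["dstport"])))
    return hits


def verify_blocklist(lines, policy_id, blocklist):
    """Split a block list into IPs with at least one logged deny from the
    policy and IPs with none.  An IP in the second list is unverified, not
    necessarily unblocked: nothing may have tried to reach it yet."""
    denied = {dst for _, dst, _ in denied_by_policy(lines, policy_id)}
    confirmed = sorted(ip for ip in blocklist if ip in denied)
    unverified = sorted(ip for ip in blocklist if ip not in denied)
    return confirmed, unverified


if __name__ == "__main__":
    for hit in denied_by_policy(CONSTRUCTED_LOGS, 7):
        print("denied:", hit)
    print(verify_blocklist(CONSTRUCTED_LOGS, 7,
                           ["192.0.2.10", "198.51.100.7", "203.0.113.5"]))
```

A logged deny is positive evidence that the rule fired for that destination; the absence of one only means no client attempted the connection while the log was collected, so the unverified list is a to-do list for the kind of controlled access test described above, not a list of failures.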

Effectiveness of Firewall Policy Configuration for Automatic Blocking of C2 Server-Related IP Addresses Using Criminal IP Threat Feed

By integrating Criminal IP’s C2 threat feed into the firewall policy, administrators no longer spend their time manually sifting through large volumes of traffic data to prevent C2 server infiltration and can focus on analyzing and responding to significant threats. This makes security management more efficient and strengthens the ability to respond preemptively to C2 server threats, resulting in a more secure network. For related information, refer to STIX Vulnerability Analysis Using IP Intelligence: Analyzing Criminal IP Data With STIX (1).


This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine.

Source: Criminal IP (https://www.criminalip.io)
