Blocking Known Threat IP Traffic using ThreatIQ

ThreatIQ enables you to monitor for security threats in your Aviatrix cloud network, set alerts when threats are detected in the network traffic flows, and block traffic that is associated with threats. All of these capabilities apply to your entire cloud network (multicloud or single cloud) that is managed by Aviatrix Controller.

Working with ThreatIQ

This section describes the ThreatIQ feature of Aviatrix CoPilot.

You access ThreatIQ in CoPilot by going to Home > Security > ThreatIQ or typing ThreatIQ in the navigation search.

ThreatIQ provides visibility into known malicious threats that have attempted to communicate to your cloud network. Aviatrix Cloud Network Platform communicates with a well known threat-IP source to stay abreast of malicious sites or IP addresses known to be bad actors (threat IPs). Netflow data is sent to CoPilot from Aviatrix Gateways in real time and CoPilot analyzes the traffic and compares it with a database of known malicious hosts to quickly detect traffic from threat IPs.

In ThreatIQ Threats view, a geographical map shows you the approximate locations of known malicious IPs that have communicated with your network within the specified time period selected. You can view the severity level of threat IPs detected and their associated attack classifications (as categorized by the well known threat-IP source).

In ThreatIQ, you can view detailed information about each threat record including the source IP of the threat, the destination IP, the gateways where the threat-IP traffic traversed, the associated traffic flow data (date and time, source and destination ports, and so on), and threat information such as why it was deemed a threat. For each threat record, you can open a network topology map where the associated compromised gateway is highlighted. You can drill down into the map to the instance level where the compromised instance (that is communicating and egressing to the threat IP) is highlighted. This topology view makes it easy to identify the subnet the compromised server was deployed on and the transit gateway it was using to communicate with the threat IP.

While the ThreatIQ Overview page provides visibility into the threats detected in your network, the ThreatIQ Configuration page enables you to take actions on those threats:

Enable alerts. You can enable alerts so you are notified when threat-IP traffic is first detected. You can configure your preferred communication channel (email) for sending these ThreatIQ alerts. In CoPilot, in the Notifications option, you can view historical information about when the alerts were triggered, including the names of the gateways within the threat-IP traffic flow. ThreatIQ alerts are based on threat-IP data stored in a database that is regularly updated with the most current threats (new or removed). When a threat IP is removed from the threat-IP source (that is, the IP is no longer deemed malicious), the update is automatically pushed to Aviatrix Cloud Network Platform
Block threat-IP traffic. You can enable blocking of threat-IP traffic. To block threat-IP traffic, alerts must first be enabled. When blocking is enabled, the Controller upon first detecting a threat IP in a traffic flow, instantiates security rules (stateful firewall rules) on all gateways that are within that flow (all gateways within the VPC/VNet/VCN) to immediately block the threat-IP associated traffic. If the threat IP is removed from the database of the threat-IP source, the Controller automatically removes the security rules for that specific threat IP from the affected gateways and associated traffic is no longer blocked. Otherwise, the security rules for that specific threat IP remain enforced. NOTE: If you disable ThreatIQ blocking, the action removes all existing firewall rules instantiated by Aviatrix Controller for all threats (that is, all threat IPs) detected up to that point.

You can add a custom list of IP addresses (you consider threat IPs) to the database of known malicious hosts used by ThreatIQ. For information, see Add a Custom ThreatIQ IP List.

Enable ThreatIQ Alerts

Enable ThreatIQ alerts to receive notifications when threat IPs are detected in your network traffic.

To enable ThreatIQ alerts, you must log in to CoPilot with a user account that belongs to a group that has either all_write or all_security_write permissions.

To enable ThreatIQ alerts, use the following steps:

In CoPilot, go to Home > Security > ThreatIQ.
Click the Configuration tab.
Click Send Alert to expand the settings area.
Click the Send Alert slider and slide it to the right. This opens the ThreatIQ Configuration dialog.
In tthis dialog, click Add Recipient(s). Select the email address destination to which you want to send ThreatIQ alerts. Repeat this for each recipient you want to receive the alert.
Click CONFIRM. ThreatIQ alerts are enabled. When a threat IP is detected in a traffic flow, CoPilot will now send a notification to the email you specified. The notification will state the threat IP that was detected in the blocked traffic.
(Optional) Verify that ThreatIQ alerts are enabled:
1. From the sidebar, click Notifications.
2. In the Configured Alerts list, locate the entry with the name ThreatIQ Alert that has the condition When Threat IP Detected. This entry validates that alerts are enabled.
(Optional) Enable ThreatIQ blocking. After alerts are enabled, you can opt to enable ThreatIQ blocking. See Enable ThreatIQ Blocking for instructions. When ThreatIQ blocking is enabled, Aviatrix Controller pushes down firewall policies to block threat-IP associated traffic as soon as it is detected.

About ThreatIQ Firewall Rules

ThreatIQ firewall rules are stateful firewall rules that are applied to Aviatrix gateways to block traffic for threats detected by the ThreatIQ feature. Threats are either IP addresses from the threat-IP source that Aviatrix Cloud Network Platform communicates with or from your custom ThreatIQ IP List. For information about ThreatIQ, see Working with ThreatIQ.

Aviatrix CoPilot scans flow records for threats. When ThreatIQ blocking is enabled, when CoPilot detects a threat IP in a traffic flow, it calls the controller with the firewall rules to add. The controller instantiates the ThreatIQ firewall rules on all gateways that are within that flow — all gateways within the VPC/VNet — to immediately block the threat-IP associated traffic.

By default, when ThreatIQ blocking is enabled, blocking occurs in all VPCs/VNets. When configuring ThreatIQ blocking, you have the option to exclude any VPC/VNet in your network from ThreatIQ blocking.

If a threat IP is removed from the database of the threat-IP source or from your custom ThreatIQ IP List, the controller automatically removes the ThreatIQ firewall rules for that specific threat IP from the affected gateways and associated traffic is no longer blocked. Otherwise, the ThreatIQ firewall rules for that specific threat IP remain enforced.

If you disable ThreatIQ blocking, the action removes all existing ThreatIQ firewall rules instantiated by Aviatrix Controller for all threats (all threat IPs) detected up to that point.

When a ThreatIQ firewall rule is newly applied on a gateway that has existing rules applied, note the following:

The ThreatIQ firewall-rule drop policies are in addition to the existing firewall policies applied to the same gateways.
If you configure ThreatIQ firewall rules to append instantiated rules (default), Aviatrix Controller adds the ThreatIQ rule to the end of the rules list at the time the threat triggered the rule.
If you configure ThreatIQ firewall rules to prepend instantiated rules, Aviatrix Controller adds the ThreatIQ rule to the beginning of the rules list at the time the threat triggered the rule. Note: The prepend feature is available starting from Controller release 6.6.5544.
If you change the append/prepend configuration, the new configuration applies to new rules. The rules instantiated before the configuration change will retain their placement in the rules list.
Firewall rules are followed in order by the first matching condition. The rule that applies first is the action taken and no subsequent rules are used.

Enable ThreatIQ Blocking

Enable ThreatIQ blocking to block traffic at Aviatrix Gateways where threat IPs have traversed. When blocking is enabled, Aviatrix Controller pushes down firewall policies to block threat-IP associated traffic as soon as it is detected. All gateways in the VPC/VNet will block when threat IPs traverse them.

To enable ThreatIQ blocking, you must log in to CoPilot with a user account that belongs to a group that has either all_write or all_security_write permissions.

To enable ThreatIQ blocking:

In CoPilot, go to Home > Security > ThreatIQ.
Click the Configuration tab.
Verify that ThreatIQ alerts are enabled. The alerts are enabled when the Send Alert status has a checkmark. ThreatIQ alerts must be enabled before blocking can be enabled. See Enable ThreatIQ Alerts for instructions.
Click the Block Threats slider and slide it to the right. The Select VPC/VNets to allow/deny ThreatIQ Protection dialog may open. If so, select all the instances to protect with ThreatIQ and click Save.

You may see a confirmation message about blocking threats. If so, click Confirm.

ThreatIQ blocking is enabled. Aviatrix Controller now enforces firewall policies to block threat-IP associated traffic as soon as it is detected. Each time a different IP threat is detected, a new firewall rule is instantiated on the gateway. By default, all gateways in a VPC/VNet will block the associated traffic. You can be selective about which VPC/VNets block threat IPs in the next step.
(Optional - Deny ThreatIQ protection) Select VPC/VNets for which you do not want ThreatIQ blocking enabled.
- Click the pen icon next to Configure Exclusion List for VPCs.
- In the Protected with ThreatIQ list, select the check box of each VPC/VNet for which you do not want ThreatIQ blocking enabled.
- Transfer the VPC/VNets to the Not Protected list and click Save.
- For any VPC/VNets listed in the Not Protected list, the gateways in them will not block threat IPs when detected.
(Optional - Prepend ThreatIQ rules) By default, ThreatIQ firewall rules append instantiated rules — Aviatrix Controller adds the ThreatIQ rule to the end of the rules list at the time the threat triggered the rule. If you want Controller to add the ThreatIQ rule to the beginning of the rules list, select the Prepend radio button. For more information, see About ThreatIQ Firewall Rules.
(Optional - Disable blocking)

When you disable ThreatIQ blocking, the action removes all existing ThreatIQ firewall rules instantiated by Aviatrix Controller for all threats detected up to that point.

To disable blocking, in ThreatIQ Configuration view, click the Block Traffic check and then click the Block Threats slider. Click Confirm to disable all ThreatIQ firewall rules and stop ThreatIQ blocking.

Add a Custom ThreatIQ IP List

Add a custom list of IP addresses to the database of known malicious hosts used by ThreatIQ. The custom threat IPs are handled by Aviatrix Controller in the same manner as the threat IPs identified through ThreatIQ with ThreatIQ (detection, alerts, blocking, and unblocking functionality is the same).

You must log in to CoPilot with a user account that has all_write or all_security_write permissions to add, modify, or delete a custom ThreatIQ IP list.

To add a custom ThreatIQ IP list:

In CoPilot, go to Home > Security > ThreatIQ.
Click the Custom Threat List tab.
Click +Threat IP and enter the details:
- IP: An IP address you consider a threat IP.
- Severity: Any term you want to use that indicates the severity of this threat IP.
- Color: The color you want to associate with this threat IP. The color is used in lists and charts of the ThreatIQ dashboard.
- Classification: Any term you want to use that indicates the classification of this threat IP.
- Info: Any custom note you want to state for this threat IP.
To add more IP addresses to the list, click the plus sign and enter the details for each one.
Click Confirm.

The IP addresses are added to the database of known malicious hosts used by ThreatIQ.

To change a threat IP entry, click the pen icon, double-click on a value to change it, and click the save icon. Threat records generated prior to the change retain earlier values (for example, if you change the color from blue to red, threat records generated before the color change still show blue).

To delete an IP address from the list, click the trash icon. The IP address is removed from the database of known malicious hosts used by ThreatIQ. If ThreatIQ blocking has been applied for this threat IP, the Controller automatically removes the security rules for that specific threat IP from the affected gateways and associated traffic is no longer blocked.

Threats View Properties

Descriptions of the properties in the CoPilot ThreatIQ Threats view listed in alphabetical order:

All Threats (Total)

Since ThreatIQ was turned on, the number of times total an action or event was detected that was correlated with any of the unique threat IPs.
Start Time and End Time

(Start Time) Date and time from which you want to view what malicious IPs were occurring in the fabric of your Aviatrix transit network.

(End Time) Date and time up to which you want to view what malicious IPs were occurring in the fabric of your Aviatrix transit network.
Threat Classifications

Of the number of threats in the time period specified (by Start Time and End Time), what number of them is in a specific threat classification.
Threat Count

The number of times the unique Threat IPs have been detected across your Aviatrix transit network within the time period specified (by Start Time and End Time).
Threat Details

The Threat Details dialog provides a network topology diagram highlighting the location of the compromised host in your network, the flow data and overall netflow, and a summary of the threat severity as defined by the threat-IP source.
Threat Severity

Of the number of threats in the time period specified (by Start Time and End Time), what number of them is in the Major threat severity category and Medium (Audit) threat severity category.
Threats Over Time

Over the time period specified (by Start and End Time), a graph showing the number of threats that were detected. Spikes in the graph reflect days when more threats were detected.
Total Threats Over Time

Over the time period specified (by Start and End Time), a graph showing the total count of threats. The count accumulates as you see more threats over time in that time period.
Unique Threat IPs

The number of unique threat IPs that were detected across your Aviatrix transit network within the time period specified (by the Start Time and End Time). These are malicious IP addresses defined by a well known threat-IP source.

ThreatIQ Configuration View Properties

Descriptions of the properties in the CoPilot ThreatIQ Configuration view listed in alphabetical order:

Blocked Threat IPs

The number of unique threat IPs that traffic was blocked for.
Block Traffic

Enable Aviatrix Gateways to block traffic that is associated with a threat IP.
Firewall Rules Per Gateway

A pie chart showing the percentage of rules that are instantiated on each Aviatrix gateway.
Gateways

The number of Aviatrix gateways that have instantiated firewall rules to block threat IP traffic.
Rules

The number of firewall rules that were instantiated to block threat IP traffic.
Send Alert

Enable CoPilot to send alert notifications (to one or more email/Webhook systems) when traffic that is associated with a threat IP is detected.
Threats Blocked Per Gateway

A pie chart showing the percentage of threats that are blocked on each Aviatrix gateway.
View Rules dialog

The View Rules dialog shows the ThreatIQ firewall rules that are applied on Aviatrix gateways.