Advised to block all traffic to/from specific IP addresses

My CFO received an email from a director at a financial institution advising that all traffic (inbound and outbound) from certain IP addresses should be blocked at the firewall. The director at the financial institution was advised by his IT department to send this mail. The list of addresses (about 40) was in an attached, password-protected PDF. The password was sent to my CFO by text message.



I initially thought this was a malicious attempt to get our CFO to open an infected PDF, or a phishing/whaling attempt, but it seems legit. We have spoken to the IT department at the FI and they say it's genuine, but they can't (won't) provide any more information. Due to the nature of the relationship between my company and the FI, refusing isn't really an option. From what I can see most of the IP addresses appear to belong to tech companies.



Does this approach strike you as suspicious? Is there some social engineering going on here? What could the nature of the threat be?










  • 4




    I think this question is missing sufficient detail to provide a good answer. What I find especially missing are more details on the affected IP addresses, the reasons given for the block and the original source of the recommendations (which is likely not a director of a FI, who usually has not much idea of IT security). It is not uncommon, though, that some information about potential dangers gets provided only to selected, potentially affected companies and not made public, in order not to give attackers too much information that they are known. This might explain the encrypted PDF.
    – Steffen Ullrich
    2 days ago







  • 27




    It's missing detail because I haven't got any detail, other than a list of IP addresses. The fact that the request came from a director of a financial institution is what I find suspicious. I'm well aware such a person would be unlikely to be well versed in IT security matters. I know it's a vague question, something just doesn't sit right.
    – upsidedowncreature
    2 days ago






  • 7




    @jcaron ultimately, those 3 facts do not matter
    – schroeder♦
    2 days ago






  • 7




    @schroeder Ultimately, no. But: if the IT department needed to communicate with all "partners" because they were aware of a specific risk (say, Wannacry++), they could have gone to the "director of partnerships" who actually has the list of all partners with the relevant contact info. This may remove one of the elements of uncertainty OP has with the way this was communicated. OP, when you spoke to the IT department at the FI, you of course used contact information you already had, not a phone number included in the e-mail?
    – jcaron
    2 days ago






  • 4




    It might be worth pointing out that IP addresses can be spoofed, so blocking 40 addresses (assuming they're not IP range bans) seems fairly small and arbitrary.
    – SSight3
    yesterday
















Tags: firewalls social-engineering






asked 2 days ago by upsidedowncreature

5 Answers
Answer (score 96)













If you spoke to the FI on a separate channel, you actually spoke to the FI, and they know about this, then by definition, it is not a phish.



What strikes me as odd is "but they can't (won't) provide any more information", and "refusing isn't really an option". These 2 facts cannot co-exist if you are a separate entity from the FI.



Your push-back is simple: your firewall policy requires a legitimate reason along with an end-date for the rule to be reviewed/removed. You don't just add firewall rules because someone outside of the organisation told you to. The FI has no idea if blocking those IPs may impact your operations.



  • what effect is this rule supposed to have?

  • how long does the rule need to exist?

  • who (named individual) owns this rule on the FI side?

  • what remedies are expected if the rule has a negative effect on operations?

  • what effect will there be between your companies if the rule is not implemented exactly as requested?

You will not add the firewall rule without knowing what the impact is, either positively or negatively. If they want greater control over your firewalls, then they can supply and manage your firewalls for you.



On the other hand, if they own you and the risks, then they take on the risks of this change, so then just add the rules.



As for a Director sending this request, it's not so strange. When you need someone to do something, you have the person with the most clout make the request. The Director may have no idea what a firewall is, but the request is being made in that person's name. I am also curious why so much clout is needed, though. It seems like they want to pressure you into doing it while not having to explain themselves. Don't let them dictate your policy and how you best protect your company.






  • 17




    @DonQuiKong if politics beats proper security and risk management, then that's your policy
    – schroeder♦
    2 days ago






  • 20




    Re-read my answer. I did not say "just refuse", I said push back with specific requests for information.
    – schroeder♦
    2 days ago






  • 9




    I cannot possibly imagine any scenario where the politics overrides the liabilities that both companies are exposed to by the one dictating firewall rules to the other. If the FI wants to push, then they must also take on the liabilities, and that needs to be made clear.
    – schroeder♦
    2 days ago






  • 31




    You could always pretend to say yes. For example: "Sure, we can add those. Here's the standard form for requesting new firewall rules, please fill it out and send it back by Thursday." The form then asks for whatever information you want.
    – Kevin
    2 days ago






  • 13




    I think @Kevin's point is not so much deception (despite advocating for it at face value), but that you can put a friendly face on the demand. Rather than phrasing the request as a demand for information, emphasize your openness to fulfilling the request as long as reasonable policies are met: "Thanks for this suggestion. Per our policy, we need to record some more information before we can put it in place. We also need to better understand what the intended impact is, so that we can evaluate the rule in light of the rest of our policies/rules and whether we succeeded or not." Or similar.
    – jpmc26
    yesterday


















Answer (score 36)













I would lean away from this being a social engineering attempt and more towards a peer FI being uber-cautious regarding information disclosure - they may have had some kind of incident involving these IPs and are not at the stage where they want to disclose anything further.



Look at it this way: what would an apparent threat actor really have to gain from this?



You mention that many of the IPs are related to technology companies.



  • Do these companies provide any web hosting which could be used as malicious infrastructure?

  • Do these companies provide any proxy services which could be abused?

  • Do these companies provide any security testing software which could be used maliciously?

While the organizations themselves may be legitimate, they could be taken advantage of, however without further information from this FI, I would not take action: the burden of proof rests with the sender of this list.



This is effectively low-quality threat intelligence - it provides no evidence that the indicators are worth actioning.



As an aside, is there any way you can set up monitoring on these IPs in the meantime? Some investigation on your end may yield the information you need to determine why these are allegedly worthy of blocking (some OSINT digging might be fruitful, also).






  • 5




    Could requests from these IP addresses be sent to a separate server (perhaps on a link local network) and quarantined for analysis?
    – Tracy Cramer
    2 days ago







  • 2




    Two good options in this space; you could forward sinkhole them (such as link local) or you could allow and analyse "on the fly" but drop them further down the line if there was still a concern.
    – Doomgoose
    2 days ago







  • 2




    "what would an apparent threat actor really have to gain from this?" Some kind of denial of service to one of the blocked parties. The threat doesn't necessarily have to be directly to the OP's company, even though it's in their interest to ensure their customer's needs are met.
    – jpmc26
    yesterday







  • 2




    @jpmc26 - Absolutely correct that this is a possibility, however I feel this would be highly unlikely: it's not a tactic I've ever come across or even heard of used against an organisation. Given that this adversary would need to not only know the correct team to contact and the sender to spoof and that the blocking of these IPs would lead to service degradation for the target, I don't think it's a likely avenue of attack in this case.
    – Doomgoose
    yesterday






  • 5




    "what would an apparent threat actor have to gain from this" - they could be building precedent. This time it's block an IP list in your Firewall. They'll make a similar request a few more times and it'll become easier and easier to get through the red tape until it becomes almost normal. Then one request will include some whitelist rules and nobody thinks anything of it because they've been trained not to worry
    – Darren H
    20 hours ago

















Answer (score 11)














> My CFO received an email from a director at a financial institution advising that all traffic (inbound and outbound) from certain IP addresses should be blocked at the firewall. The director at the financial institution was advised by his IT department to send this mail. The list of addresses (about 40) was in an attached, password-protected PDF. The password was sent to my CFO by text message.




The only part about this that I find strange is that the CFO is involved at all in this. CTOs (or subordinates) routinely deal with cyberintelligence and information sharing amongst institutions and national intelligence agencies (FBI, CERT, etc.).




> I initially thought this was a malicious attempt to get our CFO to open an infected PDF, or a phishing/whaling attempt, but it seems legit. We have spoken to the IT department at the FI and they say it's genuine, but they can't (won't) provide any more information. Due to the nature of the relationship between my company and the FI, refusing isn't really an option. From what I can see most of the IP addresses appear to belong to tech companies.




Your diligence is worth applause; that is a plausible vector.



You don't specify what these "tech companies" are, but if they are things like AWS, DigitalOcean, Linode, Vultr, Choopa, Hetzner, OVH, Velia, et al. then you should know that these tech companies (and many other smaller ones, including torrent seedboxes) are routinely implicated in botnets, malware and financial fraud. Anything offering shared hosting or VPS services is a possible platform for launching attacks. I can tell you from direct experience that many of the HSA, W2, tax return fraud and other scams journalists like Krebs reports on are launched from cheap VPS services like these.




> Does this approach strike you as suspicious? Is there some social engineering going on here?




Information about current incidents can get shared formally (through publication to US-CERT mailing lists, amongst institutions on DIBNET, FS-ISAC, etc.) or via weird PDF-sharing schemes between executives that originated from what was supposed to be a non-disclosable, non-attributable FBI tip. It happens.



When the FBI is the originating source, they generally provide little to no detail or context and so shaking the tree and refusing to take action without further information may not be received well by your superiors. Keep holding out and you'll end up like the shmuck at Equifax who delayed patching Struts prior to the breach; he was the first person to get thrown under the bus. You apparently have a business agreement obligating you to implement some IP blocks based on threat intelligence received. Just do it.



Again, the only fishy part to me is that the CFO was the recipient. But that could just be due to the nature of an existing relationship between him and that director.



It is entirely possible someone is trying to cause chaos by having you block IPs of companies you do business with, but that seems far-fetched: it requires a lot of inside knowledge and effort to accomplish a small interruption at worst.




> What could the nature of the threat be?




Director at financial institution X was made aware of an incident. They were likely compromised by one or more of those 40 IPs, or made aware of a threat from an external source. They may or may not have observed evidence that your company may also be a potential target, either through credentials they saw attempted, endpoints requested, or data exfiltrated. They saw fit to share this information with your company so you could take proactive measures.



Between you and me, I'm not fazed by this scenario. This is the sort of thing I come in to find in my mailbox every Monday (and especially in the days following national holidays; foreign attackers love waiting until they know nobody's going to be in the office for a few days. Labor Day was last week...).



What I personally do with these lists before implementing blocks is run them through our own logs and see what activity the same actors may have been up to with our own systems. Look for activity by any IPs within the same subnets; the IPs supplied may not have been the same ones that might have targeted you already. Sometimes it uncovers evidence of compromise that wasn't within the scope of the supplied intelligence.
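One way to do the log triage this answer describes, which also covers the interim monitoring Doomgoose's answer suggests. This is an added example, not code from the question or from any answer; the supplied list, the log format with src=/dst= fields, and the /24 and /64 "same subnet" widths are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample list (RFC 5737 / RFC 3849 documentation ranges, not real hosts).
SUPPLIED_LIST = """
203.0.113.45
203.0.113.46
198.51.100.0/28   # a range, with a trailing comment
2001:db8:1::7
"""

# Constructed sample firewall log. Inbound contact shows up in src=, outbound
# contact in dst=, so both directions of the requested block are covered.
SAMPLE_LOGS = """\
2018-09-10T02:14:07Z fw: ACCEPT src=203.0.113.45 dst=10.0.0.5 dport=443
2018-09-10T02:14:09Z fw: ACCEPT src=203.0.113.200 dst=10.0.0.5 dport=22
2018-09-10T02:15:00Z fw: ACCEPT src=192.0.2.17 dst=10.0.0.9 dport=443
2018-09-10T02:16:31Z fw: DROP src=198.51.100.9 dst=10.0.0.5 dport=445
2018-09-10T02:17:02Z fw: ACCEPT src=[2001:db8:1::7] dst=10.0.0.5 dport=443
2018-09-10T02:18:40Z fw: ACCEPT src=198.51.100.77 dst=10.0.0.5 dport=3389
2018-09-10T02:19:11Z fw: ACCEPT src=10.0.0.23 dst=203.0.113.46 dport=443
garbage line with no address fields
"""

# Assumed log format: key=value fields, IPv6 possibly in brackets.
FIELD_RE = re.compile(r"\b(src|dst)=\[?([0-9a-fA-F:.]+)\]?")


def parse_supplied_list(text):
    """Turn the supplied list into ip_network objects.

    Blank lines and '#' comments are skipped. Anything else that is not a
    valid address or CIDR raises ValueError: a silently dropped entry would
    leave a hole in the block that nobody notices.
    """
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def neighbourhood(net, v4_prefix=24, v6_prefix=64):
    """Widen an entry to the surrounding subnet used for 'same subnet' matching."""
    prefix = v4_prefix if net.version == 4 else v6_prefix
    return net if net.prefixlen <= prefix else net.supernet(new_prefix=prefix)


def endpoints(line):
    """Yield (field, ip_address) for every src=/dst= field that parses as an IP."""
    for field, raw in FIELD_RE.findall(line):
        try:
            yield field, ipaddress.ip_address(raw)
        except ValueError:
            continue  # e.g. a hostname in that field; nothing to match


def triage(list_text, log_text, v4_prefix=24, v6_prefix=64):
    """Return (hits, unparsed): one hit dict per log field that lands on a
    supplied entry ('exact') or only on its surrounding subnet ('nearby'),
    plus the number of lines with no readable address field, so a log
    format change cannot silently turn into "no hits"."""
    nets = parse_supplied_list(list_text)
    wide = [neighbourhood(n, v4_prefix, v6_prefix) for n in nets]
    hits, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        found = list(endpoints(line))
        if not found:
            unparsed += 1
            continue
        for field, ip in found:
            exact = next((n for n in nets if ip in n), None)
            near = None if exact is not None else next((w for w in wide if ip in w), None)
            entry = exact if exact is not None else near
            if entry is None:
                continue
            hits.append({
                "ip": str(ip),
                "direction": "inbound" if field == "src" else "outbound",
                "match": "exact" if exact is not None else "nearby",
                "entry": str(entry),
                "line": line,
            })
    return hits, unparsed


def summarize(hits):
    """Count hits per (match type, direction): the figures to cite when pushing back."""
    return Counter((h["match"], h["direction"]) for h in hits)


if __name__ == "__main__":
    found, skipped = triage(SUPPLIED_LIST, SAMPLE_LOGS)
    for h in found:
        print(f'{h["match"]:6} {h["direction"]:8} {h["ip"]:16} via {h["entry"]}')
    print(dict(summarize(found)), "unparsed lines:", skipped)
```

A non-zero "unparsed" count or a run of "nearby" hits from one /24 is exactly the information worth taking back to the FI before the block goes in.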






  • 4




    I would not really advise anyone to block a list of disposable DigitalOcean droplets on a per-IP(v4?) basis without creating a process for maintaining those blacklist records. NB: DO alone has hundreds of thousands if not millions of IPv4 addresses which an attacker is able to move between in maybe minutes. And, say, AWS deploys much, much more.
    – ximaera
    2 days ago







  • 5




    Also, AWS is not just a botnet hoster, it's a popular provider of convenient whatever-aaS functions, frequently used by enterprises. What if any of your customers or partners is also using AWS? What if they occasionally migrate to one of those blocked IP addresses once a malicious application is removed from those by the Amazon security team? No, this is just asking for trouble.
    – ximaera
    2 days ago






  • 1




    The CFO involvement suggests this might be a compliance issue, not a security issue.
    – Sentinel
    yesterday






  • 1




    I don't see what's suspicious ... a financial institution's contact with your company is most likely the CFO, or someone under his command. If they contacted the CTO, there'd be a longer delay as the CTO tried to confirm the origin of the message. If the CFO contacted you directly, and you report to the CTO or CIO, then yes, get some confirmation from your higher-up, but if something goes wrong, and you just dismiss it because it seemed strange, you're the one that's going to be hung out to dry. It might be worth getting a policy of which CxO is 'confirm later' vs. 'confirm first'.
    – Joe
    yesterday






  • 2




    @ximaera Doing nothing in the face of a stated threat (CVE) is what led to the Equifax breach. Under the (former) CEO the prevailing mentality there was one of "waaah we can't do anything that will impact production." Look where that got them. Accidentally blocking a segment of customer/partner infrastructure (if that's even applicable in this case) is at worst a technical error, the resolution of which is governed by contracts and SLAs, and the consequences of which are significantly lesser than getting pwned altogether.
    – Ivan
    yesterday

















Answer (score 6)














> Does this approach strike you as suspicious?




You said, "Due to the nature of the relationship between my company and the FI, refusing isn't really an option."



That is a very interesting statement. Ultimately, without being forthcoming on the details of that relationship I don't think anyone can say whether this approach is suspicious or not. It certainly sounds like the contractual arrangements between the two companies covered this scenario. If that's true, then no this is not suspicious.




> Is there some social engineering going on here?




Doesn't sound like it. If you have verbally confirmed that the other company's IT department has in fact sent this request/order then no, this is not a social engineering problem.




What could the nature of the threat be?




Maybe the other company has proof that those tech companies have been infiltrated. Maybe the other company is simply concerned that their IP might be stolen by those companies. Without knowing who is involved it is impossible to guess.

































    up vote
    6
    down vote













    The fact that the IT department does not know the reasons for blocking the IPs and the fact that the FI execs are liaising with the CFO, as opposed to CTO, suggests this is a compliance issue.



    You may be facing implementation of sanctions, AML, or antiterrorism blacklists. Possibly PCI audit.



    I have worked in banks, and compliance procedures can be quite bizarre, and challenging to implement. You could ask Compliance for approval on the measure itself.


























































      5 Answers








      up vote
      96
      down vote













      If you spoke to the FI on a separate channel, you actually spoke to the FI, and they know about this, then by definition, it is not a phish.



      What strikes me as odd is "but they can't (won't) provide any more information", and "refusing isn't really an option". These 2 facts cannot co-exist if you are a separate entity from the FI.



      Your push-back is simple: your firewall policy requires a legitimate reason along with an end-date for the rule to be reviewed/removed. You don't just add firewall rules because someone outside of the organisation told you to. The FI has no idea if blocking those IPs may impact your operations.



      • what effect is this rule supposed to have?

      • how long does the rule need to exist?

      • who (named individual) owns this rule on the FI side?

      • what remedies are expected if the rule has a negative effect on operations?

      • what effect will there be between your companies if the rule is not implemented exactly as requested?

      You will not add the firewall rule without knowing what the impact is, either positively or negatively. If they want greater control over your firewalls, then they can supply and manage your firewalls for you.



      On the other hand, if they own you and the risks, then they take on the risks of this change, so then just add the rules.



      As for a Director sending this request, it's not so strange. When you need someone to do something, you have the person with the most clout make the request. The Director may have no idea what a firewall is, but the request is being made in that person's name. I am also curious why so much clout is needed, though. It seems like they want to pressure you into doing it while not having to explain themselves. Don't let them dictate your policy and how you best protect your company.
























      • 17




        @DonQuiKong then if politics beats proper security and risk management, then that's your policy
        – schroeder♦
        2 days ago






      • 20




        Re-read my answer. I did not say "just refuse", I said push back with specific requests for information.
        – schroeder♦
        2 days ago






      • 9




        I cannot possibly imagine any scenario where the politics overrides the liabilities that both companies are exposed to by the one dictating firewall rules to the other. If the FI wants to push, then they must also take on the liabilities, and that needs to be made clear.
        – schroeder♦
        2 days ago






      • 31




        You could always pretend to say yes. For example: "Sure, we can add those. Here's the standard form for requesting new firewall rules, please fill it out and send it back by Thursday." The form then asks for whatever information you want.
        – Kevin
        2 days ago






      • 13




        I think @Kevin's point is not so much deception (despite advocating for it at face value), but that you can put a friendly face on the demand. Rather than phrasing the request as a demand for information, emphasize your openness to fulfilling the request as long as reasonable policies are met: "Thanks for this suggestion. Per our policy, we need to record some more information before we can put it in place. We also need to better understand what the intended impact is, so that we can evaluate the rule in light of the rest of our policies/rules and whether we succeeded or not." Or similar.
        – jpmc26
        yesterday















      edited yesterday

























      answered 2 days ago









      schroeder♦

      64.4k24138173




      up vote
      36
      down vote













      I would lean away from this being a social engineering attempt and more towards a peer FI being uber-cautious regarding information disclosure - they may have had some kind of incident involving these IPs and are not at the stage where they want to disclose anything further.



      Look at it this way: what would an apparent threat actor really have to gain from this?



      You mention that many of the IPs are related to technology companies.



      • Do these companies provide any web hosting which could be used as malicious infrastructure?

      • Do these companies provide any proxy services which could be abused?

      • Do these companies provide any security testing software which could be used maliciously?

      While the organizations themselves may be legitimate, they could be taken advantage of, however without further information from this FI, I would not take action: the burden of proof rests with the sender of this list.



      This is effectively low-quality threat intelligence - it provides no evidence that the indicators are worthwhile actioning.



      As an aside, is there any way you can set up monitoring on these IPs in the meantime? Some investigation on your end may yield the information you need to determine why these are allegedly worthy of blocking (some OSINT digging might be fruitful, also).





























      • 5




        Could requests from these IP addresses be sent to a separate server (perhaps on a link local network) and quarantined for analysis?
        – Tracy Cramer
        2 days ago







      • 2




        Two good options in this space; you could forward sinkhole them (such as link local) or you could allow and analyse "on the fly" but drop them further down the line if there was still a concern.
        – Doomgoose
        2 days ago







      • 2




        "what would an apparent threat actor really have to gain from this?" Some kind of denial of service to one of the blocked parties. The threat doesn't necessarily have to be directly to the OP's company, even though it's in their interest to ensure their customer's needs are met.
        – jpmc26
        yesterday







      • 2




        @jpmc26 - Absolutely correct that this is a possibility, however I feel this would be highly unlikely: it's not a tactic I've ever come across or even heard of used against an organisation. Given that this adversary would need to not only know the correct team to contact and the sender to spoof and that the blocking of these IPs would lead to service degradation for the target, I don't think it's a likely avenue of attack in this case.
        – Doomgoose
        yesterday






      • 5




        "what would an apparent threat actor have to gain from this" - they could be building precedence. This time it's block an IP list in your Firewall. They'll make a similar request a few more times and it'll become easier and easier to get through the red tape until it becomes almost normal. Then one request will include some whitelist rules and nobody thinks anything of it because they've been trained not to worry
        – Darren H
        20 hours ago














      edited 2 days ago





















      answered 2 days ago









      Doomgoose

      42227
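One way to act on the "monitor these IPs in the meantime" suggestion in this answer while recording what the firewall-policy checklist in the top answer asks for, as an added example that is not part of the original answers or comments: it lists the policy questions the request leaves open, normalises the received addresses, and counts inbound and outbound flows against them in firewall logs before any rule is written. The `BlockRequest` fields, the log format, and every address, name and log line are constructed assumptions, not anything from the question.

```python
# Added example (not from the original post or its authors): an "observe first"
# check for a block-list received from a third party.  It records the metadata a
# firewall policy demands, normalises the received addresses and scans firewall
# logs for traffic to or from them, so the impact of the proposed block is known
# before any rule is deployed.  All addresses, names and log lines are constructed.
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class BlockRequest:
    """What the requesting party actually supplied alongside the list."""
    requester: str
    entries: tuple                  # raw IPs / CIDR blocks as received
    purpose: str = ""               # what effect the rule is supposed to have
    owner: str = ""                 # named individual owning the rule on their side
    review_by: date | None = None   # when the rule is reviewed or removed
    remedy: str = ""                # what happens if the rule hurts operations


def policy_gaps(req: BlockRequest) -> list:
    """Policy questions the request leaves unanswered; empty means it can
    enter the normal change process."""
    gaps = []
    if not req.purpose.strip():
        gaps.append("purpose: what effect is this rule supposed to have?")
    if not req.owner.strip():
        gaps.append("owner: who (named individual) owns this rule on the requesting side?")
    if req.review_by is None:
        gaps.append("review date: how long does the rule need to exist?")
    if not req.remedy.strip():
        gaps.append("remedy: what if the rule has a negative effect on operations?")
    return gaps


def parse_networks(entries):
    """Bare addresses become single-host networks, overlapping entries are
    merged, and malformed entries are returned separately so they can be
    queried with the sender instead of being silently dropped."""
    nets, bad = [], []
    for raw in entries:
        try:
            nets.append(ipaddress.ip_network(raw.strip(), strict=False))
        except ValueError:
            bad.append(raw)
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6)), bad

# Constructed log format: "<timestamp> <action> src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def scan_logs(log_lines, networks) -> Counter:
    """Count flows touching a listed network: 'inbound' when the listed address
    is the source, 'outbound' when one of our hosts reached out to it.
    Keys are (direction, network, destination port)."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue                       # unparseable line: skip, do not guess
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        for net in networks:
            if src in net:
                hits[("inbound", str(net), m["dport"])] += 1
            if dst in net:
                hits[("outbound", str(net), m["dport"])] += 1
    return hits


def outbound_dependencies(hits: Counter) -> list:
    """Listed networks our own hosts initiate traffic to: blocking these is the
    part of the request most likely to break something, so they head the list
    of questions for the rule's owner."""
    return sorted({net for (direction, net, _) in hits if direction == "outbound"})

# Constructed sample: the received list (two entries overlap, one is malformed)
# and one morning of firewall logs.  192.0.2.0/24 plays the role of our own network.
RECEIVED_LIST = ("203.0.113.10", "203.0.113.0/28", "198.51.100.77", "not-an-ip")
RECEIVED_REQUEST = BlockRequest(requester="FI director (constructed)", entries=RECEIVED_LIST)
SAMPLE_LOGS = [
    "2018-08-27T09:01:02 ALLOW src=203.0.113.10 dst=192.0.2.5 dport=443",
    "2018-08-27T09:01:09 ALLOW src=192.0.2.5 dst=203.0.113.10 dport=443",
    "2018-08-27T09:03:11 ALLOW src=192.0.2.8 dst=198.51.100.77 dport=22",
    "2018-08-27T09:05:40 ALLOW src=192.0.2.9 dst=198.51.100.78 dport=443",
    "2018-08-27T10:15:00 DENY  src=203.0.113.4 dst=192.0.2.5 dport=3389",
    "2018-08-27T10:16:00 a line the parser does not understand",
]

if __name__ == "__main__":
    for gap in policy_gaps(RECEIVED_REQUEST):
        print("missing:", gap)
    nets, bad = parse_networks(RECEIVED_LIST)
    hits = scan_logs(SAMPLE_LOGS, nets)
    for (direction, net, port), n in sorted(hits.items()):
        print(f"{direction:8} {net:18} dport={port:<5} flows={n}")
    print("rejected entries:", bad, "| outbound dependencies:", outbound_dependencies(hits))
```

Outbound hits are the ones to raise first with the requesting party: they show your own systems talking to the listed addresses, which is exactly the operational impact the sender cannot know about.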




      42227




      New contributor




      Doomgoose is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      Doomgoose is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      Doomgoose is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.







      • 5




        Could requests from these IP addresses be sent to a separate server (perhaps on a link local network) and quarantined for analysis?
        – Tracy Cramer
        2 days ago







      • 2




        Two good options in this space; you could forward sinkhole them (such as link local) or you could allow and analyse "on the fly" but drop them further down the line if there was still a concern.
        – Doomgoose
        2 days ago







      • 2




        "what would an apparent threat actor really have to gain from this?" Some kind of denial of service to one of the blocked parties. The threat doesn't necessarily have to be directly to the OP's company, even though it's in their interest to ensure their customer's needs are met.
        – jpmc26
        yesterday







      • 2




        @jpmc26 - Absolutely correct that this is a possibility, however I feel this would be highly unlikely: it's not a tactic I've ever come across or even heard of used against an organisation. Given that this adversary would need to not only know the correct team to contact and the sender to spoof and that the blocking of these IPs would lead to service degradation for the target, I don't think it's a likely avenue of attack in this case.
        – Doomgoose
        yesterday






      • 5




        "what would an apparent threat actor have to gain from this" - they could be building precedence. This time it's block an IP list in your Firewall. They'll make a similar request a few more times and it'll become easier and easier to get through the red tape until it becomes almost normal. Then one request will include some whitelist rules and nobody thinks anything of it because they've been trained not to worry
        – Darren H
        20 hours ago












      up vote
      11
      down vote














      My CFO received an email from a director at a financial institution advising that all traffic (inbound and outbound) from certain IP addresses should be blocked at the firewall. The director at the financial institution was advised by his IT department to send this mail. The list of addresses (about 40) was in an attached, password-protected PDF. The password was sent to my CFO by text message.




      The only part about this that I find strange is that the CFO is involved at all in this. CTOs (or subordinates) routinely deal with cyberintelligence and information sharing amongst institutions and national intelligence agencies (FBI, CERT, etc.).




      I initially thought this was a malicious attempt to get our CFO to open an infected PDF, or a phishing/whaling attempt, but it seems legit. We have spoken to the IT department at the FI and they say it's genuine, but they can't (won't) provide any more information. Due to the nature of the relationship between my company and the FI, refusing isn't really an option. From what I can see most of the IP addresses appear to belong to tech companies.




      Your diligence is worth applause; that is a plausible vector.



      You don't specify what these "tech companies" are, but if they are things like AWS, DigitalOcean, Linode, Vultr, Choopa, Hetzner, OVH, Velia, et al. then you should know that these tech companies (and many other smaller ones, including torrent seedboxes) are routinely implicated in botnets, malware and financial fraud. Anything offering shared hosting or VPS services is a possible platform for launching attacks. I can tell you from direct experience that many of the HSA, W2, tax return fraud and other scams journalists like Krebs reports on are launched from cheap VPS services like these.




      Does this approach strike you as suspicious? Is there some social engineering going on here?




      Information about current incidents can get shared formally (through publication to US-CERT mailing lists, amongst institutions on DIBNET, FS-ISAC, etc.) or via weird PDF-sharing schemes between executives that originated from what was supposed to be a non-disclosable, non-attributable FBI tip. It happens.



      When the FBI is the originating source, they generally provide little to no detail or context and so shaking the tree and refusing to take action without further information may not be received well by your superiors. Keep holding out and you'll end up like the shmuck at Equifax who delayed patching Struts prior to the breach; he was the first person to get thrown under the bus. You apparently have a business agreement obligating you to implement some IP blocks based on threat intelligence received. Just do it.



      Again, the only fishy part to me is that the CFO was the recipient. But that could just be due to the nature of an existing relationship between him and that director.



      It is entirely possible someone is trying to cause chaos by having you block IPs of companies you do business with, but that seems farfetched-- it requires a lot of inside knowledge and effort to accomplish a small interruption at worst.




      What could the nature of the threat be?




      Director at financial institution X was made aware of an incident. They were likely compromised by one or more of those 40 IPs, or made aware of a threat from an external source. They may or may not have observed evidence that your company may also be a potential target, either through credentials they saw attempted, endpoints requested, or data exfiltrated. They saw fit to share this information with your company so you could take proactive measures.



      Between you and me, I'm not fazed by this scenario. This is the sort of thing I come in to find in my mailbox every Monday (and especially in the days following national holidays-- foreign attackers love waiting until they know nobody's going to be in the office for a few days. Labor Day was last week...).



      What I personally do with these lists before implementing blocks is run them through our own logs and see what activity the same actors may have been up to with our own systems. Look for activity by any IPs within the same subnets; the IPs supplied may not have been the same ones that might have targeted you already. Sometimes it uncovers evidence of compromise that wasn't within the scope of the supplied intelligence.






      answered 2 days ago









      Ivan
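      The last paragraph of Ivan's answer describes the triage he does before implementing the blocks: run the supplied addresses through your own logs, and look for neighbours in the same subnets as well, since the addresses that touched you may differ from the ones on the list. Doomgoose's answer makes the related suggestion of monitoring the addresses in the meantime, and ximaera's comment on this answer points out that a per-IP blocklist needs a maintenance process. The script that follows is an added example illustrating that workflow; it is not code from any of the answers or from the question's firewall. The log format, the indicator addresses (RFC 5737 documentation ranges) and the "FI-advisory" comment tag are all constructed for the example, and the /24 and /64 neighbourhood sizes are an assumption, not something the answer specifies.

```python
"""Retro-hunt a received IP indicator list against firewall logs, then
render tagged block rules. Added example; all inputs are constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed stand-in for the ~40 addresses in the advisory (RFC 5737
# documentation ranges, not real indicators).
INDICATORS = [
    "203.0.113.17",
    "203.0.113.88",
    "198.51.100.5",
]

# Constructed firewall log lines in a hypothetical "ts action src dst dport"
# format; adapt LOG_RE to whatever your firewall actually emits.
SAMPLE_LOG = """\
2018-09-10T02:14:07Z ALLOW 203.0.113.17 10.0.0.25 443
2018-09-10T02:14:09Z DENY 203.0.113.42 10.0.0.25 22
2018-09-10T03:00:01Z ALLOW 192.0.2.9 10.0.0.10 25
2018-09-10T04:31:55Z ALLOW 10.0.0.25 198.51.100.5 8443
2018-09-10T05:10:12Z DENY 198.51.100.200 10.0.0.7 3389
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)$"
)


def neighbourhood(ip):
    """The subnet an address is judged 'near' in: /24 for IPv4, /64 for IPv6
    (assumed sizes; tune them to the hosting providers on your list)."""
    prefix = 24 if ip.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def build_index(indicators):
    """Exact-match set plus a map of neighbourhood -> indicators inside it."""
    exact = set()
    subnets = defaultdict(list)
    for raw in indicators:
        ip = ipaddress.ip_address(raw.strip())
        exact.add(ip)
        subnets[neighbourhood(ip)].append(str(ip))
    return exact, subnets


def hunt(log_text, indicators):
    """Return one record per log field that matched an indicator exactly
    ('exact') or fell in the same neighbourhood as one ('subnet')."""
    exact, subnets = build_index(indicators)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the hunt
        for field in ("src", "dst"):
            try:
                ip = ipaddress.ip_address(m.group(field))
            except ValueError:
                continue
            rec = {"ts": m.group("ts"), "field": field, "ip": str(ip),
                   "action": m.group("action"), "dport": int(m.group("dport"))}
            if ip in exact:
                rec["match"] = "exact"
            elif neighbourhood(ip) in subnets:
                rec["match"] = "subnet"
                rec["related"] = subnets[neighbourhood(ip)]
            else:
                continue
            hits.append(rec)
    return hits


def render_rules(indicators, review_date):
    """Emit inbound and outbound iptables DROP rules, each carrying the
    advisory source and a review date (ISO string) so the entries can be
    found and retired later instead of rotting in the ruleset."""
    tag = f"FI-advisory review:{review_date}"
    rules = []
    for raw in indicators:
        ip = ipaddress.ip_address(raw.strip())
        cmd = "ip6tables" if ip.version == 6 else "iptables"
        rules.append(f'{cmd} -I INPUT -s {ip} -m comment --comment "{tag}" -j DROP')
        rules.append(f'{cmd} -I OUTPUT -d {ip} -m comment --comment "{tag}" -j DROP')
    return rules


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG, INDICATORS):
        print(h)
    for r in render_rules(INDICATORS, "2018-10-10"):
        print(r)
```

      Run it over a real export of firewall or proxy logs after adjusting LOG_RE. An exact hit on an ALLOW line is the finding worth escalating before the block goes in; a subnet hit is a prompt for OSINT rather than an automatic block, given how quickly tenants cycle through cloud provider address space. The review date in the rule comment gives you a handle (for instance, iptables -S | grep FI-advisory) to locate and retire the entries once the advisory is stale.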

      • 4




        I would not really advise anyone to block a list of disposable DigitalOcean droplets on a per-IP(v4?) basis without creating a process of maintaining those blacklist records. NB: DO alone has hundreds of thousands if not millions IPv4 addresses which an attacker is able to move between in maybe minutes. And, say, AWS deploys much, much more.
        – ximaera
        2 days ago







      • 5




        Also, AWS is not just a botnet hoster, it's a popular provider of convenient whatever-aaS functions, frequently used by enterprises. What if any of your customers or partners is also using AWS? What if they occasionally migrate to one of those blocked IP addresses once a malicious application is removed from those by the Amazon security team? No, this is just asking for trouble.
        – ximaera
        2 days ago






      • 1




        The CFO involvement suggests this might be a compliance issue, not a security issue.
        – Sentinel
        yesterday






      • 1




        I don't see what's suspicious ... a financial institution's contact with your company is most likely the CFO, or someone under his command. If they contacted the CTO, there'd be a longer delay as the CTO tried to confirm the origin of the message. If the CFO contacted you directly, and you report to the CTO or CIO, then yes, get some confirmation from your higher-up, but if something goes wrong, and you just dismiss it because it seemed strange, you're the one that's going to be hung out to dry. It might be worth getting a policy of which CxO is 'confirm later' vs. 'confirm first'.
        – Joe
        yesterday






      • 2




        @ximaera Doing nothing in the face of a stated threat (CVE) is what led to the Equifax breach. Under the (former) CEO the prevailing mentality there was one of "waaah we can't do anything that will impact production." Look where that got them. Accidentally blocking a segment of customer/partner infrastructure (if that's even applicable in this case) is at worst a technical error, the resolution of which is governed by contracts and SLAs, and the consequences of which are significantly lesser than getting pwned altogether.
        – Ivan
        yesterday






















      up vote
      6
      down vote














      Does this approach strike you as suspicious?




      You said, "Due to the nature of the relationship between my company and the FI, refusing isn't really an option."



      That is a very interesting statement. Ultimately, without being forthcoming on the details of that relationship I don't think anyone can say whether this approach is suspicious or not. It certainly sounds like the contractual arrangements between the two companies covered this scenario. If that's true, then no, this is not suspicious.




      Is there some social engineering going on here?




      Doesn't sound like it. If you have verbally confirmed that the other company's IT department has in fact sent this request/order then no, this is not a social engineering problem.




      What could the nature of the threat be?




      Maybe the other company has proof that those tech companies have been infiltrated. Maybe the other company is simply concerned that their IP might be stolen by those companies. Without knowing who is involved it is impossible to guess.






          answered 2 days ago









          NotMe

              up vote
              6
              down vote













              The fact that the IT department does not know the reasons for blocking the IPs and the fact that the FI execs are liaising with the CFO, as opposed to CTO, suggests this is a compliance issue.



              You may be facing implementation of sanctions, AML, or antiterrorism blacklists. Possibly PCI audit.



              I have worked in banks, and compliance procedures can be quite bizarre, and challenging to implement. You could ask Compliance for approval on the measure itself.






                  edited yesterday

























                  answered yesterday









                  Sentinel
