ThreatSTOP Intelligence List Types

Overview

ThreatSTOP provides a comprehensive variety of target lists that protect all kinds of internet-connected networks and devices. Our target lists are derived from a number of threat intelligence sources, both public and proprietary, and we use our own custom algorithms to identify currently malicious domains, IP addresses and networks, broken down by the kind of threat they present.

Threat List Types

The breadth and depth of our threat lists is one area where ThreatSTOP surpasses the competition. Thanks to our founder and CEO Tom Byrnes having decades of experience in security, we have extremely deep trust relationships with many malware research groups on both the commercial and academic sides. Some of these researchers, such as Johannes Ullrich of the DSHIELD project, are represented on the ThreatSTOP advisory board. Our threat intelligence lists are constantly monitored for accuracy, and we do, from time to time, remove threat intelligence lists that are no longer maintained or are otherwise providing limited value. We also add new intelligence sources as we determine that they contain valuable data we can use to determine the maliciousness of domains, IP addresses and subnets.

Our data suppliers include the Network Security Research Lab at 360, Farsight, the Internet Systems Consortium (ISC), Shadow Server, Abuse.ch and DSHIELD, as well as researchers from the University of Georgia and Cambridge University (UK). In some cases we have considerably more data than is provided to the general internet or security communities. For example, we are a DSHIELD mirror and have an archive of all DSHIELD data ever gathered; this permits us to do far more analysis than is possible with just the data DSHIELD offers to the general public.

We protect IT infrastructure against the most current and active criminals via our botnet C&C host, phishing and malware dropper intelligence for both inbound and outbound connections, while at the same time protecting data center infrastructure against inbound attacks via our server-centric lists. In addition, our customers’ VOIP infrastructure is safeguarded against criminals who use VOIP servers to relay their calls, and we also provide geographical filtering at regional, country and, in special cases, ZIP/postal code granularity. With such a variety of threat intelligence, so closely monitored and as up-to-date as possible, ThreatSTOP makes every effort possible to protect our customers against the most malicious threats networks face today.


Making Threat Intelligence Actionable

While the accuracy of our Threat Intelligence is what makes ThreatSTOP different, the fact that we make this intelligence actionable is what truly sets us apart. This is achieved in near real time via frequent updates and uses proprietary algorithms that we apply to each and every list we capture.

Depending on the data source and the specific method used to collect the data, ThreatSTOP utilizes various techniques to ensure the validity of each entry. Based on our experience in the security space as well as our background in signal processing, we have developed proprietary algorithms to identify currently active threats from these sources. Using techniques adapted from signal processing and noise reduction, we are able to identify the domains and IP addresses that are currently malicious. We also remove bogons, martians and other invalid data while aging out IP addresses and domains no longer deemed a threat. These correlation and processing heuristics have been carefully tuned over the last 5 years to ensure that they optimize the output to minimize false positives without missing serious threats.

Aside from scrubbing each of the sources tracked by ThreatSTOP and ensuring their validity, our protection takes it a step further by running our threat intelligence against our proven whitelists of known and trusted sites, to effectively guard against botnet controllers deliberately trying to make IP reputation ineffective. Our whitelists are rigorously maintained, with domains only deemed ‘trusted’ after meeting ThreatSTOP’s strict evaluation to ensure that they are highly unlikely to contain a threat for a significant period of time.
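The scrubbing steps described in the two paragraphs above (dropping martian and invalid entries, aging out stale indicators, and subtracting a trusted whitelist) can be illustrated with a small feed-cleaning pass. This is an added example, not ThreatSTOP's own code or algorithm; the feed, allowlist, reference date and 30-day aging window are constructed, and the martian list deliberately omits the RFC 5737 documentation ranges so the sample can use them as stand-ins for routable addresses.

```python
import ipaddress
from datetime import date, timedelta

# Non-routable ("martian"/bogon) prefixes after RFC 6890 and RFC 4291.
# Assumption: RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24,
# 203.0.113.0/24) are left out so the constructed sample below can use them;
# a production filter would add them.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

def is_martian(addr):
    # Network.__contains__ returns False on an IPv4/IPv6 version mismatch.
    return any(addr in net for net in MARTIANS)

def scrub_feed(entries, allowlist, today, max_age_days=30):
    """entries: iterable of (ip_string, last_seen date).
    Returns (kept, dropped): kept is a list of normalized IPs, dropped maps each
    rejected raw indicator to the reason it was removed."""
    allow = {ipaddress.ip_address(a) for a in allowlist}
    kept, dropped = [], {}
    for raw, last_seen in entries:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            dropped[raw] = "invalid"          # garbage from a noisy source
            continue
        if is_martian(addr):
            dropped[raw] = "martian"          # never routable, never blockable
        elif addr in allow:
            dropped[raw] = "allowlisted"      # trusted site, likely poisoning attempt
        elif today - last_seen > timedelta(days=max_age_days):
            dropped[raw] = "aged-out"         # no longer observed as a threat
        else:
            kept.append(str(addr))
    return kept, dropped

# Constructed sample feed (indicator, last seen); not real threat data.
TODAY = date(2024, 5, 10)
SAMPLE_FEED = [
    ("203.0.113.45", date(2024, 5, 1)),     # recent, routable stand-in -> keep
    ("10.1.2.3", date(2024, 5, 1)),         # RFC 1918 -> martian
    ("127.0.0.1", date(2024, 5, 1)),        # loopback -> martian
    ("224.0.0.5", date(2024, 5, 1)),        # multicast -> martian
    ("198.51.100.7", date(2024, 1, 15)),    # last seen months ago -> aged-out
    ("192.0.2.10", date(2024, 5, 2)),       # trusted site -> allowlisted
    (" 203.0.113.46 ", date(2024, 5, 9)),   # stray whitespace -> normalized, keep
    ("not-an-ip", date(2024, 5, 1)),        # malformed line -> invalid
]
SAMPLE_ALLOWLIST = {"192.0.2.10"}

def scrub_sample():
    return scrub_feed(SAMPLE_FEED, SAMPLE_ALLOWLIST, TODAY)

if __name__ == "__main__":
    kept, dropped = scrub_sample()
    print("kept:", kept)
    for indicator, reason in dropped.items():
        print(f"dropped {indicator!r}: {reason}")
```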

Our overall approach has been validated by the US Department of Homeland Security (DHS), which awarded us a Phase 1 SBIR grant to develop our fully scalable and reliable DNS-based distribution architecture.