One of the challenges in threat intelligence is taking the massive amount of data we have about the threat landscape and distilling it into its most relevant components. A huge part of the reason for growth in data science (and in cyber security specifically) is habitually struggling with too much information. (With some exceptions) With this roadblock, it’s a challenge to focus in on the data that’s truly relevant.

One type of feed that ThreatSTOP has always had in its policies is various targets to block entire countries. There are countless reasons to do this (concern about sanctions with ITAR and OFAC), with the prevalence of certain geographies when it comes to cybercrime. Or, simply that there’s no reason machines in a specific organization should ever communicate with those countries.

On the other hand, there are very good reasons for organizations to decide not to deploy these policies. A prime example being customers who need access who are traveling overseas. (For instance, I’m currently writing this blog from Brazil) Some organizations need to do a binary tradeoff, blocking countries that may be problematic for them, or leave the door wide open.

The Security Research Team at ThreatSTOP has just finished another data analysis project using telemetry we receive from the field. As a defining feature of the ThreatSTOP product, our users, especially our free community users, send back logs of what they are blocking in the field. This information lets us find attacks being blocked we might not have identified other ways. This telemetry lets us to create a feedback loop based on the malicious activity our users see in the wild, providing better and more fine-tuned protection. In this case, we have created a new expert mode target that allows you to block the most frequent attackers from suspect geographies.

With this target, you to have the best of both worlds. Block suspicious traffic, but still allow potential customers or partners to access your resources from their country. By examining the hits we're seeing from environments who do block those countries, we can examine those who are the most frequent and most malicious and make that data available as targeted protection for our customers.


With this, our Security Team is announcing its newest target, “ThreatSTOP Emerging IPs,” available now. As with all targets, please keep in mind that this target is also prone to some degree to false positives.

To learn more about how ThreatSTOP protects your organization against phishing attacks like these, all at an affordable cost, check us out below. We offer a free, 14-day trial or you can request a quick demo of our platform.

Get a Demo