Last month I promised some commenters and readers that I would publish some of my blacklists when I got home. In my defence, I'm still not home, but I organised some of my blacklists and other resources anyway. The list published below is a small collection from people I have met (CL, merci) who have shared their lists with me. Chris' list is not comprehensive, but it is a good starting point for organising, with examples. The document can easily be rearranged for you or your organisation.
The list can be a basis for scraping data into ArcSight via a Flex Connector to update suspect lists or blacklists (active lists, metrics for reports, trends). The entries can also feed built-in tools in ArcSight or similar products with a small amount of scripting. ArcSight has a built-in WHOIS search tool; using similar parameters you can build a Google Safe Search Diagnostics tool based on an IP or domain, or perhaps search VirusTotal. The information can also be added to intelligent web proxy servers. This is ideal since about 80% of traffic now goes over web HTTP/HTTPS, and web proxy servers are a major egress point in the perimeter.
This type of list can be helpful in operations when analysts need to find, use and reference resources quickly. The list can be used to build a department favourites list or internet-based tools list. Also, information security websites are often flagged and filtered by web proxy servers or anti-virus software. For example, I spoke at the 28C3 CCC last year and my anti-virus on my laptop was Comodo. The anti-virus software blocked the 28C3 CCC and affiliated Chaos Computer Club websites even after I disabled the DNS feature, physically pointed my DNS elsewhere and examined my hosts file. I had to reinstall a fresh OS to access the Chaos Computer Club websites. This type of list can be used to add exclusions to anti-virus or filters, marking legitimate resources for the security team or other similar departments.
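As an added example (not the author's form and not ArcSight's own tooling), the scraping and exclusion steps above in plain Python: a constructed mixed feed is normalised into typed indicators, duplicates and anything on a constructed allowlist of the team's own resources are dropped, and the result is emitted as CSV. The column names are an assumption for a Flex Connector CSV import, not an ArcSight specification.

```python
import csv
import io
import ipaddress
import re

# Constructed sample feed: the kind of mixed text a scraped blacklist returns
# (comments, a duplicate, a bare IP, a CIDR block, a junk line, a team resource).
SAMPLE_FEED = """# constructed example feed
badhost.example.com
198.51.100.23
badhost.example.com
203.0.113.0/24
not a domain!
ccc.de
"""

# Constructed allowlist of legitimate security-team resources; never block these.
TEAM_RESOURCES = {"ccc.de", "events.ccc.de"}

# Hostname syntax: labels of 1-63 chars, no leading/trailing hyphen, total <= 253.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

def classify(entry):
    """Return ('ip', v), ('net', v) or ('domain', v); None for comments/junk."""
    e = entry.strip().lower()
    if not e or e.startswith("#"):
        return None
    try:
        return ("ip", str(ipaddress.ip_address(e)))
    except ValueError:
        pass
    try:
        return ("net", str(ipaddress.ip_network(e, strict=False)))
    except ValueError:
        pass
    return ("domain", e) if DOMAIN_RE.match(e) else None

def build_rows(feed, source, allow=TEAM_RESOURCES):
    """Normalise, dedupe and drop allowlisted entries; rows are (type, value, source)."""
    seen, rows = set(), []
    for line in feed.splitlines():
        c = classify(line)
        if c is None or c[1] in seen or c[1] in allow:
            continue
        seen.add(c[1])
        rows.append((c[0], c[1], source))
    return rows

def to_csv(rows):
    """Assumed column layout for an active-list import (hypothetical, not ArcSight's)."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["indicatorType", "indicator", "source"])
    w.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(build_rows(SAMPLE_FEED, "sample-feed")))
```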
Screenshot of example form below.
If you need this form in a different format please ask and I will try to accommodate for Open Office.
Please add to the form and comment. My list is Europe- and North America-centric; we would love other regional lists. Any other associated information is welcome.