SOP MS-ISAC Firewall Block
Document Details
Document Name: MS-ISAC Firewall Block.001
Document Type: SOP
Effective Date: 12/09/2020
Document Number: SOP.MS-ISAC Firewall Block.001
Purpose and Scope
This SOP defines the procedures for using weekly intelligence from MS-ISAC to block known malicious IP Addresses, URLs and Domains on Firewalls.
Revision: 00
Responsibility
Several Team Members are on the distribution list for the Weekly Email. The Security Analyst or designated backup and Tier 3 are responsible for following the prescribed procedure.
References
The following documents were referenced in creating this SOP:
MS-ISAC IP's of Interest ____-____.xlsx
Health and Safety
There are no health and safety requirements associated with this policy/procedure.
Procedure
- Each Monday MS-ISAC distributes an email with the Subject Line: Message from the MS-ISAC: Malware IPs and Domains observed by MS-ISAC - ##/##/## - ##/##/## - TLP: GREEN
- This Email has an attached spreadsheet that contains IP Addresses and URLs known to be malicious.
- The Name of the Sheet is IP's of Interest ##/##/## to ##/##/##.xlsx
- The Spreadsheet has four Tabs of Interest: Malware IP, Malware Domains, Member Submitted Domains and Clean-Unblock List
- The Security Analyst or, when acting as backup, the Network Analyst shall review the file and open a Standard Change Request using Template MS-ISAC Weekly IP & Domain Block on Firewalls
- This Standard Change Request does not require approval and is automatically assigned to T3.
T3 shall complete the following updates:
- Block Domains and IP Addresses on Malware IP, Malware Domain, and Member Submitted Domain Tabs on the FortiGate Firewall as both Source and Destination
- Block the Domains and IP Addresses on Member Submitted Domain Tabs on the Palo Alto Firewall. Data on the Malware IP and Malware Domain Tabs are included on the Dynamic List.
- Unblock on all firewalls any entry on the Clean - Unblock Tab if it is blocked.
T3 shall update the Change Request as Complete.
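The T3 steps above can be expressed as a per-firewall change plan. The following is an added example, not part of the original SOP: it assumes the four tabs have already been exported to lists of cell values, that the current block lists are available as sets, and that an entry found on both a block tab and the Clean-Unblock tab is held for analyst review (the function names and sample data are hypothetical).

```python
import ipaddress
import re

# Tab names come from the SOP; the tab-to-firewall mapping follows the T3 steps.
BLOCK_TABS = {
    "fortigate": ["Malware IP", "Malware Domains", "Member Submitted Domains"],
    "palo_alto": ["Member Submitted Domains"],  # other tabs arrive via the Dynamic List
}
CLEAN_TAB = "Clean-Unblock List"
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def normalize(cell):
    """Return ('ip' | 'domain', canonical value), or None if the cell is neither."""
    value = str(cell).strip().lower().rstrip(".")
    try:
        return ("ip", str(ipaddress.ip_address(value)))
    except ValueError:
        return ("domain", value) if DOMAIN_RE.match(value) else None

def build_plan(tabs, currently_blocked):
    """tabs: {tab name: [cells]}; currently_blocked: {firewall: set of blocked values}."""
    rejected = []
    def parse(name):
        items = [(cell, normalize(cell)) for cell in tabs.get(name, [])]
        rejected.extend((name, cell) for cell, norm in items if norm is None)
        return {norm[1] for _, norm in items if norm}
    parsed = {name: parse(name) for name in tabs}
    clean = parsed.get(CLEAN_TAB, set())
    plan = {"rejected": rejected, "conflicts": set()}
    for fw, names in BLOCK_TABS.items():
        wanted = set().union(*(parsed.get(n, set()) for n in names))
        # Assumption: an entry on both a block tab and the clean tab is held for review.
        plan["conflicts"] |= wanted & clean
        already = currently_blocked.get(fw, set())
        plan[fw] = {"block": sorted(wanted - clean - already),
                    "unblock": sorted(clean & already)}  # only if it is blocked
    return plan

# Constructed sample data (documentation IP ranges and example domains).
SAMPLE_TABS = {
    "Malware IP": ["192.0.2.10", " 198.51.100.7 ", "192.0.2.10", "203.0.113.999"],
    "Malware Domains": ["Bad.Example.com", "old.example.net"],
    "Member Submitted Domains": ["phish.example.org", "old.example.net"],
    "Clean-Unblock List": ["old.example.net", "203.0.113.5", "clean.example.org"],
}
SAMPLE_BLOCKED = {"fortigate": {"192.0.2.10", "203.0.113.5"},
                  "palo_alto": {"203.0.113.5", "clean.example.org"}}
PLAN = build_plan(SAMPLE_TABS, SAMPLE_BLOCKED)
```

The `rejected` and `conflicts` entries are meant to be attached to the Change Request so malformed cells and contradictory listings are resolved by a person rather than silently dropped.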