
Block Malicious IP on AWS from Email

Abstract


Category: Network Security, Email Gateway

Cyware Products Used:

  • Orchestrate

Third-Party Integrations Used:

  • IMAP: To retrieve emails that contain malicious IPs from a dedicated inbox.

  • AWS: To block malicious IP addresses on the AWS cloud.

Problem Statement

Organizations receive advisories from trusted sources and internal tools, and security teams need to act on the received threat intelligence immediately. In practice, analysts analyze the threats and respond manually, for example by blocking IPs on the cloud firewall, which reduces analyst efficiency. Analysts spend their time working through every alert by hand rather than focusing on the threats that directly impact the organization.

Solution

The solution automatically blocks traffic to and from suspicious remote hosts, for example IP addresses associated with malicious command-and-control (C2) servers. This also helps security teams take a proactive approach to protecting their Amazon Web Services (AWS) cloud deployments.

[Figure: Block Malicious IP on AWS from Email workflow diagram]

How do we solve this problem?

Security teams can redirect threat advisories and reported phishing emails to a dedicated inbox. The solution uses the Block Malicious IPs on AWS Cloud playbook to retrieve, at regular intervals, all the emails in that inbox that contain malicious indicators.

  1. Retrieve Malicious IPs: The playbook uses the IMAP integration to retrieve the malicious IPs from the email body and attachments for further processing.

  2. Block IPs on AWS: The identified malicious IP addresses are added to the blocklist on AWS Web Application Firewall (WAF), so that traffic from those addresses is blocked.

  3. Send Notification: The playbook creates a consolidated email listing the malicious IPs that were blocked and sends it to the security team to notify them of the action.
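Steps 1 and 2 above, written out as a stand-alone example (this is added illustration, not Cyware's playbook code). It assumes the raw message has already been fetched over IMAP, uses a constructed sample advisory, and uses placeholder values for the WAF IP set name, ID and lock token. Two checks a practitioner wants before an advisory drives a firewall change are built in: defanged indicators such as `203[.]0[.]113[.]7` are refanged before parsing, and private address space plus the organization's own public ranges are filtered out so a badly written advisory cannot block the VPC or the NAT gateway.

```python
"""Extract IP indicators from an advisory email and build an AWS WAF IP-set update.
Added example, not Cyware's playbook code. The message and the IP-set state below are
constructed for the demo; the IP set name, ID and LockToken are placeholders."""
import email
import ipaddress
import re
from email.message import EmailMessage, Message

# Dotted quad, including common defanging such as 203[.]0[.]113[.]7 or 203(.)0(.)113(.)7
IP_PATTERN = re.compile(r"\b(?:\d{1,3}(?:\.|\[\.\]|\(\.\))){3}\d{1,3}\b")

# Address space that must never reach an internet-facing blocklist (constructed list).
# Production code can tighten this to ip.is_global, which would also reject the
# RFC 5737 documentation addresses used as "malicious" IPs in this sample.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def build_sample_advisory() -> str:
    """Constructed sample advisory (not a real message): text body plus a text attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Advisory: C2 infrastructure"
    msg["From"] = "advisories@example.org"
    msg["To"] = "blocklist@example.com"
    msg.set_content(
        "Observed C2 servers: 203[.]0[.]113[.]7 and 203.0.113.200.\n"
        "Payload URL: hxxp://203.0.113.200/x (defanged).\n"
        "Scanner also hit our NAT gateway 198.51.100.9 and host 10.0.0.5.\n"
        "Ignore the typo 999.1.1.1 in the earlier report.\n"
    )
    msg.add_attachment("192.0.2.44\n203.0.113.7\n", subtype="plain", filename="iocs.txt")
    return msg.as_string()


def message_text(msg: Message) -> str:
    """Concatenate every text/* part (body and text attachments) of a MIME message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def extract_block_candidates(raw_email: str, own_networks=()) -> list:
    """Return the routable IPv4 addresses in the message as /32 CIDRs (WAF IP sets need CIDR form).

    own_networks: the organization's own public ranges. An advisory that quotes your
    NAT gateway or web tier must not turn into a self-inflicted outage.
    """
    skip = NON_ROUTABLE + [ipaddress.ip_network(n) for n in own_networks]
    msg = email.message_from_string(raw_email)
    found = set()
    for token in IP_PATTERN.findall(message_text(msg)):
        try:
            ip = ipaddress.ip_address(token.replace("[.]", ".").replace("(.)", "."))
        except ValueError:
            continue  # 999.1.1.1 matches the regex but is not an address
        if any(ip in net for net in skip):
            continue
        found.add(f"{ip}/32")
    return sorted(found, key=ipaddress.ip_network)


def build_update_request(get_ip_set_response: dict, scope: str, new_cidrs) -> dict:
    """Build the kwargs for wafv2.update_ip_set from a prior get_ip_set response.

    update_ip_set replaces the whole address list, so the new indicators are merged
    with the existing entries. The LockToken makes the write fail if someone else
    changed the set in between, instead of silently overwriting their change.
    """
    ip_set = get_ip_set_response["IPSet"]
    merged = sorted(set(ip_set["Addresses"]) | set(new_cidrs), key=ipaddress.ip_network)
    return {
        "Name": ip_set["Name"],
        "Scope": scope,  # "REGIONAL" for ALB/API Gateway, "CLOUDFRONT" for CloudFront
        "Id": ip_set["Id"],
        "Addresses": merged,
        "LockToken": get_ip_set_response["LockToken"],
    }


def apply_to_waf(client, name: str, scope: str, ip_set_id: str, new_cidrs):
    """Push the merged list using a boto3 wafv2 client (boto3.client('wafv2'); not imported here)."""
    current = client.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    return client.update_ip_set(**build_update_request(current, scope, new_cidrs))


if __name__ == "__main__":
    cidrs = extract_block_candidates(build_sample_advisory(), own_networks=["198.51.100.0/24"])
    print("to block:", cidrs)
    # Placeholder IP-set state standing in for get_ip_set(); real code calls apply_to_waf().
    fake_state = {"IPSet": {"Name": "c2-blocklist", "Id": "example-id", "Addresses": ["198.18.0.1/32"]},
                  "LockToken": "example-token"}
    print(build_update_request(fake_state, "REGIONAL", cidrs))
```

Run as-is it prints the three indicators that survive filtering and the `update_ip_set` request that would be sent; `198.51.100.9` is dropped because it falls in the organization's own range, `10.0.0.5` because it is RFC 1918, and `999.1.1.1` because it is not an address. Wiring `apply_to_waf` to a real `boto3.client("wafv2")` is the only change needed to make the write happen.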

Benefits

Proactive Response

Security teams can automatically update the AWS firewall to block malicious IPs as soon as they arrive in the advisory inbox, without waiting for an analyst to act.

Minimize Response Times

By automating the response to threats, playbooks minimize response time and reduce overall risk exposure.