Battle of the Week - Malicious IP Addresses
A federal government contractor working in the defense sector.
If an external malicious IP is trying to establish a connection to an internal host, the firewall is responsible for stopping the connection.
One of the members of the NSOC was doing some threat hunting and found a known reported malicious external IP connecting to an internal host.
After conducting a more thorough search the NSOC found that 158 different IPs were trying to log into an FTP server as admin over a time span of a couple of hours.
Since InfusionPoints is contracted to manage the customer's FTP server and firewall, a member of the NSOC was able to log in to the FTP server and disable the admin account, then log in to the firewall and block the addresses.
Disable admin access externally to prevent potential breaches and have geo-filtering enabled.
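
The pattern the NSOC found, many different external IPs attempting the same admin login on the FTP server within a couple of hours, can be written as a detection. The Python below is an added example, not InfusionPoints' tooling; the key=value log format, the `10.0.0.0/8` internal range, the function names and the scaled-down threshold are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample auth events in a hypothetical key=value format
# (not the log format of any particular FTP server).
SAMPLE_LOG = """\
2024-01-01T10:00:05 src=203.0.113.10 user=admin result=FAIL
2024-01-01T10:02:11 src=203.0.113.11 user=admin result=FAIL
2024-01-01T10:03:40 src=10.0.0.25 user=admin result=FAIL
2024-01-01T10:07:02 src=198.51.100.7 user=admin result=FAIL
2024-01-01T10:09:30 src=203.0.113.10 user=admin result=FAIL
2024-01-01T10:15:00 src=192.0.2.44 user=backup result=FAIL
2024-01-01T10:20:19 src=198.51.100.8 user=admin result=FAIL
not a log line
2024-01-01T15:00:00 src=192.0.2.99 user=admin result=FAIL
"""
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumption: the internal address range


def parse(line):
    """Return (timestamp, source IP, user) for a failed login, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if fields.get("result") != "FAIL" or "src" not in fields or "user" not in fields:
        return None
    try:
        return datetime.fromisoformat(parts[0]), ip_address(fields["src"]), fields["user"]
    except ValueError:  # malformed timestamp or address
        return None


def distributed_bruteforce(log_text, user="admin", window=timedelta(hours=2), min_sources=4):
    """External IPs in the busiest window, if >= min_sources distinct ones failed as `user`."""
    events = sorted(
        ((ts, ip) for ts, ip, u in filter(None, map(parse, log_text.splitlines()))
         if u == user and not any(ip in net for net in INTERNAL_NETS)),
        key=lambda e: e[0],
    )
    best, start = set(), 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1  # slide the window forward past stale events
        sources = {ip for _, ip in events[start:end + 1]}
        if len(sources) > len(best):
            best = sources
    return [str(ip) for ip in sorted(best)] if len(best) >= min_sources else []
```

The returned list is the candidate set for a firewall block; `min_sources` is set low here only so the constructed sample triggers it.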