Threat categories

By default, each policy is configured with threat categories. Threat categories classify domains and IP addresses that Akamai has confirmed or suspects are malicious or risky. The domains and IP addresses that are included in these categories are updated automatically as new threats are identified. If ETP determines that a suspected threat in a category is malicious, the threat is added to the list of known threats in that category.

Risky domains are domains that are newly registered or newly discovered, or that are used for potentially malicious activity.

For known and suspected threats, ETP includes these threat categories:
  • Malware. Domains and IP addresses used to host malicious software.
  • Phishing. Domains and IP addresses used to host phishing websites that gather user credential information.
  • Command and Control (C&C). Domains and IP addresses used by malicious command and control servers.
  • DNS Exfiltration. Domains that serve as a communication channel over DNS. This channel may be used to steal sensitive data or circumvent traditional access restrictions by allowing malware to communicate outside the network over the DNS protocol.

For risky domains, ETP includes these threat categories:
  • Adware. Domains that display malicious content in advertisements.
  • Coin Mining. Domains that are used for mining cryptocurrency.
  • Newly Registered. Domains that were recently registered.
  • Newly Seen. Domains that were recently visited by users.
  • Potentially Harmful. Domains that appear to be harmful to an enterprise network.
  • DNS Tunneling. Domains that are used to hide and transmit malicious data in a DNS tunnel.

The default actions and alert settings that are assigned to these threat categories are recommended. For more information on policy actions, see Policy actions.

When defining policy actions for the DNS exfiltration category, consider this configuration:
  • Assign the monitor policy action to suspected DNS exfiltration threats. The monitor action allows ETP to analyze suspected domains and subdomains. If ETP determines that a domain or subdomain is a threat, it’s added to the list associated with the known DNS exfiltration category.
  • Configure known DNS exfiltration threats with the block policy action to ensure these known threats are not accessible. By default, the strict policy template assigns this action to known DNS exfiltration threats.

If there are domains and IP addresses that you don’t want ETP to analyze, add them to an exception list. After you add an exception list to a policy, the list is configured with the bypass policy action. For more information, see Exception lists.
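The precedence that the two passages above describe (exception lists bypass analysis, known threats are blocked, suspected threats are monitored until ETP confirms them, and subdomains inherit the verdict of their parent domain) can be modelled with a small policy resolver. The following is an added example written for this page, not ETP's own code or API: the category keys, list contents, and the `promote` helper are constructed assumptions that mirror the recommendation for the DNS exfiltration category.

```python
"""Toy policy resolver for the threat-category actions described above.
Constructed example: category names, list entries and the promotion step
are assumptions for illustration, not ETP data or ETP API calls."""
from dataclasses import dataclass, field

# Policy actions named on the page.
BYPASS, BLOCK, MONITOR, ALLOW = "bypass", "block", "monitor", "allow"


@dataclass
class Policy:
    # Action per (category, confidence); confidence is "known" or "suspected".
    actions: dict
    # Exception list: domains ETP should not analyze (bypass action).
    exceptions: set = field(default_factory=set)
    # Threat lists keyed by (category, confidence); values are domain names.
    lists: dict = field(default_factory=dict)


def _parent_domains(name):
    """Yield a name and each of its parent domains, e.g.
    a.b.example -> a.b.example, b.example, example."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def matches(name, entries):
    """True if the name or any parent domain is listed, so that
    subdomains (typical for DNS exfiltration) inherit the verdict."""
    return any(d in entries for d in _parent_domains(name))


def resolve(policy, name):
    """Return (action, reason) for a queried name.

    Exception lists are checked first and bypass analysis entirely.
    Known lists are checked before suspected lists, so a domain that has
    been promoted to known receives the stricter configured action."""
    if matches(name, policy.exceptions):
        return BYPASS, "exception list"
    for confidence in ("known", "suspected"):
        for (category, conf), entries in policy.lists.items():
            if conf == confidence and matches(name, entries):
                return policy.actions[(category, conf)], f"{conf} {category}"
    return ALLOW, "no match"


def promote(policy, category, name):
    """Model ETP confirming a suspected threat: the name moves from the
    suspected list of the category to its known list."""
    policy.lists.setdefault((category, "suspected"), set()).discard(name)
    policy.lists.setdefault((category, "known"), set()).add(name)


def example_policy():
    """Constructed policy following the DNS exfiltration recommendation
    (monitor suspected, block known); all domain names are placeholders."""
    policy = Policy(actions={
        ("dns_exfiltration", "known"): BLOCK,
        ("dns_exfiltration", "suspected"): MONITOR,
        ("malware", "known"): BLOCK,
        ("malware", "suspected"): MONITOR,
    })
    policy.lists[("dns_exfiltration", "suspected")] = {"exfil-test.example"}
    policy.lists[("malware", "known")] = {"malware-test.example"}
    policy.exceptions = {"intranet.example"}
    return policy


if __name__ == "__main__":
    p = example_policy()
    for q in ("a1b2c3.exfil-test.example", "files.intranet.example", "docs.example"):
        print(q, "->", resolve(p, q))
    promote(p, "dns_exfiltration", "exfil-test.example")
    print("after promotion:", resolve(p, "a1b2c3.exfil-test.example"))
```

Running the block shows the subdomain of the suspected domain being monitored, then blocked once the parent domain is promoted to the known list, while the exception-list entry is bypassed regardless of any threat list it might also appear on.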