User blocking
This topic gives an overview of how to implement user blocking in the Traceable platform. You can use predefined rules or create custom rules to block a threat actor.
You can block threats using predefined rules or by creating custom rules that block an IP or a range of IP addresses. When you use automatic blocking based on detection rules, the threat actor does not get a window of opportunity to cause damage to your systems. You also save the time you would otherwise spend manually reviewing threats that were detected with a high level of confidence.
Traceable proactively protects applications by blocking malicious traffic. The decision to block a user may follow different paths. For example, the Traceable platform can decide to block a user based on its previous behavior patterns. Alternatively, an individual request may originate from a known suspicious IP, or the request may contain a well-known vulnerability attack pattern. Traceable takes into consideration all such scenarios to block a user.
Traceable may also block suspicious requests immediately, regardless of the previous behavior of the user. This type of blocking is called signature-based blocking. Since signature-based blocking is immediate, you should use it with caution.
You can choose the signature-based rules by selecting them from the predefined rules. You can also use simple blocking rules by creating custom rules to block an IP or a range of IP addresses. The custom blocking rules use regex logic; however, in certain conditions using signature-based blocking is advantageous.
Real-time automatic blocking of threat actors using signature-based blocking rules is an advantage. Signature-based rule blocking removes any time delay in which the threat actor might exploit a vulnerability. When you choose a predefined signature-based attack definition, it saves you time because you do not need to review the identified threats.
When Traceable blocks a user request, the user receives a "403 - Forbidden" error code. The agent or module deployed in your infrastructure sends the blocked user request metadata to the Traceable platform for further analysis to generate a blocked security event.
You can enable local blocking for a particular set of threat types. Each threat type has a set of sub-rules that you can individually enable or disable for fine-tuning. For example, the following screenshot shows the sub-rules for Cross-site scripting.

[Screenshot: Enable blocking]
You can enable or disable the predefined rule-set globally by choosing Enabled or Disabled from the drop-down list as shown in the screenshot above. By default, all the predefined rule-sets are disabled.

[Screenshot: Enabling and disabling an individual rule-set]
When you enable blocking, these rules and sub-rules apply globally (for all the endpoints) by propagating them to Traceable's agents deployed in your environment. The Traceable agent then matches all the user requests against these sub-rules and denies the request if there is a match.
In the absence of blocking, all the traffic reaches Traceable, which then processes the data and generates threats. Based on your actions on specific threat actors, for example, allow or deny, the decisions are communicated to Traceable modules using the OPA policy.
When you disable the main rule, for example, Cross Site Scripting (XSS), all the sub-rules are also disabled. However, when you enable the main rule, you can choose to individually enable or disable the sub-rules.
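The following is an added illustration, not Traceable's own code, of the evaluation order the sections above describe: a global on/off switch for the predefined rule-sets, an IP-range custom rule, a main rule whose disabling also disables its sub-rules, a 403 result on a match, and the blocked-request metadata that would be forwarded for a blocked security event. The rule-set name, the sub-rule names and their regex signatures, and the sample requests are constructed for the example and are not Traceable's actual rule definitions.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SubRule:
    name: str
    pattern: str          # regex signature matched against the request payload
    enabled: bool = True  # sub-rules can be toggled individually


@dataclass
class RuleSet:
    name: str
    sub_rules: list
    enabled: bool = False  # predefined rule-sets are disabled by default


@dataclass
class IpBlockRule:
    cidr: str             # custom rule: block a single IP or a CIDR range
    enabled: bool = True


@dataclass
class Request:
    client_ip: str
    path: str
    payload: str          # query string and body, concatenated for matching


@dataclass
class BlockingConfig:
    global_enabled: bool = False           # the global Enabled/Disabled drop-down
    rule_sets: list = field(default_factory=list)
    ip_rules: list = field(default_factory=list)


def evaluate(config: BlockingConfig, req: Request) -> tuple:
    """Return (status_code, reason). 403 means the request was blocked."""
    if not config.global_enabled:
        return 200, None
    ip = ipaddress.ip_address(req.client_ip)
    # Custom IP / IP-range rules are checked first
    for rule in config.ip_rules:
        if rule.enabled and ip in ipaddress.ip_network(rule.cidr, strict=False):
            return 403, f"ip-block:{rule.cidr}"
    # Signature-based rule-sets: a disabled main rule disables all its sub-rules
    for rs in config.rule_sets:
        if not rs.enabled:
            continue
        for sub in rs.sub_rules:
            if sub.enabled and re.search(sub.pattern, req.payload, re.IGNORECASE):
                return 403, f"{rs.name}:{sub.name}"
    return 200, None


def block_event(req: Request, reason: str) -> dict:
    """Metadata an agent would forward for a blocked security event (hypothetical shape)."""
    return {"client_ip": req.client_ip, "path": req.path,
            "status": 403, "rule": reason}


def build_demo_config() -> BlockingConfig:
    # Constructed rule-set: two sub-rules under one main "XSS" rule
    xss = RuleSet("XSS", [
        SubRule("script-tag", r"<\s*script\b"),
        SubRule("event-handler", r"\bon\w+\s*="),
    ])
    return BlockingConfig(rule_sets=[xss],
                          ip_rules=[IpBlockRule("10.0.0.0/8")])


if __name__ == "__main__":
    cfg = build_demo_config()
    cfg.global_enabled = True
    cfg.rule_sets[0].enabled = True
    req = Request("192.0.2.7", "/search", "q=<script>alert(1)</script>")
    status, reason = evaluate(cfg, req)
    print(status, reason, block_event(req, reason) if status == 403 else "")
```

Walking through the states: with the global switch off, nothing is blocked even if a rule-set is enabled; turning the global switch on while the XSS main rule stays disabled still lets the request through; enabling the main rule blocks it with a 403, and disabling only the `script-tag` sub-rule lets a `<script>` payload through while `event-handler` still catches an inline handler.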