mjhjmtu

If you spoke to the FI on a separate channel, you actually spoke to the FI, and they know about this, then by definition, it is not a phish.

What strikes me as odd is "but they can't (won't) provide any more information", and "refusing isn't really an option". These 2 facts cannot co-exist if you are a separate entity from the FI.

Your push-back is simple: your firewall policy requires a legitimate reason along with an end-date for the rule to be reviewed/removed. You don't just add firewall rules because someone outside of the organisation told you to. The FI has no idea if blocking those IPs may impact your operations.

• what effect is this rule supposed to have?


• how long does the rule need to exist?


• who (named individual) owns this rule on the FI side?


• what remedies are expected if the rule has a negative effect on operations?


• what effect will there be between your companies if the rule is not implemented exactly as requested?

You will not add the firewall rule without knowing what the impact is, either positively or negatively. If they want greater control over your firewalls, then they can supply and manage your firewalls for you.

On the other hand, if they own you and the risks, then they take on the risks of this change, so then just add the rules.

As for a Director sending this request, it's not so strange. When you need someone to do something, you have the person with the most clout make the request. The Director may have no idea what a firewall is, but the request is being made in that person's name. I am also curious why so much clout is needed, though. It seems like they want to pressure you into doing it while not having to explain themselves. Don't let them dictate your policy and how you best protect your company.

I would lean away from this being a social engineering attempt and more towards a peer FI being uber-cautious regarding information disclosure - they may have had some kind of incident involving these IPs and are not at the stage where they want to disclose anything further.

Look at it this way: what would an apparent threat actor really have to gain from this?

You mention that many of the IPs are related to technology companies.

• Do these companies provide any web hosting which could be used as malicious infrastructure?


• Do these companies provide any proxy services which could be abused?


• Do these companies provide any security testing software which could be used maliciously?

While the organizations themselves may be legitimate, they could be taken advantage of, however without further information from this FI, I would not take action: the burden of proof rests with the sender of this list.

This is effectively low-quality threat intelligence - it provides no evidence that the indicators are worthwhile actioning.

As an aside, is there any way you can set up monitoring on these IPs in the meantime? Some investigation on your end may yield the information you need to determine why these are allegedly worthy of blocking (some OSINT digging might be fruitful, also).

My CFO received an email from a director at a financial institution advising that all traffic (inbound and outbound) from certain IP addresses should be blocked at the firewall. The director at the financial institution was advised by his IT department to send this mail. The list of addresses (about 40) was in an attached, password-protected PDF. The password was sent to my CFO by text message.

The only part about this that I find strange is that the CFO is involved at all in this. CTOs (or subordinates) routinely deal with cyberintelligence and information sharing amongst institutions and national intelligence agencies (FBI, CERT, etc.).

I initially thought this was a malicious attempt to get our CFO to open an infected PDF, or a phishing/whaling attempt, but it seems legit. We have spoken to the IT department at the FI and they say it's genuine, but they can't (won't) provide any more information. Due to the nature of the relationship between my company and the FI, refusing isn't really an option. From what I can see most of the IP addresses appear to belong to tech companies.

Your diligence is worth applause; that is a plausible vector.

You don't specify what these "tech companies" are, but if they are things like AWS, DigitalOcean, Linode, Vultr, Choopa, Hetzner, OVH, Velia, et al. then you should know that these tech companies (and many other smaller ones, including torrent seedboxes) are routinely implicated in botnets, malware and financial fraud. Anything offering shared hosting or VPS services is a possible platform for launching attacks. I can tell you from direct experience that many of the HSA, W2, tax return fraud and other scams journalists like Krebs reports on are launched from cheap VPS services like these.

Does this approach strike you as suspicious? Is there some social engineering going on here?

Information about current incidents can get shared formally (through publication to US-CERT mailing lists, amongst institutions on DIBNET, FS-ISAC, etc.) or via weird PDF-sharing schemes between executives that originated from what was supposed to be a non-disclosable, non-attributable FBI tip. It happens.

When the FBI is the originating source, they generally provide little to no detail or context and so shaking the tree and refusing to take action without further information may not be received well by your superiors. Keep holding out and you'll end up like the shmuck at Equifax who delayed patching Struts prior to the breach; he was the first person to get thrown under the bus. You apparently have a business agreement obligating you to implement some IP blocks based on threat intelligence received. Just do it.

Again, the only fishy part to me is that the CFO was the recipient. But that could just be due to the nature of an existing relationship between him and that director.

It is entirely possible someone is trying to cause chaos by having you block IPs of companies you do business with, but that seems farfetched-- it requires a lot of inside knowledge and effort to accomplish a small interruption at worst.

What could the nature of the threat be?

Director at financial institution X was made aware of an incident. They were likely compromised by one or more of those 40 IPs, or made aware of a threat from an external source. They may or may not have observed evidence that your company may also be a potential target, either through credentials they saw attempted, endpoints requested, or data exfiltrated. They saw fit to share this information with your company so you could take proactive measures.

Between you and me, I'm not fazed by this scenario. This is the sort of thing I come in to find in my mailbox every Monday (and especially in the days following national holidays-- foreign attackers love waiting until they know nobody's going to be in the office for a few days. Labor Day was last week...).

What I personally do with these lists before implementing blocks is run them through our own logs and see what activity the same actors may have been up to with our own systems. Look for activity by any IPs within the same subnets; the IPs supplied may not have been the same ones that might have targeted you already. Sometimes it uncovers evidence of compromise that wasn't within the scope of the supplied intelligence.

The fact that the IT department does not know the reasons for blocking the IPs and the fact that the FI execs are liaising with the CFO, as opposed to CTO, suggests this is a compliance issue.

You may be facing implementation of sanctions, AML, or antiterrorism blacklists. Possibly PCI audit.

I have worked in banks, and compliance procedures can be quite bizarre, and challenging to implement. You could ask Compliance for approval on the measure itself.

Does this approach strike you as suspicious?

You said, "Due to the nature of the relationship between my company and the FI, refusing isn't really an option."

That is a very interesting statement. Ultimately, without being forthcoming on the details of that relationship I don't think anyone can say whether this approach is suspicious or not. It certainly sounds like the contractual arrangements between the two companies covered this scenario. If that's true, then no this is not suspicious.

Is there some social engineering going on here?

Doesn't sound like it. If you have verbally confirmed that the other company's IT department has in fact sent this request/order then no, this is not a social engineering problem.

What could the nature of the threat be?

Maybe the other company has proof that those tech companies have been infiltrated. Maybe the other company is simply concerned that their IP might be stolen by those companies. Without knowing who is involved it is impossible to guess.