Posts

Showing posts from September, 2019

Using pfSense to selectively allow traffic during dynamic malware analysis

Right now your enterprise network, with all its users and systems, is a live production lab for any malware or attacker that comes along. If you have an EDR, you have an advantageous view of the endpoints. How about installing that same EDR on your malware analysis system so you can review signatures and TTPs from malware in a controlled environment? You'll be surprised at the difference it makes in finding new TTPs. I have always felt it would be nice to be able to allow some traffic out of a dynamic malware analysis lab without letting all of it out. As a rule I don't allow malware to talk directly to the Internet without a very good reason to do so. Now that EDR technology is available, it has become crucial to allow the EDR agent to connect to its mothership while restricting all other traffic to the host-only malware network. But once this is set up we can expand things a bit and allow api.ipify.org and other benign traffic. Here is how I did it. If you have a different way I