Any Reason Not To Block Malicious IPs?

We were reviewing SOC playbooks when a co-worker noted on one of the steps "No need to block malicious IPs. The attacker will just get a different IP address and keep attacking". Beats me, as at all the previous SOCs I worked at we always blocked the bad-reputation IPs to execute containment.
Ok, I wanted to be really, really, really objective about this so this is my casting the "?" ball out there. Based on security best practices any reason not to block 'em as he mentioned? I'm sure to get some good tips from the gurus, or maybe confirmation of what my mind is defaulting to. If you cite some best-practices or reference material you got this from that's a plus.
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
Comments
Security+, eJPT, CySA+, PenTest+,
Cisco CyberOps, GCIH, VHL,
In progress: OSCP
Also why give a chance to an attacker... make it harder and harder so they will find it easier to attack elsewhere
Who owns the IP?
Who really manages the IP?
How many computers and humans are using that IP to access the Internet?
What is the maximum capacity of our Internet gateway devices for holding DENY ACL rules?
What does (and doesn't) the latest OSINT threat intelligence say about the IP?
What's the worst that could happen if I block the IP anyway?
Here is a TL;DR executive summary:
Don't block the IP; just detect and block the badness
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
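The checklist in the comment above, turned into a small triage routine that a SOC could run before adding a DENY rule: it answers the ownership, shared-use, threat-intel and ACL-capacity questions in order and only blocks when all of them pass, and the block it produces expires so the address is not punished after it changes hands. This is an added example, not code from the thread or from techexams.net; the internal and shared ranges, the threat-intel records, the ACL numbers and the thresholds are constructed sample data and assumptions.

```python
"""Decide whether an alerting IP should get an edge DENY rule.

Added example. Every range, intel record and threshold below is constructed
or assumed; replace them with your own asset inventory, intel feed and
gateway limits.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed: our own address space. An alert about one of these means the
# badness is on an internal host, so an edge rule is the wrong tool.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: ranges many unrelated users sit behind (hypothetical CDN egress
# and a partner's NAT pool). Blocking one of these hits everyone behind it.
SHARED_RANGES = {
    "hypothetical-cdn-egress": ipaddress.ip_network("203.0.113.0/24"),
    "hypothetical-partner-nat": ipaddress.ip_network("198.51.100.0/28"),
}

# Constructed threat-intel feed: ip -> (verdict, last_seen in UTC, report count)
THREAT_INTEL = {
    "192.0.2.10": ("malicious", datetime(2021, 3, 1, tzinfo=timezone.utc), 40),
    "192.0.2.20": ("malicious", datetime(2020, 6, 1, tzinfo=timezone.utc), 3),
    "203.0.113.7": ("malicious", datetime(2021, 3, 2, tzinfo=timezone.utc), 12),
}

NOW = datetime(2021, 3, 3, tzinfo=timezone.utc)   # fixed clock for the sample
STALE_AFTER = timedelta(days=30)   # assumption: older intel likely reassigned
ACL_HEADROOM = 0.90                # assumption: stop adding rules at 90% full
BLOCK_TTL = timedelta(days=7)      # assumption: every block expires


@dataclass
class Decision:
    ip: str
    block: bool
    reasons: list = field(default_factory=list)
    expires: Optional[datetime] = None


def decide(ip_str, acl_rules_in_use, acl_capacity, now=NOW):
    """Walk the questions in order; the first one that fails stops the block."""
    ip = ipaddress.ip_address(ip_str)

    # Who owns / manages the IP? Internal or loopback: investigate the host.
    if ip.is_loopback or any(ip in net for net in INTERNAL_RANGES):
        return Decision(ip_str, False, ["internal address: investigate the host, not the edge"])

    # How many humans and machines share it? Block the badness, not the range.
    for name, net in SHARED_RANGES.items():
        if ip in net:
            return Decision(ip_str, False,
                            [f"in shared range {name}: block the URI/payload signature instead"])

    # What does threat intel say, and how fresh is it?
    record = THREAT_INTEL.get(ip_str)
    if record is None:
        return Decision(ip_str, False, ["no intel corroboration: keep monitoring"])
    verdict, last_seen, reports = record
    age = now - last_seen
    if verdict != "malicious" or age > STALE_AFTER:
        return Decision(ip_str, False,
                        [f"intel verdict '{verdict}' is {age.days} days old: address may have moved on"])

    # Can the gateway hold another DENY rule?
    if acl_rules_in_use / acl_capacity >= ACL_HEADROOM:
        return Decision(ip_str, False,
                        ["ACL near capacity: prune expired rules before adding"])

    # Everything passed: time-bound block so the rule is revisited, not forgotten.
    return Decision(ip_str, True, [f"corroborated by {reports} recent reports"],
                    expires=now + BLOCK_TTL)


def prune_expired(active_blocks, now=NOW):
    """Drop DENY rules whose TTL has passed; keeps the ACL within capacity."""
    return {ip: exp for ip, exp in active_blocks.items() if exp > now}


if __name__ == "__main__":
    for candidate in ("192.0.2.10", "192.0.2.20", "203.0.113.7", "10.0.0.5", "192.0.2.99"):
        d = decide(candidate, acl_rules_in_use=100, acl_capacity=1000)
        print(f"{candidate:<14} block={d.block!s:<5} {'; '.join(d.reasons)}")
```

The order of the checks mirrors the questions in the post: the cheap, high-impact ones (is it ours, is it shared) come before the ones that need a feed or a device query, and the only path to `block=True` produces a rule with an expiry that `prune_expired` can later remove.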
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
Very awesomely crafted point of view as well @[email protected] . Key takeaways: (1.) No issue turning on blocks for known-bad IPs and (2.) To block/not block depends on what the IP is doing.