Monitoring firewall traffic is a fundamental part of cybersecurity. It is well known that ingress filtering is crucial to business operations, but what about egress filtering? Neglecting egress filtering can be compared to neglecting your company’s yearly budget. Just for a moment, imagine giving all your employees blank checks and hoping they do not bankrupt you. If your first thought when reading that sentence is “we would never do that,” then you are part of the majority. There are many things to consider when implementing a company’s budget: Who has the authority to spend? What are employees authorized to spend money on? Which employees have bigger budgets than others? How much can the company afford to spend? To avoid financial hardships, your company tracks all outgoing purchases. In this example, the blank checks are traffic leaving your firewall, and the employee’s purchases are connections to anything on the Internet. Controlling the egress flow of information is just as important as controlling the outflow of cash to your organization. Implementing host-based egress filtering, especially whitelisting with DNS verification, decreases risk across your entire enterprise.
What is Egress Filtering?
Egress filtering controls the outflow of traffic from the network. Meaning, if an administrator does not configure the network’s firewall correctly, outgoing traffic can connect to unknown and sometimes unwanted/malicious hosts. This could be harmful to your network because those connections could be a part of a cyberattack.
The Risk Value
Let’s walk through a scenario that is all too familiar for too many companies. An employee at a company receives a phishing email that is claiming to come from Microsoft. The email states that there is an urgent security update that must be applied to the employee’s computer immediately, or else their computer will be vulnerable to malicious exploits. The email goes on to provide instructions for the employee to follow. The employee proceeds to follow the instructions and ventures to the website the email provided and downloads the “update” to their computer. Little does the employee know that when the “update” was installed it was really a payload that connects to a server and installs malicious applications. Those applications give the attacker control of the employee’s system and allow the attacker to perform post-exploitation processes, gaining a foothold in your network and possibly exposing the user’s email content to the attacker.
Apart from security awareness training and teaching the employee how to spy a phishing email in the first place, there is another key instance where egress filtering would have prevented the attack from being successful in this scenario. When the employee navigated to the foreign website to download the security “update,” egress filtering combined with website reputation or DNS resolution would have seen the site had a bad reputation and would have blocked the employee from being able to access the website in the first place. If this had been done, the employee would have been prevented from downloading the “update” to their computer. This example is a great reminder that layered security is always beneficial to include in a network. Layered security is where an organization uses multiple segments to protect the organization on more than one level. Data resides in all different levels of an organization, including across multiple applications. Implementing layered security will ensure that data stays protected.
Later in the scenario, we read that the “update” that was installed continued to connect to a server and install malicious applications. Having egress filtering properly configured on the organization’s firewall would have prevented the malware from connecting to the command server on the Internet. Preventing that outgoing connection would have then stopped the attacker’s ability to download the applications and would cease the attacker from gaining access to the employee’s computer.
Lastly, if the organization would have had egress filtering in place, they would have been aware of the network traffic that was leaving their environment. Any activity that would have been categorized as unauthorized would have been logged and alerted. The company would have been notified to review the logs and would have been advised to follow-up and find the source of the unauthorized traffic activity.
Implementing egress filtering has two policy options: default allow policy and default deny policy. Default allow policy is thought to be the most straightforward filter to apply and is commonly used in medium to smaller organizations. In the simplest of terms, this filter allows all outbound traffic unless it is specifically not permitted to leave the network – this is called blacklisting. Usually, policies would be created to block traffic that is using unneeded protocols or exploited destination ports. Default deny policy can be thought of as the direct opposite of default allow policy. This means that all outbound traffic is denied unless it is specifically allowed – this is called whitelisting.
Another way to implement egress filtering is directly on each host. Implementing a DNS verification system, such as the Cisco Umbrella, provides a secure web gateway that helps to protect an organization’s network at the DNS layer. This can be especially useful for remote users because a cloud-based enterprise can be implemented. This can be further enhanced when used in conjunction with the host’s own firewall to perform egress filtering. The network perimeter is disappearing in the modern computer world and technology companies like your organization need to be prepared with the same level of data protection you have for your internal network.
Egress filtering is often an overlooked cybersecurity control and because most of the time it is not configured by organizations, many organizations never get to take advantage of its risk mitigation. However, seeing the benefits of stopping a malware attack paired with gaining a greater understanding of what traffic is leaving your network or hosts, the risk mitigation that egress filtering can provide is invaluable. Implementing host-based egress filtering, especially whitelisting with DNS verification, decreases risk across your entire enterprise.
Written by: Kelley Hesse, Information Security Consultant, DFIR Analyst
SBS CyberSecurity has been helping organizations identify and understand cybersecurity risks to make more informed business decisions since 2004. If your organization is looking to better understand your cyber risk; build, maintain, or test your cybersecurity program; and make smarter, more informed cybersecurity business decisions, SBS can help.
Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.