
When malware sneaks inside your network, it needs to communicate back to the internet, whether to exfiltrate the sensitive datasets it found, to accept commands from its evil masters, or simply to let them know it has successfully infiltrated your infrastructure (ransomware being one of the rare exceptions that doesn’t need such a connection).

Somehow, the focus of security in the past few years has shifted way too much to only “detect” and away from the more valuable principle of “detect and protect.” If you focus mostly on detection, you will be too late. Research shows that exfiltration usually starts 20-30 minutes after an attacker gets on your network.

Is your organization capable of reacting in this short amount of time? We haven’t heard of such a company yet. (Unfortunately, it’s oftentimes the case that the bigger the company, the slower their reaction.)

Regardless of who is the malicious actor and what their motivation is, they rely in most cases on automated hacking tools (HackDevOps, anyone?) to either transfer sensitive information from your network out to their internet lairs or to command and control their malware.

But what if the malware, operating on your systems, could not connect to the internet at all?

A lot of enterprises are not practicing a fundamental, yet simple and effective, security control: disabling direct outbound access to the internet.

An application running on your server should have outbound access only to those other components it needs to connect to in order to perform its business function. So why does that internal database server have outbound access to the web?

Do you have an outbound proxy through which all systems on your network access the internet? It’s good if you do! That’s because automated malware is not capable of finding your proxy settings. Most hacking tools are too dumb for that: they blindly try to connect directly to the internet. And if they cannot, you have just saved your data.

A production server that does not make functionality-driven, required-by-design connections to the internet should never be allowed to get out to the world wide web. Ever.

Oh, you need to update its OS or other software on that box? First, don’t do it directly to a production environment. When you do, allow access only via temporary proxy settings. When the update is completed, remove these settings.

But what if the malware positions itself on a workstation of a user who needs internet access, and from there, the evil software can get to your sensitive data?

You can still prevent the exfiltration or command-and-control connection by setting a proxy configuration script for the browsers, not simply outbound proxy server settings. The attack scripts and out-of-the-box tools widely used by malware on workstations to reach the internet have no way to process such a proxy script and will, therefore, fail to connect.
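As an added illustration of the control described above (not code from the original post), here is a proxy auto-configuration (PAC) script of the kind a browser evaluates for every request; a tool that only reads a static proxy setting, or none at all, never executes it and so never learns where the proxy is. The proxy address, the internal domain, the 10.0.0.0/8 range and the discard port are assumptions constructed for this example.

```javascript
// Added example, not from the original post: a PAC script that sends internal
// traffic direct, web traffic through the corporate proxy, and everything
// else to a port where nothing listens, so the request fails closed.
//
// Assumptions (constructed for this example): proxy.corp.example:3128 is the
// outbound web proxy, internal hosts live under .corp.example or 10.0.0.0/8,
// and 127.0.0.1:9 is a "discard" sink used to refuse uncovered requests.

const PROXY_WEB = "PROXY proxy.corp.example:3128";
const BLACKHOLE = "PROXY 127.0.0.1:9"; // nothing listens here on purpose

// Minimal stand-ins for the helpers a browser's PAC engine normally supplies,
// so FindProxyForURL can be exercised outside a browser.
function dnsDomainIs(host, domain) {
  return host.endsWith(domain);
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
// Stand-in for isInNet(host, "10.0.0.0", "255.0.0.0"), literal IPs only.
function isInPrivate10(host) {
  return /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Internal names and addresses never need the internet: go direct.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example") || isInPrivate10(host)) {
    return "DIRECT";
  }
  // Only HTTP and HTTPS may leave the network, and only via the proxy,
  // where the connection can be logged and inspected.
  if (url.startsWith("http://") || url.startsWith("https://")) {
    return PROXY_WEB;
  }
  // Any other scheme the browser asks about (ftp://, ws://, ...) is refused.
  return BLACKHOLE;
}
```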

Of course, a protection like this won’t be complete without disabling direct access to the internet on all other ports and protocols, apart from HTTP and HTTPS. For SFTP, another very popular and handy method of legitimately transferring data, it’s useful to implement a gateway.

Yes, it all sounds like common sense and self-evident security practice. But you would be surprised how many prominent enterprises are not following these simple security controls.

Of course, these security measures won’t work against interactive human attackers. But even those will still need to find the proxy settings or use an actual browser (e.g. in “headless” mode, to process the proxy script) in order to exfiltrate data out.

Still, these simple controls will slow the malicious actors down; they would need to penetrate more systems to find the necessary proxy configuration. That is when you can seize your chance to detect them and react effectively.


About the Author: Krassimir Gadjokov has been an aficionado of technology since his early school years, when he built a telescope for a science fair. Later he got fascinated by the personal computer revolution and especially software development, mastering several programming languages, operating systems, and networking.

As a developer and later a system analyst in his early career, he was always fascinated by security: he automated anti-malware distribution at enterprise scale long before the vendors provided tools for it.

In his more than decade-long dedicated Information Security career at a major telecom, he has specialized in application and infrastructure Security Architecture, DevSecOps, and Cyber Threat Intelligence. He has also mentored university student teams on application architecture and security at the 2017 and 2018 Steacie Library Hackfest at Toronto’s York University.

Krassimir holds a Master’s engineering degree in Computer Technologies from the Technical University of Sofia, Bulgaria, as well as the CISSP, CPT, and CEH certifications.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.