Even as companies around the world address the Log4j vulnerability, it continues making headlines.
The reason? Attackers keep discovering new ways to exploit it.
Although the Cybersecurity and Infrastructure Security Agency (CISA) now offers a scanning tool to detect vulnerable web applications, updating your systems before attackers strike remains a challenge.
Fortunately, there’s an easy way to block attacks like these: egress traffic filtering.
So, while your team works on resolving Log4j vulnerabilities and Active Directory flaws with November patches, consider how egress filtering might work for you.
But how, exactly, does it work?
What is Egress Filtering?
Sure, you know that firewalls help keep malicious traffic out of your networks. But, did you know they can prevent threats from leaving your networks, as well?
When threats find their way into your systems, they need to find their way back out again. It’s how they spread from network to network and transfer stolen data back to cybercriminals.
Preventing this unauthorized outbound traffic is known as egress filtering, and it’s a great way to strengthen your cybersecurity.
Egress filtering protects connected networks by preventing malware-generated traffic (with spoofed IP addresses) from leaving a compromised network.
The idea is that if malware can’t leave, then it can’t spread or withdraw stolen data.
Even though the most common application may be your perimeter firewall, large parts of your network can be customized. Individual system firewalls, routers, and cloud firewalls can be established with their own egress filtering security rules.
The trick is to check your firewall’s default settings. Often, they allow any and all traffic to leave your system, without regards to what information is being sent.
Implementing Egress Filtering
Egress filtering takes time and expertise to implement correctly.
First, you’ll need to come up with a whitelist of needed services, to ensure normal processes aren’t blocked.
For example, some organizations handle Domain Name Services (DNS) internally and can be blocked. But, if you outsource DNS, you’ll need to allow it through your external firewall.
Carefully filter your external traffic, such as blocking IP address spoofing, and constraining “known-host” queries to trusted providers.
Known-hosts provide key services, such as DNS or email, and you’ll need keep your egress filtering to the IP range your vendors and internal services use.
When deciding the basic rules for egress filtering, consider two broad tradeoffs:
- Usability vs. Security
- Default Permit vs. Default Deny
If your default settings are to deny permission, your systems are more secure. Unknown traffic won’t be allowed.
But the tighter you lock down your security and the more you deny, the more often you’ll run into a service or software that ends up blocked.
If it was software you weren’t aware of, it won’t be long before your employees start running into problems with crippled applications.
The more secure you want to remain, the more you need to know about the specific processes your business uses. If you err on the side of loose and free firewall rules, then attackers are sure to use it against you.
It’s a delicate balancing act for sure, but the more you know about your specific needs, the easier it becomes.
How Egress Filtering Blocks Malware
Egress filtering can’t stop all malware, but specific types use known methods to spread or function. For these, blocking specific ports or types of traffic works wonders.
For example:
- 2016 Dyn Attack sent DNS traffic inquiries over port 53 (for DNS queries).
- 2017 Wannacry Attack spread through SMB port 445.
- 2021 Log4j depends on sending LDAP and HTTP(S) requests using Java.
To stop all three of these examples, egress filtering needs to block outbound traffic on ports 53 and 445, and block all internet connections initiated by Java application servers.
Unfortunately, this isn’t a simple task for every organization. Fortunately, there may still be workarounds.
With Log4j, for example, if Java application servers must initiate connections, you might be able to block LDAP and RMI protocols. Or, if you can’t block those, you can limit the IP addresses for requests to trusted servers.
Putting Theory Into Practice
When it comes to cybersecurity, egress filtering often slides under the radar.
Most people view firewalls as a way to stop inbound traffic, yet neglect seeing outbound traffic as a security issue. However, that’s clearly not the case.
Limiting outbound traffic with egress filtering is a great way to stop the spread of an attack and protect your data.
When under the pressure of addressing active attacks such as those directed at the Log4j vulnerability, act quickly and decisively. The longer a flaw remains exposed, the more likely you are to suffer a security breach.
If your own team lacks the time or the expertise, outsourcing can provide the help you need to make it through an emergency.
Contact Ideal Integrations at 412-349-6680 or fill out the form below, and our experts will be sure to get you the customized assistance you need.