OFFICIAL PUBLICATION OF THE NEBRASKA BANKERS ASSOCIATION

Pub. 16 2021-2022 Issue 2

Tech Talk: The Risk Value of Egress Filtering

Monitoring firewall traffic is a fundamental part of cybersecurity. It is well known that ingress filtering is crucial to business operations, but what about egress filtering? Neglecting egress filtering can be compared to neglecting your company’s yearly budget. Just for a moment, imagine giving all your employees blank checks and hoping they do not bankrupt you. If your first thought when reading that sentence is “we would never do that,” then you are part of the majority. There are many things to consider when implementing a company’s budget: Who has the authority to spend? What are employees authorized to spend money on? Which employees have bigger budgets than others? How much can the company afford to spend? To avoid financial hardship, your company tracks all outgoing purchases. In this analogy, the blank checks are traffic leaving your firewall, and the employees’ purchases are connections to anything on the internet. Controlling the outflow of information from your organization is just as important as managing its outflow of cash. Implementing host-based egress filtering, especially whitelisting with DNS verification, decreases risk across your entire enterprise.

What is Egress Filtering?

Egress filtering controls the outflow of traffic from the network. If an administrator does not configure the network’s firewall correctly, outgoing traffic can reach unknown and sometimes unwanted or malicious hosts. This is harmful to your network because those connections may be part of a cyberattack.

The Risk Value

Let’s walk through a scenario that is all too familiar for too many companies. An employee at a company receives a phishing email claiming to come from Microsoft. The email states that an urgent security update must be applied to the employee’s computer immediately, or else the computer will be vulnerable to malicious exploits. The email goes on to provide instructions for the employee to follow. The employee follows the instructions, goes to the website the email provided and downloads the “update” to their computer. Little does the employee know that the “update” they installed was really a payload that connects to a server and installs malicious applications. Those applications give the attacker control of the employee’s system and allow the attacker to carry out post-exploitation activity, gaining a foothold in your network and possibly exposing the user’s email content to the attacker.

Apart from security awareness training and teaching the employee how to spot a phishing email, this is a crucial instance where egress filtering would have prevented the attack from succeeding. When the employee navigated to the foreign website to download the security “update,” egress filtering combined with website reputation or DNS resolution would have identified the site as having a bad reputation and blocked the employee from accessing it. If this had been done, the employee would have been prevented from downloading the “update” to their computer. This example is an excellent reminder that layered security is always beneficial to include in a network. Layered security is where an organization uses multiple controls to protect itself on more than one level. Data resides at all different levels of an organization, including across multiple applications. Implementing layered security helps ensure that data stays protected wherever it resides.

Later in the scenario, we read that the installed “update” connected to a server and installed malicious applications. Having egress filtering configured properly on the organization’s firewall would have prevented the malware from connecting to the command server on the internet. Preventing that outgoing connection would have stopped the attacker from downloading the applications and from gaining access to the employee’s computer.

Lastly, if the organization had had egress filtering in place, it would have been aware of the network traffic leaving its environment. Any activity categorized as unauthorized would have been logged and alerted on. The company would have been notified to review the logs, then advised to follow up and find the source of the unauthorized traffic.

Implementation

Implementing egress filtering has two policy options: default allow policy and default deny policy. Default allow policy is thought to be the most straightforward filter to apply and is commonly used in medium to smaller organizations. In the simplest terms, this policy allows all outbound traffic unless it is expressly not permitted to leave the network; this is called blacklisting. Usually, policies would be created to block traffic that uses unneeded protocols or commonly exploited destination ports. Default deny policy can be thought of as the direct opposite. All outbound traffic is prohibited unless it is specifically allowed; this is called whitelisting.

Another way to implement egress filtering is directly on each host. Implementing a DNS verification system provides a secure web gateway that helps protect an organization’s network at the DNS layer. This can be especially useful for remote users, because the service can be delivered from the cloud rather than from the office perimeter. It can be further enhanced when used in conjunction with the host’s firewall to perform egress filtering. The network perimeter is disappearing in the modern computing world, and organizations like yours need to be prepared to apply the same level of data protection outside the perimeter as on the internal network.
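To make the two policy options and DNS-verified whitelisting concrete, here is an added toy policy engine (example code written for this article, not from SBS or any product) that replays the phishing scenario above in default-allow and default-deny mode. The allowlist, the lookalike domain, the hostname and the RFC 5737 addresses are constructed sample values.

```python
from dataclasses import dataclass, field

# Allowlist for default-deny mode: domain -> permitted destination ports (constructed sample)
ALLOWED_DOMAINS = {
    "login.microsoftonline.com": {443},
    "update.microsoft.com": {80, 443},
}
# Blocklist for default-allow mode: ports never permitted outbound (constructed sample)
BLOCKED_PORTS = {23, 445}


@dataclass
class EgressPolicy:
    default_deny: bool
    dns_cache: dict = field(default_factory=dict)  # ip -> set of domains that resolved to it
    log: list = field(default_factory=list)        # denial records for the security team

    def observe_dns(self, domain, ips):
        """Record a DNS answer seen on the host so a later connect can be tied to a name."""
        for ip in ips:
            self.dns_cache.setdefault(ip, set()).add(domain)

    def decide(self, host, dst_ip, port):
        """Return True if the outbound connection is permitted; log every denial."""
        domains = self.dns_cache.get(dst_ip, set())
        if self.default_deny:
            # Whitelisting: permit only if the IP was resolved for an allowlisted name on an allowed port
            allowed = any(port in ALLOWED_DOMAINS.get(d, set()) for d in domains)
        else:
            # Blacklisting: permit everything except expressly blocked ports
            allowed = port not in BLOCKED_PORTS
        if not allowed:
            names = ",".join(sorted(domains)) or "-"
            self.log.append(f"DENY host={host} dst={dst_ip}:{port} domain={names}")
        return allowed


def run_scenario(default_deny):
    """Replay the article's phishing scenario; returns (decisions, denial log)."""
    p = EgressPolicy(default_deny)
    p.observe_dns("login.microsoftonline.com", ["203.0.113.10"])
    p.observe_dns("microsoft-security-update.example", ["198.51.100.7"])  # lookalike site
    decisions = [
        p.decide("ws-17", "203.0.113.10", 443),  # legitimate login
        p.decide("ws-17", "198.51.100.7", 443),  # fake "update" download
        p.decide("ws-17", "192.0.2.55", 4444),   # payload beaconing to a bare IP, no DNS
    ]
    return decisions, p.log


if __name__ == "__main__":
    for mode in (False, True):
        d, log = run_scenario(mode)
        print("default-deny" if mode else "default-allow", d, *log, sep="\n  ")
```

In default-allow mode all three connections pass because none uses a blocked port; in default-deny mode only the login succeeds and the two denials leave log entries to follow up on.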

Egress filtering is often an overlooked cybersecurity control, and because most of the time it is not configured, many organizations never get to take advantage of its risk mitigation. However, once you consider the benefit of stopping a malware attack, paired with a greater understanding of the traffic leaving your network or hosts, the risk mitigation that egress filtering provides is invaluable. Implementing host-based egress filtering, especially whitelisting with DNS verification, decreases risk across your entire enterprise.

SBS delivers unique, turnkey cybersecurity solutions tailored to each client’s needs, including risk management, consulting, auditing, network security and education. For more information, contact Reece Simpson at 605-270-3916 or reece.simpson@sbscyber.com. Learn more at sbscyber.com.