For the better part of the 90s and the early years that followed, the sysadmin handbook said, “Filter your incoming traffic, it’s not all good out there” (later condensed by Gandalf into “You can’t pass”). So CIOs started upgrading their network fences with every tool they could get their hands on to protect against incoming traffic (aka INGRESS).
After the first mass phishing campaigns of the early 2010s, it became increasingly clear that someone had to deal with employees and, more specifically, with their uncanny capacity to click on every link they received. Outgoing traffic filtering (aka EGRESS) became an obsession. Browser security, proxies, and the well-known antivirus became must-haves, and any consulting firm would advise its clients to take care of them immediately.
The risk is real, and the response is fitting, but it also feeds the “super soldier” attitude. Me, alone against the soldiers? Then I will dig trenches, bury my assets inside them behind piles of software, and become a super soldier to defend my land.
But the “ground” is a moving target. SaaS, shadow IT, public cloud, temporary workloads, and working from home are breaking those walls. The previously crystal-clear perimeter has become increasingly hazy, and the concepts of “inside” and “outside” are blurred. A super soldier cannot defend every area at the same time, and he now faces a well-trained, well-funded army of cybercriminals. Superman can no longer be everywhere at once.
And then, in the late 2010s and early 2020s, came ransomware: a very clever way to monetize technical debt at the highest possible price. The same old hacking techniques, thanks to the rise of cryptocurrencies, are now worth platinum. Our super soldier is suddenly utterly alone and… utterly useless.
Egress filters post-compromise, where Ingress filters pre-compromise
Handling inbound traffic is less trendy these days; it is supposed to be a done deal. With a firewall and some decent monitoring, we should be good to go. But compromising a business or a government agency largely comes down to one of three main strategies:
- Attract users, and bet on weak Way Out filtering
- Use mass exploits (0days, logic vulnerabilities, weak passwords, etc.), and bet that the Ingress filtering isn’t that smart (after all, it whitelists access to ports 53, 80, 443, 465, etc.)
- Use a targeted attack, very similar to the one above, but aimed at one specific entity across its whole surface. Instead of phishing widely with a gatling gun, bet on an RDP service “protected” by 123456. Here again, this is about the handling of Ingress.
Based on the IBM X-Force report, about 47% of initial compromises were related to exploiting vulnerabilities, while phishing accounted for 40%. Add 3% of stolen credentials and 3% of brute force, and your Ingress side weighs in at 53% in terms of the likelihood of being broken into from the outside. (I didn’t count the 7% of removable media because, frankly, if your users are stupid enough to plug in an unknown USB stick and your policies allow it, then that’s another problem, which I call Digital Darwinism.)
Once a user is infected with malware, the game is to stop their workstation from becoming a base of operations for cybercriminals. This is where the Way Out filtering starts. OK, it’s too late, you’ve been compromised, but let’s mitigate the impact and prevent the workstation from 1/ being used to push further within the walls and 2/ connecting back to the villain’s Command and Control center.
Ingress traffic protection is all the more necessary now, not only because it accounts for more initial compromises but also because perimeters are bigger and more heterogeneous than before. A company “perimeter” now often consists of the HQ LAN and DMZ, multiple machines hosted in a data center, and finally multiple offices with VPNs, remote workers, cloud workloads, supply chain providers, and SaaS tools. Keeping track of everything is a feat, especially when the SIEM vendor wants to make money on every log you keep. Thinking that Egress CTI or tools alone will protect you is unrealistic.
From reactive to proactive
Today, handling Ingress traffic is less trendy than it was in the 90s, and less than it should be. But if you aggregate information about incoming attacks and curate it well enough to feed this CTI data into your equipment, then it’s a net win for your overall security posture. And guess who does crowdsourced security based on an open-source DevSecOps tool?
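As an added example (not code from the article or from CrowdSec), here is what the aggregate-then-curate idea above can look like: failed-login events reported by several sites are folded per source IP, and only addresses confirmed by independent reporters are pushed to every site’s ingress filter, while single-site noise stays local. The log format, the site names, the addresses and the nftables set name are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: failed-login events reported by three independent sites.
# Site names, hosts and addresses are made up for this example.
REPORTS = """\
siteA 2024-05-01T10:00:01Z sshd Failed password for root from 198.51.100.7
siteA 2024-05-01T10:00:03Z sshd Failed password for admin from 198.51.100.7
siteB 2024-05-01T10:02:10Z rdp Failed logon for Administrator from 198.51.100.7
siteC 2024-05-01T10:05:44Z sshd Failed password for root from 198.51.100.7
siteA 2024-05-01T10:06:00Z sshd Failed password for bob from 203.0.113.9
siteA 2024-05-01T10:06:02Z sshd Failed password for bob from 203.0.113.9
siteA 2024-05-01T10:06:04Z sshd Failed password for bob from 203.0.113.9
siteB 2024-05-01T10:07:30Z rdp Failed logon for jane from 192.0.2.55
"""

LINE_RE = re.compile(r"^(?P<site>\S+) \S+ \S+ Failed (?:password|logon) for (?P<user>\S+) from (?P<ip>\S+)$")

def aggregate(reports):
    """Fold raw events into per-source-IP stats: attempts, reporting sites, targeted users."""
    stats = defaultdict(lambda: {"attempts": 0, "sites": set(), "users": set()})
    for line in reports.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match the constructed format are skipped
            s = stats[m["ip"]]
            s["attempts"] += 1
            s["sites"].add(m["site"])
            s["users"].add(m["user"])
    return stats

def curate(stats, min_sites=2, min_attempts=3):
    """Curation step. 'consensus': confirmed by several independent sites, so the
    decision is shared with every site (proactive, even ones not yet hit).
    'local': heavy but seen by one site only, so it stays with that site (reactive).
    Everything else is noise and gets no decision."""
    decisions = {}
    for ip, s in stats.items():
        if len(s["sites"]) >= min_sites:
            decisions[ip] = ("consensus", "*")
        elif s["attempts"] >= min_attempts:
            decisions[ip] = ("local", next(iter(s["sites"])))
    return decisions

def nft_rules(decisions, site, timeout="4h"):
    """Ingress filter lines for one site. Assumes an nftables set 'inet filter blocklist'
    created with 'flags timeout' (an assumption for this example, not from the article)."""
    return [f"add element inet filter blocklist {{ {ip} timeout {timeout} }}"
            for ip, (_, scope) in sorted(decisions.items()) if scope in ("*", site)]
```

A site that has never seen 198.51.100.7 (say a hypothetical siteD) still receives the consensus rule, which is the proactive part; the 203.0.113.9 rule only reaches siteA.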
Note: This article was written by Philippe Humeau, CEO of CrowdSec, with expertise and care.