Default deny

Earlier this week Mandiant released a report about an advanced persistent threat, APT1, in which they reveal evidence of cyber espionage targeting a variety of organisations around the world.

While there is a lot of quality information in the report, there is an underlying topic I want to draw your attention to: sometimes it is more important to stop data from leaving your network than it is trying to stop attackers from getting in.

In the case described in the report, the attackers stole information by packaging sensitive data into a compressed file (.zip or .tar) and then sending it via FTP (File Transfer Protocol), or through the command-and-control (C2) backdoor, back to the attackers’ server.

What is surprising is that this particular situation could have been avoided by applying the concept of ‘deny by default’: block everything, and only allow the things you want. By blocking all unknown outgoing network traffic, the risk of sensitive information being exported outside the network is reduced. Then it is just a matter of identifying the essential ‘must have’ services that the business needs in order to operate effectively.

There are numerous standards and frameworks that support this configuration too, including: NZISM 18.1 Configuration of Gateways, PCI-DSS Requirement 1.3.5, and NIST 800-41 Firewall Policy.

By blocking all outgoing connections you mitigate the impact when a system is compromised: you can stop malware from connecting to command and control servers, or from transferring stolen data. Whilst the system may still be compromised, at least your sensitive information will not be exposed to prying eyes.