Notes from the Field • 10 MIN READ
Enhancing Firewall & Proxy Perimeter Controls
Attackers escalate intrusions within any organisation by exploiting controls that are commonly neglected. This blog outlines additional controls that address these gaps and can be used alongside the necessary standard controls to enhance security posture.
Block Uncategorized URLs by Default
Newly registered domains that fall under the uncategorized URL section can be used by bad actors to infiltrate systems. To ensure there is no green channel for any C2 call out, make sure to block all uncategorized URLs. It is always recommended to use a whitelisting method to allow the few genuine sites that might otherwise get blocked. This greatly reduces the chances of malware C2 traffic masquerading as ordinary web traffic.
Block Unknown TLDs
Most attackers will buy cheap domains to launch an attack or host a C2. Some top-level domains like .xyz, .space, .tk etc. should be blocked by default. The list is extensive and can be reviewed periodically. In normal corporate setups we do not expect users to visit any such TLDs. You can follow the whitelist method by allowing only the known TLDs, with the help of some historically captured stats.
The list is extensive. However, these are a couple of examples of devious TLDs. View these here.
Role Based Executable Download Policies
Although there are ways that attackers can encrypt and download payloads, as an extra layer of security, blocking known direct downloads of any executables, DLLs or script files on non-IT user profiles helps reduce the possibility of further attacks. A few legitimate applications may use these, but these can always be excluded.
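The three proxy controls above (deny uncategorized hosts, deny unexpected TLDs, deny executable downloads for non-IT roles, each with an explicit allowlist) can be expressed as one ordered policy decision. The following is an added example, not SecurityHQ's code or any proxy vendor's configuration syntax: the category feed, role names, allowlists and the proxy log lines are all constructed for the demonstration, and a real deployment would take them from the proxy's categorisation feed and identity source.

```python
"""Illustrative egress-policy evaluator for a web proxy (added example).

Everything below is constructed for the demonstration: the category feed,
the TLD and URL allowlists, the role names and the log lines. A real proxy
supplies these from its own categorisation feed and identity integration.
"""
import re
from urllib.parse import urlsplit

# Constructed category feed: any host not listed here is "uncategorized".
CATEGORY_FEED = {
    "www.example.com": "business",
    "updates.example.org": "software-updates",
    "cdn.example.net": "content-delivery",
}

# Explicit allowlist for genuine sites that would otherwise be blocked.
URL_ALLOWLIST = {"partner-portal.example.xyz"}

# TLDs expected in normal corporate use; everything else is denied.
TLD_ALLOWLIST = {"com", "org", "net", "uk"}

# Executable and script extensions blocked for non-IT roles.
EXEC_EXTENSIONS = {".exe", ".dll", ".msi", ".ps1", ".vbs", ".js",
                   ".bat", ".cmd", ".scr"}
IT_ROLES = {"it-admin", "it-support"}


def evaluate(url, role):
    """Return (decision, reason) for one request made by a user with `role`.

    Order: allowlist -> TLD -> category -> executable-download-by-role.
    The allowlist bypasses the TLD and category checks only; the
    role-based executable check still applies to allowlisted hosts.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ("deny", "unparseable-url")

    if host in URL_ALLOWLIST:
        reason = "allowlisted"
    else:
        tld = host.rsplit(".", 1)[-1]
        if tld not in TLD_ALLOWLIST:
            return ("deny", f"tld-not-allowed:{tld}")
        category = CATEGORY_FEED.get(host)
        if category is None:
            return ("deny", "uncategorized")
        reason = f"category:{category}"

    # Extension check on the last path segment; this is only a first filter,
    # since payloads can be renamed or encrypted, as the text notes.
    filename = parts.path.rsplit("/", 1)[-1].lower()
    ext = filename[filename.rfind("."):] if "." in filename else ""
    if ext in EXEC_EXTENSIONS and role not in IT_ROLES:
        return ("deny", f"executable-download:{ext}")
    return ("allow", reason)


# Constructed proxy log: timestamp user role method url
PROXY_LOG = """\
2024-01-01T09:00:01Z alice finance GET http://www.example.com/report
2024-01-01T09:00:02Z alice finance GET http://cheapdomain.xyz/update.php
2024-01-01T09:00:03Z bob it-admin GET http://updates.example.org/agent.msi
2024-01-01T09:00:04Z alice finance GET http://updates.example.org/agent.msi
2024-01-01T09:00:05Z carol sales GET http://newhost.example.com/index.html
2024-01-01T09:00:06Z carol sales GET https://partner-portal.example.xyz/login
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def evaluate_log(text=PROXY_LOG):
    """Replay log lines through the policy; returns (user, url, decision, reason)."""
    decisions = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        _ts, user, role, _method, url = m.groups()
        decision, reason = evaluate(url, role)
        decisions.append((user, url, decision, reason))
    return decisions


if __name__ == "__main__":
    for user, url, decision, reason in evaluate_log():
        print(f"{decision:5} {user:6} {url}  ({reason})")
```

Replaying the log shows each control firing independently: the .xyz host is denied by TLD, the unlisted host under an allowed TLD is denied as uncategorized, the same .msi download is allowed for the IT role and denied for finance, and the allowlisted partner portal passes despite its TLD.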
Firewall Rules Must Only Allow Necessary Communication
No flat network whitelisting of any IP or port, even for trusted cloud hosting platforms, can be allowed. Allow only the required and necessary communication. Many application services demand a large range of ports, and it is easy for attackers to misuse this tunnel/traffic. For such application traffic, apply application inspection policies so that only the intended application can communicate over this wide range of ports. All inbound and outbound communication must only be opened from known services, followed by application inspection.
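A rule-base review that flags exactly the conditions described here (any-to-any or flat whitelisting, and wide port ranges with no application inspection bound to the rule) is shown below as an added example; it is not SecurityHQ's tooling, and the CSV export format, the rule names and the 16-port threshold are constructed assumptions rather than any firewall vendor's format.

```python
"""Rule-base review helper flagging over-broad firewall rules (added example).

The CSV schema (name, src, dst, proto, ports, app_inspection) and the rules
are constructed for this demonstration; map your firewall's export onto it.
"""
import csv
import io

# Constructed export of a rule base. 'ports' is a single port, a range 'a-b'
# or 'any'; 'app_inspection' is the application-identification profile bound
# to the rule (empty means none).
RULEBASE_CSV = """\
name,src,dst,proto,ports,app_inspection
web-out,10.0.1.0/24,any,tcp,443,web-browsing
cloud-flat,10.0.0.0/8,52.0.0.0/8,tcp,1-65535,
db-app,10.0.2.10,10.0.3.20,tcp,1433,
voip-media,10.0.4.0/24,10.0.5.0/24,udp,10000-20000,sip-rtp
mgmt-any,any,any,any,any,
"""

# Assumed threshold: a range wider than this needs application inspection.
MAX_PORTS_WITHOUT_INSPECTION = 16


def port_count(ports):
    """Number of ports a rule opens ('any' counts as the whole range)."""
    if ports == "any":
        return 65535
    if "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
        return hi - lo + 1
    return 1


def review_rule(rule):
    """Return a list of finding tags for one rule (empty list = no concern)."""
    findings = []
    if rule["src"] == "any" and rule["dst"] == "any":
        findings.append("any-to-any")
    elif rule["src"] == "any":
        findings.append("flat-source")
    elif rule["dst"] == "any":
        findings.append("flat-destination")

    n = port_count(rule["ports"])
    if n > MAX_PORTS_WITHOUT_INSPECTION and not rule["app_inspection"]:
        findings.append(f"wide-port-range-no-inspection:{n}")

    if rule["proto"] == "any":
        findings.append("any-protocol")
    return findings


def review_rulebase(text=RULEBASE_CSV):
    """Map rule name -> findings for every rule in the export."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["name"]: review_rule(row) for row in reader}


if __name__ == "__main__":
    for name, findings in review_rulebase().items():
        print(f"{name:12} {', '.join(findings) or 'ok'}")
```

In the constructed rule base, the "trusted cloud" rule opening all 65535 TCP ports to a whole provider range without inspection is flagged, while the VoIP rule with a comparably wide range passes because an application-inspection profile is bound to it, which is the distinction the text draws.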
Email and Exchange Controls
Recently, the largest attacks have started with initial compromise of exposed and unpatched Exchange servers and weak email controls. We cannot completely control the social element of phishing attacks. However, we can limit them by employing some hardened controls.
Read this blog on Email Vulnerabilities for more information.
Restrict Inbound/Outbound Email Communication
It is important to map the email traffic flow and ensure only relevant ports and services are kept open. Ensure SMTP ports are not directly exposed to the internet unless it is your email gateway.
Disable Basic Authentication in Exchange Online
Legacy authentication should be carefully reviewed and should be disabled by default. Carefully review applications which might still need this support. But essentially, it must be disabled for the larger audience to avoid brute-force and MFA bypass attacks. You can read more about switching off legacy authentication here, and learn how to disable basic authentication here.
Turn on SMTP Authentication
For newer Exchange environments, turn on SMTP authentication (authentication on ports 25, 110, 993, 587 and 465) for only known mailboxes on the email servers exposed to the internet.
Block Dubious Email Attachments
Most targeted phishing attacks can convince the user to click or download malicious attachments. Blocking at least the executables can help minimize obvious attacks.
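Blocking executables by extension alone misses two common tricks: a second extension hidden in front of the real one, and an executable renamed to look like a document. The screening routine below, an added example rather than SecurityHQ's or any mail gateway's rule syntax, parses a constructed message with Python's standard `email` module and checks each attachment's name against a block list, for a double extension, and for executable magic bytes that contradict the file name. The block list and magic-byte table are assumptions to be aligned with the organisation's own policy.

```python
"""Inbound attachment screening (added example, not a gateway's own rules).

The sample message, the blocked-extension list and the magic-byte table are
constructed for this demonstration.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".msi", ".bat", ".cmd",
                      ".ps1", ".vbs", ".js", ".hta", ".jar"}

# Document-like extensions that attackers place in front of the real one.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}

# Leading bytes that identify executable content regardless of file name.
EXECUTABLE_MAGIC = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
}


def build_sample_message():
    """Constructed message with one clean and three suspicious attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # Executable with a document extension inserted before the real one.
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    # Executable bytes renamed to a harmless-looking text file.
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="text",
                       subtype="plain", filename="notes.txt")
    msg.add_attachment(b"plain text", maintype="text",
                       subtype="plain", filename="readme.txt")
    return msg.as_bytes()


def screen_attachment(part):
    """Return the list of reasons to block one attachment (empty = pass)."""
    filename = (part.get_filename() or "").lower()
    data = part.get_payload(decode=True) or b""
    reasons = []

    labels = filename.split(".")
    ext = "." + labels[-1] if len(labels) > 1 else ""
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked-extension:{ext}")

    # "name.pdf.exe": a document extension immediately before the real one.
    if len(labels) > 2 and labels[-2] in DOCUMENT_EXTENSIONS:
        reasons.append("double-extension")

    # Content says executable but the name does not: flag the mismatch.
    if ext not in BLOCKED_EXTENSIONS:
        for magic, kind in EXECUTABLE_MAGIC.items():
            if data.startswith(magic):
                reasons.append(f"content-mismatch:{kind}")
    return reasons


def screen_message(raw):
    """Map attachment filename -> block reasons for every attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return {part.get_filename(): screen_attachment(part)
            for part in msg.iter_attachments()}


if __name__ == "__main__":
    for name, reasons in screen_message(build_sample_message()).items():
        print(f"{name:18} {'BLOCK ' + ', '.join(reasons) if reasons else 'pass'}")
```

Running it blocks `invoice.pdf.exe` on both the extension and the double-extension check, flags `notes.txt` because its content starts with a PE header, and passes the genuine PDF and text file, so the obvious attacks the text refers to are caught without relying on the sender's choice of file name.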
Having conducted incident response investigations across a wide range of industries, SecurityHQ are best placed to work with businesses large and small, and across numerous technical environments to reduce the impact of a cyber security incident. For more information on these threats, speak to an expert here.
Or if you suspect a security incident, you can report an incident here.