Time after time organizations get bitten by not implementing a simple but elusive concept: egress filtering and segmentation. With all the recent news about new variants of the Backoff point-of-sale (POS) malware, what is more concerning is the consistent failure to allow only what is necessary to cross the boundaries of your trusted networks.
Understanding how an Egress Engineering Solution can help
Start thinking in terms of risk reduction and program building. Take a look at the US-CERT write-up on a recent Backoff malware variant; if you could implement only one thing to reduce your risk, where would you begin? There are many strong answers, all logical and needed: maybe you said you need a HIPS, a registry monitor, a file-integrity monitor, a network audit, a user audit, or a scanning tool. How many people said segmentation and egress filtering? Look at the write-up again. US-CERT gives some very good recommendations and actions (controls) you can implement to reduce your risk; personally, I would have put the “Network Security” section at the beginning of the alert with a statement like “Implement this NOW, then continue reading.” The reason is simple: what is outlined in the Network Security section is fundamental to any security program and process, and it is independent of whichever risk is currently trending.
Segmentation and Egress Engineering are fundamental to Security Programs
- Stop allowing everything to communicate outbound; default-deny and allow only the flows the business requires
- Stop letting your data be sent outbound
- Stop letting attackers maintain command and control (C2) across your network
- Locate where your sensitive data is and segment access to it
- Log and audit all attempts to enter or leave sensitive networks, including the denied ones
Let us now look at how segmentation and egress engineering fit into a couple of key security programs that should be implemented within an organization: Data Protection and Access Management. Notice that the sub-components of those programs build upon each other, with each successive component indicating an increase in the maturity of the organization’s security.
What is involved in a Segmentation and Egress Engineering Solution?
Segmentation and Egress Engineering is the process of separating the networks, data, and roles and responsibilities that interact with sensitive information, and concentrating security effort on those critical areas. A side benefit is that labor-intensive or costly hardening can be limited to the networks and devices that store, transmit, or process sensitive data.
Reducing risk with this solution involves several critical steps:
- Integrate Business Impact and Critical Processes
- Define business requirements for access outside trusted networks
- Determine trust relationships and authentication sharing
- Perform Data Discovery and determine likely attack vector points
- Create data storage, access, protection and destruction controls
- Implement segmentation at application, network, user and data levels
- Implement logging and auditing for any access to/from sensitive locations
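The two lists above (the "stop letting everything out" principles and the steps from business requirements through segmentation and logging) reduce to one mechanism: an explicit allow-list of required flows between segments, default-deny for everything else, and a record of every denied attempt so that repeated outbound attempts stand out. The following Python script is an added example, not code from the original post or from SecureState; it models that policy over constructed flow records. The segment ranges, the allowed flows, the processor network and the flow records are all assumptions chosen for illustration, not data from any real environment.

```python
"""Egress and segmentation policy check, run over constructed flow records.

Model: every segment is default-deny; ALLOWED enumerates the business-required
flows; anything else is denied and logged. Denied outbound attempts that repeat
toward the same external destination are surfaced as possible C2 beaconing.
"""
import ipaddress
from collections import Counter

# Constructed example segments (assumed RFC 1918 ranges, chosen for illustration).
SEGMENTS = {
    "pos":     ipaddress.ip_network("10.10.20.0/24"),  # card-accepting terminals
    "payment": ipaddress.ip_network("10.10.30.0/24"),  # relay to the payment processor
    "corp":    ipaddress.ip_network("10.10.40.0/24"),  # user workstations
    "mgmt":    ipaddress.ip_network("10.10.50.0/24"),  # administrative jump hosts
}

# Anything in these ranges but outside SEGMENTS is "unknown" internal space;
# anything outside them is treated as the internet.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# External destinations the payment segment may reach (constructed, TEST-NET-3).
PROCESSOR_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Business requirements written as an explicit allow-list:
# (source segment, destination segment or "internet", protocol, destination port).
ALLOWED = {
    ("pos", "payment", "tcp", 443),       # terminals talk only to the relay
    ("payment", "internet", "tcp", 443),  # relay talks out, restricted to PROCESSOR_NETS
    ("mgmt", "pos", "tcp", 22),           # administration enters POS only from jump hosts
    ("mgmt", "payment", "tcp", 22),
    ("corp", "internet", "tcp", 443),     # general user browsing
    ("corp", "internet", "tcp", 80),
}


def segment_of(ip_str):
    """Map an address to a segment name, 'unknown' for other internal space, else 'internet'."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown" if any(ip in net for net in INTERNAL) else "internet"


def evaluate(src, dst, proto, dport):
    """Return ('allow'|'deny', reason) for one flow under the default-deny policy."""
    s, d = segment_of(src), segment_of(dst)
    if (s, d, proto, dport) not in ALLOWED:
        return "deny", f"{s}->{d} {proto}/{dport} not in allow-list"
    if s == "payment" and d == "internet":
        if not any(ipaddress.ip_address(dst) in net for net in PROCESSOR_NETS):
            return "deny", "payment segment may only reach the processor networks"
    return "allow", "permitted by business requirement"


def audit(records, beacon_threshold=3):
    """Run each 'timestamp src dst proto dport' record through evaluate().

    Returns the denied flows plus (src, dst, port) tuples that were denied at
    least beacon_threshold times toward the internet: the shape of a C2 beacon.
    """
    denies = []
    external_denies = Counter()
    for line in records:
        ts, src, dst, proto, dport = line.split()
        verdict, reason = evaluate(src, dst, proto, int(dport))
        if verdict == "deny":
            denies.append((ts, src, dst, proto, int(dport), reason))
            if segment_of(dst) == "internet":
                external_denies[(src, dst, int(dport))] += 1
    beacons = {k: n for k, n in external_denies.items() if n >= beacon_threshold}
    return {"denies": denies, "beacons": beacons}


# Constructed flow records, not real traffic. Addresses outside 10.0.0.0/8 are
# documentation ranges (TEST-NET-1/2/3).
SAMPLE_FLOWS = [
    "2014-08-01T10:00:01 10.10.20.15 10.10.30.5 tcp 443",     # pos -> payment relay
    "2014-08-01T10:00:05 10.10.20.15 198.51.100.23 tcp 443",  # pos straight to the internet
    "2014-08-01T10:05:05 10.10.20.15 198.51.100.23 tcp 443",  # ...again, five minutes later
    "2014-08-01T10:10:05 10.10.20.15 198.51.100.23 tcp 443",  # ...and again: beacon pattern
    "2014-08-01T10:01:00 10.10.40.8 10.10.20.15 tcp 3389",    # workstation -> POS (lateral)
    "2014-08-01T10:02:00 10.10.50.2 10.10.20.15 tcp 22",      # jump host -> POS
    "2014-08-01T10:03:00 10.10.40.8 192.0.2.44 tcp 443",      # workstation browsing
    "2014-08-01T10:04:00 10.10.30.5 203.0.113.10 tcp 443",    # relay -> processor
    "2014-08-01T10:04:30 10.10.30.5 198.51.100.77 tcp 443",   # relay -> somewhere else
]

if __name__ == "__main__":
    result = audit(SAMPLE_FLOWS)
    for d in result["denies"]:
        print("DENY", *d)
    for (src, dst, port), n in result["beacons"].items():
        print(f"POSSIBLE C2: {src} tried {dst}:{port} {n} times while denied")
```

Two design points carry over to a real firewall or flow-log pipeline. First, the allow-list is keyed on segment names rather than individual hosts, which is what lets the business requirement ("terminals talk only to the relay") survive re-addressing. Second, denied flows are kept rather than dropped silently: a POS host that is blocked from the same external address every five minutes is exactly the signal the "log and audit all attempts" item is asking for, and it only exists if the egress rule logs what it denies.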
How can I achieve a reduction in risk?
Below is a recent example of how SecureState reduced an organization’s risk by implementing segmentation and egress engineering. You are not alone if you are only now realizing how strategic this solution is; you can still begin to integrate it now and have a large, positive effect across the enterprise and within several security program components. In this example, we identified the ultimate risk to the organization as “Data Loss”. The security programs listed are intended to protect sensitive data, but have the deficiencies indicated. Much like the new variants of the Backoff malware, threat actors and similar tools take advantage of missing controls and gaps within these programs to get at your sensitive data: specifically, they gain entrance, establish persistence, and move the data through and across your network on the way out. By correlating missing security components and identifying risk and attack vector points, a solution such as segmentation and egress engineering provides an aggregate decrease in risk across all program areas. Specifically, we want a significant reduction in the risk of your data being stolen.
Begin by identifying your data, its locations, its access controls and its logging. Then do not let it out of your sight. Begin to implement and move forward with a security solution that incorporates segmentation (at the data, network and user levels) with an egress engineering solution (data discovery, data impact, data controls, roles and responsibilities and strict filtering). Start to think in terms of overall risk and let go of being so granular in your approach to individual attacks and malware such as Backoff and its variants; identify within your own organization a key element, component or process that can decrease risk across the enterprise for your most important asset. In my opinion, not letting your data leave your trusted network is a significant and powerful countermeasure against the persistent threat actors that want to steal it. Please see several other SecureState blog posts for more details on how to achieve data security and how to integrate it into incident response:
Data Classification & Response
Data Discovery Part 1
Data Discovery Part 2
Data Discovery Part 3
APT and Data Controls