For the better part of the 90s and early aughts, the sysadmin handbook said, "Filter your incoming traffic, not everyone is nice out there" (later coined by Gandalf as "You shall not pass"). So CIOs started to supercharge their network fences with every appliance they could get to protect against inbound (aka INGRESS) traffic.
In the wake of the first mass phishing campaigns in the early 2010s, it became increasingly obvious that someone had to deal with the employees and, more and specifically, their stunning capacity to click on every link they'd receive. Outbound traffic filtering (aka EGRESS) became an obsession. Browser security, proxies, and other glorified antiviruses became the must-have every consulting firm would advise their clients to get their hands on ASAP.
The risk was real, and the response was fairly adapted, but it also contributed to the famous "super soldier" stance. I'm alone against an army? So be it, I'll dig a trench, bury my assets inside, behind heaps of software and become a super soldier to hold my ground.
But the "ground" was a moving target. SaaS, shadow IT, Public Cloud, temporary workloads, and work-from-home broke those walls. The once very clear perimeter became increasingly blurry. The concepts of "inside" and "outside" became blurry. The super soldier couldn't defend all areas simultaneously. He was also facing a growing army of well-trained & heavily funded cyber criminals. Superman couldn't just be everywhere at the same time any longer.
And then, in the late 2010s and early 2020s came the ransomware. A terribly clever way of monetizing the technical debt at the highest possible price. The same old hacking technics, thanks to the rise of cryptocurrency, now were worth platinum. Our super soldier was, all of a sudden, very alone and … quite useless.
Egress filters post-compromise, where Ingress filters pre-compromise
Ingress traffic handling was by then less trendy, it was supposed to be a done deal. With a firewall and some decent monitoring, we should be good to go. But compromising a business or government institution could be done mostly using one of the three main strategies:
- Lure users, and bet on weak Egress filtering
- Use mass exploitation, like a 0day, a logic vulnerability, weak passwords, etc., and bet Ingress filtering wasn't so smart (who whitelists access to their ports 53, 80, 443, 465, etc.)
- Use targeted attacks, very similar to the above, but aiming only at one specific entity, on its entire surface. Instead of phishing widely with a gatling gun, hoping for 123456 "protected" RDP. Here again, a matter of Ingress handling.
According to IBM X-force reports, roughly 47% of initial compromises are related to vulnerability exploitations whereas phishing accounts for 40%. Add 3% of stolen credentials and 3% of brute force, and your Ingress aggressions are weighting 53% in terms of probability to get breached from the outside in. (I'm not counting the 7% of removable media because, honestly, if your users are dumb enough to plug in an unknown USB and your policy allows it, then it's a different matter that I'd call Digital Darwinism.)
Once a user is infected with malware, the game is to avoid their workstations becoming an operation base for cybercriminals. Now this is where Egress filtering kicks in. Ok, it's too late, you've been compromised, but let's mitigate the fallouts and prevent the station from 1/ further being exploited within the walls but also 2/connecting back to the Command and Control center of the criminals.
Now Ingress traffic protection is necessary because not only it accounts for more initial compromises but also because the perimeter is bigger and more heterogeneous than ever. A corporate "perimeter" often now comprises HQ LAN & DMZ, some hosted machines in data centers, and eventually several offices with VPNs, remote workers, Cloud workloads, supply chain providers, and SaaS tools. Monitoring it all is a feat, especially when the SIEM vendors want to monetize for every log you store. Thinking only Egress CTI or tool will protect you isn't realistic.
From reactive to proactive
Nowadays, Ingress traffic handling is less trendy because it was supposed to be dealt with in the 90s. But if you crowdsource your information about ingress attacks and make them curated enough to leverage this CTI data into your appliances, then it's a net win for your overall security posture. And guess who's doing crowdsource security based on an open-source DevSecops tool?
Note: This article has been written by Philippe Humeau, CEO of CrowdSec, with expertise and care.