Block China and other simple DLP/APT remedies

Blocking foreign countries is one of the simplest and most effective ways to stop data loss and other hack attacks. If your computers/servers/users ... have no reason to communicate with devices in certain countries, then a geographic block on the firewall to stop all traffic to/from them is a great way to reduce the threat of infection or data loss. What may be the most serious data breach ever - the loss of some 35 million records of personal data from the Korean company SK Communications - would have been stopped if the SK Communications computers had been blocked from communicating with China:

The National Police Agency found that the unidentified hacker extracted the information from SK Communications’ user database to an internet protocol address registered in China.

...

The leaked personal information includes user IDs, passwords, resident registration numbers, user names, dates of year and birth, gender, email addresses, telephone numbers and home addresses.

Passwords and personal ID numbers are encoded, but experts said, judging from the hacker’s level of skills, they may have been decoded already.

ThreatSTOP has been offering geographic blocklists for some time, and earlier this year we greatly expanded the number of countries available to our subscribers. The reason is fairly simple: certain countries do seem to produce an overwhelming share of hack attacks. This is a fact, and it remains true whether or not certain organizations are correct in their allegations of government-sponsored hacking in other countries. To put it bluntly, IP addresses in China (PRC), Ukraine and Latvia are extremely common both as the sources of attacks and as the destinations of "call homes" from infected machines. As in the case noted above, simply blocking access to China would have avoided the loss of ID data for about 60% of all South Koreans.

Now, is a geographic block the only simple remedy for data exfiltration? No, of course not. Blocking without subsequently checking the firewall logs for attempts is merely going to lead to a second attack where the exfiltration goes via a server somewhere else. However, if outbound communication attempts to foreign countries are logged as well as blocked, and the logs are scanned regularly (ThreatSTOP subscribers typically upload log files at least once a day for analysis), then IT staff can identify the infected machines and clean them up before data is lost.

A third simple but often effective measure is to block and log outbound communications on IRC and the like. While this is less effective than the geographic block - many bots, as I noted last week, use HTTP or HTTPS precisely to avoid firewall blocks - it will still catch some sorts of data exfiltration, and again, if the blocks are logged, it will help identify computers that are infected and/or users who persist in unsafe computing practices.
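The log-review step that turns a geo block and an IRC block into a detection, as an added example that is not part of the original post or of ThreatSTOP's own tooling: it parses constructed iptables-style drop lines, attributes each dropped outbound connection to a blocked country prefix or an IRC port, and flags internal hosts that keep trying. The prefixes are RFC 5737 documentation ranges standing in for real country allocations, and the log format and port list are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed geo-block table for the demo: documentation ranges (RFC 5737)
# labelled with the countries the post names. A real deployment loads the
# actual country prefixes from a feed such as a geographic blocklist.
GEO_BLOCKED = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("198.51.100.0/24"): "UA",
}
IRC_PORTS = {6667, 6697}  # assumed: plain and TLS IRC ports on the block rule

def classify(dst_ip, dst_port):
    """Return which block rule a dropped outbound connection hit, or None."""
    addr = ipaddress.ip_address(dst_ip)
    for net, country in GEO_BLOCKED.items():
        if addr in net:
            return f"geo:{country}"
    if dst_port in IRC_PORTS:
        return "irc"
    return None

def parse_line(line):
    """Parse one iptables-style 'KEY=VALUE' log line into (action, src, dst, dport)."""
    fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
    action = "DROP" if "DROP" in line else "ACCEPT"
    return action, fields["SRC"], fields["DST"], int(fields.get("DPT", 0))

def suspicious_hosts(lines, min_attempts=2):
    """Count blocked outbound attempts per internal host and rule; keep repeat offenders."""
    hits = defaultdict(Counter)
    for line in lines:
        action, src, dst, dport = parse_line(line)
        if action != "DROP":
            continue
        reason = classify(dst, dport)
        if reason:  # drops for other reasons are not our concern here
            hits[src][reason] += 1
    return {src: dict(c) for src, c in hits.items() if sum(c.values()) >= min_attempts}

# Constructed sample log: one host beaconing to a geo-blocked range over HTTPS,
# one host probing IRC, one host with only legitimate or unrelated traffic.
SAMPLE_LOG = [
    "kernel: OUT-DROP IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=51234 DPT=443",
    "kernel: OUT-DROP IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=51235 DPT=443",
    "kernel: OUT-DROP IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=51236 DPT=443",
    "kernel: OUT-DROP IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=51240 DPT=80",
    "kernel: OUT-DROP IN= OUT=eth0 SRC=10.0.0.8 DST=198.51.100.4 PROTO=TCP SPT=40001 DPT=6667",
    "kernel: OUT-DROP IN= OUT=eth0 SRC=10.0.0.8 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=6667",
    "kernel: OUT-ACCEPT IN= OUT=eth0 SRC=10.0.0.12 DST=192.0.2.50 PROTO=TCP SPT=44444 DPT=443",
    "kernel: OUT-DROP IN= OUT=eth0 SRC=10.0.0.12 DST=192.0.2.60 PROTO=TCP SPT=44445 DPT=25",
]
```

Run over a day's upload, the hosts it returns are the ones to pull for cleaning; a single hit is often noise, hence the threshold.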
