Why You Need to Monitor and Control Outbound Traffic

Jeff Hershberger
Jan 25, 2023

Traditional cybersecurity strategies usually operate under the assumption that threats originate from outside the corporate firewall. That’s why when we set firewall rules, we normally focus on restricting inbound traffic. This approach leaves out a wide range of threats that might already be inside your network but have to perform outbound communications before they can compromise your systems.

In this post, we’ll discuss:

  • The importance of monitoring and controlling outbound traffic;
  • Threat activity that rely on outbound communications;
  • Insecure practices that result in vulnerable outbound connections;
  • Compliance implications of monitoring and controlling outbound traffic;
  • Challenges of restricting outbound traffic; and
  • An effective solution for carrying out those restrictions.

Importance of Monitoring and Controlling Outbound Traffic

There is one simple reason why you need to monitor and control outbound traffic. Whenever you have outbound traffic that has the potential to cause harm to your organization, it means the threat is already inside. It’s probably just a step away from inflicting harm.

So, unless you’re able to block that malicious outbound traffic, your IT infrastructure, digital assets, and perhaps your entire business operations could already be in imminent danger. If that threat manages to establish that outbound connection, your organization could be at risk of suffering a data breach, a ransomware outbreak, getting ensnared in a botnet, and so on.

Before we talk about how you can mitigate these threats, let’s first familiarize ourselves with some of the most common threats that perform outbound communications. 

Malware Calling Home 

In many cyber attacks, a malware infection is just one of the initial stages of a larger operation. Some of these malware still have to communicate with a Command and Control (C&C) server in what are known as call-home activities. Call-home activities are carried out to accomplish various tasks such as:

  • Establishing a connection with the C&C server. It’s also one way of informing malware operators that it (the malware) has successfully established a beachhead in the target system;
  • Obtaining updates from the C&C;
  • Requesting commands from the C&C; and
  • Exfiltrating stolen data to the C&C.

In Verizon’s 2022 Data Breach Investigations Report, the use of a C&C (a.k.a. C2) server by malware is currently the second most widely used threat action variety in cyber incidents and breaches.

calling home to C2 server

Certain types of ransomware, botnets, and cryptomining/cryptojacking malware are some of the cyber threats that perform call-home activities.

Not all harmful outbound connections come from malware though. Some of them are initiated by unwitting users.

Insecure User Practices That Expose Them to Malicious Sites

Many users find it hard to identify malicious content. It’s the reason why some easily fall for social engineering attacks like phishing. According to the 2022 Cost of a Data Breach Report, phishing is currently the second most common initial attack vector, with 16% of breaches starting with a phish. When a user clicks a link on a phishing email, that outbound request ends up in a server that then delivers malicious content.

The same thing happens when users browse the web and then unwittingly click on a link that leads to a site serving malware. Since all these user-initiated actions are outbound connections, they’re not blocked by firewalls using default inbound-restricting rules even if the connections lead to malicious sites.

Data protection authorities are aware of these threats. Some of them have even incorporated risk mitigating measures into regulatory mandates. 

Compliance Requirements Involving Outbound Traffic

Requirement 1.3.2 of the Payment Card Industry Data Security Standard (PCI DSS) v 4.0, for example, calls for restrictions on outbound traffic originating from the cardholder data environment (CDE). As per Requirement 1.3.2, only outbound traffic that is deemed necessary should be allowed. All other outbound traffic must be blocked.

Corresponding guidance in the PCI DSS Requirements and Testing Procedures document offers the following reason for this requirement:

Requirement 1.3.2 “aims to prevent malicious individuals and compromised system components within the entity’s network from communicating with an untrusted external host.

That explanation corroborates with our earlier discussion.

malware call home blocked

Challenges in Restricting Outbound Traffic

While you’re already aware of the threats involving outbound traffic, imposing restrictions on these types of traffic isn’t exactly easy. For one, many legitimate applications have to initiate connections to external services. File transfer clients, email clients, web browsers, remote desktop clients, update tools, and many others, need to make outbound connections to perform business-related functions.

To avoid detection, some malware varieties use well known protocols like FTP, HTTP, HTTPS, and SMTP, which are normally employed in legitimate business processes, to communicate with their C&Cs. Some botnet-infected machines, for instance, retrieve commands from their C&C using HTTP requests.

If you’re unfamiliar with network protocols, HTTP is a protocol web browsers use to connect to a web site. For this reason, firewalls are usually configured to allow HTTP to pass through. This essentially means you can’t just block all outbound traffic nor can you block based on protocol. There has to be a better way.

A More Effective Solution To Restricting Outbound Traffic

Although it can be extremely difficult to distinguish outbound traffic caused by malware from those coming from legitimate applications and processes, there are a couple of tactics that still work.

One way is to analyze the manner by which outbound communications are carried out. You can look for certain patterns and behavior associated with malware and other threat actors. Another way is to determine the reputation of the destination IP address of the outbound traffic. More often than not, threat actors connect to IP addresses with bad reputations.

Of course, traditional firewalls have no way of employing these methods. You need an advanced security solution that has these capabilities. Intrusion Shield combines pattern and behavior-based techniques with reputation-based threat detection. 

Intrusion is equipped with one of the largest threat intelligence databases with decades of historical data on billions of IPs, hostnames, and domains. If a malware, or potentially even a zero-day threat attempts to connect to its C&C, Intrusion blocks the malicious connection attempt. 

Have questions? Let’s chat.

Resources that might interest you.

Get the insights cybercriminals don’t want you to know.