10 Critical Steps to Survive a Ransomware Attack, Step 4: Configure Your Firewall to Filter OUTbound Traffic.

A firewall is a type of security device that blocks network traffic to and from unauthorized sites, and allows traffic to authorized sites. Firewalls range from high end devices designed to protect the likes of Amazon and Facebook, down to SOHO (Small Office/Home Office) devices from Linksys. While there is a tremendous range of features and capabilities across these devices, at their core, they boil down to the same set of basic functions: allowing or denying traffic based on their configuration.
The most common way we see firewalls configured is to allow little or no traffic into the network, and to allow any traffic out of the network.
Work with your IT staff to ensure that your firewall allows only legitimate traffic both in AND out. A lot of the problems stem from compromised systems inside your network which are allowed to send traffic out to the bad guys. If this communication is blocked, you have a better chance of recovering your system before it’s too late. You have to work with a competent firewall technician to make sure this is done properly. Again, start with the principle of least privilege – lock down traffic so that only what is needed – not anything that is wanted – is allowed in or out through the firewall.
[Figure: sample firewall diagram]

In the above diagram, we have an example where a PC in the HR department wants to get to a job search website. As this is likely the sort of thing we’d want the HR department to do, we allow it.
We also see that a server on the network is trying to access the same job search website. This sounds like one of our server admins is trying to get on to Monster.com to find his next gig. Not allowed!
Third, we see a PC with a virus on our network, attempting to access EvilBadGuy.com. This sounds really fishy, so we block it.
Finally, EvilBadGuy.com is trying to send some traffic into our network, to which we say “no way,” and block the attempt.
The “lazy configuration” is to just allow all outbound traffic, and deny inbound traffic. We call this “lazy” because it takes a lot less effort. The problem is that it means things are less secure. Often, if a computer system gets hacked, as in the PC with a virus in the diagram above, it will attempt to contact the site out on the Internet that wants to control it. A properly configured firewall will recognize this attempt for what it is, and shut it down. Failure to do so can result in the infected PC becoming part of an army of “zombie” computers, also known as a “botnet”: an army of systems infected with viruses which do whatever they’re directed to do by the person in control of the botnet. We’ve seen botnets with literally millions of infected systems under their control. When directed at a single target, these botnets have the ability to completely disable even the largest of websites, and are frequently used as part of extortion rackets.
In addition to having these firewall rules in place, it is important that the devices be monitored so that when inappropriate access attempts are made, they are not only stopped, but reported and responded to by the appropriate party. Too often we see firewall alerts going nowhere at all, or going to someone’s mailbox at the end of the week (or month). This means that a virus or hacker could be running around inside the network for a month before anyone even notices! This is one reason why, according to reports from security firms Mandiant and Verizon Enterprise, when attackers gain access to a network, they usually go undetected for over 200 days. Imagine that – someone gains access to your computer network and can do whatever they want, on whatever system they want, recording every keystroke, mouse click, password, etc., for over six months.
For these reasons, be sure to monitor and block unauthorized traffic through your firewall, inbound and out.
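As an added illustration (not code from this article or any particular firewall product), here is a small Python model of a default-deny, least-privilege policy run over the four flows from the diagram above, with every denied attempt collected as an alert so it reaches a responder rather than a mailbox. The zone names, addresses, hostnames and ports are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Hypothetical internal zones; addresses are constructed for this example.
ZONES = {
    "hr_workstations": ip_network("10.1.10.0/24"),
    "servers": ip_network("10.1.20.0/24"),
}

@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone name, or "*" for any
    dst_host: str   # destination name/address, or "*" for any
    dport: int      # destination port, or 0 for any
    action: str     # "allow" or "deny"

# Least privilege: only what is needed is allowed; everything else hits a deny.
POLICY: List[Rule] = [
    Rule("hr_workstations", "jobsearch.example", 443, "allow"),  # HR may job-hunt
    Rule("internet", "*", 0, "deny"),                             # nothing unsolicited inbound
    Rule("*", "*", 0, "deny"),                                    # default deny for all other egress
]

def zone_of(addr: str) -> str:
    """Map a source address to its zone; anything outside our ranges is 'internet'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def evaluate(src_ip: str, dst_host: str, dport: int) -> Tuple[str, int]:
    """First matching rule wins; returns (action, index of the rule that matched)."""
    zone = zone_of(src_ip)
    for i, r in enumerate(POLICY):
        if r.src_zone in ("*", zone) and r.dst_host in ("*", dst_host) and r.dport in (0, dport):
            return r.action, i
    return "deny", -1  # no rule matched: still deny, never fall open

def process_flows(flows) -> List[str]:
    """Apply the policy and return one alert line per denied flow for the on-call responder."""
    alerts = []
    for src, dst, port in flows:
        action, idx = evaluate(src, dst, port)
        if action == "deny":
            alerts.append(f"DENY rule#{idx} zone={zone_of(src)} {src} -> {dst}:{port}")
    return alerts

# The four flows from the diagram, with constructed addresses and hostnames.
FLOWS = [
    ("10.1.10.25", "jobsearch.example", 443),   # HR PC to the job search site: allowed
    ("10.1.20.5", "jobsearch.example", 443),    # server admin browsing for a new gig: denied
    ("10.1.10.77", "evilbadguy.example", 443),  # infected PC calling home: denied
    ("203.0.113.9", "10.1.20.5", 3389),         # unsolicited inbound from the Internet: denied
]
```

Running `process_flows(FLOWS)` yields three alert lines, one for each blocked flow; in a real deployment those lines are what should feed a ticket or a pager, not a weekly digest.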
If you’d like to listen to this article discussed in audio format, it was featured as an episode of the Blurring the Lines Podcast. Or, you can continue reading part five.

Peter Nikolaidis is an information security professional based in Cambridge, MA. He holds several information security certifications, including the CISSP. In his spare time, he enjoys practicing martial arts and yoga, mountain biking, and thinking about ways to protect the innocent… often from themselves. Connect with Peter on LinkedIn.