How we stopped 35,000 attacks daily
The Tactical Advantage of Threat Intelligence: A Case Study with OneFirewall
Effective threat intelligence is a tactical necessity for detecting, responding to, and mitigating attacks in real time. This article presents a detailed case study of a recent OneFirewall engagement that demonstrates the measurable impact of actionable threat intelligence.
Background: Scaling Business, Scaling Attack Surface
A new member of OneFirewall (referred to as Member X) operates a B2B SaaS platform serving clients globally through three cloud providers: Azure, DigitalOcean, and GCP. Their infrastructure includes:
- Two instances in Europe.
- One instance in the US.
As their business expanded, so did their exposure to attacks:
- 22% of traffic was performing unauthorized operations (attacks).
- An average of 35,000 attacks per day targeted web services and management consoles.
- Security limitations identified:
  - Cloudflare (free plan) for CDN without advanced security features.
  - Direct access to management consoles without VPN.
  - Insufficient detection capabilities for advanced threats.
Requirements: Member X needed an immediate solution to stop the ongoing attacks without compromising flexibility in their technology stack or adopting complex security solutions.
OneFirewall’s Approach: A Tactical Action Plan
Objective: Secure Member X’s infrastructure within 24 hours using threat intelligence and targeted defensive measures.
Step 1: Threat Analysis
- Conducted a comprehensive assessment of attack patterns:
  - High-frequency automated bot traffic.
  - Brute-force attempts targeting SSH access.
  - Application-layer attacks on web services.
- Mapped threat vectors to identify critical vulnerabilities.
Step 2: Threat Intelligence Integration
- Integrated OneFirewall’s distributed threat intelligence:
  - Assessed threat sources using a Crime Score metric.
  - Prioritized blocking sources with a Crime Score above 120.
- Analyzed attack signatures in real time to refine blocking rules.
Step 3: Implementation of Preventive Controls
- Deployed ACLs (Access Control Lists) to block IPs scoring above 120.
- Whitelisted remote access to approved IP ranges.
- Optimized traffic routing and CDN configurations to reduce the attack surface.
- Hardened web ingress points using threat intelligence to prevent application-layer attacks.
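The following is an added illustration of Steps 2 and 3 combined, not code from OneFirewall: it reads a scored threat feed, keeps only sources with a Crime Score above 120, exempts the approved remote-access ranges, and renders the result as nftables-style ACL rules. The feed format, the field names "ip" and "crime_score", the sample addresses and the approved range are all assumptions constructed for this example.

```python
import ipaddress
import json

# Threshold from the case study: block sources whose Crime Score is above 120.
CRIME_SCORE_THRESHOLD = 120

# Constructed sample feed; the JSON shape and field names are assumptions, not OneFirewall's format.
SAMPLE_FEED = json.dumps([
    {"ip": "198.51.100.7", "crime_score": 175},
    {"ip": "203.0.113.42", "crime_score": 121},
    {"ip": "203.0.113.9", "crime_score": 120},   # exactly 120: not above, so kept
    {"ip": "192.0.2.10", "crime_score": 45},
    {"ip": "10.20.30.40", "crime_score": 300},   # inside the approved admin range
    {"ip": "not-an-ip", "crime_score": 999},     # malformed entry, must be skipped
])

# Constructed allowlist of approved remote-access ranges (management consoles).
APPROVED_RANGES = [ipaddress.ip_network("10.20.30.0/24")]


def select_block_list(feed_json, threshold=CRIME_SCORE_THRESHOLD, approved=APPROVED_RANGES):
    """Return sorted addresses to block: score above threshold and not in an approved range."""
    blocked = set()
    for entry in json.loads(feed_json):
        try:
            addr = ipaddress.ip_address(entry["ip"])
            score = int(entry["crime_score"])
        except (KeyError, ValueError, TypeError):
            continue  # never emit a rule from a malformed feed entry
        if score <= threshold:
            continue
        if any(addr in net for net in approved):
            continue  # allowlist wins: approved admin ranges are never blocked
        blocked.add(addr)
    return sorted(blocked, key=lambda a: (a.version, int(a)))


def render_nft_rules(block_list, admin_port=22, approved=APPROVED_RANGES):
    """Approved ranges reach the admin port, nobody else does, scored sources are dropped everywhere."""
    rules = [f"add rule inet filter input {'ip' if net.version == 4 else 'ip6'} saddr {net} tcp dport {admin_port} accept"
             for net in approved]
    rules.append(f"add rule inet filter input tcp dport {admin_port} drop")
    for family, version in (("ip", 4), ("ip6", 6)):
        addrs = [str(a) for a in block_list if a.version == version]
        if addrs:
            rules.append(f"add rule inet filter input {family} saddr {{ {', '.join(addrs)} }} drop")
    return rules


if __name__ == "__main__":
    for rule in render_nft_rules(select_block_list(SAMPLE_FEED)):
        print(rule)
```

Lowering the threshold widens the block list, which is why the allowlist check runs on every candidate rather than only on the default threshold.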
Results: Concrete Security and Performance Gains
- Blocked Unauthorized Traffic:
  - Prevented all traffic from IPs with a Crime Score >120.
  - Effectively eliminated the 35,000 daily attacks.
- Reduced Latency by 28%:
  - Blocking malicious traffic at the edge reduced processing overhead.
  - Improved response times for legitimate users.
- Mitigated All Web and SSH Attacks:
  - Implemented automated blocking for SSH brute-force attempts.
  - Prevented all identified web application attacks without manual intervention.
- Enhanced Threat Intelligence Network:
  - Member X’s integration added over 12,000 new threat feeds per day.
  - Identified 0.49% unique threats previously undetected by other members.
Key Observations
- Perimeter Security is Critical: Immediate blocking of malicious traffic at the edge is essential for both security and performance.
- Threat Intelligence as a Force Multiplier: Real-time intelligence enabled accurate blocking without affecting legitimate traffic.
- Continuous Intelligence Sharing: Member X’s contribution strengthened the entire OneFirewall community by expanding the threat intelligence dataset.
Conclusion
This case study demonstrates the tactical value of actionable threat intelligence. By rapidly deploying intelligence-driven defenses, OneFirewall secured Member X’s infrastructure against a high volume of attacks without compromising performance or flexibility. This approach underlines the importance of integrating real-time threat intelligence for any online service facing continuous threats.