Effective threat intelligence is a tactical necessity to detect, respond to, and mitigate these threats in real time. This article presents a detailed case study of a recent engagement by OneFirewall that demonstrates the measurable impact of actionable threat intelligence.

Background: Scaling Business, Scaling Attack Surface

A new member of OneFirewall (referred to as Member X) operates a B2B SaaS platform serving clients globally through three cloud providers: Azure, DigitalOcean, and GCP. Their infrastructure includes:
  • Two instances in Europe.
  • One instance in the US.
As their business expanded, so did their exposure to attacks:
  • 22% of traffic consisted of unauthorized operations (attacks).
  • An average of 35,000 attacks per day targeted web services and management consoles.
  • Security limitations identified:
    • Cloudflare (free plan) used as a CDN, without advanced security features.
    • Management consoles reachable directly from the Internet, without a VPN.
    • Insufficient detection capabilities for advanced threats.
Requirements: Member X needed an immediate solution to stop the ongoing attacks without compromising flexibility in their technology stack or adopting complex security solutions.

OneFirewall’s Approach: A Tactical Action Plan

Objective: Secure Member X’s infrastructure within 24 hours using threat intelligence and targeted defensive measures.

Step 1: Threat Analysis

  • Conducted a comprehensive assessment of attack patterns:
    • High-frequency automated bot traffic.
    • Brute-force attempts targeting SSH access.
    • Application-layer attacks on web services.
  • Mapped the observed attack vectors to the exposed services they targeted (web ingress, SSH, management consoles) to identify the most critical weaknesses.

Step 2: Threat Intelligence Integration

  • Integrated OneFirewall’s distributed threat intelligence:
    • Assessed threat sources using a Crime Score metric.
    • Prioritized blocking sources with a Crime Score above 120.
  • Analyzed attack signatures in real-time to refine blocking rules.

Step 3: Implementation of Preventive Controls

  • Deployed ACLs (Access Control Lists) to block IPs scoring above 120.
  • Restricted remote access (SSH and management consoles) to an allow-list of approved IP ranges.
  • Optimized traffic routing and CDN configurations to reduce attack surface.
  • Hardened web ingress points using threat intelligence to prevent application-layer attacks.
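The following Python example is added here to make Steps 1 to 3 concrete; it is not OneFirewall's code and does not use its real feed format. It assumes a hypothetical "ip,crime_score" export of the threat intelligence, a few constructed sshd log lines, a hypothetical approved management range of 198.51.100.0/28, a management console on port 8443, and nftables on the instances. The score threshold follows the article: only sources scoring strictly above 120 are blocked, so a score of exactly 120 is left alone. One caveat a practitioner would want is built in: the allow-list is checked before anything is blocked, so a feed entry that happens to score an approved admin address is set aside for manual review instead of silently locking the operators out.

```python
import ipaddress
import re
from collections import Counter

# --- Constructed sample inputs (not real OneFirewall data or formats) ---

# Hypothetical threat-intel export: one "ip,crime_score" row per line.
FEED = """\
ip,crime_score
203.0.113.10,187
203.0.113.11,120
198.51.100.7,42
198.51.100.5,250
192.0.2.200,305
192.0.2.201,121
"""

# Constructed sshd log lines from one instance.
AUTH_LOG = """\
Jan 10 03:12:01 web-eu-1 sshd[2101]: Failed password for root from 203.0.113.50 port 41022 ssh2
Jan 10 03:12:03 web-eu-1 sshd[2101]: Failed password for root from 203.0.113.50 port 41023 ssh2
Jan 10 03:12:05 web-eu-1 sshd[2101]: Failed password for admin from 203.0.113.50 port 41024 ssh2
Jan 10 03:12:07 web-eu-1 sshd[2101]: Failed password for invalid user oracle from 203.0.113.50 port 41025 ssh2
Jan 10 03:12:09 web-eu-1 sshd[2101]: Failed password for root from 203.0.113.50 port 41026 ssh2
Jan 10 03:12:10 web-eu-1 sshd[2108]: Accepted publickey for deploy from 198.51.100.20 port 50111 ssh2
Jan 10 03:12:12 web-eu-1 sshd[2110]: Failed password for root from 198.51.100.20 port 50112 ssh2
"""

SCORE_THRESHOLD = 120      # block sources scoring strictly above this, as in the article
SSH_FAIL_THRESHOLD = 5     # failed logins from one source before it is blocked (assumed value)
ADMIN_ALLOW = [ipaddress.ip_network("198.51.100.0/28")]   # hypothetical approved admin range
ADMIN_PORTS = (22, 8443)   # SSH and a hypothetical management-console port

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")


def parse_feed(text, threshold=SCORE_THRESHOLD):
    """Return the feed addresses whose Crime Score is above the threshold."""
    block = set()
    for row in text.splitlines()[1:]:          # skip the header row
        ip, score = row.split(",")
        if int(score) > threshold:             # "above 120": exactly 120 is not blocked
            block.add(ipaddress.ip_address(ip))
    return block


def ssh_bruteforcers(log, threshold=SSH_FAIL_THRESHOLD):
    """Count failed password attempts per source; return sources at or over the threshold."""
    failures = Counter()
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[ipaddress.ip_address(m.group(1))] += 1
    return {ip for ip, n in failures.items() if n >= threshold}


def is_allowed(ip):
    return any(ip in net for net in ADMIN_ALLOW)


def build_blocklist(feed_text, log_text):
    """Merge intel-scored and locally observed sources; never block an approved admin range."""
    candidates = parse_feed(feed_text) | ssh_bruteforcers(log_text)
    blocked = {ip for ip in candidates if not is_allowed(ip)}
    skipped = candidates - blocked             # review these by hand instead of auto-blocking
    return [str(ip) for ip in sorted(blocked)], [str(ip) for ip in sorted(skipped)]


def render_nft(blocked):
    """Emit an nftables ruleset: drop the block set first, limit admin ports to the allow-list."""
    elements = f" elements = {{ {', '.join(blocked)} }};" if blocked else ""
    admin = ", ".join(str(n) for n in ADMIN_ALLOW)
    ports = ", ".join(str(p) for p in ADMIN_PORTS)
    return "\n".join([
        "table inet edge {",
        f"  set ti_block {{ type ipv4_addr;{elements} }}",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ip saddr @ti_block drop",
        f"    ip saddr {{ {admin} }} tcp dport {{ {ports} }} accept",
        "    tcp dport { 80, 443 } accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    blocked, skipped = build_blocklist(FEED, AUTH_LOG)
    print("# skipped (inside admin allow-list, review manually):", skipped)
    print(render_nft(blocked))
```

Run as a script, it prints a ruleset that drops the four offending sources (three from the feed, one SSH brute-forcer seen only locally) and reports 198.51.100.5 as skipped because it sits inside the approved range. In production the set would be refreshed from the feed on a schedule with `nft add element` rather than regenerated as a whole, but the ordering of the rules (block set before the allow-listed admin ports, and admin ports before public web ports) is the part that matters.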

Results: Concrete Security and Performance Gains

  1. Blocked Unauthorized Traffic:
    • Blocked all traffic from IPs with a Crime Score above 120.
    • Effectively eliminated the roughly 35,000 daily unauthorized requests.
  2. Reduced Latency by 28%:
    • Blocking malicious traffic at the edge reduced processing overhead.
    • Improved response times for legitimate users.
  3. Mitigated All Web and SSH Attacks:
    • Implemented automated blocking for SSH brute-force attempts.
    • Prevented all identified web application attacks without manual intervention.
  4. Enhanced Threat Intelligence Network:
    • Member X’s integration contributed over 12,000 new threat reports per day to the shared dataset.
    • 0.49% of these were unique threats not previously reported by any other member.

Key Observations

  1. Perimeter Security is Critical:
    • Immediate blocking of malicious traffic at the edge is essential for both security and performance.
  2. Threat Intelligence as a Force Multiplier:
    • Real-time intelligence enabled accurate blocking without affecting legitimate traffic.
  3. Continuous Intelligence Sharing:
    • Member X’s contribution strengthened the entire OneFirewall community by expanding the threat intelligence dataset.

Conclusion

This case study demonstrates the tactical value of actionable threat intelligence. By rapidly deploying intelligence-driven defenses, OneFirewall secured Member X’s infrastructure against a high volume of attacks without compromising performance or flexibility. This approach underlines the importance of integrating real-time threat intelligence for any online service facing continuous threats.