Effective threat intelligence is a tactical necessity to detect, respond, and mitigate these threats in real-time. This article presents a detailed case study of a recent engagement by OneFirewall that demonstrates the measurable impact of actionable threat intelligence.

Background: Scaling Business, Scaling Attack Surface

A new member of OneFirewall (referred to as Member X) operates a B2B SaaS platform serving clients globally through three cloud providers: Azure, DigitalOcean, and GCP. Their infrastructure includes:

  • Two instances in Europe.

  • One instance in the US.

As their business expanded, so did their exposure to attacks:

  • 22% of traffic was performing unauthorized operations (attacks).

  • An average of 35,000 attacks per day targeted web services and management consoles.

  • Security limitations identified:

    • Cloudflare (free plan) for CDN without advanced security features.

    • Direct access to management consoles without VPN.

    • Insufficient detection capabilities for advanced threats.

Requirements: Member X needed an immediate solution to stop the ongoing attacks without compromising flexibility in their technology stack or adopting complex security solutions.

OneFirewall’s Approach: A Tactical Action Plan

Objective: Secure Member X’s infrastructure within 24 hours using threat intelligence and targeted defensive measures.

Step 1: Threat Analysis

  • Conducted a comprehensive assessment of attack patterns:

    • High-frequency automated bot traffic.

    • Brute-force attempts targeting SSH access.

    • Application-layer attacks on web services.

  • Mapped threat vectors to identify critical vulnerabilities.

Step 2: Threat Intelligence Integration

  • Integrated OneFirewall’s distributed threat intelligence:

    • Assessed threat sources using a Crime Score metric.

    • Prioritized blocking sources with a Crime Score above 120.

  • Analyzed attack signatures in real-time to refine blocking rules.

Step 3: Implementation of Preventive Controls

  • Deployed ACLs (Access Control Lists) to block IPs scoring above 120.

  • Whitelisted remote access to approved IP ranges.

  • Optimized traffic routing and CDN configurations to reduce attack surface.

  • Hardened web ingress points using threat intelligence to prevent application-layer attacks.

Results: Concrete Security and Performance Gains

  1. Blocked Unauthorized Traffic:

    • Prevented all traffic from IPs with a Crime Score >120.

    • Eliminated the 35.000 daily unauthorized traffic effectively.

  2. Reduced Latency by 28%:

    • Blocking malicious traffic at the edge reduced processing overhead.

    • Improved response times for legitimate users.

  3. Mitigated All Web and SSH Attacks:

    • Implemented automated blocking for SSH brute-force attempts.

    • Prevented all identified web application attacks without manual intervention.

  4. Enhanced Threat Intelligence Network:

    • Member X’s integration added over 12,000 new threat feeds per day.

    • Identified 0.49% unique threats previously undetected by other members.

Key Observations

  1. Perimeter Security is Critical:

    • Immediate blocking of malicious traffic at the edge is essential for both security and performance.

  2. Threat Intelligence as a Force Multiplier:

    • Real-time intelligence enabled accurate blocking without affecting legitimate traffic.

  3. Continuous Intelligence Sharing:

    • Member X’s contribution strengthened the entire OneFirewall community by expanding the threat intelligence dataset.

Conclusion

This case study demonstrates the tactical value of actionable threat intelligence. By rapidly deploying intelligence-driven defenses, OneFirewall secured Member X’s infrastructure against a high volume of attacks without compromising performance or flexibility. This approach underlines the importance of integrating real-time threat intelligence for any online service facing continuous threats.

High Level DesignCheckpoint Secure XL