Background: Scaling Business, Scaling Attack Surface
A new member of OneFirewall (referred to as Member X) operates a B2B SaaS platform serving clients globally through three cloud providers: Azure, DigitalOcean, and GCP. Their infrastructure includes:
- Two instances in Europe.
- One instance in the US.
Traffic observed before onboarding:
- 22% of traffic was performing unauthorized operations (attacks).
- An average of 35,000 attacks per day targeted web services and management consoles.
Security limitations identified:
- Cloudflare (free plan) for CDN without advanced security features.
- Direct access to management consoles without VPN.
- Insufficient detection capabilities for advanced threats.
OneFirewall’s Approach: A Tactical Action Plan
Objective: Secure Member X’s infrastructure within 24 hours using threat intelligence and targeted defensive measures.
Step 1: Threat Analysis
- Conducted a comprehensive assessment of attack patterns:
  - High-frequency automated bot traffic.
  - Brute-force attempts targeting SSH access.
  - Application-layer attacks on web services.
- Mapped threat vectors to identify critical vulnerabilities.
Step 2: Threat Intelligence Integration
- Integrated OneFirewall’s distributed threat intelligence:
  - Assessed threat sources using a Crime Score metric.
  - Prioritized blocking sources with a Crime Score above 120.
  - Analyzed attack signatures in real time to refine blocking rules.
Step 3: Implementation of Preventive Controls
- Deployed ACLs (Access Control Lists) to block IPs scoring above 120.
- Restricted remote access to management consoles to an allowlist of approved IP ranges.
- Optimized traffic routing and CDN configurations to reduce attack surface.
- Hardened web ingress points using threat intelligence to prevent application-layer attacks.
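As an added illustration of Steps 1 to 3 above (not OneFirewall's product code, and not Member X's configuration), the script below shows how a score-threshold deny list, automated SSH brute-force blocking and an approved-range allowlist fit together. The Crime Score scale and the "above 120" rule are taken from this page; the feed entries, the sshd log lines, the 10.20.0.0/24 management range, the five-failure SSH threshold and the nftables-style rule syntax are all constructed assumptions for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed threat-intel feed entries: (source IP, Crime Score).
# The scale and the 120 threshold are the page's; these values are made up.
THREAT_FEED = [
    ("203.0.113.10", 250),
    ("203.0.113.11", 95),
    ("198.51.100.7", 121),
    ("192.0.2.44", 120),   # exactly 120: the rule is "above 120", so not blocked
    ("10.20.0.5", 400),    # inside the (hypothetical) approved management range
]

# Constructed sshd log lines in the usual auth.log format.
SSH_LOG = """\
Jan 10 02:14:01 web1 sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Jan 10 02:14:03 web1 sshd[1203]: Failed password for root from 198.51.100.23 port 51030 ssh2
Jan 10 02:14:05 web1 sshd[1205]: Failed password for root from 198.51.100.23 port 51041 ssh2
Jan 10 02:14:07 web1 sshd[1207]: Failed password for root from 198.51.100.23 port 51052 ssh2
Jan 10 02:14:09 web1 sshd[1209]: Failed password for root from 198.51.100.23 port 51060 ssh2
Jan 10 02:15:00 web1 sshd[1210]: Failed password for deploy from 192.0.2.9 port 40001 ssh2
Jan 10 02:15:30 web1 sshd[1212]: Accepted publickey for deploy from 10.20.0.5 port 40100 ssh2
"""

# Hypothetical approved ranges for remote management access (the page's "whitelist").
APPROVED_RANGES = [ipaddress.ip_network("10.20.0.0/24")]

CRIME_SCORE_THRESHOLD = 120   # block sources scoring strictly above this (from the page)
SSH_FAILURE_THRESHOLD = 5     # assumed: failed logins per source before automated blocking

# Matches both "Failed password for root from X" and "Failed password for invalid user Y from X".
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")


def is_approved(ip: str) -> bool:
    """True if the address falls inside an approved management range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_RANGES)


def high_score_sources(feed, threshold=CRIME_SCORE_THRESHOLD):
    """Sources whose Crime Score is above the threshold (Step 2)."""
    return {ip for ip, score in feed if score > threshold}


def ssh_bruteforce_sources(log_text, threshold=SSH_FAILURE_THRESHOLD):
    """Sources with at least `threshold` failed SSH logins in the log (Step 1 pattern)."""
    matches = (FAILED_RE.search(line) for line in log_text.splitlines())
    counts = Counter(m.group(1) for m in matches if m)
    return {ip for ip, n in counts.items() if n >= threshold}


def build_deny_list(feed, log_text):
    """Union of both detections, minus anything in an approved range (Step 3)."""
    candidates = high_score_sources(feed) | ssh_bruteforce_sources(log_text)
    return sorted(ip for ip in candidates if not is_approved(ip))


def render_acl(deny_ips):
    """Render nftables-style rules; approved ranges are accepted before any drop."""
    lines = [f"ip saddr {net} accept" for net in APPROVED_RANGES]
    lines += [f"ip saddr {ip} drop" for ip in deny_ips]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_acl(build_deny_list(THREAT_FEED, SSH_LOG)))
```

Two details matter in practice: the allowlist check runs after scoring, so a high-scoring address inside an approved range is never dropped (the accept rule also precedes the drops in the rendered ACL), and a score of exactly 120 is left alone because the page's rule is "above 120".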
Results: Concrete Security and Performance Gains
- Blocked Unauthorized Traffic:
  - Prevented all traffic from IPs with a Crime Score >120.
  - Effectively eliminated the 35,000 daily unauthorized requests.
- Reduced Latency by 28%:
  - Blocking malicious traffic at the edge reduced processing overhead.
  - Improved response times for legitimate users.
- Mitigated All Web and SSH Attacks:
  - Implemented automated blocking for SSH brute-force attempts.
  - Prevented all identified web application attacks without manual intervention.
- Enhanced Threat Intelligence Network:
  - Member X’s integration added over 12,000 new threat feeds per day.
  - 0.49% of these were unique threats not previously detected by other members.
Key Observations
- Perimeter Security is Critical:
  - Immediate blocking of malicious traffic at the edge is essential for both security and performance.
- Threat Intelligence as a Force Multiplier:
  - Real-time intelligence enabled accurate blocking without affecting legitimate traffic.
- Continuous Intelligence Sharing:
  - Member X’s contribution strengthened the entire OneFirewall community by expanding the threat intelligence dataset.