Effective threat intelligence is a tactical necessity to detect, respond, and mitigate these threats in real-time. This article presents a detailed case study of a recent engagement by OneFirewall that demonstrates the measurable impact of actionable threat intelligence.

​

Background: Scaling Business, Scaling Attack Surface

A new member of OneFirewall (referred to as Member X) operates a B2B SaaS platform serving clients globally through three cloud providers: Azure, DigitalOcean, and GCP. Their infrastructure includes:

• Two instances in Europe.

• One instance in the US.

As their business expanded, so did their exposure to attacks:

• 22% of traffic was performing unauthorized operations (attacks).

• An average of 35,000 attacks per day targeted web services and management consoles.

• Security limitations identified:

  • Cloudflare (free plan) for CDN without advanced security features.

  • Direct access to management consoles without VPN.

  • Insufficient detection capabilities for advanced threats.

Requirements: Member X needed an immediate solution to stop the ongoing attacks without compromising flexibility in their technology stack or adopting complex security solutions.

​

OneFirewall’s Approach: A Tactical Action Plan

Objective: Secure Member X’s infrastructure within 24 hours using threat intelligence and targeted defensive measures.

​

Step 1: Threat Analysis

• Conducted a comprehensive assessment of attack patterns:

  • High-frequency automated bot traffic.

  • Brute-force attempts targeting SSH access.

  • Application-layer attacks on web services.

• Mapped threat vectors to identify critical vulnerabilities.

​

Step 2: Threat Intelligence Integration

• Integrated OneFirewall’s distributed threat intelligence:

  • Assessed threat sources using a Crime Score metric.

  • Prioritized blocking sources with a Crime Score above 120.

• Analyzed attack signatures in real-time to refine blocking rules.

​

Step 3: Implementation of Preventive Controls

• Deployed ACLs (Access Control Lists) to block IPs scoring above 120.

• Whitelisted remote access to approved IP ranges.

• Optimized traffic routing and CDN configurations to reduce attack surface.

• Hardened web ingress points using threat intelligence to prevent application-layer attacks.

​

Results: Concrete Security and Performance Gains

1. Blocked Unauthorized Traffic:

   • Prevented all traffic from IPs with a Crime Score >120.

   • Eliminated the 35.000 daily unauthorized traffic effectively.

2. Reduced Latency by 28%:

   • Blocking malicious traffic at the edge reduced processing overhead.

   • Improved response times for legitimate users.

3. Mitigated All Web and SSH Attacks:

   • Implemented automated blocking for SSH brute-force attempts.

   • Prevented all identified web application attacks without manual intervention.

4. Enhanced Threat Intelligence Network:

   • Member X’s integration added over 12,000 new threat feeds per day.

   • Identified 0.49% unique threats previously undetected by other members.

​

Key Observations

1. Perimeter Security is Critical:

   • Immediate blocking of malicious traffic at the edge is essential for both security and performance.

2. Threat Intelligence as a Force Multiplier:

   • Real-time intelligence enabled accurate blocking without affecting legitimate traffic.

3. Continuous Intelligence Sharing:

   • Member X’s contribution strengthened the entire OneFirewall community by expanding the threat intelligence dataset.

​

Conclusion

This case study demonstrates the tactical value of actionable threat intelligence. By rapidly deploying intelligence-driven defenses, OneFirewall secured Member X’s infrastructure against a high volume of attacks without compromising performance or flexibility. This approach underlines the importance of integrating real-time threat intelligence for any online service facing continuous threats.