Full Report
Insufficient egress filtering is a commonly identified vulnerability found during BHIS penetration tests. The finding indicates that network traffic leaving the organization's environment is not properly restricted. The post Insufficient Egress Filtering: How Weak Outbound Controls Enable Attacks appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Best Practices: Egress Filtering
## Overview
These practices address the vulnerability of **Insufficient Egress Filtering**, where unrestricted outbound network traffic allows attackers to establish Command and Control (C2) channels, exfiltrate data, and perform credential theft or relay attacks. Proper egress filtering reduces the attack surface and minimizes the "noise" defenders must monitor.
## Key Recommendations
### Immediate Actions
1. **Block Outbound SMB:** Immediately restrict outbound TCP port 445 to the internet. A workstation that can reach an attacker-controlled SMB server will hand it NetNTLM credentials on forced authentication (the same hashes captured internally through LLMNR/NBT-NS poisoning), enabling offline cracking or SMB relay attacks.
2. **Test ICMP Egress:** Execute a simple `ping 1.1.1.1` or `ping letmeoutofyour.net`. If the ping succeeds, ICMP tunneling out of the network is possible; document the risk and prepare to restrict ICMP to specific troubleshooting hosts.
3. **Run an Outbound TCP Scan:** Use the PowerShell script under Configuration Examples to scan `letmeoutofyour.net` (a host listening on all TCP ports) and identify which outbound TCP ports are currently open.
### Short-term Improvements (1-3 months)
1. **Traffic Profiling:** Analyze firewall logs or NetFlow data to identify necessary outbound connections (source IP, destination IP, and port).
2. **Establish a Cleanup Process:** Categorize connections as "Authorized," "Unauthorized," or "Ambiguous." Investigate ambiguous connections to determine their legitimacy.
3. **Restrict Common C2 Protocols:** Specifically tighten controls on protocols frequently used for covert communication: DNS (force clients through internal resolvers and block port 53 to arbitrary external hosts), DNS over HTTPS (DoH), which bypasses those resolvers entirely, and non-TCP/UDP IP protocols such as the ICMP tested above.
### Long-term Strategy (3+ months)
1. **Implement Default Deny:** Transition to a "Default Deny" egress posture where only pre-approved ports and destinations are permitted.
2. **Infrastructure Specificity:** Move away from "All-to-Any" rules. Replace them with specific rules (e.g., "Web Server A to Update Server B" rather than "Internal Network to Internet").
3. **Unified Cloud/On-Prem Controls:** Ensure egress policies are applied consistently across on-premises environments and cloud provider instances (AWS/Azure/GCP).
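The profiling, clean-up, and default-deny steps above, worked through end to end, as an added example that is not BHIS's code: it parses a constructed key=value firewall export (the field names, addresses, and the `AUTHORIZED` policy table are all hypothetical), counts each allowed (source, destination, protocol, port) tuple, triages it as Authorized, Unauthorized, or Ambiguous, and emits specific allow rules followed by a default-deny entry in a vendor-neutral form.

```python
"""Profile outbound firewall logs, triage each flow, and emit specific
egress rules with a default-deny tail.  Added example; the log format and
the policy table are constructed for illustration, not BHIS's own code."""
from collections import Counter
from dataclasses import dataclass
import ipaddress
import re

# Constructed sample log lines in a generic "key=value" firewall export.
SAMPLE_LOG = """\
action=allow src=10.0.1.15 dst=13.107.4.50 proto=tcp dport=443
action=allow src=10.0.1.15 dst=13.107.4.50 proto=tcp dport=443
action=allow src=10.0.1.22 dst=10.0.0.5 proto=udp dport=53
action=allow src=10.0.1.22 dst=8.8.8.8 proto=udp dport=53
action=allow src=10.0.2.7 dst=203.0.113.9 proto=tcp dport=445
action=allow src=10.0.1.30 dst=198.51.100.77 proto=tcp dport=8443
action=allow src=10.0.1.30 dst=198.51.100.77 proto=tcp dport=8443
action=allow src=10.0.1.30 dst=198.51.100.77 proto=tcp dport=8443
action=deny src=10.0.1.30 dst=198.51.100.77 proto=tcp dport=4444
"""

LINE_RE = re.compile(r"action=(\w+) src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flows(text):
    """Return a Counter of outbound flows the firewall actually allowed."""
    flows = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        action, src, dst, proto, dport = m.groups()
        if action != "allow":
            continue  # denied traffic never crossed the boundary
        flows[Flow(src, dst, proto, int(dport))] += 1
    return flows


# Hypothetical policy: destinations/ports the business has already approved,
# plus ports that must never leave (the "block outbound SMB" rule above).
AUTHORIZED = {
    ("13.107.4.0/24", "tcp", 443),  # hypothetical SaaS / update range
    ("10.0.0.5/32", "udp", 53),     # internal resolver
}
FORBIDDEN_PORTS = {445, 23, 21}


def triage(flow):
    """Categorize one flow as Authorized, Unauthorized, or Ambiguous."""
    if flow.dport in FORBIDDEN_PORTS:
        return "Unauthorized"
    for net, proto, port in AUTHORIZED:
        if (flow.proto == proto and flow.dport == port
                and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(net)):
            return "Authorized"
    if flow.dport == 53:
        return "Unauthorized"  # DNS to anything but the internal resolver
    return "Ambiguous"         # needs investigation before a rule is written


def profile(text):
    """Map each category to the flows (with hit counts) that fall in it."""
    result = {"Authorized": {}, "Unauthorized": {}, "Ambiguous": {}}
    for flow, hits in parse_flows(text).items():
        result[triage(flow)][flow] = hits
    return result


def render_rules(report):
    """Emit one specific allow rule per authorized flow, then default deny.
    The "ALLOW src -> dst proto/port" form is neutral, not any vendor's syntax."""
    rules = []
    for flow in sorted(report["Authorized"], key=lambda f: (f.src, f.dst, f.dport)):
        rules.append(f"ALLOW {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
    rules.append("DENY any -> any any   # default deny egress")
    return rules


if __name__ == "__main__":
    report = profile(SAMPLE_LOG)
    for category, flows in report.items():
        for flow, hits in flows.items():
            print(f"{category:12} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport} ({hits} hits)")
    print("\n".join(render_rules(report)))
```

Only flows that land in Authorized become rules; the Ambiguous bucket (here the 8443 traffic) is the work queue for the clean-up process, and nothing moves out of it without someone confirming what the connection is for.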
## Implementation Guidance
### For Small Organizations
- Focus on blocking high-risk ports first (SMB 445, Telnet 23, FTP 21).
- Use built-in firewall logging to manually review outbound traffic once a week.
### For Medium Organizations
- Utilize NetFlow or SIEM tools to automate the profiling of outbound connections.
- Implement a web proxy for user traffic to consolidate outbound HTTP/S into a single monitored path.
### For Large Enterprises
- Enforce strict micro-segmentation.
- Automate the decommissioning of firewall rules that have not seen hits within a 90-day period.
- Implement SSL/TLS inspection on egress to identify C2 traffic hidden in encrypted sessions, with documented exceptions for certificate-pinned applications and privacy-sensitive destinations that cannot be intercepted.
## Configuration Examples
### PowerShell Outbound TCP Scan
Use this to identify which ports your firewall allows out to the internet. Each closed port waits the full 250 ms timeout, so a complete sweep of 65,535 ports can take about 4.5 hours; run it from a representative workstation and let it finish in the background.

```powershell
# Attempt a TCP handshake to every port on letmeoutofyour.net, which listens on all of them.
# A successful connect means the firewall let that port out.
1..65535 | ForEach-Object {
    $test = New-Object System.Net.Sockets.TcpClient
    $wait = $test.BeginConnect("letmeoutofyour.net", $_, $null, $null)
    # Give each port 250 ms to complete the handshake
    $null = $wait.AsyncWaitHandle.WaitOne(250, $false)
    if ($test.Connected) { "$_ open" } else { "$_ closed" }
    $test.Close()
} | Select-String "open" | Out-File -Encoding ascii tcp-port-status.txt
```
### Reviewing the Results (Windows cmd)
The output file already contains only the lines that matched "open", so this simply lists them:
```cmd
type tcp-port-status.txt | findstr "open"
```
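A cross-platform version of the outbound TCP scan for Linux or macOS hosts, added here and not part of the original post. `letmeoutofyour.net` is the target the post names; the thread pool, the `{80, 443}` policy used in the comparison, and the `simulated_connect()` stand-in for dry runs are additions of this example.

```python
"""Outbound TCP egress scan with a thread pool, plus a comparison of what is
actually open against what policy says should be open.  Added example, not
from the BHIS post; the policy set and the simulated network are constructed."""
import socket
from concurrent.futures import ThreadPoolExecutor

TARGET = "letmeoutofyour.net"  # listens on every TCP port (from the post)


def probe(host, port, timeout=1.0, connect=socket.create_connection):
    """True if a TCP handshake to host:port completed within timeout."""
    try:
        sock = connect((host, port), timeout=timeout)
    except OSError:  # refused, unreachable, or timed out: the firewall blocked it
        return False
    sock.close()
    return True


def scan_ports(host=TARGET, ports=range(1, 65536), timeout=1.0, workers=200,
               connect=socket.create_connection):
    """Return the set of ports reachable outbound from this host.
    200 workers at a 1 s timeout finish a full sweep in a few minutes."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: (p, probe(host, p, timeout, connect)), ports)
        return {p for p, ok in results if ok}


def compare_to_policy(open_ports, expected):
    """Split a scan result into ports that are open but should be closed, and
    ports policy expects to be open that the firewall is actually blocking."""
    unexpected = sorted(set(open_ports) - set(expected))
    missing = sorted(set(expected) - set(open_ports))
    return unexpected, missing


def simulated_connect(allowed_ports):
    """Build a connect() stand-in that 'succeeds' only for allowed_ports, so the
    reporting logic can be dry-run offline (hypothetical network, not a real one)."""
    def connect(addr, timeout=None):
        if addr[1] in allowed_ports:
            return socket.socket()  # real object with .close(), never connected
        raise ConnectionRefusedError(f"simulated: port {addr[1]} closed")
    return connect


if __name__ == "__main__":
    # Real run: sweep everything and compare against a constructed policy of 80/443.
    found = scan_ports()
    extra, missing = compare_to_policy(found, {80, 443})
    print(f"{len(found)} ports open outbound")
    print(f"open but not in policy: {extra}")
    print(f"in policy but blocked: {missing}")
```

The `unexpected` list is the finding: every port in it is a path an implant could use for C2 today. The `missing` list is the operational check you want before tightening rules, since it shows legitimate traffic already being dropped.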
## Compliance Alignment
- **NIST SP 800-53:** AC-4 (Information Flow Enforcement).
- **CIS Controls:** v7 Control 9.2 (Ensure Only Approved Ports, Protocols and Services Are Running); in v8 the equivalent coverage is Control 12 (Network Infrastructure Management) together with 4.4 and 4.5 (host firewalls on servers and end-user devices).
- **PCI DSS:** v3.2.1 Requirement 1.2.1 (restrict inbound and outbound traffic to that which is necessary for the cardholder data environment); v4.0 Requirement 1.3.2 (outbound traffic from the CDE is restricted).
## Common Pitfalls to Avoid
- **Ignoring Cloud Egress:** Forgetting that cloud workloads often have wide-open outbound rules by default.
- **Over-reliance on Common Ports:** Assuming that because port 443 (HTTPS) is open, it is safe. Attackers frequently use 443 for C2 tunnels.
- **Lack of Specificity:** Using "Any" as a destination for legitimate services (e.g., allowing port 80 to the whole internet when only Microsoft Update IPs are needed).
## Resources
- **Host for Testing:** `letmeoutofyour[.]net` (Listens on all 65,535 TCP ports).
- **Tools:**
- `GoSpoof` - hxxps://github[.]com/blackhillsinfosec/GoSpoof (For custom VPS testing).
- `Responder` - hxxps://github[.]com/lgandx/Responder (To simulate/test credential theft).