The Importance of Outbound Traffic Blocking


Every network has both inbound and outbound traffic. However, when considering how to protect a network, too many cybersecurity professionals can focus too heavily on inbound network traffic and neglect the outbound. Unfortunately, as we’ve seen in every news cycle, this has created ample opportunities for threat actors to successfully breach networks, steal data, ransom access to systems, install malware, or any other number of misdeeds.  

Because cyberattacks are coming not just from the internet but from any number of “side doors”, outbound traffic is often an organization’s cybersecurity Achilles’ heel. Organizations often let this traffic pass with very little monitoring, if it isn’t left completely open. Threat actors know this and are taking full advantage of this cybersecurity blind spot. 

So, short of just giving up, what’s a sensible network security administrator or IT manager supposed to do? The answer is to refocus your attention on outbound traffic blocking.

What are the Differences Between Inbound and Outbound Traffic? 

Inbound or outbound traffic are not necessarily malicious in and of themselves. Understanding their importance and function in our modern business environment is key to learning how to protect your network.  

Inbound traffic refers to any traffic coming to your network, regardless of source or method. If the incoming request originates from any outside organization or user, it’s considered inbound traffic.

Outbound traffic refers to traffic that originates from inside your own network. It represents requests that are seeking services either on the internet or outside your own network. Outbound blocking is often complex and dependent on the talent of the organization’s security engineers. 

Why is Outbound Traffic so Often Overlooked? 

Currently, almost all traffic-blocking technologies are focused on blocking inbound traffic. And years ago, this was the correct course of action because network administrators and cybersecurity specialists wanted to make sure external threat actors can’t penetrate their systems.

However, as threat actors have evolved, inbound blocking is no longer enough due to the limited amount of threat intelligence even sophisticated firewalls can process. There are many different ways that threat actors can get past inbound traffic defenses, such as:

Once they’ve gotten into a network, threat actors will need to send an outbound alert that the network has been successfully breached. This may take the form of sending data back out, as is the case with data exfiltration and many ransomware strains. Protecting your network from this malicious outbound traffic is what stops many breaches from becoming unmitigated financial and reputational disasters. 

Of the most newsworthy breaches of the last few years that have been carried out by known threat actors, many have been nation-state-sponsored attacks. This means these threat actors have the increased resources to encrypt packets to elude firewalls on the inbound traffic that regular firewalls can’t do much to protect against. Because many of these threat actors are sponsored by nation-states such as Russia, North Korea, China, and Cuba, their abilities and resources in these encryptions often tie up firewalls and network resources as the decryption and deep packet inspections run. 

6 Issues Active Outbound Traffic Blocking Prevents

From financial businesses like Travelex to the breach of the Colonial Pipeline’s cybersecurity, no company is safe from malicious actors. As the world becomes more connected through the internet and other forms of technology, hackers find new and increasingly sophisticated ways to target organizations. Companies must invest in security measures to protect themselves from these threats.

Threater’s approach to blocking outbound traffic helps move your defensive cybersecurity approaches from reactive to active. Threater is both the first layer of defense against traffic coming in from known threat actors, as well as the last line of defense, so they can’t send your valuable digital assets out. This defense-in-depth approach to security can help prevent many situations that traditional firewalls do not address.

Here are some other issues that focusing on active outbound traffic blocking can help prevent.

1. Ransomware

Ransomware is one of the biggest threats to organizations today. Usually, these attacks involve data exfiltration as well, so they come with the increased risk that threat actors will release the data on the dark web. Organizations that do pay these ransoms do so often because they cannot lose this time, as in the case of attacks in the healthcare industry. Lost access to healthcare systems can result in literal life-or-death situations, where organizations cannot simply “take the high road” and opt not to pay these ransoms. 

Once installed, ransomware software holds a network hostage until the threat actors are paid — often in untraceable cryptocurrency. However, this is becoming more problematic as many cyber insurance policies prohibit payments from being used to pay ransomware bounties. 

While backup and disaster recovery (BDR) technologies such as EDRs, MDRs, XDRs, etc. might be able to mitigate the size of the disaster with these attacks, the best solution is to block these attacks from occurring in the first place by preventing the “phone home” that lets ransomware do its thing. Threater is the best solution on the market today for this. Threater automatically blocks these calls to the known threat actors from ever happening, effectively stopping these ransomware attacks. 

Think of it like art thieves in a museum (at least in the movies). Once they lift a piece of art off the wall, the doors seal, police are called, and they’re trapped inside like a mouse in a trap. While inconvenienced and now aware of a flaw in their existing security, the museum doesn’t have to deal with a stolen piece of art. Threater acts as that locked door. By sealing in threat actors and raising the alarm, your data stays where it is AND you learn how to improve your existing security. 

2. Data exfiltration 

Many of the latest cybercrime events involve data exfiltration, but data exfiltration can be the end goal for threat actors as well. Any time an organization stores valuable data (such as personal identifying information (PII), financial data, passwords, emails, etc.) it can be sold on the dark web and be used for identity theft, financial fraud, and other malicious activities. Some cybercriminals may also use the stolen information to launch even more attacks on the organization or its customers, such as spear-phishing campaigns or social engineering attacks. 

They may also use the information to gain access to other sensitive systems and potentially compromise the entire network. In the Sony Pictures breach, movies that hadn’t been released yet were the end goal of the attack. Overall, the end goal of data exfiltration attacks is to monetize the stolen information and/or to use it for additional malicious activities. 

By preventing the data from leaving your network, Threater prevents these types of attacks from causing trouble. If the bad guys can’t steal your data, they get stuck, caught, and dealt with. 

3. Remote users entering the network 

Protecting remote users entering your network is of the utmost importance, especially since so many organizations have staff working remotely. If your network does not have a way of quickly evaluating this traffic to separate legitimate users from malicious ones, it will slow down network performance and make it hard for your staff to be productive.

4. Insider threats 

Another way threat actors can bypass detection to enter a network is through insider threats. These attacks come from current employees who by their nature have access to an organization’s systems and data. Sometimes the employees are acting with bad intentions and are aware they are abetting a threat actor. However, more often than not, these attacks come from user errors such as clicking on a malicious link in a phishing campaign. No matter the intent, however, this is yet another way threat actors can bypass detection by most security stack technologies.

By blocking outbound traffic calling back to known threat actors, insider threats can be significantly curbed as the calls back out to them are halted in their tracks.  

5. USB-based attacks 

Another type of attack popular with threat actors is a USB-based attack. This occurs when an innocuous-looking USB key is loaded with an infected file and is either given to someone or installed on an unattended device that has access to the network.

After being plugged into a system, the file on the USB is installed, bypassing any firewall protection since it did not come through the network via inbound traffic

Even if the malicious file enters the system in a way that looks legitimate, if you’re monitoring outbound traffic signals, the “phone home” can be caught and addressed as quickly as possible.

6. Supply chain attacks 

Despite your best efforts, it’s easy for a modern, interconnected business to fall victim to security failures not because of their own actions but because a supplier, subsidiary, or interconnected client is breached. Attacking such organizations like MSPs or MSSPs gives threat actors access to all the organizations they serve, making these attacks a goldmine for them.

The most significant cyberattack of 2020 took advantage of this vulnerability. The SolarWinds attack was perpetrated against many private and public businesses in the United States due to their use of SolarWinds’ Orion network monitoring tool. By inserting malicious code into the software, the bad actors were able to gain backdoor access to companies across the United States who were customers of SolarWinds.    

Protecting your business from potential breaches requires tight security measures across your entire supply chain. This includes regularly reviewing and updating security protocols, implementing strict vendor management policies, and conducting regular security assessments. 

Outbound Traffic Attack Example

Several well-publicized cybersecurity incidents have been exacerbated by poorly blocked outbound traffic. One is the recent hack of Suffolk County, which occurred in the fall of 2022. In this case, hackers penetrated the county’s computer system and were deep in the network for six months exploiting sensitive data before they were discovered. This would not have happened if the county had been blocking outbound traffic to known threat actors.

Breaches have become so prevalent because many CISOs now simply assume one will occur under their watch. Under most current systems, inspection happens as traffic travels inbound, and once it’s in, there are few to no mechanisms implemented for stopping threats from leaving. This leaves threat actors free to exploit sensitive data and transfer it out of your network unencumbered. 

Monitor outgoing network traffic with Threater

Malicious actors need to enter your network to begin a breach, but to make it successful, they need to call out to make a connection before using or removing your data. Blocking this outbound traffic can be the difference between safety and paying a ransom worth millions.

Blocking malicious outbound traffic is incredibly difficult without Threater. Outbound blocking configurations of firewalls are very dependent on the talent of the security engineers performing them. Threater takes that guesswork out of the outbound threat-blocking equation.

Want to see how Threater can impact your network? Get in touch today for your own dedicated risk assessment.