Security Manager's Journal: Suddenly, our firewall audit can't wait

After a DDoS attack is discovered by chance, the audit can no longer wait until later in the year.

A comprehensive audit of our firewalls just moved up on my list of priorities. The urgency arises from a recent incident that, fortunately, wasn't as bad as it could have been.

Trouble Ticket

The network team stumbles upon evidence of a DDoS attack.

Action plan: Find the problem resource on the network, and then audit all of the firewalls in the company to prevent any similar incidents.

Around the world, we have over 60 individual firewalls. We use a centralized platform for managing the rules and baseline configuration, but it's still important to audit every firewall to track down the inevitable inconsistencies. We had scheduled that audit for later this year, but now we're planning to do it much sooner.

Last week, while troubleshooting a problem with network performance at a large overseas office, our network team decided to monitor the traffic leaving the office. Bad news: The firewall and router logs showed a massive amount of traffic destined for a single host in Vietnam.

The traffic originated from hundreds of externally addressable IP addresses on our internal network. This was highly suspicious, since we use internal private IP addresses for our protected network.

I assembled our crisis action team, since it looked as if we had been hit by a distributed denial-of-service (DDoS) attack. Of course, we immediately modified the firewall rules to block access to the destination IP address. Next, we enabled antispoofing rules on the affected firewall interface to block traffic originating from public IP addresses on our internal network. Then, we enabled anti-DDoS profiles for the firewall, allowing us to control traffic floods and set a maximum number of concurrent sessions. These last two configurations, by the way, should have already been enabled -- but more on that later.
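The two warning signs the network team spotted (public source addresses leaving the internal interface, and many internal sources hammering one external host) can be checked mechanically in firewall logs. The following is an added example, not code from the column or its firewall platform; it runs over constructed key=value log lines in a made-up format, with addresses drawn from the RFC 5737 documentation ranges, and the `inside` interface name and the fan-in threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 ranges: the only source addresses that should ever appear on the inside interface.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed key=value firewall log lines (not from the article); addresses come from the
# RFC 5737 documentation ranges so they stand in for "public" space without naming real hosts.
SAMPLE_LOGS = [
    "iface=inside src=10.20.1.15 dst=203.0.113.80 action=allow",
    "iface=inside src=10.20.1.16 dst=203.0.113.80 action=allow",
    "iface=inside src=198.51.100.7 dst=203.0.113.9 action=allow",
    "iface=inside src=198.51.100.8 dst=203.0.113.9 action=allow",
    "iface=inside src=198.51.100.9 dst=203.0.113.9 action=allow",
    "iface=inside src=198.51.100.10 dst=203.0.113.9 action=allow",
    "iface=outside src=192.0.2.44 dst=10.20.1.15 action=allow",
]

def is_rfc1918(ip: str) -> bool:
    """True if ip falls in one of the RFC 1918 private ranges (not Python's broader is_private)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def parse_line(line: str) -> dict:
    """Split a 'key=value key=value' record into a dict."""
    return dict(token.split("=", 1) for token in line.split())

def analyze(lines, inside_iface="inside", fan_in_threshold=3):
    """Return (spoofed_sources, flood_targets).

    spoofed_sources: non-RFC1918 source addresses seen leaving the inside interface,
                     i.e. traffic an antispoofing rule would have dropped.
    flood_targets:   destinations contacted by at least fan_in_threshold distinct
                     inside sources, the fan-in pattern of a DDoS participant.
    """
    spoofed = []
    sources_per_dst = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec.get("iface") != inside_iface:
            continue  # only egress from the protected network matters here
        if not is_rfc1918(rec["src"]):
            spoofed.append(rec["src"])
        sources_per_dst[rec["dst"]].add(rec["src"])
    floods = {dst: len(srcs) for dst, srcs in sources_per_dst.items() if len(srcs) >= fan_in_threshold}
    return spoofed, floods

if __name__ == "__main__":
    spoofed, floods = analyze(SAMPLE_LOGS)
    print("spoofed sources:", spoofed)
    print("flood targets:", floods)
```

Either finding on a production firewall points at a missing antispoofing rule or anti-DDoS profile on that interface, which is exactly what the audit described later is meant to catch.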

We tracked down the affected device by locating the switch port it was connected to. It turned out to be an enterprise-class server that an R&D engineer had attached to the Ethernet port at his desk -- which is a no-no. We used administrative access to install EnCase, a forensic examination tool, on that server and found something consistent with malware that was previously identified as opening connections to a server in Vietnam from multiple spoofed IP addresses. That sure fit the facts of our case!

We disabled the malicious service at once, and what do you know -- the malicious traffic went away. That done, we moved on to a more thorough forensic examination. By sniffing the network traffic that had originated from the infected server, we found that there had been no data loss or unauthorized access. Those had been my real worries.

Running a companywide inventory, we found that same malware on some other overseas machines, and on some in our corporate office. Luckily, none of those resources had been as completely compromised as the first machine.

Preventing Future Incidents

With the damage contained, I drew up a list of action items. For one thing, it's apparent that we need to review our firewalls to ensure that basic configuration settings such as antispoofing and anti-DDoS are enabled. But I also want to look into why our security information and event management (SIEM) tool didn't alert us that a server was communicating with a known malicious host. The incident also makes clear that we need to address some inconsistencies in our endpoint protection compliance, since the infected servers were not up to date with the latest pattern files. Finally, we recently enabled some advanced malware detection capabilities that are supposed to evaluate all downloaded executable files and run them in a sandbox environment to determine whether they are malicious in nature. I'd like to find out where the breakdown in that technology occurred.

But my No. 1 priority is that firewall audit. I'm sure that in addition to some basic interface configurations, there are gaps in the firewall rule base.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at

Read more about security in Computerworld's Security Topic Center.
