Proxy

Detection of Proxy Infrastructure Setup and Traffic Bridging

Filter Network Traffic: Employ network appliances and endpoint software to filter ingress, egress, and lateral network traffic. This includes protocol-based filtering, enforcing firewall rules, and blocking or restricting traffic based on predefined conditions to limit adversary movement and data exfiltration. This mitigation can be implemented through the following measures:

Ingress Traffic Filtering:

• Use Case: Configure network firewalls to allow traffic only from authorized IP addresses to public-facing servers.
• Implementation: Limit SSH (port 22) and RDP (port 3389) traffic to specific IP ranges.

Egress Traffic Filtering:

• Use Case: Use firewalls or endpoint security software to block unauthorized outbound traffic to prevent data exfiltration and command-and-control (C2) communications.
• Implementation: Block outbound traffic to known malicious IPs or regions where communication is unexpected.

Protocol-Based Filtering:

• Use Case: Restrict the use of specific protocols that are commonly abused by adversaries, such as SMB, RPC, or Telnet, based on business needs.
• Implementation: Disable SMBv1 on endpoints to prevent exploits like EternalBlue.

Network Segmentation:

• Use Case: Create network segments for critical systems and restrict communication between segments unless explicitly authorized.
• Implementation: Implement VLANs to isolate IoT devices or guest networks from core business systems.

Application Layer Filtering:

• Use Case: Use proxy servers or Web Application Firewalls (WAFs) to inspect and block malicious HTTP/S traffic.
• Implementation: Configure a WAF to block SQL injection attempts or other web application exploitation techniques.

Network Intrusion Prevention: Use intrusion detection signatures to block traffic at network boundaries.

SSL/TLS Inspection: SSL/TLS inspection involves decrypting encrypted network traffic to examine its content for signs of malicious activity. This capability is crucial for detecting threats that use encryption to evade detection, such as phishing, malware, or data exfiltration. After inspection, the traffic is re-encrypted and forwarded to its destination. This mitigation can be implemented through the following measures:

Deploy SSL/TLS Inspection Appliances:

• Implement SSL/TLS inspection solutions to decrypt and inspect encrypted traffic.
• Ensure appliances are placed at critical network choke points for maximum coverage.

Configure Decryption Policies:

• Define rules to decrypt traffic for specific applications, ports, or domains.
• Avoid decrypting sensitive or privacy-related traffic, such as financial or healthcare websites, to comply with regulations.

Integrate Threat Intelligence:

• Use threat intelligence feeds to correlate inspected traffic with known indicators of compromise (IOCs).

Integrate with Security Tools:

• Combine SSL/TLS inspection with SIEM and NDR tools to analyze decrypted traffic and generate alerts for suspicious activity.
• Example Tools: Splunk, Darktrace

Implement Certificate Management:

• Use trusted internal or third-party certificates for traffic re-encryption after inspection.
• Regularly update certificate authorities (CAs) to ensure secure re-encryption.

Monitor and Tune:

• Continuously monitor SSL/TLS inspection logs for anomalies and fine-tune policies to reduce false positives.