NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-7(9) — Restrict Threatening Outgoing Communications Traffic
Detect and deny outgoing communications traffic posing a threat to external systems; and audit the identity of internal users associated with denied communications.
Supplemental Guidance
Detecting outgoing communications traffic from internal actions that may pose threats to external systems is known as extrusion detection. Extrusion detection is carried out within the system at managed interfaces. Extrusion detection includes the analysis of incoming and outgoing communications traffic while searching for indications of internal threats to the security of external systems. Internal threats to external systems include traffic indicative of denial-of-service attacks, traffic with spoofed source addresses, and traffic that contains malicious code. Organizations have criteria to determine, update, and manage identified threats related to extrusion detection.
Practitioner Notes
Your network boundary devices should detect and block outgoing traffic that looks threatening — like connections to known command-and-control servers, data exfiltration attempts, or outbound scanning. The second half of the control matters just as much: each denied connection should be logged with enough context to identify the internal user behind it, so the block can be followed up rather than silently dropped.
Example 1: Enable threat intelligence feeds on your firewall (Palo Alto WildFire, Fortinet FortiGuard) that automatically block outbound connections to known malicious IP addresses and domains. Update these feeds automatically at least daily.
Example 2: Configure your IDS/IPS (Snort, Suricata) to monitor outbound traffic for indicators of compromise — DNS queries to dynamic DNS providers, large outbound data transfers to foreign IP addresses, or encoded data in HTTP headers that suggest command-and-control traffic.
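To show how the detect, deny and audit parts of SC-7(9) fit together, here is an added Python example (not NIST text and not code from any firewall or IDS vendor). It assumes a constructed key=value flow-log format, placeholder "known bad" destinations in RFC 5737 TEST-NET space standing in for a threat-intelligence feed, an assumed 10.0.0.0/8 internal range, and an assumed IP-to-user mapping of the kind DHCP or directory logs would supply.

```python
import ipaddress
import re

# Assumed internal address space; a flow leaving the managed interface with a
# source outside it is treated as spoofed (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Placeholder "known malicious" destinations (RFC 5737 TEST-NET addresses),
# standing in for the threat-intelligence feed a firewall would consume.
BLOCKED_DESTS = {"203.0.113.7", "198.51.100.42"}
# Assumed mapping from internal IP to user, as a DHCP/directory lookup would give.
IP_TO_USER = {"10.0.1.15": "alice", "10.0.1.22": "bob"}
LARGE_TRANSFER_BYTES = 50_000_000  # assumed threshold for an unusual outbound volume

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)")

# Constructed flow records in a simple key=value format (not any vendor's format).
SAMPLE_LOG = [
    "src=10.0.1.15 dst=203.0.113.7 dport=443 bytes=1200",
    "src=10.0.1.22 dst=192.0.2.10 dport=443 bytes=900",
    "src=192.0.2.200 dst=192.0.2.10 dport=80 bytes=300",
    "src=10.0.1.22 dst=198.51.100.42 dport=53 bytes=80000000",
]


def classify(src: str, dst: str, nbytes: int) -> list[str]:
    """Return the reasons an outbound flow should be denied; empty means allow."""
    reasons = []
    if not any(ipaddress.ip_address(src) in net for net in INTERNAL_NETS):
        reasons.append("spoofed-source")         # internal host should not emit this src
    if dst in BLOCKED_DESTS:
        reasons.append("known-bad-destination")  # matches the threat-intel block list
    if nbytes > LARGE_TRANSFER_BYTES:
        reasons.append("large-transfer")         # volume consistent with exfiltration
    return reasons


def audit_denied(lines: list[str]) -> list[dict]:
    """Classify each flow and attribute every denied flow to an internal user."""
    denied = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable record; a real deployment would alert on this
        src, dst, dport, nbytes = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
        reasons = classify(src, dst, nbytes)
        if reasons:
            denied.append({"src": src, "user": IP_TO_USER.get(src, "unknown"),
                           "dst": dst, "dport": dport, "reasons": reasons})
    return denied
```

A source that maps to "unknown" is itself worth an alert, since the audit requirement cannot be met for that flow.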