Episode 26 — Resist Intrusion by Design: Egress Control, Chokepoints, and Lateral Movement Barriers

This episode explains why many defenses fail after the first compromise and how to design networks so attackers cannot move freely or exfiltrate quietly, a frequent GSEC scenario pattern. You’ll define egress control as limiting outbound destinations and protocols, then connect it to controlling command-and-control, preventing malware downloads, and making data theft harder. We’ll discuss chokepoints as enforced inspection paths, such as proxies, secure web gateways, and firewall-controlled routes, and we’ll show how they support consistent logging and policy enforcement. Real-world scenarios include a workstation compromise attempting to reach unknown IPs, a server trying to beacon over unusual ports, and an attacker using legitimate cloud services to blend in. Best practices include default-deny outbound for sensitive zones, allowlists for admin networks, segmentation that limits east-west reach, and monitoring that flags new destinations and abnormal volumes. Troubleshooting includes handling legitimate business exceptions without opening broad access and validating that “blocked” really means blocked across all paths, including VPN and alternate gateways. Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.
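The monitoring practices listed in the summary above (default-deny outbound with an allowlist, flagging new destinations and abnormal volumes, and checking that "blocked" really is blocked on every path) can be sketched as follows. This is an added example, not material from the episode; the flow-record format, addresses, allowlist, and the 5x volume threshold are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed policy for a sensitive zone: default-deny outbound, explicit allowlist.
ALLOW = [(ip_network("10.20.0.10/32"), 3128),  # internal proxy (the chokepoint)
         (ip_network("10.20.0.53/32"), 53)]    # internal resolver
VOLUME_FACTOR = 5  # assumed threshold: flag sources sending > 5x their baseline bytes

# Constructed flow records, one per line: src dst dport bytes_out action
BASELINE = """\
10.1.1.5 10.20.0.10 3128 40000 allow
10.1.1.5 10.20.0.53 53 900 allow
10.1.1.7 10.20.0.10 3128 52000 allow
"""
TODAY = """\
10.1.1.5 10.20.0.10 3128 41000 allow
10.1.1.5 203.0.113.40 8443 1200 allow
10.1.1.7 10.20.0.10 3128 900000 allow
10.1.1.7 198.51.100.9 443 300 deny
"""

def parse(text):
    for line in text.splitlines():
        src, dst, dport, nbytes, action = line.split()
        yield src, dst, int(dport), int(nbytes), action

def allowed(dst, dport):
    return any(ip_address(dst) in net and dport == port for net, port in ALLOW)

def review(baseline, today):
    seen, base_bytes = set(), defaultdict(int)
    for src, dst, dport, nbytes, _ in parse(baseline):
        seen.add((src, dst, dport))
        base_bytes[src] += nbytes
    findings, day_bytes = [], defaultdict(int)
    for src, dst, dport, nbytes, action in parse(today):
        if action == "allow":
            day_bytes[src] += nbytes
        if action == "allow" and not allowed(dst, dport):
            # Traffic left by a path the policy says is closed (e.g. an alternate gateway).
            findings.append(("policy_gap", src, dst, dport))
        elif (src, dst, dport) not in seen:
            findings.append(("new_destination", src, dst, dport))
    for src, total in day_bytes.items():
        if base_bytes[src] and total > VOLUME_FACTOR * base_bytes[src]:
            findings.append(("abnormal_volume", src, total, base_bytes[src]))
    return findings

if __name__ == "__main__":
    for finding in review(BASELINE, TODAY):
        print(finding)
```

The volume finding here fires on traffic that went through the allowed proxy, which is the case where destination checks alone see nothing unusual.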