Making Sense of Geographic Network and Travel Restrictions
There is a lot of confusion when it comes to cybersecurity "geo restrictions" on networks, and just as much when it comes to corporate travel protocol. While the topics are distinct, they are often conflated and share enough underpinning facts to discuss together.
First, let's talk about geographic network restrictions. We can organize that topic by ingress - or inbound restrictions, and egress - or outbound.
Ingress geographic network ("geo IP") restrictions limit which networks are allowed to contact your Internet-facing applications and services. At this point in time, commercial subscription services offer about 90% accuracy on the provenance of a given IP address at a relatively low cost, and such data is often integrated into products and services, making it easy to create a country- or region-based policy in a firewall, content distribution network (CDN), or cloud service. So how should you configure these settings, for what reasons, and when should you change them?
A common error in this area is to try to implement sanctions enforcement via geo IP restrictions. First, sanctions are almost always individual- or entity-based, and rarely conveniently paired with an actual country. Second, such restrictions are easily bypassed via anonymizer and VPN proxy services well within the reach of a motivated sanctioned target. Finally, sanctions must be enforced at the contractual and "KYC" (know your customer) level by business vetting processes that positively identify individuals, and dragging network engineering into that enforcement process is a recipe for disaster. Trying to mirror sanctions will create impactful false positives with little hope of actually affecting sanctioned individuals. Think about the sub-Saharan warlord on holiday in Monaco, or your General Counsel on a mission trip to Venezuela. Leave sanctions enforcement to compliance - not networking.
So where can and should you leverage ingress restrictions? Inbound restrictions can be a useful method to improve your signal-to-noise ratio by removing large swaths of Internet traffic that have a low to nil chance of producing revenue. If you serve a US market, you can safely use geo restrictions not to target specific countries, but rather to eliminate all non-US sources. More highly targeted companies, however, may apply a more nuanced approach. Given that criminals will almost certainly never act from infrastructure that can be easily attributed to them, they will pick "exit nodes" that offer them some benefit. One such benefit will be performance - nobody would want to try to accomplish much of anything from a North Korean ISP even if there were zero sanctions - and the other major benefit would be not just anonymity but extradition proofing. A lack of an extradition treaty between your country and a foreign nation not only means that identifying a perpetrator there will be highly unlikely to lead to prosecution, but it also means that tracing a network connection there will likely lead to a dead end since subpoena power will likely not apply. So while blocking a country with geo restrictions will do NOTHING to keep hostile actors actually in that nation from attacking you, it may force hostile actors of any provenance to use infrastructure that will be easier to investigate and prosecute. So choose your nations for geo blocking first from countries where you simply do not do business, and second from countries that do not have extradition treaties established with your country. See the end of this article for a convenient link on extradition status with the United States.
That brings us to egress - or outbound - network restrictions. This topic deals with what destinations you allow your employees to contact on the web. It technically also covers the destinations you allow your server and cloud infrastructure to visit, but if you are serious about security you need to move that to a full exception-only egress filtering model, where geography would be far too permissive in any form. So back to your employees - what sites should they be able to visit? This problem set has some unique technical considerations versus ingress. When it comes to egress traffic you generally can see and control DNS queries in addition to raw IP addresses, and DNS adds a whole different level of geographic attributes. In this realm you have "top level domains" such as .com or .org, and many are meant to be associated with (and governed by) specific countries, such as .uk, .ru, .cn, or .in (UK, Russia, China, and India respectively). You can easily filter outbound destinations by country code to avoid web domains registered under the aegis of these nations. You can implement this via proxy servers or cloud-based Internet gateways or - more broadly and arguably more effectively - by blocklisting these TLDs entirely in your recursive DNS infrastructure. Blocking such "country code TLDs" (ccTLDs), however, is only the tip of the iceberg, since an adversary in any nation can register a domain in almost any TLD. Once you go down this path, you are far better off using the same controls to block most generic TLDs such as .online, .club, .biz and others while you are at it. In this case it isn't the country that correlates with malicious domains so much as the cost, ease, and anonymity of registration - and that varies by TLD for commercial reasons more than geopolitical ones.
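To make the TLD-blocklisting idea concrete, here is an added example (not the article's code, and not any resolver's real configuration; a production deployment would express the same policy as a response policy zone or gateway rule). It normalizes a queried name the way a resolver sees it (case, trailing dot), checks the last label against a ccTLD set and a generic-TLD set, honours an exception list for a domain the business still needs, and runs the policy over a few constructed query-log lines. The blocked sets, the exception domain and the log lines are all constructed placeholders.

```python
"""TLD-based filter for outbound DNS lookups, with an exception list.

Added example: not the article's code and not a real resolver's
configuration. The blocked TLD sets, the exception list and the sample
query log below are constructed placeholders.
"""
from typing import List, Tuple

# ccTLDs and generic TLDs the article mentions; which ones to block is a
# business decision, so treat these sets as constructed examples.
BLOCKED_CCTLDS = {"ru", "cn"}
BLOCKED_GTLDS = {"online", "club", "biz"}
# Constructed exception: a domain (and its subdomains) the business needs
# even though its TLD is blocked.
ALLOWED_DOMAINS = {"partner.example.ru"}


def normalize(qname: str) -> str:
    """Canonical form: trimmed, lower-case, no trailing dot (FQDN form)."""
    return qname.strip().rstrip(".").lower()


def tld_of(name: str) -> str:
    """Last label of an already-normalized name."""
    return name.rsplit(".", 1)[-1]


def is_exempt(name: str) -> bool:
    """True if the name is, or sits under, an exception-list domain."""
    return any(name == d or name.endswith("." + d) for d in ALLOWED_DOMAINS)


def resolve_policy(qname: str) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for one queried name."""
    name = normalize(qname)
    if not name or "" in name.split("."):
        return ("block", "malformed name")
    if is_exempt(name):
        return ("allow", "exception list")
    tld = tld_of(name)
    if tld in BLOCKED_CCTLDS:
        return ("block", "blocked ccTLD ." + tld)
    if tld in BLOCKED_GTLDS:
        return ("block", "blocked gTLD ." + tld)
    return ("allow", "no TLD policy match")


# Constructed query-log lines in the form "<client> QUERY <qname> <rrtype>".
SAMPLE_LOG = [
    "10.0.0.5 QUERY www.example.com A",
    "10.0.0.5 QUERY Shop.Example.CLUB. A",
    "10.0.0.9 QUERY cdn.example.cn AAAA",
    "10.0.0.9 QUERY docs.partner.example.ru A",
    "10.0.0.9 NOTIFY ignored.example.org A",
]


def filter_query_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Apply the policy to each QUERY line: (client, name, action, reason)."""
    results = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[1] != "QUERY":
            continue  # skip non-query records and truncated lines
        action, reason = resolve_policy(parts[2])
        results.append((parts[0], normalize(parts[2]), action, reason))
    return results


if __name__ == "__main__":
    for row in filter_query_log(SAMPLE_LOG):
        print(row)
```

The exception list is the part worth getting right: once you block whole TLDs, the first support ticket will be a legitimate supplier whose domain lives in one of them, and an explicit allow entry is far safer than re-opening the TLD.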
DNS aside, you also enjoy the ability to block network traffic from your on-premises office networks (see how moot this is getting with remote work?) to IP addresses associated with specific countries. In that case, the same logic as ingress applies, using extradition treaty status to identify nations more likely to host infrastructure used for malicious purposes. Block away.
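The ingress and egress IP rules described above come down to the same two inputs: the countries you do business in and the countries without an extradition treaty. The following added example (mine, not the article's or any vendor's code) evaluates both directions against a constructed geo-IP table built from documentation address ranges and placeholder country codes "XX" and "YY"; a real deployment would substitute a commercial geo-IP feed and the organisation's own market and treaty lists. It also makes the "unknown provenance" case explicit, since the roughly 90% accuracy quoted above means some addresses will not map to any country.

```python
"""Geo-IP policy for ingress (allow-list) and egress (deny-list) traffic.

Added example, not from the original article. The geo-IP table, the
country lists and the sample addresses are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed geo-IP table: documentation ranges mapped to placeholder
# country codes. "XX" and "YY" stand in for real nations.
GEOIP_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "XX"),  # constructed: no treaty
    (ipaddress.ip_network("203.0.113.0/24"), "YY"),   # constructed: treaty, non-market
    (ipaddress.ip_network("2001:db8::/32"), "US"),
]

# Policy inputs (constructed placeholders).
MARKET_COUNTRIES = {"US"}        # where the business actually sells
NO_EXTRADITION_TREATY = {"XX"}   # fill from an authoritative treaty list


@dataclass(frozen=True)
class Decision:
    action: str              # "allow" or "deny"
    reason: str
    country: Optional[str]   # None when provenance is unknown


def lookup_country(ip: str) -> Optional[str]:
    """Map an address to a country code, or None if the feed has no answer."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP_TABLE:
        if addr in net:
            return cc
    return None


def ingress_decision(ip: str, unknown_action: str = "deny") -> Decision:
    """Inbound: allow only market countries; report why others are dropped.

    unknown_action decides what to do with addresses the feed cannot place.
    """
    cc = lookup_country(ip)
    if cc is None:
        return Decision(unknown_action, "unknown provenance", None)
    if cc in MARKET_COUNTRIES:
        return Decision("allow", "market country", cc)
    if cc in NO_EXTRADITION_TREATY:
        return Decision("deny", "no extradition treaty", cc)
    return Decision("deny", "non-market country", cc)


def egress_decision(ip: str) -> Decision:
    """Outbound from office networks: deny-list by extradition status only,
    since employees legitimately browse far beyond the markets we sell in."""
    cc = lookup_country(ip)
    if cc is None:
        return Decision("allow", "unknown provenance", None)
    if cc in NO_EXTRADITION_TREATY:
        return Decision("deny", "no extradition treaty", cc)
    return Decision("allow", "treaty country", cc)


if __name__ == "__main__":
    # Constructed sample addresses, one per table entry plus an unmapped one.
    for ip in ["192.0.2.10", "198.51.100.7", "203.0.113.9", "10.0.0.1"]:
        print(ip, "in:", ingress_decision(ip), "out:", egress_decision(ip))
```

Note the asymmetry: ingress is an allow-list (everything outside your market is noise), while egress is a deny-list (employees need the wider web), so the unknown-provenance default differs between the two and should be a deliberate choice rather than whatever the vendor product ships with.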
So what actions should you consider in reaction to a geopolitical crisis? Probably none. If a non-extradition nation invades another non-extradition nation, you likely should have had both geo-blocked long ago, and thinking that you are protecting yourself from "little green cyber troopers" rushing onto the keyboards of victims is nonsensical. If a friendly nation has a voluntary or involuntary change in extradition policy or ruling government, however, it may be time to review.
Now we get to travel restrictions. Should you ban your employees from visiting certain nations? Or ban them from taking a corporate laptop? Or issue them a "burner phone" like those supposedly given to some athletes visiting the Beijing Olympics? Corporate policies are all over the map on this one too.
The first order of business here should be to identify the scenarios of concern. First, an employee abroad may theoretically have their phone or laptop taken from them and all the data therein stolen. Second, such a device may have an extraordinarily sophisticated piece of malware physically planted on it for continued malicious access after they return home. Finally, the employee may have the keystrokes they type or the data they transmit over the network while abroad captured in transit. Just spelling out those three specific attack scenarios goes far beyond most of the rationale behind corporate travel policy today - but it's critical to acting with intention. So let's talk about the likelihood and attenuating circumstances of each scenario to determine what actions you should take - if any - before and after travel.
First, all three of these actions require either physical access to and tampering with your device, or unfettered access to the Internet connection you use. So we are talking about a nation that is complicit in enabling this malicious activity, which gets us back to a high correlation with extradition status. Adversaries are only going to take these extraordinary extra risks of exposure if they do not have to worry about consequences. That said, the risk of physically accessing a device is still extreme given how easily such an event could be filmed these days, so it is highly unlikely unless the target is of extremely high value. If you are a dissident journalist, it's certainly game-on. But your CIO working on an outsourcing agreement? Probably not. As for network interception, it is certainly possible, though with common TLS-protected traffic even the most sophisticated threat actor would need the user to see and accept unusual web site certificate error popups. In the right environment such error messages can easily be made commonplace, though, desensitizing users into ignoring them.
Stepping through these again, you can mitigate the risk of data being stolen from the actual storage of a laptop or phone simply by a) not having anything very valuable there; or b) having devices in the sight of staff at all times during travel. Second, implanting malware for later usage is extreme edge-case material. Not only is there not a lot of malware that enjoys any deployment advantage from physical access, but the "stab risk" of getting caught in that activity is off the charts. Most importantly, though, "persistent backdoors" run the risk of exposing the adversary's tradecraft for months down the line as their cutting-edge technology gets taken back home with the victim to their intelligence community. When a corporate network detects unusual beaconing or command & control activity from a device in the future, it will not be long until an investigation reveals it was implanted during travel - resulting in a quick political imbroglio and reverse-engineering. Notice how that just doesn't happen too much?
Now let's get back to the network vector. I had an awesome red teamer once say "if you are granted only one wish, what should you wish for? Unlimited wishes!" This applies to network interception, where an adversary will only get ephemeral glances at communication. What's the analog of wishing for more wishes? Capturing credentials and using them to log in at your leisure. If you look at just a few emails during a randomly-selected window from anyone, you are likely to bore yourself to tears. But if you can later log into their email account remotely and analyze thousands of messages, you might gain some value. So what's the mitigation here? Remember one-time passwords? You probably heard them called "multifactor authentication". Make any passwords typed in from anywhere - but certainly abroad - useless if captured. Easy win. And if you want to be extra paranoid, have users change passwords on return and monitor for failed usage attempts.
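Why a captured one-time password buys the eavesdropper so little is easiest to see in code. The following added example (mine, not the article's, and not any vendor's MFA product) implements time-based one-time passwords per RFC 6238 on top of the RFC 4226 HOTP construction, with a server-side verifier that accepts each 30-second code at most once and counts failures for the monitoring the article suggests. The secret is the RFC 4226 test key and the timestamps are constructed, so the expected codes can be checked against the published test vectors.

```python
"""TOTP (RFC 6238) verification with one-time-use enforcement.

Added example, not from the original article. Shows why a password plus
a captured OTP is of little use later: the code is bound to a 30-second
time step and, once accepted, cannot be replayed. The secret is the
RFC 4226 test key; the timestamps used below are constructed.
"""
import hashlib
import hmac
import struct

STEP = 30      # seconds per time step
DIGITS = 6     # code length
WINDOW = 1     # accept one step of clock skew on either side


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, at: float) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // STEP))


class TotpVerifier:
    """Server-side check: accept a code once, within a small skew window."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1   # highest time step already consumed
        self.failures = 0        # feed this to monitoring / alerting

    def verify(self, code: str, at: float) -> bool:
        now = int(at // STEP)
        for counter in range(max(0, now - WINDOW), now + WINDOW + 1):
            if counter <= self.last_counter:
                continue  # already used or older: one-time means one time
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"   # RFC 4226 test secret
    v = TotpVerifier(key)
    code = totp(key, 59)            # what the traveller typed at t=59
    print("first use:", v.verify(code, 59))        # accepted
    print("replay  :", v.verify(code, 61))         # rejected, same step
    print("later   :", v.verify(code, 3000))       # rejected, step expired
    print("failures:", v.failures)
```

The two rejections are the whole point: a code sniffed from a hotel network is dead within a minute, and the failed attempts show up in the verifier's counter, which is exactly the "monitor for failed usage attempts" signal worth alerting on after someone returns from travel.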
Put this all together, and a logical travel policy looks like this:
- Here is a list of countries our country doesn't have an extradition treaty with. We call those "high risk".
- Please don't travel to high-risk countries.
- If you must, take time off and don't work, and don't carry a laptop or access corporate applications from your mobile.
- If you really must work from a high-risk location, stick to a mobile device you can keep with you easily.
- Change your PIN and any passwords used during travel on return.
This advice isn't going to fit everyone. I'll undoubtedly run into people citing laboratory proofs of concept that James Bond might be able to pull off on a perfect day. And if you are protecting state diplomats or targets of high value, you likely have a stronger set of policies already in place. But for the other 99.9% of us who aren't sure where to turn when it's time to draft policy, I hope this realism is helpful.
A list of "Law Enforcement" extradition treaties with the US by country: