What is URL Filtering?

URL filtering is a type of web filtering, which automatically blocks access to specific online resources, including websites and file downloads. Web filtering is used to prevent users from accessing suspicious or malicious websites and downloading malware, limiting the potential for cybercriminals to compromise individual systems as well as the network at large.

There are several different types of web filtering. Some of the more common implementations include URL filtering — which blocks individual pages, and DNS filtering – which blocks entire domains.  URL filtering blocks access to known malicious websites including:

• Phishing websites that try to steal credentials
• Websites that operate as command-and-control servers (C&C) sending instructions to — or receiving data from — systems compromised by malware
• Websites that download malware
• Fake e-commerce shops that may steal money or cardholder data

In strictly regulated or high-risk environments, it is a good practice to also block URLs that are not explicitly malicious but do pose a potential threat, such as fake news websites or social media platforms.  

Uniform resource locators (URL) is a web address for a given resource, which is used by browsers to retrieve published web resources. The URL is made up of four parts:

• Protocol is either http:// or https://, which tells the web browser that a web address will follow. HTTPS is more secure than HTTP. HTTPS sites have an SSL certificate, which encrypts information to ensure that the connections are secure, and TLS (Transport Layer Security) protocol. Modern web browsers do not require you to type the protocol as it will fill that in on its own.
• Domain is the highest-level part of a URL — the website's name.
• Path is the folder structure of the website, so a browser knows which subfolder to find the webpage in.
• Webpage is the last part of the URL and is the specific page you are requesting. It is the actual filename of the page as it is stored on the domain computer.

Traditional URL filtering solutions use a URL reputation database that checks the URL against a database of known malicious ones. It does so by sending navigation requests to a protection agent, which checks them against lists of trusted and blocked addresses, and either approves or denies the request accordingly. URL reputation databases are periodically updated with malicious URLs and information seen in the wild. More advanced solutions use a combination of such databases.

Because URL reputation is based on known malicious URLs, you cannot rely on this feature for unknown URLs that appear in the wild each day. Instead, unknown URLs are identified via real-time analysis of the URL and page content to determine the threat and maliciousness of the URL. More advanced solutions also use URL image recognition and lexical analysis of the URL.

There are several disadvantages to URL filtering, which include:

• Blocking the wrong sites because a website contains an unsuitable keyword
• Not blocking sites that should be blocked
• Over blocking sites that are useful for some employees to do their jobs but can be a productivity drain for other employees. For example, LinkedIn is a valuable resource for salespeople to use for prospecting but can be a productivity drain for other employees who use it to look and apply for other jobs.

Organizations use URL filtering to ensure a secure network and stop cyberattacks, block inappropriate content (e.g., pornography, COVID-19 scams) and block access to websites that are productivity drains (e.g., gaming and social media sites). URL filtering is a crucial step when creating and maintaining a secure network. With URL filtering, an organizations can:

• Control employee browsing habits and ensure employees do not access harmful sites
• Avoid malware by blocking access to known malware and phishing sites
• Customize policies to include setting permanent allow and block lists and customizing what sites can/cannot be accessed by user, time of day, etc.
• Define allowlists, which control the sites that users can access

It is not always easy to tell whether a web site is safe, especially from a distance. By the time a user has navigated to an infected site or downloaded a malicious file, the damage is often already done. As companies have transitioned to remote work, the threat landscape has ballooned. Tools like teleconferencing services and online learning platforms present a large attack surface for cybercriminals — especially as many users are connecting with unsecured devices, running unsecured applications, on unsecured networks. New social engineering and malware threats are emerging every day.

Training end users to be aware of malware and social engineering techniques is important, as is learning how to detect these threats. What’s more, being perpetually on guard and suspicious is emotionally and mentally draining, and even cybersecurity experts have been known to fall victim to scams and malware on occasion. Nobody is immune to cyberattacks. 

By blocking malicious resources from ever loading, automated solutions like URL filtering provide an invaluable layer of protection to any organization. Remember that even legitimate, trusted websites can be infected and used to spread malware. While URL filtering alone cannot entirely remove the risk of system compromise or infection, it acts as the first layer of protection in a strong multilayered defense approach.

While URL filtering prevents employees from visiting malicious sites, URL filtering can also stop employees from loading malicious email links or visiting phishing sites.

Email security is important as a Verizon report cited that 94% of attacks come thru this vector. Attackers include a malicious link in these emails to trick a user into clicking on it and loading a malicious webpage. URL filtering can block this type of attack.

And with phishing attacks on the rise, organizations require a multi-layered approach to ensuring the security of their network and systems. Phishing attacks trick a user into giving away sensitive credentials by using fake websites that appear legitimate. URL filtering can stop these attacks by ensuring the malicious websites are not loaded.  

Specifically designed for MSPs, Acronis Cyber Protect Cloud integrates best-of-breed backup, machine intelligence (MI)-based antimalware, and protection management in one solution. Included at no cost or on a pay-as-you-go basis, Acronis Cyber Protect Cloud lets you build services to protect your clients’ systems, applications and data.

You can expand your service portfolio to further meet your client requirements with advanced protection packs that extend their capabilities. For example, Acronis Advanced Security is an add-on to Acronis Cyber Protect Cloud. It enhances inefficient, standalone antivirus software with integrated cyber protection. It provides full-stack, real-time anti-malware protection covering numerous attack vectors with multiple defense layers, including URL filtering to block malicious URLs, web-based attacks and COVID-19 scams. 

The Advanced Email Security pack – which is based on Perception Point’s unmatched technology – extends Acronis Cyber Protect Cloud’s capabilities to block email-borne threats – including spam, phishing, business email compromise (BEC), advanced persistent threats (APTs) and zero-day attacks – in seconds – before they reach end users. The Advanced Email Security pack minimizes email risks for clients with powerful threat intelligence, signature-based detection, URL reputation checks, unique image recognition algorithms, machine learning with DMARC (Domain-Based Message Authentication Reporting and Conformance) record checks and lexical analysis. 

The image recognition-based engine identifies brand impersonation and phishing attacks. It is a unique and proprietary engine that uses several advanced algorithms to validate if the URL is a legitimate site. The engine also scans attempts to phish assets of the company. It is just one of the techniques that is used for anti-phishing, along with recursive unpacking, URL reputation, threat intelligence, advanced page scanning and more.

SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC record are three tools that provide proof that an email message is genuine and that the sender of the email is legitimate and not impersonating someone else. 

Lexical analysis examines the structure of the URL to determine if it contains suspicious words, how many parameters are passed inside the URL, what encoding is used to encode those parameters, if the URL contains email addresses or suspicious domain names, and more.

Acronis’ URL filtering is enhanced with payload analysis and a machine learning model that analyze the link itself as well as the page’s structure. This allows the web filter to:

• Stop silent drive-by downloads and intercept HTTP/HTTPS requests
• Protect against known and unknown phishing sites and block sites that distribute malware
• Identify scams and infections using themes that leverage actual threats, such as COVID-19
• Integrate intelligence from industry partners into Acronis’ signature- and MI-based detection

URL filtering and analysis functionality are delivered from our cloud reputation base, ensuring protection against the latest threats. Detection rules are also stored locally to provide security – even in the event of connectivity disruptions.

Now through December 31, 2021, MSPs that are not already licensing Advanced Email Security can receive a three-month rebate on all client mailboxes they protect with this cloud-based email security service. 

Additional references

Business Insider. (2021) What is a URL?

HTTP vs HTTPS: The Difference and Everything You Need to Know

SPF, DKIM, DMARC: The 3 Pillars of Email Authentication