Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation
In The Matrix Reloaded (2003), the Merovingian controls access to critical pathways inside the Matrix. He doesn’t stop everyone—he decides who and what is allowed to pass. Information still flows, but only through channels he permits. That selective control is what gives him power.
CIS Safeguard 9.3 is built on the same principle. Network-based URL filtering isn’t about blocking the internet—it’s about controlling exposure to known risk while allowing the business to function.
What Is CIS Safeguard 9.3?
CIS Safeguard 9.3: Maintain and Enforce Network-Based URL Filters is part of CIS Critical Security Control 9 – Email and Web Browser Protections. The safeguard calls for organizations to:
- Implement URL filtering at the network level
- Block access to known malicious, risky, or inappropriate categories
- Regularly maintain, update, and enforce those filters across the environment
The intent is to reduce the likelihood that users or systems can reach destinations that are commonly used for malware delivery, phishing, and command-and-control.
Why Network-Based URL Filtering Still Matters
With widespread HTTPS adoption, some assume URL filtering is outdated. In reality, it’s more relevant than ever.
URL filtering works before content is executed and before credentials are entered. It doesn’t rely on users recognizing danger—it removes the opportunity entirely.
Network-based URL filtering provides:
- Preventive control, not just detection
- Consistent enforcement across devices and users
- Reduced attack surface for common web-based threats
In Jaws (1975), the beach isn’t closed because every swimmer is in danger—it’s closed because the risk is known and unacceptable. URL filtering applies the same logic to web destinations.
Threats Directly Reduced by URL Filtering
Safeguard 9.3 targets some of the most common and successful attack vectors.
- Phishing and Credential Harvesting
  Many phishing attacks rely on:
  - Newly registered domains
  - Lookalike login pages
  - Hosting platforms abused for short periods
  URL filters can block:
  - Known phishing domains
  - Categories associated with credential theft
  - High-risk or newly observed sites
  This reduces reliance on user judgment alone.
- Malware Delivery
  Drive-by downloads and staged payloads often originate from:
  - Compromised websites
  - File-sharing services
  - Malicious ad networks
  URL filtering can prevent access to categories and domains commonly abused for malware hosting—cutting off delivery before endpoint defenses engage.
- Command-and-Control (C2) Traffic
  Even when malware runs successfully, it often depends on outbound web access. URL filters can:
  - Block known C2 infrastructure
  - Restrict access to anonymization or tunneling services
  - Disrupt attacker control channels
  This containment can limit impact even after compromise.
Why “Maintain” Is as Important as “Enforce”
Safeguard 9.3 explicitly includes maintenance, not just deployment.
Threat infrastructure changes constantly:
- Domains are rotated
- Hosting providers are abused and abandoned
- New categories emerge
URL filtering that isn’t updated becomes ceremonial security.
What Should URL Filters Cover?
Effective network-based URL filtering typically includes:
- Known malware and phishing domains
- Newly registered or low-reputation domains
- Categories such as:
  - Malicious or suspicious sites
  - Command-and-control
  - Unauthorized file sharing
  - Anonymizers and proxies (as appropriate)
Policies should be risk-based, not arbitrary.
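The layered decision described above (block list, then category, then domain age), as an added Python example that is not part of the original article or CIS material. The domains, category names, 30-day age threshold and the `decide` function are assumptions constructed for illustration.

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed sample data (assumptions, not a real feed or vendor schema).
BLOCKLIST = {"bad-login.example", "c2.example.net"}
CATEGORIES = {"files.example.org": "unauthorized-file-sharing",
              "proxy.example.com": "anonymizer",
              "intranet.example.com": "business"}
BLOCKED_CATEGORIES = {"malicious", "command-and-control",
                      "unauthorized-file-sharing", "anonymizer"}
FIRST_SEEN = {"fresh-site.example": date(2024, 5, 28)}
MIN_DOMAIN_AGE_DAYS = 30


def parent_domains(host):
    """Yield host and each parent: a.b.example -> a.b.example, b.example, example."""
    labels = host.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decide(url, today):
    """Return (action, reason) for a URL under the sample policy."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return ("block", "unparseable-host")  # fail closed on odd input
    # Match on label boundaries so subdomains of a listed domain are caught
    # while an unrelated name that merely ends with the same text is not.
    for name in parent_domains(host):
        if name in BLOCKLIST:
            return ("block", f"blocklist:{name}")
    for name in parent_domains(host):
        category = CATEGORIES.get(name)
        if category in BLOCKED_CATEGORIES:
            return ("block", f"category:{category}")
        if category:
            break  # most specific categorised name wins
    for name in parent_domains(host):
        seen = FIRST_SEEN.get(name)
        if seen and (today - seen).days < MIN_DOMAIN_AGE_DAYS:
            return ("block", f"new-domain:{name}")
    return ("allow", "no-match")
```

Returning the reason alongside the action gives each block a log field that can be reviewed later.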
Enforcement Across the Environment
To meet the intent of Safeguard 9.3, URL filtering should apply to:
- On-premises networks
- Remote users (via VPN or cloud-based filtering)
- Servers and non-user systems, where feasible
- Guest or unmanaged networks, at appropriate levels
If controls disappear when users leave the office, attackers will notice.
Balancing Security and Business Needs
URL filtering is most effective when:
- Exceptions are documented and reviewed
- Policies are aligned to job roles
- Blocks generate visibility, not frustration
The goal is not to stop work—it’s to stop unnecessary risk.
Measuring Effectiveness
URL filtering should be treated as an active control, not a static configuration. Indicators of success include:
- Reduced phishing click-throughs
- Fewer malware infections originating from web traffic
- Clear logging and reporting of blocked requests
- Regular review of allowed and denied categories
Blocked traffic is telemetry, not failure.
How Safeguard 9.3 Complements Other Controls
URL filtering works best alongside:
- DNS logging and filtering (Controls 8.6, 9.2)
- Email protections (Control 9.1)
- Endpoint protections (Control 10)
- Audit log reviews (Control 8.11)
Practical Implementation Tips
To operationalize CIS Safeguard 9.3:
- Use Threat-Informed Categories
  Focus on domains and services attackers actually abuse.
- Review Policies Regularly
  Business needs and threat patterns change.
- Log and Analyze Blocks
  Blocked requests can reveal compromised systems or risky behavior.
- Test From User and System Perspectives
  Servers generate web traffic too—and attackers know it.
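One way to treat blocked requests as telemetry, as "Measuring Effectiveness" and "Log and Analyze Blocks" suggest: an added Python example, not from the original article, that reports blocks per category and flags a source that keeps hitting the same blocked host at near-constant intervals. The log format, addresses, domains and thresholds are assumptions constructed for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample log: "<ISO time> <source> <action> <category> <url>".
# The format is an assumption for this example, not any product's schema.
SAMPLE_LOG = """\
2024-06-10T09:00:02 10.0.5.21 BLOCK command-and-control http://c2.example.net/a
2024-06-10T09:05:01 10.0.5.21 BLOCK command-and-control http://c2.example.net/a
2024-06-10T09:10:03 10.0.5.21 BLOCK command-and-control http://c2.example.net/a
2024-06-10T09:15:02 10.0.5.21 BLOCK command-and-control http://c2.example.net/a
2024-06-10T09:02:40 10.0.8.14 BLOCK phishing https://bad-login.example/signin
2024-06-10T09:03:10 10.0.8.14 ALLOW business https://intranet.example.com/
2024-06-10T11:47:19 10.0.8.30 BLOCK anonymizer https://proxy.example.com/
"""


def parse(log_text):
    """Yield (time, source, category, host) for each blocked request."""
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5 or parts[2] != "BLOCK":
            continue  # skip allowed requests and malformed lines
        when = datetime.fromisoformat(parts[0])
        yield when, parts[1], parts[3], urlsplit(parts[4]).hostname or "-"


def periodic_blocks(log_text, min_hits=4, max_jitter=0.1):
    """Flag (source, host) pairs blocked repeatedly at near-constant intervals."""
    times = defaultdict(list)
    for when, source, _category, host in parse(log_text):
        times[(source, host)].append(when)
    findings = []
    for (source, host), stamps in sorted(times.items()):
        if len(stamps) < max(min_hits, 2):
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Low spread relative to the mean gap suggests automated retries.
        if pstdev(gaps) <= max_jitter * mean(gaps):
            findings.append((source, host, len(stamps), round(mean(gaps))))
    return findings


def blocks_by_category(log_text):
    """Count blocked requests per category for reporting."""
    return dict(Counter(cat for _w, _s, cat, _h in parse(log_text)))
```

A host that appears in `periodic_blocks` was stopped by the filter, but the regular retries indicate software on that host still trying to reach the destination, which is a lead for endpoint investigation.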
Final Thoughts
CIS Safeguard 9.3 recognizes a fundamental truth of cybersecurity: most attacks require access before they require execution. Network-based URL filtering reduces risk by denying access to places attackers depend on.
Security isn’t about stopping movement—it’s about deciding what is allowed to move freely and what is not. Organizations that maintain and enforce strong URL filtering don’t just respond to threats—they quietly prevent many of them from ever starting.
Resources
Here’s a link to the Policy Templates provided free of charge from the fine folks at the Center for Internet Security:
Looking for even more details? Here you go. If this still doesn’t satisfy your curiosity, DM me.
CIS Control 9 – Email and Web Browser Protections
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.
CIS Safeguard 9.3: Maintain and Enforce Network-Based URL Filters
Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
Shameless Marketing Information
Gotham Technology Group offers professional and managed services to protect your organization with technologies such as Secure Email Gateway (SEG), Secure Web Gateway (SWG), Network Security (NGFW, Route, Switch, WAP), Secure Services Edge (SSE) and Secure Access Services Edge (SASE).