Shubham_Mishra, F5 Employee

Introduction

We have already discussed the advantages that F5 Distributed Cloud's 'AI/ML solution for malicious users' brings to the table, as well as how simple it is to configure and monitor those events using the interactive UI dashboard of the F5 Distributed Cloud Console.

Below are the links for parts 1 and 2 of this article: 

AI/ML detection of Malicious Users using F5 Distributed Cloud WAAP – Part I 

AI/ML detection of Malicious Users using F5 Distributed Cloud WAAP – Part II 

In this article, we will go over a few more test scenarios covering the detection and mitigation of malicious user events.

 

Demonstration (using Multi Load Balancer ML config)

Scenario 1: 

In this scenario, we will monitor and mitigate detected malicious users for forbidden access attempts. 

Step 1:

Enable malicious user detection using the Multi Load Balancer ML config, as described in the referenced documentation.

Note: Make sure to select the 'Custom' option in the 'API Discovery/DDoS Detection/Malicious User Detection' drop-down while configuring the LB.

Step 2:

Configure a policy that prevents users from accessing a specific API endpoint.

  • From the Console homepage, click Web App & API Protection. 
  • Click Manage -> Service Policies -> Service Policies. 
  • Click 'Add service policy', give it a name, and set the rules as needed. Here, we are prohibiting access to the path '/delete', as illustrated in the screenshot below. As a result, users will be unable to access the endpoint "https://<domain>/delete".

[Screenshot: service policy rule denying access to the path '/delete']

  • Go to Home -> Web App & API Protection -> Manage -> Load Balancers -> HTTP Load Balancers, and add the created service policy to the LB.


Step 3:

Configure an app setting object to detect malicious user activity based on forbidden access requests.

  • Go to Home -> WAAP -> Manage -> AI&ML -> App Settings and click 'Add app setting'.
  • Enter a name and go to the 'AppType' Settings section. Click 'Add item'.
  • Click the 'App Type' drop-down and select the app type configured in the LB in Step 1.
  • Click 'Configure' under 'Malicious User Detection' and tune the settings as needed. Here, we have set the threshold for forbidden access requests to 10; beyond that count, the system flags the user as malicious.

  • Apply and add the configurations, then click 'Save and Exit' to create the app settings object.

Step 4:

Configure automatic mitigation of malicious users.

  • Go to your LB config and click 'Edit Configuration'.
  • Scroll down to the 'Security Configuration' section and enable the 'Show Advanced Fields' option.
  • From the 'Challenge Type' drop-down menu, select 'Policy Based Challenge'.
  • Click Configure under 'Policy Based Challenge' and leave the 'Malicious User Mitigation Settings' at 'Default'. Apply, then click Save & Exit.

Step 5:

Generate more requests than the threshold configured in Step 3 to the forbidden path (https://<domain>/delete).

Note: Here, generating requests represents an attacker's attempts to get around the 403 Forbidden response: for example, trying different HTTP request methods, manipulating the endpoint by appending sequences such as {%2e}, {%2f}, {%5c}, or applying some other technique manually or through a script.

Step 6:

Go to Home -> WAAP -> Apps & APIs -> Security, select your LB, switch to the Malicious Users tab, and monitor the activity.

Note: If automatic mitigation is not applied, you can also mitigate manually by clicking 'Block User' at the top right and adding the detected malicious user's IP address to the deny list.

Scenario 2: 

In this scenario, we will configure detection of malicious users based on requests from potentially high-risk IPs and block them using the default automatic mitigation action.

Step 1:

Enable malicious user detection using the Multi Load Balancer ML config, as described in the referenced documentation.

Step 2:

In the app settings object configuration, include the IP Reputation choice (follow the points in Step 3 of Scenario 1). Apply, then Save & Exit.

Step 3:

Follow Step 4 of Scenario 1 to enable the default automatic malicious user mitigation action.

Step 4:

Generate 20+ requests within a minute from the Tor browser.

Note: Tor is free and open-source software developed to hide its users' identity and activities over the Internet and make them anonymous.
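To make the two detection signals used in these scenarios concrete, here is an added example (not F5's code and not the platform's own AI/ML logic) that replays the same rules over constructed access-log lines: Scenario 1's rule flags a client once it exceeds 10 forbidden (403) responses, and Scenario 2's rule flags a client from a high-risk IP once it sends 20+ requests within a minute. The log line format, the `HIGH_RISK_IPS` set standing in for an IP-reputation feed, and the one-minute sliding window applied to the forbidden-access count (the page states only the count for Scenario 1) are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed high-risk IP set; stands in for an IP-reputation feed such as a Tor exit list.
HIGH_RISK_IPS = {"198.51.100.7", "198.51.100.8"}

# Assumed (constructed) log line format: "<client-ip> <iso-timestamp> <method> <path> <status>"
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def parse_log(text):
    """Parse log lines into event dicts, skipping blank or malformed lines, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate junk lines instead of aborting the whole run
        events.append({
            "ip": m["ip"],
            "ts": datetime.fromisoformat(m["ts"]),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_malicious_users(text, high_risk_ips=HIGH_RISK_IPS, forbidden_threshold=10,
                           high_risk_threshold=20, window=timedelta(minutes=1)):
    """Return {client_ip: [signals]} for clients that trip either detection rule."""
    windows = defaultdict(deque)   # (ip, signal) -> timestamps inside the sliding window
    flagged = defaultdict(set)
    for e in parse_log(text):
        signals = []
        if e["status"] == 403:
            signals.append("forbidden_access")
        if e["ip"] in high_risk_ips:
            signals.append("high_risk_ip")
        for signal in signals:
            q = windows[(e["ip"], signal)]
            q.append(e["ts"])
            while e["ts"] - q[0] > window:      # drop events older than the window
                q.popleft()
            if signal == "forbidden_access":
                hit = len(q) > forbidden_threshold       # Scenario 1: flag beyond the threshold
            else:
                hit = len(q) >= high_risk_threshold      # Scenario 2: flag at 20+ requests/minute
            if hit:
                flagged[e["ip"]].add(signal)
    return {ip: sorted(s) for ip, s in flagged.items()}


def _burst(ip, path, status, count, start, spacing_s=1):
    """Build `count` constructed log lines from one client, `spacing_s` seconds apart."""
    return [f"{ip} {(start + timedelta(seconds=i * spacing_s)).isoformat()} GET {path} {status}"
            for i in range(count)]


T0 = datetime(2022, 8, 8, 9, 0, 0)
# Constructed sample traffic covering the hit and the near-miss cases for both rules.
SAMPLE_LOG = "\n".join(
    _burst("203.0.113.10", "/delete", 403, 11, T0)        # 11 x 403 in 11 s -> flagged
    + _burst("203.0.113.11", "/delete", 403, 3, T0)       # 3 x 403 -> below threshold
    + _burst("203.0.113.12", "/delete", 403, 11, T0, 30)  # 11 x 403 spread over 5 min -> never >10 in a window
    + _burst("198.51.100.7", "/", 200, 20, T0)            # high-risk IP, 20 requests in 20 s -> flagged
    + _burst("198.51.100.8", "/delete", 403, 11, T0)      # high-risk IP but only 11 requests: forbidden rule only
)

if __name__ == "__main__":
    for ip, signals in detect_malicious_users(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(signals)}")
```

The third client shows why the window matters: it eventually sends the same 11 forbidden requests as the first, but never more than three within any one minute, so a count-only rule would flag it while the windowed rule does not. The last client shows that the two signals are evaluated independently, which matches the console showing a separate reason per detected user.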

 

Conclusion

This brings us to the end of this article series. We have seen how F5 Distributed Cloud WAAP’s security solution for malicious users aids in the identification and mitigation of suspicious activities. Alert fatigue, long investigation times, missed attacks, and false positives are all common issues for security teams. However, by utilizing AI/ML-based malicious user detection, security teams can effectively filter out noise and identify actual risks and threats without the need for manual intervention. 

Suspicious actions such as forbidden access attempts, login failures, and so on create a timeline of events that suggests the possibility of malicious user activity. Users who exhibit such behavior can be blocked manually or automatically based on their threat levels, and exceptions can be made using allow lists.

Last update: 08-Aug-2022 09:02