07-Aug-2022 18:00 - edited 22-May-2023 08:32
We have already discussed the advantages that the F5 Distributed Cloud ‘AI/ML solution for malicious users’ brings to the table, as well as how simple it is to configure and monitor those events using the interactive dashboard of the F5 Distributed Cloud Console.
Below are the links for parts 1 and 2 of this article:
AI/ML detection of Malicious Users using F5 Distributed Cloud WAAP – Part I
AI/ML detection of Malicious Users using F5 Distributed Cloud WAAP – Part II
In this article, we will go over a few more test scenarios covering the detection and mitigation of malicious user events.
Scenario 1:
In this scenario, we will monitor and mitigate users detected as malicious because of repeated forbidden access attempts.
Step 1:
Enable malicious user detection using Multi Load Balancer ML config as mentioned in the document.
Step 2:
Configure a policy that prevents users from accessing a specific path.
Step 3:
Configure the app setting object to detect malicious user activity based on forbidden access requests.
Step 4:
Configure automatic mitigation for malicious users.
Step 5:
Generate requests (more than the threshold value configured in Step 3) to the forbidden path (https://<domain>/delete).
Note: Here, generating requests represents an attacker's attempts to get past the 403 Forbidden response, for example by trying different HTTP request methods, manipulating the endpoint by appending sequences such as {%2e}, {%2f}, {%5c}, or by applying some other technique manually or through a script.
Step 6:
Go to Home->Web App & API Protection->Overview->Dashboards->Security Dashboard, select your LB, switch to the Malicious Users tab and monitor the activity.
Note: If automatic mitigation is not applied, you can also mitigate manually by clicking ‘Block User’ on the top right and adding the detected malicious user's IP address to the deny list.
Scenario 2:
In this scenario, we will configure detection of malicious users based on requests from potentially high-risk IPs and block them using the default automatic mitigation action.
Step 1:
Enable malicious user detection using Multi Load Balancer ML config as mentioned in the document.
Step 2:
In the app settings object configuration, make sure 'IP Reputation' is enabled (follow the points in Step 3 of Scenario 1). Apply, Save & Exit.
Step 3:
Follow Step 4 of Scenario 1 to enable the default automatic malicious user mitigation action.
Step 4:
Generate 20+ requests in a minute from the Tor browser. Then follow Step 6 of Scenario 1 to monitor the malicious user activity.
Note: Tor is a free and open-source software developed to hide its user’s identity and activities over the Internet and make them anonymous.
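To make the two detection rules above concrete, here is an added example (not F5's code) that replays constructed access-log records and flags a client when its 403 responses exceed a threshold within a one-minute window (Scenario 1) or when a client on a high-risk IP list sends 20 or more requests in a minute (Scenario 2), honouring an allow list. The thresholds, window, IP addresses and the high-risk list are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _burst(ip, start, n, path, status, step_s=2):
    """Build n constructed log records from one client, spaced step_s seconds apart."""
    base = datetime.fromisoformat(start)
    return [((base + timedelta(seconds=i * step_s)).isoformat(), ip, "GET", path, status)
            for i in range(n)]


# Constructed sample log: (timestamp, client_ip, method, path, status).
SAMPLE_LOG = (
    _burst("198.51.100.7", "2022-08-07T18:00:00", 4, "/delete", 403)   # repeated forbidden hits
    + _burst("203.0.113.9", "2022-08-07T18:00:00", 2, "/delete", 403)  # two hits, below threshold
    + _burst("192.0.2.44", "2022-08-07T18:00:00", 20, "/", 200)        # assumed Tor exit, 20 req/min
    + _burst("192.0.2.99", "2022-08-07T18:00:00", 25, "/", 200)        # assumed Tor exit, allow-listed
)
HIGH_RISK_IPS = frozenset({"192.0.2.44", "192.0.2.99"})  # assumed IP-reputation feed entries
ALLOW_LIST = frozenset({"192.0.2.99"})                   # assumed exception (e.g. a scanner you own)


def detect_malicious_users(records, forbidden_threshold=3, high_risk_threshold=20,
                           window=timedelta(minutes=1), high_risk_ips=frozenset(),
                           allow_list=frozenset()):
    """Return {client_ip: reason} for clients that trip either rule inside the sliding window."""
    flagged = {}
    recent_all = defaultdict(deque)  # ip -> timestamps of all requests in the window
    recent_403 = defaultdict(deque)  # ip -> timestamps of 403 responses in the window
    for ts_str, ip, _method, _path, status in sorted(records, key=lambda r: r[0]):
        if ip in allow_list or ip in flagged:
            continue
        ts = datetime.fromisoformat(ts_str)
        recent_all[ip].append(ts)
        if status == 403:
            recent_403[ip].append(ts)
        for q in (recent_all[ip], recent_403[ip]):  # drop entries older than the window
            while q and ts - q[0] > window:
                q.popleft()
        if len(recent_403[ip]) > forbidden_threshold:
            flagged[ip] = "forbidden access attempts above threshold"
        elif ip in high_risk_ips and len(recent_all[ip]) >= high_risk_threshold:
            flagged[ip] = "high-risk IP with sustained request volume"
    return flagged


def run_sample():
    """Evaluate the constructed log with the assumed high-risk list and allow list."""
    return detect_malicious_users(SAMPLE_LOG, high_risk_ips=HIGH_RISK_IPS, allow_list=ALLOW_LIST)
```

The flagged dictionary is what an automatic mitigation step would feed into a deny list, while the allow list keeps known-good sources out of it.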
This brings us to the end of this article series. We have seen how F5 Distributed Cloud WAAP’s security solution for malicious users aids in the identification and mitigation of suspicious activities. Alert fatigue, long investigation times, missed attacks, and false positives are all common issues for security teams. However, by utilizing AI/ML-based malicious user detection, security teams can effectively filter out noise and identify actual risks and threats without the need for manual intervention.
Suspicious actions such as Forbidden access attempts, login failures, and so on create a timeline of events that suggests the possibility of malicious user activity. Users who exhibit such behavior can be blocked manually or automatically based on their threat levels, and exceptions can be made using allow lists.