Detect and stop exfiltration attempts with F5 Distributed Cloud App Infrastructure Protection
Introduction
"Assume breach" is one of the main tenets of Zero Trust security framework and perhaps one of the more counterintuitive as the more investment is put in ring-fencing critical business infrastructure, the more protected an organisation feels and assumes the security risks to diminish. While tall fences and sophisticated locks certainly deter most attackers, there will always be some determined to break in, with enough resources to "invest" in their malicious activities to bypass the barriers put in their path. Zero-day vulnerabilities and insider threats are other dangers lurking around which can defeat even the most complex perimeter defences.
There will always be a need to proactively monitor your infrastructure for any signs of anomalous activity that could be a sign of a security breach. These monitoring measures should of course complement traditional security measures, such as WAAP and access controls, rather than replace them as they address different stages of an attack.
F5 Distributed Cloud App Infrastructure Protection (AIP) is build on the Threat Stacks' Cloud Security Platform, now part of F5. It is designed from the beginning to protect cloud-native applications, providing full-stack visibility, ML-enabled threat detection and easy integration with customer's SIEM/SOAR platforms for threat response. Leveraging supervised learning, F5 Distributed Cloud AIP detects intrusion activity on cloud workloads and protects your cloud-native applications and infrastructure by performing complex behaviour analysis. It can collect telemetry from anywhere your workloads are deployed: on-prem, public cloud or in a hybrid mode.
Distributed Cloud AIP is complementing F5 Distributed Cloud Web Application and API Protection (WAAP) in providing a 360 degrees protection for modern applications. For more information on the power of combining these two technologies, you can start with the Secure Your Modern Apps with Threat Stack and F5 brief.
For this demo, we will use Distributed Cloud AIP integrated with TheHive, one of the most widely used Open-Source security case management systems. TheHive enables security teams to import security alerts and track the analysis process by creating security cases.
We will demonstrate how Distributed Cloud AIP can send alerts to TheHive for further analysis. For threat response automation, we will use Node-RED, an Open-Source automation tool originally created by IBM and contributed to the OpenJS Foundation project.
We will show how Node-RED can automatically create cases based on alerts received by TheHive from Distributed Cloud AIP as well as how it can automatically block threats on F5 Distributed Cloud platform.
To assist with their deployment, TheHive and Node-RED have been bundled in a Helm chart, as part of an F5 innovation project named STIR, along with Cortex (for observables analysis) and MISP (for threat intelligence sharing), and supported by the ELK stack as the data repository. STIR is aimed to be an Open-Source SIEM/SOAR platform, allowing security teams to experiment in a very cost effective way and providing organisations with an easy ramp into the security incident management space. We will describe STIR in more depth in future articles but for the current article the relevant components are TheHive and Node-RED.
Architecture
We will focus on the case of a workload (Web server) deployed in a Public Cloud (AWS) and exposed to the Internet through F5 Distributed Cloud platform, as part of a multi-cloud or hybrid deployment (not represented on the diagram above, to keep it focused on essential elements of the demo).
The workload is monitored by Distributed Cloud AIP through an agent that collects full stack telemetry and aggregates threat detection on a cloud dashboard.
We will assume a breach of the existing security measures due to an insider action that resulted in a malicious php script being dropped on the Web server. The script is periodically collecting sensitive information and exfiltrates it to an external server controlled by the attacker.
You will see how Distributed Cloud AIP detects the anomalous exfiltration connection and generates a security alert which is then immediately exported to TheHive. Node-RED will detect the creation of the security alert on TheHive, start a flow that will check for the alert source and automatically create a case based on that specific alert as well as the AIP events that contributed to it.
At this stage everything is in place for the security analyst to perform additional tasks to confirm this outbound connection is indeed the exfiltration stage of an attack and mark the case as a true positive.
The analyst has the opportunity to specify the automated threat response actions to be taken on the F5 Distributed Cloud platform to block further exfiltration attempts, while the SecOps team works to address the root cause.
When the TheHive case is closed as a true positive event and has automated threat response actions specified by the analyst, Node-RED is triggering another flow that will execute those response actions, blocking the outgoing connection on the F5 Distributed Cloud platform.
Demo
Conclusion
In this article we show one way we can use F5 Distributed Cloud App Infrastructure Protection to implement the "assume breach" principle of the Zero Trust framework and automate a number of actions, including the threat response, by integrating it with an Open-Source SIEM/SOAR platform.
We demonstrate how an exfiltration attempt can be detected by Distributed Cloud AIP, how the generated alert is automatically imported into TheHive and converted to a case by Node-RED. Once the security analyst resolves the case as a true positive event, we see how automated actions are taken by Node-RED to block the outgoing connection on the Distributed Cloud platform.
For further information or to get started:
