on 24-Nov-2021 09:28
In this article you will learn how to configure and use Leaked Credential Check (LCC). LCC provides access to a database of compromised credentials, which can be used to detect and prevent a Credential Stuffing Attack. LCC is a subscription-based service which can be added to BIG-IP Advanced WAF.
Leaked Credential Check stops leaked or stolen credentials from being used to access personal or business applications. It automatically detects and mitigates compromised credential use. If compromised credentials are detected during an attempted login, Leaked Credential Check enables several mitigation options for SecOps teams to enact, individually or collectively, including:
This article assumes you have Advanced WAF configured and deployed for one or more Virtual Servers and you have purchased the add-on subscription for LCC.
From the BIG-IP Configuration Utility select Security > Application Security > Security Policies > Policies List.
Notice the Policy name in this example is Leaked-Credential-Check. There are 2 Virtual Servers attached to this policy, vs_arcadia.emea.f5se.com_II and vs_Hackazon_IV.
LCC is configured from Security > Cloud Services > Cloud Security Services Applications.
Click the name of the Cloud Security Application, f5-credential-stuffing-cloud-app in this example.
Note: if the application has not been created yet click the Create button on the right.
Give it a name if creating a new app. Set the Service Type to Blackfish Credential Stuffing Service. Enter your API Key ID and Secret. Specify the Endpoint, f5-credential-stuffing-blackfishin this example.
Click Save when done
LCC is enabled in Security > Application Security > Brute Force Attack Prevention.
Check the box to Enable Detection
Under Action you can choose different mitigation Actions.
Alarm: report the Leaked Credentials Detection violation in the Event Log
Alarm and Blocking Page: report the Leaked Credentials Detection violation in Event Log and send the Blocking Response Page
Alarm and Honeypot Page: report the Leaked Credentials Detection violation in Event Log and send the Honeypot Response Page
Alarm and Leaked Credentials Page: report the Leaked Credentials Detection violation in Event Log and send the Leaked Credentials Page
Select Learning and Blocking Settings to configure them.
For Sessions and Logins set Leaked Credentials Detection to Alarm and Block.
The Honeypot Page and Leaked Credentials Page can be configured from Security > Application Security > Security Policies > Policies List
Select the Leaked-Credential-Check Policy
Select Response and Blocking Pages on the left.
Scroll down and the Failed Login Honeypot response and Leaked Credentials response can be configured here.
Attempt to login to your web application using known leaked credentials. In this example we’ll use “HACKAZON”. Click the Sign In link near the top on the right.
Attempt to login using the following:
Username: demo33@fidnet.com Password: mountainman01
The login should fail.
Try to login with the following credentials:
Username: admin Password: 12345678
Check the BIG-IP Event Log
From the Configuration Utility go to Security > Event Logs > Application > Requests.
There are two requests at the top that look important.
Select the first one. Here we can see details about the request. As suspected, the violation was due to the Leaked Credentials Detection policy.
Scroll down under Request and you can see the username and password that triggered the violation.
Now select the second one. As you can see, this violation was triggered by the login attempt with the username “demo33@fidnet.com”.
Congratulations! You have successfully configured and test Leak Credential Checking.