KevinGallaugher
F5 Employee

Description

In this article you will learn how to configure and use Leaked Credential Check (LCC). LCC provides access to a database of compromised credentials, which can be used to detect and prevent a Credential Stuffing Attack. LCC is a subscription-based service which can be added to BIG-IP Advanced WAF.

Summary

Leaked Credential Check stops leaked or stolen credentials from being used to access personal or business applications. It automatically detects and mitigates compromised credential use. If compromised credentials are detected during an attempted login, Leaked Credential Check enables several mitigation options for SecOps teams to enact, individually or collectively, including:

  • Requiring the user to employ multi-factor authentication (MFA) before granting access.
  • Redirecting the user to another application page; for example, a customer support web page.
  • Responding to the suspicious login with a preset page requesting further action by the user, such as contacting customer support.
  • Blocking the user and their login from accessing the application.
  • Sending an alert to the SecOps team to take additional action.

This article assumes you have Advanced WAF configured and deployed for one or more Virtual Servers and you have purchased the add-on subscription for LCC. 

Typical Steps Involved in a Credential Stuffing Attack

High Level Network Topology

Configuration Steps

From the BIG-IP Configuration Utility select Security > Application Security > Security Policies > Policies List.

Notice that the Policy name in this example is Leaked-Credential-Check. There are two Virtual Servers attached to this policy, vs_arcadia.emea.f5se.com_II and vs_Hackazon_IV.

LCC is configured from Security > Cloud Services > Cloud Security Services Applications.

Click the name of the Cloud Security Application, f5-credential-stuffing-cloud-app in this example.

Note: if the application has not been created yet, click the Create button on the right.

Give it a name if creating a new app. Set the Service Type to Blackfish Credential Stuffing Service. Enter your API Key ID and Secret. Specify the Endpoint, f5-credential-stuffing-blackfish in this example.

Click Save when done.

LCC is enabled in Security > Application Security > Brute Force Attack Prevention.

Check the box to Enable Detection.

Under Action, choose one of the following mitigation actions:

  • Alarm: report the Leaked Credentials Detection violation in the Event Log.
  • Alarm and Blocking Page: report the Leaked Credentials Detection violation in the Event Log and send the Blocking Response Page.
  • Alarm and Honeypot Page: report the Leaked Credentials Detection violation in the Event Log and send the Honeypot Response Page.
  • Alarm and Leaked Credentials Page: report the Leaked Credentials Detection violation in the Event Log and send the Leaked Credentials Page.

Select Learning and Blocking Settings to configure them.

For Sessions and Logins set Leaked Credentials Detection to Alarm and Block.

The Honeypot Page and Leaked Credentials Page can be configured from Security > Application Security > Security Policies > Policies List.

Select the Leaked-Credential-Check Policy.

Select Response and Blocking Pages on the left.

Scroll down; the Failed Login Honeypot response and the Leaked Credentials response can be configured here.

Test Leaked Credentials Detection

Attempt to log in to your web application using known leaked credentials. In this example we'll use "HACKAZON". Click the Sign In link near the top on the right.

Attempt to log in using the following:

Username: demo33@fidnet.com
Password: mountainman01

The login should fail.

Try to log in with the following credentials:

Username: admin
Password: 12345678

Check the BIG-IP Event Log

From the Configuration Utility go to Security > Event Logs > Application > Requests.

Two requests at the top of the list look important.

Select the first one. Here we can see details about the request. As suspected, the violation was due to the Leaked Credentials Detection policy.

Scroll down under Request and you can see the username and password that triggered the violation.

Now select the second one. As you can see, this violation was triggered by the login attempt with the username "demo33@fidnet.com".
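Beyond reading single entries in the GUI, a SecOps team usually wants the Leaked Credentials Detection violations rolled up per account and per source so the mitigations listed in the Summary (forced MFA, password reset, alerting) can be applied. The following is an added example, not part of the original article or any F5 tooling: it parses constructed key="value" log entries (the field names and layout are assumptions, not the real BIG-IP remote-logging format) and drops the submitted password before anything is reported.

```python
import re
from collections import defaultdict

# Constructed sample entries for this example (not real BIG-IP output).
# The key="value" layout and field names are assumptions made here.
SAMPLE_LOG = '''
date_time="2021-11-24 09:10:01",ip_client="203.0.113.10",username="demo33@fidnet.com",password="mountainman01",violations="Leaked Credentials Detection",request_status="blocked",uri="/user/login"
date_time="2021-11-24 09:10:07",ip_client="203.0.113.10",username="admin",password="12345678",violations="Leaked Credentials Detection",request_status="blocked",uri="/user/login"
date_time="2021-11-24 09:10:09",ip_client="198.51.100.7",username="alice",password="notleaked",violations="",request_status="passed",uri="/user/login"
date_time="2021-11-24 09:11:30",ip_client="203.0.113.10",username="demo33@fidnet.com",password="mountainman01",violations="Leaked Credentials Detection",request_status="alarmed",uri="/user/login"
'''

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Violation name exactly as it appears in the BIG-IP Event Log in the article.
LCC_VIOLATION = "Leaked Credentials Detection"


def parse_entry(line):
    """Split one log line into a dict, discarding the password field so the
    submitted secret never leaves the log and ends up in a ticket or report."""
    fields = dict(FIELD_RE.findall(line))
    fields.pop("password", None)
    return fields


def lcc_events(log_text):
    """Return only the entries carrying the Leaked Credentials Detection violation."""
    entries = (parse_entry(l) for l in log_text.strip().splitlines() if l.strip())
    return [e for e in entries if LCC_VIOLATION in e.get("violations", "")]


def summarize(log_text):
    """Count leaked-credential logins per account and per client IP, and list the
    accounts SecOps should follow up on (reset password / require MFA)."""
    by_user = defaultdict(int)
    by_ip = defaultdict(int)
    for e in lcc_events(log_text):
        by_user[e["username"]] += 1
        by_ip[e["ip_client"]] += 1
    return {"accounts": dict(by_user),
            "sources": dict(by_ip),
            "follow_up": sorted(by_user)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The same roll-up can be fed from a remote logging profile export; whatever the real field names are, keep the password-dropping step, since the Event Log (as shown above) records the full submitted credentials.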

Conclusion

Congratulations! You have successfully configured and tested Leaked Credential Check.

Last update: 24-Nov-2021 09:28