As people embraced the Internet as a part of their daily lives, businesses all over the world discovered an easier way to reach a large customer base that is not restricted by geographical boundaries.
While that is important, it has also provided an open platform for malicious users to look for potential security loopholes in order to break into the system and cause severe damage.
As a result, safeguarding business applications from such malicious user events is extremely critical.
F5 Distributed Cloud WAAP (Web Application and API Security) offers an AI/ML-based solution for monitoring such security events as well as the means to mitigate them.
In this series of articles, we will demonstrate enabling, configuring, monitoring, and mitigating malicious users using the F5 Distributed Cloud console.
There are two ways to enable malicious user detection:
Using Single Load Balancer ML Configuration:
In this mechanism, detection is enabled as part of the load balancer configuration and is only applicable to the load balancer on which it is configured.
Using Multi Load Balancer ML Configuration:
In this mechanism, detection is enabled as part of the app type configuration and is valid for all LBs configured with the same app type label.
In both cases, detection depends on the ML configuration derived from the app settings object. The difference is that with the single load balancer ML config the values are not configurable and are set to defaults, whereas with the multi load balancer ML config the values can be tuned as needed.
Once malicious user events have been identified, the next stage is to prioritize mitigation. The following are two ways of mitigating detected malicious user events:
Using Load Balancer Security Monitoring
This is a manual way of configuring mitigation in which malicious user IPs are added to the allow/deny list.
Using Load Balancer Advanced Security Configuration
This is an automatic way of enabling mitigation in which the platform applies the configured mitigation action for each threat level.
The default identifier used to address malicious user events is the client IP address. In the ever-evolving world of attacks, spoofing an identity is not difficult, so uniquely identifying a user calls for additional identification mechanisms. With that in mind, the F5 Distributed Cloud console also lets you configure other identification parameters: cookie name, header name, query parameter, ASN, TLS fingerprint, and the combinations IP + header name and IP + TLS fingerprint.
In this demonstration, we will generate XSS attacks, configure a WAF rule with the enforcement mode set to monitoring, and configure mitigation actions for the medium and high threat levels.
Step 1: Enable malicious user detection using the Single Load Balancer ML config as mentioned in the document.
Step 2: Create an app firewall and add it to the Load Balancer.
Step 3: Configure mitigation actions.
Step 4: Add the WAF policy and malicious user mitigation settings to the LB.
Step 5: Generate an XSS attack (20+ requests in a minute), e.g., https://<domain>?a=<script>
Step 6: Monitor the security events.
In this scenario, customers can block attackers in real time with a very low risk of false positives, since actions are taken based on user behavior observed over time.
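As an added illustration of the behavior described above (example code, not from the F5 article or the platform), the Python sketch below scores constructed WAF events per user identifier over a sliding one-minute window, maps the peak count to a threat level and mitigation action, and shows why an IP + header identifier avoids acting on a well-behaved client that shares the attacker's IP. The thresholds, action names, identifier labels and all sample data are assumptions for the demo, not F5 defaults.

```python
from collections import defaultdict, deque

# Constructed sample events, not real traffic: (t_seconds, client_ip, header_value, tls_fp, waf_violation)
def build_events():
    events = []
    for i in range(22):   # 22 XSS attempts inside one minute (Step 5: 20+ requests/min)
        events.append((i * 2, "203.0.113.10", "app-A", "fp-1111", True))
    for i in range(5):    # well-behaved client behind the same NAT IP, different header and TLS fingerprint
        events.append((i * 10, "203.0.113.10", "app-B", "fp-2222", False))
    for i in range(7):    # noisier client: 7 violations in a minute
        events.append((i * 8, "192.0.2.44", "app-D", "fp-4444", True))
    events.append((30, "198.51.100.7", "app-C", "fp-3333", True))  # single hit, plausible false positive
    return events

# Event fields that make up the malicious-user identifier (mirrors the console options)
IDENTIFIER_FIELDS = {
    "ip": (1,), "header": (2,), "tls_fingerprint": (3,),
    "ip_header": (1, 2), "ip_tls_fingerprint": (1, 3),
}
# Assumed thresholds and actions for this demo (illustrative, not F5's defaults)
THRESHOLDS = [(20, "high"), (5, "medium")]
ACTIONS = {"high": "block", "medium": "javascript_challenge"}

def threat_level(peak):
    # Highest threshold first; None means the user stays unflagged
    for minimum, level in THRESHOLDS:
        if peak >= minimum:
            return level
    return None

def evaluate(events, identifier="ip", window_s=60):
    """Peak WAF violations per identifier in any sliding window -> {key: (level, action)}."""
    fields = IDENTIFIER_FIELDS[identifier]
    windows, peaks = defaultdict(deque), defaultdict(int)
    for ev in sorted(events, key=lambda e: e[0]):
        if not ev[4]:          # only WAF violations count toward the score
            continue
        key = tuple(ev[i] for i in fields)
        q = windows[key]
        q.append(ev[0])
        while ev[0] - q[0] >= window_s:   # drop hits that fell out of the window
            q.popleft()
        peaks[key] = max(peaks[key], len(q))
    return {k: (lvl, ACTIONS[lvl]) for k, p in peaks.items() if (lvl := threat_level(p))}

def collateral(events, flagged, identifier):
    """Distinct clients (ip, header, tls_fp) the mitigation would act on under this identifier."""
    fields = IDENTIFIER_FIELDS[identifier]
    return sorted({ev[1:4] for ev in events if tuple(ev[i] for i in fields) in flagged})
```

With the plain "ip" identifier the block lands on every client behind 203.0.113.10, including the clean "app-B" session; switching to "ip_header" flags only the attacking session.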
In this article, we discussed how to enable malicious user detection and mitigation and how you can block attackers with a very low risk of false positives. In future articles, we will discuss other scenarios, so please stay tuned.