Blog

automated attack groups

Quickly Protect Your Website with Automatically Updated WAF Policies

October 10, 2018 · by Hans Cathcart ·

Stopping Attacks, Not Just Chasing CVEs

For years, the traditional model for protecting a Web application was to find every common vulnerability and exposure (CVE) relevant to your platform’s applications and to enable hundreds of individual rules to protect for specific exploits. Most on-premise web application firewalls (WAFs) still operate like this. With today’s rapid application release cycles, that’s no longer a scalable approach for many websites.

In the 10 years that Akamai has been pioneering cloud-based security solutions and application firewalls, we’ve demonstrated that a much more scalable, not to mention high-performing, approach is to be smarter about detecting attack payloads.

The Kona Rule Set (KRS) started us down this path by combining risk-scoring and payload detection with traditional CVE-protecting rules. For your mission-critical applications, KRS is still the industry leading solution, and Akamai continues to invest heavily in its development and innovations. Manually updating individual firewall rules is not always scalable, however, particularly for organizations that can’t invest in continuous policy evaluations and security releases.

Automated Attack Groups focuses on a high rate of precision to ensure that the attack payloads which are detected, and subsequently blocked, are indeed malicious. By better identifying attack payloads, which we can do by evaluating changing attack patterns targeting Internet web sites, as well as quickly updating Automated Attack Groups, allows you to take a mostly hands-off approach to security policy management. Firewall policies configured with the Kona Rule Set, comparably allow security teams to push the envelope on detecting new or low probability threats that carry a higher risk of false positives.

The (use) Cases for a New Protection Paradigm

  • Your marketing director has just informed you that she’s launching a new website tomorrow. While your content team has quickly on-boarded the cloud origin and set up the Akamai delivery configuration to handle the anticipated traffic spike, your security team is busy responding to a change in bot behavior targeting your critical transactional site. Do you dare launch the new site without DDoS and application-layer protections?
     
  • A business acquisition is about to complete and your security team has been asked to provide web security to more than a hundred applications within 10 days, for a software architecture that you don’t yet fully understand. Your integration team says they can automate the Akamai performance and delivery components via the Akamai APIs, but your security team is skeptical they can conduct several dozen Web Application Firewall (WAF) tuning sessions in that time frame. Do you skip a Kona Site Defender integration?
     
  • The Bot Manager integration is providing immense value to your business and you’ve started integrating Kona’s rate-control protections to defend against DDoS attacks, but you don’t have any experience at managing WAF rules. Yet you’d like to protect your application from data theft. What do you do?

Kona Site Defender WAF Security Controls with Automated Attack Groups

For these, and numerous other use cases, we developed Automated Attack Groups, a quick-to-deploy WAF rule-set that is continuously updated and improved by Akamai’s threat researchers. You select the protection categories and response action you’d like to apply to your site from eight easy to understand attack groups, and Akamai automatically updates protections as new exploits are discovered.

Kona Site Defender

How to Safely Enable Automated Attack Groups

We’ve conducted extensive testing to ensure that nearly every application could have Automated Attack Groups enabled in Deny mode from the start without causing false-positive security triggers. If you want to be extra cautious, you can initially deploy the Automated Attack Groups in Alert mode, and our new Web Security Analytics tool makes it easy to quickly identify any issues, allowing you to switch the groups to Deny mode within a few hours.

Exception Handling

Perhaps your web site asks trusted users to submit sample SQLi or XSS attack payloads via a submission form. Yes, we’ve seen such applications. Automated Attack Groups will stop those “valid” requests. For this reason, Automated Attack Groups includes an extensive exception-handling system which you can customize for each Automated Attack Group.

Protected

 

Protected and selected.

What’s So Automated About It?

If you recall the numerous Struts vulnerabilities that were announced in the past 12 months,  Akamai customers who protected their sites with our new attack groups received timely protection.  They never had to enable a new WAF rule, deploy a new policy, or schedule an update to their firewall configuration – Akamai applied the changes to their policies automatically.  

In several cases, our teams had early knowledge of vulnerabilities and we were able to test and validate protections to ensure no false-positives were introduced across the customer base.  In addition, the default attack detection logic caught a number of the 0-Day command injection attacks.

Kona customers who had a KRS rule-set enabled were also provided with the appropriate Struts protection rules at the time of disclosure, but customers then had to schedule a time to update their security configurations, whereas attack group-protected sites were already done.

But You’re Updating a Security Policy Without My Change Management Process?

Automated Attack Groups enable you to have the latest protections without manual intervention, and when you opt in to using Automated Attack Groups, you are consenting to automatic updates. This approach to policy management does not intend to replace the flexibility, configurability and control available with Kona Rule Set policies, and we expect the majority of Kona customers to continue to use KRS policies for their most mission-critical sites, while also using Automated Attack Groups for sites where this policy approach is appropriate.

Is This Managed Kona?

No. When Akamai’s threat researchers update Automated Attack Groups, they do so across the entire Akamai customer-base, changes are tested, validated and deployed simultaneously across all accounts. Managed Kona provides access to security experts within our SOC and security services organization to help customers manage Kona policies and work to address and respond to individual attack events.

How Polished Are Automated Attack Groups, Can I Trust Them Now?

The technology in Automated Attack Groups evolved out of the Kona Rule Set that has been integral to Kona for many years, and Akamai successfully protected hundreds of web sites with this specific security policy approach in our Web Application Protector product. It has served these customers very well, providing comprehensive protection with minimal operational effort.  Now with additional improvements in configurability and API protection we are very happy to introduce Automated Attack Groups to Kona Site Defender.

How Do I Get My Hands On This?

Starting mid-October, we will be introducing Automated Attack Groups to interested Kona Site Defender customers. If you’d like to explore this functionality, please contact your Akamai account representative.

Is this the End for the Kona Rule Set?

Certainly not. The threat landscape is continuously changing and our security researchers are committed to curating both the Kona Rule Set and Automated Attack Groups to always provide the best cloud-based WAF protection capabilities possible for your web sites and APIs.