Thwart Attacks and Pay it Forward: F5’s Security Incident Response is on the House

Most attackers aren’t after you. At least, not at first. They generally employ an extremely broad approach before targeting organizations that demonstrate the specific vulnerability they’re trying to exploit. Unless you’re a particularly high value target (think financial, large retail, or government), it’s not about you. You probably just happen to have the sought-after weakness—which admittedly isn’t much comfort when under attack.

Zooming out then, attackers are typically looking for the same kinds of things across the board, making knowledge-sharing highly beneficial in theory. However, this usually falls apart in practice as most organizations don’t have a mechanism in place to either a) incorporate lessons from the industry’s previous security events or b) flag their experiences in an anonymous way so that others might avoid the same missteps. Accordingly, information about current attack campaigns exploiting new (or known) vulnerabilities in the wild doesn’t reach as far as it should, and we consistently see breach-related headlines that stem from the same underlying vulnerabilities and exploits. As an example, in 2017 how many WannaCry victims were running EOL / unsupported software that was widely documented as problematic? The answer: a lot.

To be fair, much of this is understandable in context. Providing information for the larger community is not the first thing on a security professional’s mind while under attack, possibly breached, and dealing with the pressure of emergency incident response—and simultaneously under the microscope of a legal department doing its best to contain information regarding the incident until facts are determined. Assuming you’re not experiencing a crushing amount of stress and are still feeling sufficiently altruistic, hypothetically what could you even do that might help the surrounding industry? Sharing discovered files with VirusTotal could be an option, but you likely wouldn’t be able to do much more than leave it there before going back to the more urgent task of protecting your organization (and perhaps more acutely, your job). Ideally, you’d like a team of skilled reinforcements ready and able to rapidly assist you in responding to the crisis. Dedicated professionals who can analyze the information, provide immediate mitigation guidance, and then help you (and your fellow netizens) better prepare the network to fend off any future attacks.

Back to Business

Enter F5. If you’re a customer, complimentary (yes, FREE) emergency incident response assistance comes with your support contract. This not only sets you up to get the help you need at the most crucial moments, but also provides a path to analyze, aggregate, and abstract the experiences of multiple organizations to the betterment of the larger group. If facing an imminent threat, a simple phone call to F5 technical support explaining that you are experiencing a security event will route you directly to the F5 Security Incident Response Team (SIRT). This global team comprises security engineers (supporting over a dozen languages) with extensive incident response experience, available 24x7x365. And while they will certainly circle back to the relevant broader security topics to better prepare for future events, the main goal of the F5 SIRT is help you stop the bleeding and give you time to develop a longer-term mitigation solution for your business.

F5 SIRT global personnel can also draw from an extensive selection of mitigation options made possible by F5 products or offerings in customer environments such as Advanced WAF (including Proactive Bot Defense, CAPTCHA, and more), AFM, IP Intelligence (IPI), GeoIP, various brute force protection options, and several other options; they can also engage F5’s Silverline team or recommend added cloud-based DDoS or WAF protection when appropriate. In applicable cases, these and other solutions are available through F5 Sales.

The SIRT team is particularly skilled with F5’s programmable iRules, which are developed and deployed quickly to modify traffic flows. How quickly? While the complexity of the issue will always come into play, customizable iRules can be prepared within minutes and deployed by the customer within hours (following proper emergency change control procedures, of course).

Let’s walk through a quick example: An F5 customer was experiencing a brute force attack against RDP servers fronted by an F5 device. The servers were open to the Internet and needed to be accessible to support their business, but only for a specific set of network ranges. To mitigate the attack, an iRule was developed with F5 SIRT that used a data group as a means to check the client IP against a set of “known and trusted” external networks, and to drop any traffic not originating from one of those. This cleanly mitigated the attack and improved the customer’s security posture. Moreover, this approach maintained the ability to add or remove networks from the trusted list—with the customer able to configure specific data groups in the GUI—to ward off similar attacks in the future.

Back to the Community

If, during the course of an incident investigation, pertinent details are discovered such as a new exploit, campaign, malware, or vulnerability that hasn’t been seen in the wild before or isn’t particularly well understood, the F5 SIRT can access a network of teams across the company for additional perspective. This approach effectively pools the knowledge of F5’s threat researchers, security product developers, and other experts to analyze the findings and offer enhanced remediation going forward. If a particular element is suitable to publish in benefitting the broader industry, no details are released regarding specific customers or particular incidents. Details are limited to discovery and behavior of a particular threat—as we did with PyCryptoMiner—along with general guidance as applicable. 

You can better protect and manage your infrastructure knowing that teams of F5 experts are waiting to assist—and that there’s not going to be a mountain of red tape and paperwork between you and the help you need if under attack. Beyond this, there is also the benefit of knowing that other customers won’t have to suffer the same fate, and indeed, that your organization too will be safer over time due to this approach of sharing invaluable knowledge.

So, what’s in it for F5? Obviously, we want companies up and running, successfully and securely conducting business; customer success fuels F5’s success. Furthermore, we recognize that security events don’t just impact the targeted entity, there is often a ripple effect for their customers and partners, and sometimes far beyond. (To illustrate, users often use the same or similar passwords for multiple sites, greatly increasing the scope of a security incident – e.g., Sony and Yahoo’s users were found to use the same passwords for both accounts 59% of the time.) Without dipping too much into hyperbole, this ripple effect can impact everyone doing business on the Internet. (Another aside: Research indicates that there are an average of three compromised records for each user online today.)

We—as in, the industry—can get better at dealing with the underlying issues that are making systems vulnerable by creating opportunities to share pertinent attack details and key learnings. With the F5 SIRT, that starts by positioning customers to advantageously contribute to the greater good while improving their own standing as well.

For more information and to contact the F5 Security Incident Response Team (SIRT), please visit their webpage.