Leveraging Intelligence to Protect against Real-World Attacks (with Zero Effort)

Joel Cohen
Published December 14, 2022

Attacks on web applications vary significantly in methods and goals. They range from opportunistic scan-based attacks to targeted and sophisticated campaigns, and the attackers range from script kiddies to well-backed hacker organizations. Such a wide spectrum of attacks requires a comprehensive set of security tools that can be layered to provide solid security, not entirely dissimilar to how a hut roof protects against rain. The now standard WAF-staple protections, signatures, and rules do a great job of stopping a big part of the “rain.” However, they are at a disadvantage against sophisticated, and even targeted, attack campaigns. According to F5 Labs research, approximately three critical vulnerabilities are released each day, which makes it impossible for organizations to catch up.

Attack campaigns are coordinated and planned threat activities and exploits with defined objectives over a period of time, usually against specific targets. Targets are not only named organizations but could be web infrastructure types too.

Campaigns are hard to detect and mitigate, for two main reasons: either they are cleverly designed to evade the usual WAF rules and signatures, or detecting them requires configuring comprehensive and coarse security policies that might generate false positives, overwhelming the security team and risking that the attack goes unnoticed in the haystack.

Maybe this is not news to many of you, and it might be why you are reading this post, looking for a solution. F5’s Threat Campaigns is one such solution, and we’ll explain how it works here.

F5 Threat Campaigns is an intelligence service that accurately detects and blocks current and ongoing attack campaigns with virtually zero false positives. It leverages a team of security experts dedicated to finding, analyzing, and dissecting real ongoing attacks in the wild, with a tool arsenal that includes, among others, a worldwide network of honeypots constantly attacked and targeted by threat actors.

F5 Threat Campaigns provides you fast and preemptive protection against current ongoing attack campaigns before they reach your enterprise. Using F5 Threat Campaigns is easy and requires only turning it on without additional configuration. The intelligence service provides rich context about the nature and purpose of the threat campaign. It will automatically be updated with the latest campaigns released by F5.

F5 Threat Campaigns is a subscription add-on to F5 BIG-IP Advanced WAF and is included with F5 Distributed Cloud WAF and F5 NGINX App Protect WAF. 

Each provision of F5 Threat Campaigns is created explicitly for one attack campaign detected in the wild, as carried out by a cyber adversary. This is different from a broad signature approach that might, for example, try to detect multiple vulnerabilities and exploits in a generic way.

This focus on specific campaigns eliminates the likelihood of false positive detections while providing low-maintenance protection against real ongoing attacks. Additionally, thanks to the low risk associated with false positives and the accuracy of the campaign, F5’s release cycle for new campaign entries is quick, leading to a short time between detection in the wild and the point at which customers are protected against the attack.

F5 Threat Campaigns provides additional insights about the nature of the attack campaign, what it tries to do, the risk it poses to applications, and the attacking actor’s intent. This helps security operators better understand what might attack them, how and by whom, and assess risks.

It is essential to understand that F5 Threat Campaigns is not intended to detect a single or random attack. Instead, it is focused on real-world attacks that are usually detected in volumes, which means more widespread risks to users. An example of a single or random attack could be when a single attacker executes an injection on one site or when a pen-tester tries a CVE that could be exploited in theory but has never been used in a real attack.

That’s why an intelligence service like F5 Threat Campaigns is complementary to other WAF protections, like signatures, and not a replacement. It is an additional layer providing specific protection against real-world attacks without false positives and without any tuning needed. By layering security solutions like Threat Campaigns, F5 can provide solid security for your application that covers the gaps that attackers could otherwise get through.

Earlier this year, the F5 Threat Campaigns world map was released to give enterprises greater visibility into cyberattack campaigns. In a blog post, Navpreet Gill notes that “F5 Threat Campaigns world map…helps provide greater visibility into cyberattack campaigns with insight and telemetry presented together.”

Please reach out to your Channel Partner or F5 Account Manager for more info on how to add a subscription for F5 Threat Campaigns to your BIG-IP Advanced WAF or to begin using F5 Threat Campaigns on your F5 Distributed Cloud WAF or NGINX App Protect WAF solution today.