Many organizations are concerned about their security posture and readiness for a cyberattack in the current geopolitical climate. Imperva customers have access to our network, application, data, and security products, and Imperva Threat Research closely monitors the attack landscape for new threats, vulnerabilities and attacks. This post discusses proactive measures that can improve the effectiveness and efficiency of Imperva Web Application Firewall (WAF) deployments.
Imperva Threat Research recently observed a tenfold spike in infrastructure-level DDoS activity designed to disrupt critical business services and applications. We are also seeing a sharp rise in API and application attacks aimed at injecting malware, moving laterally and exfiltrating data. Attackers are targeting all industries, with a focus on banking, telecommunications providers and government.
These recommendations are intended to help customers navigate this uncertain time.
Use Attack Analytics for Security Monitoring and Response
Keeping up with the fast-changing attack landscape and hunting down emerging threats is difficult. Imperva Attack Analytics aggregates individual security events into incidents and attack narratives, letting security analysts and researchers examine incidents more closely, identify the attack tools used and the CVEs targeted, and assess the security posture of WAF configurations and rules in real time.
Complete DNS Onboarding
Incorrect or incomplete DNS configuration can prevent traffic from reaching its destination, or leave it routed around the WAF entirely. For each protected web application or API, verify that the DNS records (A records and CNAMEs) are configured exactly as shown in the security console.
Configure Web Application & API DDoS Thresholds
Imperva protects web applications and APIs from DDoS attacks. Any customer can set a DDoS threshold in the security console, and Imperva also generates a recommended threshold from the last 30 days of traffic. Because traffic patterns change frequently and the worldwide threat level is elevated, review this threshold regularly rather than setting it once.
Detect and Prevent the Most Common Attack Types
Customers can configure Imperva WAF to block broad classes of attacks such as SQL injection, Cross-Site Scripting (XSS), Remote File Inclusion (RFI), Illegal Resource Access and many more. Unless a capability conflicts with the business logic of an application or API, we recommend turning all of them on in block mode, not merely alert mode. Run a newly enabled capability in alert mode against live traffic first, so that false positives surface before blocking is switched on.
Constrain Access to the Origin Server
Imperva recommends that all customers change their ingress rules to allow traffic only from Imperva IP addresses. Attackers who want to reach the underlying infrastructure or the application then have to go through Imperva WAF instead of connecting to the origin directly. This is an easy way to prevent malicious users from accessing and disrupting a website. You can find the latest IP address ranges in the Imperva Documentation Portal.
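One way to implement this lockdown on a Linux origin host, as an added example that is not part of the original post and not Imperva tooling: the script below takes a list of WAF CIDRs, collapses adjacent blocks, emits iptables/ip6tables rules that accept only those sources on ports 80 and 443, and exposes an `is_allowed` check that is handy when reviewing connection logs. The CIDRs in it are constructed placeholders from the documentation address ranges, not Imperva's real list; substitute the current ranges from the Documentation Portal.

```python
"""Lock an origin's HTTP/HTTPS ingress to a WAF provider's published ranges.

Added illustration, not Imperva code. The CIDRs below are CONSTRUCTED from
RFC 5737 / RFC 3849 documentation space; replace them with the provider's
current list (for Imperva, from the Documentation Portal) before use.
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed placeholder ranges, NOT Imperva's real ranges.
WAF_RANGES = [
    "192.0.2.0/24",
    "198.51.100.0/25",
    "198.51.100.128/25",  # adjacent to the block above; collapses into a /24
    "2001:db8:1::/48",
]


def load_networks(cidrs: Iterable[str]) -> List[Network]:
    """Parse CIDRs strictly and collapse adjacent/overlapping blocks per family."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def is_allowed(src_ip: str, networks: List[Network]) -> bool:
    """True if the connection source falls inside one of the allowed ranges."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in n for n in networks if n.version == ip.version)


def iptables_rules(networks: List[Network], ports=(80, 443)) -> List[str]:
    """Emit a dedicated chain that accepts the WAF ranges on the web ports and
    drops everyone else on those ports. Other ports (e.g. SSH) are untouched.
    The chain is flushed and rebuilt on re-run so the list can be refreshed."""
    rules: List[str] = []
    for version, tool in ((4, "iptables"), (6, "ip6tables")):
        rules.append(f"{tool} -N WAF_ONLY 2>/dev/null || {tool} -F WAF_ONLY")
        for net in networks:
            if net.version != version:
                continue
            for port in ports:
                rules.append(
                    f"{tool} -A WAF_ONLY -p tcp -s {net} --dport {port} -j ACCEPT"
                )
        for port in ports:
            rules.append(f"{tool} -A WAF_ONLY -p tcp --dport {port} -j DROP")
        # -C tests whether the jump already exists so re-runs do not duplicate it
        rules.append(
            f"{tool} -C INPUT -j WAF_ONLY 2>/dev/null || {tool} -I INPUT -j WAF_ONLY"
        )
    return rules


if __name__ == "__main__":
    nets = load_networks(WAF_RANGES)
    print("\n".join(iptables_rules(nets)))
    for probe in ("198.51.100.200", "203.0.113.5", "2001:db8:1::10"):
        print(probe, "allowed" if is_allowed(probe, nets) else "blocked")
```

Regenerate the rules whenever the provider's range list changes, and apply the same allowlist in cloud security groups or load-balancer ACLs where the host firewall is not the outer boundary. Once this is in place the origin sees the WAF's address as the TCP source, so application logs and rate limits must take the client address from the header the WAF sets, not from the socket.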
Implement Geo-Blocking and Use Threat Intelligence Rulesets
Customers should examine where end-user traffic originates and how those patterns shift during periods of high activity, and block traffic from countries in which they neither expect visitors nor transact business.
Customers can create geo-blocks using policies or rules:
- Policies: Imperva customers can use high-level policies to block URLs, countries, and IP addresses. These policies can be applied at the customer's discretion to specific web applications or API assets.
- Rules: Imperva customers can create more advanced geo-blocking rules, with access to additional response actions such as honeypotting, session blocking and data center forwarding. Imperva Threat Research also maintains IP-reputation lists aimed at specific geo-targeted attack campaigns; these lists can be referenced from security rules. Contact Imperva Customer Support for details.
Enforce API Schemas
Imperva API Security allows customers to implement a positive security model, which ensures that every request to an API endpoint complies with its schema (URL and method, parameters, and so on).
Customers can either upload an OpenAPI Specification (e.g. Swagger) or have one generated from observed API activity. Schemas can be visualized in a table view, and specific controls can be configured for each endpoint.
Attackers now specifically target misconfigured APIs, since APIs often sit directly in front of data stores. Fuzzing an API protected by a positive security model is likely to fail, because any request that deviates from the schema is rejected before it reaches the application.
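The positive model described above, as an added example that is not Imperva's API Security engine and not code from the original post: a small gate that reads a trimmed OpenAPI-style document and rejects any request whose path, method or parameters are not declared, or whose values violate the declared constraints. The spec, the `Request` type and the fuzz probes are constructed for the example; a real deployment would load the application's own OpenAPI file. It goes slightly beyond the text by showing why each typical fuzzing probe (undeclared method, extra parameter, non-integer path id, oversized value) is stopped at the schema rather than reaching application code.

```python
"""Positive security model for an API, driven by an OpenAPI-style schema.
Added illustration, not Imperva's API Security engine. The spec and the
fuzz probes are CONSTRUCTED for the example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed, trimmed OpenAPI 3 document: only the fields the gate needs.
OPENAPI_SPEC = {
    "paths": {
        "/users/{id}": {
            "get": {"parameters": [
                {"name": "id", "in": "path", "required": True,
                 "schema": {"type": "integer"}},
                {"name": "fields", "in": "query", "required": False,
                 "schema": {"type": "string", "pattern": "^[a-z,]{1,64}$"}},
            ]},
        },
        "/search": {
            "get": {"parameters": [
                {"name": "q", "in": "query", "required": True,
                 "schema": {"type": "string", "maxLength": 64}},
            ]},
        },
    }
}


@dataclass
class Request:
    method: str
    path: str
    query: Dict[str, str] = field(default_factory=dict)


class SchemaGate:
    """Allow a request only if path, method and every parameter are declared
    in the schema and each value satisfies its declared constraints."""

    def __init__(self, spec: dict):
        self.routes = []
        for template, ops in spec["paths"].items():
            # "/users/{id}" -> "^/users/(?P<id>[^/]+)$"
            pattern = re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template)
            self.routes.append((re.compile(f"^{pattern}$"),
                                {m.lower(): op for m, op in ops.items()}))

    @staticmethod
    def _valid(value: str, schema: dict) -> bool:
        kind = schema.get("type", "string")
        if kind == "integer":
            return re.fullmatch(r"-?\d+", value) is not None
        if kind == "string":
            if len(value) > schema.get("maxLength", 10 ** 9):
                return False
            pat = schema.get("pattern")
            return pat is None or re.fullmatch(pat, value) is not None
        return False  # unsupported type: fail closed

    def check(self, req: Request) -> Tuple[bool, str]:
        for regex, ops in self.routes:
            match = regex.match(req.path)
            if match:
                break
        else:
            return False, "undeclared path"
        op = ops.get(req.method.lower())
        if op is None:
            return False, "undeclared method"
        declared = {(p["in"], p["name"]): p for p in op.get("parameters", [])}
        for name, value in match.groupdict().items():
            p = declared.get(("path", name))
            if p is None or not self._valid(value, p["schema"]):
                return False, f"bad path parameter {name}"
        for name, value in req.query.items():  # anything undeclared is rejected
            p = declared.get(("query", name))
            if p is None:
                return False, f"undeclared query parameter {name}"
            if not self._valid(value, p["schema"]):
                return False, f"invalid value for {name}"
        for (where, name), p in declared.items():
            if where == "query" and p.get("required") and name not in req.query:
                return False, f"missing required parameter {name}"
        return True, "ok"


# Constructed probes of the kind a fuzzer sends; none of them match the schema.
FUZZ_PROBES = [
    Request("GET", "/users/1 OR 1=1"),                               # non-integer id
    Request("GET", "/users/1", {"fields": "name", "admin": "true"}),  # extra param
    Request("PUT", "/users/1"),                                      # undeclared method
    Request("GET", "/users/../etc/passwd"),                          # no such route
    Request("GET", "/search", {"q": "<script>" * 20}),               # over maxLength
]


def rejected_count(gate: "SchemaGate", probes: List[Request]) -> int:
    return sum(1 for p in probes if not gate.check(p)[0])
```

The gate fails closed on anything it does not understand (an unknown schema type, an undeclared parameter), which is the property that makes fuzzing unproductive: the attacker cannot discover behaviour in endpoints or parameters the schema never mentions. The cost is that the schema must be kept current, otherwise a legitimate new endpoint is blocked the same way.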
Prevent Online Fraud
Imperva Threat Research is observing a rise in large-scale credential stuffing. To reduce the risk of online fraud, enable Imperva Account Takeover protection.
The product monitors repeated login attempts, successes and failures against specific applications. Imperva Threat Research also maintains a database of leaked credentials, which is used to correlate attacks on web applications with that data.
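The detection logic described above, as an added example that is not Imperva's Account Takeover product and not code from the original post: a detector that reads authentication log lines, groups them by source address, and flags a source that tries many distinct accounts inside a short window with a high failure rate. The log format, the sample lines and the stand-in "leaked credentials" set are constructed for the example; the distinct-account count is what separates stuffing from one user retrying a mistyped password.

```python
"""Credential-stuffing detector over authentication logs.

Added illustration, not Imperva's Account Takeover product. The log line
format, the sample lines and the leaked-credential set are CONSTRUCTED.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one source sprays six accounts in seconds (one hits),
# one legitimate user mistypes a password twice, one source probes two accounts.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2024-03-01T10:00:02Z ip=203.0.113.7 user=bob result=fail
2024-03-01T10:00:02Z ip=203.0.113.7 user=carol result=fail
2024-03-01T10:00:03Z ip=203.0.113.7 user=dave result=fail
2024-03-01T10:00:04Z ip=203.0.113.7 user=erin result=ok
2024-03-01T10:00:05Z ip=203.0.113.7 user=frank result=fail
2024-03-01T10:00:10Z ip=198.51.100.9 user=bob result=fail
2024-03-01T10:00:25Z ip=198.51.100.9 user=bob result=fail
2024-03-01T10:00:40Z ip=198.51.100.9 user=bob result=ok
2024-03-01T10:01:00Z ip=192.0.2.33 user=alice result=fail
2024-03-01T10:01:05Z ip=192.0.2.33 user=gina result=fail
"""

# Constructed stand-in for a breach corpus (real ones hold credential hashes).
KNOWN_LEAKED_USERS = {"alice", "carol", "erin", "zed"}


def parse(lines: Iterable[str]) -> List[dict]:
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"], "user": m["user"], "ok": m["result"] == "ok",
        })
    return events


def detect_stuffing(events: List[dict], window=timedelta(minutes=5),
                    min_users: int = 5, min_fail_ratio: float = 0.8,
                    leaked=KNOWN_LEAKED_USERS) -> Dict[str, dict]:
    """Flag a source IP when, inside any sliding window, it tries at least
    min_users distinct accounts and most of the attempts fail."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            if len(users) < min_users or fails / len(win) < min_fail_ratio:
                continue
            if ip not in findings or len(users) > findings[ip]["distinct_users"]:
                findings[ip] = {
                    "distinct_users": len(users), "attempts": len(win),
                    "failures": fails,
                    # accounts that authenticated during the spray: treat as
                    # taken over (force a reset and revoke sessions)
                    "successes": sorted(e["user"] for e in win if e["ok"]),
                    "leaked_users_hit": len(users & leaked),
                }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_stuffing(parse(SAMPLE_LOG.splitlines())).items():
        print(ip, finding)
```

The `successes` field is the actionable part: an account that authenticated in the middle of a spray from the same source is the one to lock and reset. Distributed stuffing spreads attempts over many source addresses, so a production version keys additional windows on user-agent, TLS fingerprint or ASN rather than IP alone.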
Summary
Imperva is available to assist customers around the clock. If you are a customer and need assistance with any of the actions mentioned above, please reach out to the Imperva Customer Success Team. Existing Imperva customers may also create support tickets via the Imperva Support Portal.
Imperva, like many others around the world, hopes for a peaceful solution soon. We appreciate your trust and are here to help you through these difficult times.
The post Prepare for Increased Attacks in the Current Geopolitical Environment first appeared on the Imperva Blog.
*** This is a Security Bloggers Network syndicated blog from the Imperva Blog, authored by Kunal Anand. The original post can be viewed at: https://www.imperva.com/blog/preparing-for-heightened-attacks-in-the-current-geopolitical-environment/