Using AWS WAF for Exploit Attempt Alert and Action
Organizations can use AWS Web Application Firewall (WAF) for exploit attempt alert and action. Learn more on this use case from Cyware.
Category: Analytics and SIEM, Network Security
Cyware Products Used:
Orchestrate: Security Orchestration solution to manage the playbook and third-party integrations.
Intel Exchange: Threat Intelligence Platform (TIP) to enrich the identified malicious indicators.
Respond: Fusion and threat response solution to manage the ransomware triage, investigate, and, respond automatically using cyber fusion-powered collaboration between your internal security teams.
Third-Party Integrations Used:
Elastic Search SIEM: To retrieve exploit attempt alerts.
AWS Web Application Firewall (WAF): To manage web application traffic.
Problem Statement
Organizations receive alerts from trusted sources and internal tools and security teams need to take immediate action on the received threat intel. AWS Web Application Firewall (WAF) is a firewall that allows or denies traffic based on defined rules. The web access control list contains a collection of rules which determine whether a given request should be allowed or blocked and as soon as these alert triggers we need to take appropriate actions. Security teams manually analyze and respond to the threats with actions such as blocking IPs on cloud firewalls, thereby reducing analyst efficiency. Analysts spend time manually analyzing all the alerts rather than focusing on threats that directly impact the organization.
Solution
The solution is to automatically block malicious traffic to and from suspicious remote hosts, for example, IP addresses associated with malicious command and control servers. This also helps security teams to adapt to a proactive approach to protecting your Amazon Web Service (AWS) cloud implementations. This document explains the process to automatically action take action on AWS Web Application Firewall (WAF) exploit attempt alerts.
How do we solve this problem?
The solution uses the AWS WAF: Exploit Attempt Alert and Action playbook to automatically block the indicators identified in the AWS WAF alerts.
Retrieve AWS WAF Alerts from SIEM: The playbook starts by retrieving the latest exploit attempt alerts from the Elastic Search SIEM console.
Enrich Indicators: The indicators identified in the alerts are filtered and sent to the CTIX application for enrichment. CTIX enrichment provides details such as indicator score, internal enrichment, and external enrichment details.
Create Respond Incident: The playbook creates a new incident in Respond and updates the enrichment details along with the alert ID. If an incident already exists for the alert, then the details are updated to the existing Respond incident. The playbook also creates an action to block the malicious indicators on AWS WAF.
Update the Elastic Search Alert: The playbook updates the status of the elastic search alert to Closed by adding the _Created CFTR Incident _notes. This helps users to know that the alert is already forwarded to Respond for analyst investigation and action.
Benefits
Proactive Response
Security teams can automatically update the AWS cloud firewall to block malicious IPs as soon as they’re detected on the network.
Actionable Threat Intelligence
With the automated enrichment and scoring of indicators based on contextual factors, the playbook provides actionable intel for security analysts for further action.
Reduce Analyst Workflow
While security analysts are already burdened with processing a large volume of threat alerts, the use of security automation helps reduce the workload by accelerating the analysis of unstructured threat information.