Akamai Diversity

The Akamai Blog

WAF: Visibility into attacks and adaptability to changing threats

In previous posts WAF: False Positives vs. False Negatives and WAF: trade-off between false positives and false negatives, we talked about the importance of WAF accuracy and the strategy that Akamai follows when developing the system of proprietary rules (Kona Rule Set or KRS) that govern the WAF. 

The size of the Akamai Intelligent Platform is a key element when it comes to obtaining a global perspective of Internet. In general, discrete pieces of information and isolated events tend to give a limited vision that is insufficient to effectively protect against security threats. Akamai holds a privileged position, delivering between 15% and 30% of global web traffic. It allows observing and analyzing data with a very broad spectrum, obtaining therefore an excellent visibility of the behavior of malicious activity in the Internet, in contrast to the legitimate activities also observed. To put it simple, if something is happening anywhere in the world, it is likely that Akamai is watching it.

One mechanism we use at Akamai to make sure that this great visibility leads to accurate traffic inspection is putting this accuracy into test. Akamai uses a test environment that is constantly re-evaluating the accuracy of the WAF rules. The test is comprised by 95% legitimate requests and 5% malicious request: The requests are compiled from the following sources:

• All companies in the Alexa Top 100 
• Web sites of different industries
• Websites from Akamai customers whose traffic pattern generate an above-average of false negatives and false positives.

In addition to all of this information cultivated by Akamai's Cloud Security Intelligence, we add public tools and databases such as web scanners, common attack tools and known vulnerabilities described in https://www.exploit-db.com.

Like I said before, the distributed cloud-based security architecture is the only way to achieve this broad perspective.

Leveraging this visibility into customer traffic is the next challenge that a WAF system must address. Traditional WAF approaches usually offer a system of alerts that are triggered whenever each of the many specific rules is compromised (I recommend reading the "Combination of broader and more flexible rules" section in WAF: False Positives vs. False Negatives.
Given the high number of alerts triggered at any time, for a customer to manage such information may become practically impossible, typically due to lack of enough resources or experience in interpreting this information.

In contrast, Akamai proposes a user interface monitoring system, Security Monitor, which can be also accessed by APIs, which offers contextualized information about attacks.

In addition, the Akamai SOC (see video below) has a team of Internet security experts that are constantly attending and analyzing anomalies, hints or specific alerts. The Akamai SOC  starts the defense and mitigation process in an unmatched time frame, and provide attack mitigation SLA (something unique in the security industry) notifying the client about when, where and how an attack was performed as well as all relevant information on the attack, including defense strategies based on the extensive experience gained by defending thousands of the most important (and therefore of the most endangered) companies worldwide. This also allows organizations to focus on responding to a threat, instead of spending time to determine whether or not the situation is a real attack.

A great example of this strategy in action is shown in this Akamai customer's case study. In 2014, the customer reported abnormal behavior and asked for help in the investigation of a potential attack. By analyzing the logs of the client, the Security Incident Response Team observed an attempt to exploit a vulnerability in RFI (Remote File Inclusion). The result of research yielded the following data:

• The attacker had launched not one but 2,122 attack attempts against this first target.
• The same attacker had launched attacks to another 34 websites with a total of 24,301 attempts to exploit the vulnerability RFI.
• The attacker was part of a botnet network of 272 bots that had threatened 1,696 websites, for a total of 1,358,980 attempts to exploit the vulnerability RFI.

Just to illustrate the dimension of the whole campaign evidenced by the research, let's imagine for a second that each attack is described by one single page document. What we found out over the course of following days leading to first attack is shown in the figure below:

Visibility into attacks and adaptability to changing threats IMG1-thumb-500x242-4747.png

Thanks to the research work and the rule update process in the KRS, Akamai was able to offer protection in an extremely short time, to thousands of different websites, belonging of hundreds of companies, vast majority of whom were not even aware of being attacked.

Again, the distributed architecture of a cloud-based WAF allows that a unique visibility of the whole Internet context is combined with a response protocol managed by security experts working in security incidents management.

Next blog post will continue to identify characteristics that help us evaluate the quality of a WAF solution. In the meantime, like I did in my previous entry, I recommend the reading of this white paper for further details on why the Akamai approach to WAF is more accurate, efficient, and reliable than the approach of our competitors.