Ysera
Assistant Engineer
Assistant Engineer
  • UID634
  • Fans0
  • Follows0
  • Posts44
Reads:1899Replies:0

WAF data risk control – a general business security solution

Created#
More Posted time:Jan 18, 2017 13:27 PM
“You security teams do not hinder business development”, “This security policy impairs user experience and conversion rate” - the security department of Party A enterprise often heard such complaints from their cooperation teams. But the original intention of security practitioners for joining the enterprise is never to “hinder business development”. So can security solutions become “business facilitators” instead? The answer is yes.
Security products that are coupled with the business and transparent to the customers, such as firewalls, IDS, and WAF seldom receive such complaints.  
But back to the internet business security scenarios, currently common business security prevention and control scenarios are usually as follows:
Scenario 1:
Security: “The alarm for login traffic goes off, indicating someone is hacking into the database.”  
Business: “Let me check it. This is the login entry. Which business is it open to? It has not been maintained for a long time.”
Boss: “Is there any ways to quickly stop the bleeding?”  
Security and business: “This small entry has never been connected into the risk control system before and we now can only claw back the accounts for post-event treatment.”
Boss: ...
Scenario 2:  
Security: “This security policy requires you to send the user login IP address to me.” The business went online after N days of development and transformation.  
Security: “A part of the IP address here seems incorrect. Is the intranet IP address of the gateway used?”
Business development: ...
Scenario 3:  
Business development: “Security asked us to record the user-agent, and browsing records, and now a big part of the business response time is used for logging. Do these jobs have business value?”
Security: ...
The core of these scenarios lies in that business security solutions are usually embedded in the business logic. So does the internet business security have a general solution like the firewall? To answer this question, we should first probe into the “general security risks” of business security.

0X01 General security risks for business security
To locate the general risks for business security, we should first define the state of business “security”. When the security engineer is asked by a customer “whether this product is secure?”, he would usually consider various security details, such as whether the business is prone to credential stuffing attacks or information leakage, whether the system is prone to injection, and horizontal authorization control issues. But these security details are usually not the answer to the question of “secure or not”.
The “security” that the customer wants is a balance. There are no absolutely secure systems. A robust system may also suffer financial loss because of security problems, while improving system security is not at zero costs. So the “security” that the customer wants is a balance between the security cost and the financial loss caused by security issues. Configuring a dedicated security engineer for a DMZ blog server is not the “security” that the customer wants. The conservation of security costs which leads to a large scale of credential stuffing is also not the “security” that the customer wants.
You will find a shared feature back to the business security scenarios. Only by achieving a certain scale and batch-size utilization will the business security loopholes cause an impact on the business. A web attack may write the webshell and lead to machine failure. But a limited number of credential stuffing, spam registration, spam messages and scalps are within the tolerable range of enterprises. While attackers have to resort to automated attacks by machines to launch large-scale and batch-size attacks. We can draw to the conclusion that large-scale and batch-size machine-initiated risks are the general risks faced by the business security field.

0X02 Analysis of general solutions demand
In the previous section, we have come to a conclusion that large-scale and batch-size machine-initiated risks are the biggest pain point faced by the business security field. What are the demands for achieving a general “solution to solve machine-initiated risks”? The defense means against machine-initiated risks in the industry have been quite mature - such as targeting the human knowledge (verification code), targeting the inherent characteristics of the human (behavior recognition), and consumption of machine costs (POW). But the industry fails to integrate these defense means to provide a general and all-applicable business security solution. The problem mainly focuses on two points: failure to achieve business transparency and fast deployment.
Business transparency:
In the existing human-machine identification solution, the customer needs to transform their front-end and back-end facilities for the access, or even adjust the business logic to adapt to the security solution. Security invades into the main business logic and sometimes security may even become a burden on the business.
Fast deployment:
The machine risk defense means are too complicated and fast deployment is not feasible, which may further lead to failure to achieve full-site deployment as well as prevention and control through simple configuration of the business system. The business system usually has numerous small traffic entries which, if not deployed in the security system, may become vulnerabilities.

0X03 Specific implementations of general solutions
How can we achieve general machine risk solutions for “business transparency” and “fast deployment”? The core is to intervene in between the browser and business servers as the intermediary to realize the following requirements:
1. Inject corresponding JavaScript scripts on the page;
2. JavaScript scripts collect the data, hook all the user's events that trigger the submit operation and inject the data into the requests when the user initiates the requests;
3. The requests of the browser and business servers can be forwarded and the request content can be parsed;
Now the intermediary attacking tool (MITMf) has been quite mature, while a reverse application of the intermediary attacking tool’s idea seems to be able to meet these needs. You can deploy the WAF service between the business servers and the browser so that the WAF will inject the front-end JS requiring data collection when the user is browsing the website. At the same time, the JS hooks the user’s request events on the front-end. When the user initiates a request, it injects the collected risk recognition data. When the request arrives at the reverse proxy again, the reverse proxy extracts corresponding risk recognition data and submits it to the risk control brain for comprehensive decision making - whether to block the user request or to challenge a secondary verification.
The interaction procedure of WAF data risk control service between the business servers and the browser is shown in the figure below:


The key business risk prevention and control adopts three-level funnel models for filtering requests level by level to block business risks transparently. The three levels of funnel models are: block the machine so as to eliminate batch-size risks by attackers, exceptional traffic analysis identifies some machine behavior that slips through the previous check and non-performing users with abnormal behavior traces. The credit investigation model denies non-performing users based on the credit scoring for the user to push the service to target users.
 
Block the machine:
1. Machines are identified based on the inherent features of human, and trustable front-end implemented based on JS is used to collect user's behavior data so as to detect and block machine behavior through the on-line real-time models;
2. The cost for machine-initiated attacks is consumed to make the attacks to lose more than gain. Based on the POW (proof of work) principle, the front-end computing volume is consumed through issuing problems on the service end. A small amount of computing by general users with sufficient idle CPU resources does not consume the cost, while the attackers have to occupy a large amount of computing resources to achieve batch-size attacks, making the attacks lose more than they gain.
Traffic analysis:
Through identifying abnormal traffic in the network by machine learning, some non-performing users with abnormal behavior traces can be intercepted. The common ideas are as follows:
1. Browsing history. In the internet financial scenario for example, normal users will register and compare a variety of financial products before they place the final order, while econnoisseurs will rush straight to the activity page upon their hearing the news;
2. URL clustering. In the online shopping scenario, normal users will generally make a selection among goods of the same category before they purchase a product;
3. Browsing frequency. On the UGC website, user views and comments usually have some time intervals. Users with frequent and instant replies are likely to be sending spam messages.
Credit investigation model:
Along with the birth of the internet was a classic conclusion: “No one knows you are a dog on the internet.” However, in the business security scenario, identifying user identity and evaluating user credibility are important basis for business risk control.
Now the internet has become a mature closed ecosystem leveraging the mature credit investigation system in the realistic society. Users are marked through the device fingerprints, and their credibility is rated based on their activity history on the internet. Coupled with the incredibility user list, high-risk users that have bypassed the first two levels will be intercepted.

0x04 Values of WAF data risk control service
Back to the question at the beginning of this article: how can we make the business security prevention and control a “business facilitator” and can WAF data risk control service achieve this goal? The answer is yes.
WAF data risk control service boasts two major advantages, and the two advantages guarantee the business security of enterprises while promoting business development.
First, business transparency. The business development resources can focus on business code to cut down the cost for the enterprise to fulfill the security requirements.
Second, fast deployment. WAF data risk control service can facilitate fast full-site deployment to safeguard the website against business risks in a quick manner. Just like the invention of safety belt which safeguards drivers while enabling cars to move at a higher speed safely, the implementation of full-site business risk prevention and control can also truly push the service to target users, so as to accelerate the enterprise's business development.
Guest