Reputation intelligence is information about cyber entities known for specific activity, whether malicious or benign, that can be fed to and acted on by a web application firewall (WAF). It adds an application security layer by identifying and blocking threats from known malicious sources. Using reputation intelligence, large amounts of traffic can be classified as malicious or benign up front, reducing the volume of traffic whose actual content the WAF has to inspect. You can better understand where traffic originates, who is creating it and the potential risk.
With up-to-date information on known cyber entities delivered to your WAF, reputation intelligence can help block an attack or allow legitimate traffic, which in turn significantly reduces false positives.
Examples of reputation intelligence entities include:
- Malicious IP Addresses: Sources that have repeatedly attacked other websites
- Anonymous Proxies: Proxy servers used by attackers to hide their true location
- TOR Networks: Anonymous communication software used by hackers to disguise the source of an attack
- IP Geo-location: Geographic location from which attacks are initiated
- Phishing URLs: Fraudulent sites (URLs) that are used in phishing attacks
- Comment Spammers: IP addresses of known active comment spammers
- Remote File Include (RFI): URLs that were identified as locations from where malicious files are downloaded
- SQL Injection IPs: IP addresses that were identified as serial SQL injection attackers
- Scanner IPs: IP addresses that were identified as serial scanner attackers
- Spamdexing: URLs used in comment spam attacks
Benefits of Reputation Intelligence
People often ask us why they should add reputation intelligence to their WAF. One of our large global customers summed it up best, “Reputation intelligence is the low hanging fruit, we just block based on the feeds delivered to the WAF and see immediate value – I’m blocking the bad guys without creating new security rules.” This is the fundamental benefit delivered by reputation intelligence – automated blocking of threats based on specific entities, such as IPs or URLs.
There are additional benefits to adding reputation intelligence to your WAF, such as geo-location information that reduces false positives and helps establish and enforce business policies. For example, many enterprises have geo-location restrictions. Some media entertainment companies such as Netflix provide service to their customers in the US only, and they could use a geo-location feature to enforce that policy.
Reputation intelligence is also used to minimize false positives generated by a WAF by providing whitelist resources:
- CDN IP addresses
- Legitimate search engines
- Well-known “good” (non-malicious) entities
A WAF can use this intelligence to exclude certain entities from strict policies. For example, if you want to block scanning attempts based on how frequently a source polls your resources, you can do so while still allowing legitimate search engine indexing traffic, avoiding false positives.
Reputation intelligence also enables a WAF to enforce other business-oriented policies. For example, some enterprises want to allow users in certain countries to browse their website through anonymizing proxies. On the other hand, attackers frequently use automated tools behind anonymizing proxies to attack web applications. A WAF with reputation intelligence can set a granular policy that blocks automated tools hiding behind anonymous proxies and TOR networks while allowing legitimate human traffic.
Apart from delivering feeds on cyber entities, reputation intelligence is also used to mitigate zero-day attacks. After the latest Apache Struts remote code execution vulnerability was released (CVE-2017-9805) Imperva used its reputation intelligence service to push the mitigation for it in a matter of hours to SecureSphere WAF customers providing them with zero-day protection.
Measuring the Quality of Reputation Intelligence
Various vendors offer reputation intelligence services, so how do you know which one is best? Great question, difficult answer. If there are a lot of false positives that’s an obvious indicator that the reputation intelligence service feed is not high quality and you don’t want to use it. But there are several parameters to consider. Here’s what to look for:
- Size of feed – The number of entries in the feed will vary by the content—from a few hundred to a few thousand—but they should represent the real-world landscape of good and bad cyber entities that extend beyond IP addresses to include phishing sites, TOR networks, and proxies. For example, you might expect a feed of dedicated phishing sites to contain a few dozen active sites, malicious SQL injection IPs to contain a few hundred, and IP comment spam as much as 50,000 IPs.
- False-positive and true-positive rates – These reflect the accuracy of the feed. Lower false-positive rates and higher true-positive rates indicate better feed quality.
- Geographic diversity – In cases where a company’s business is open to the entire world, you will want reputation feeds that cover all parts of the world and aren’t limited to a specific geo-location, such as US traffic only.
- Reputation intelligence updates – Most malicious entities are constantly changing. IPs on the world wide web are dynamically allocated to users. For example, the majority of phishing sites remain active for only four to eight hours. Therefore, the frequency with which the feeds are updated is important.
You need to be sure that a vendor’s coverage of the web is wide enough. Vendors that see many gigabits of traffic per day across different regions around the world have more visibility and can provide more accurate coverage. This dramatically increases the size of the feed and the true-positive rate, reduces the number of false positives and provides a higher diversity of resources.
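The accuracy and freshness criteria above can be checked against your own labelled traffic before you trust a feed in blocking mode. This is an added example, not code from the original post or from any vendor; the feed entries, timestamps and ground-truth labels are constructed sample data.

```python
# Added example (not from the original post): scoring a candidate reputation
# feed against a labelled sample of your own traffic. All data is constructed.
from datetime import datetime, timedelta, timezone

# Constructed feed: IP -> time the vendor last confirmed the entry.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
FEED = {
    "203.0.113.10": NOW - timedelta(hours=1),
    "203.0.113.11": NOW - timedelta(hours=3),
    "203.0.113.12": NOW - timedelta(days=2),   # stale entry
    "198.51.100.5": NOW - timedelta(hours=2),  # turns out to be benign
}
# Constructed ground truth from your own incident data: IP -> actually malicious?
GROUND_TRUTH = {
    "203.0.113.10": True, "203.0.113.11": True, "203.0.113.12": True,
    "198.51.100.5": False, "198.51.100.6": False, "198.51.100.7": False,
    "203.0.113.99": True,   # attacker the feed missed
}

def feed_rates(feed, truth):
    """Return (true_positive_rate, false_positive_rate, precision) of a feed
    measured against labelled traffic: TPR = TP/(TP+FN), FPR = FP/(FP+TN)."""
    tp = sum(1 for ip, bad in truth.items() if bad and ip in feed)
    fn = sum(1 for ip, bad in truth.items() if bad and ip not in feed)
    fp = sum(1 for ip, bad in truth.items() if not bad and ip in feed)
    tn = sum(1 for ip, bad in truth.items() if not bad and ip not in feed)
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    precision = tp / (tp + fp) if tp + fp else 0.0
    return tpr, fpr, precision

def stale_fraction(feed, max_age: timedelta, now=NOW) -> float:
    """Share of entries older than max_age. The post notes most phishing sites
    live only four to eight hours, so entries beyond that are likely dead."""
    stale = sum(1 for seen in feed.values() if now - seen > max_age)
    return stale / len(feed) if feed else 0.0
```

A high false-positive rate on your own traffic, or a large stale fraction relative to the vendor's stated update interval, is the signal that the feed should stay in alert-only mode.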
You Have Reputation Intelligence, Now What?
Once you have reputation intelligence delivered via automated feed to your WAF you can take the following actions:
- Block threats – With high quality reputation intelligence feeds you will see a low-to-zero false-positive rate and can begin using the WAF in blocking mode.
- Perform forensics – Gather reputation-tagged traffic across your estate and correlate it with data from other security devices for forensics and incident response.
- Build compound policies – Use the reputation intelligence feeds to create more robust security policies. For example, IP comment spam resource feeds can be combined with the behavior characteristics of publishing a comment on a web site (such as POST HTTP method and a parameter with a URL).
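The whitelist exclusion, the anonymous-proxy policy and the compound comment-spam policy described above can all be expressed in one small rule set. This is an added example, not SecureSphere or any vendor's code; the feed CIDRs and requests are constructed, and the `automated` flag is assumed to come from a separate bot-detection check.

```python
# Added example (not vendor code): a minimal WAF policy evaluator that combines
# a categorised reputation feed with request attributes. Constructed data only.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed feed: category -> CIDR ranges (documentation addresses, not real IoCs)
FEED = {
    "comment_spam":  ["198.51.100.0/24"],
    "sqli_attacker": ["203.0.113.7/32"],
    "anon_proxy":    ["192.0.2.0/25"],
    "search_engine": ["192.0.2.128/25"],   # whitelist resource
}
NETS = {cat: [ip_network(c) for c in cidrs] for cat, cidrs in FEED.items()}

@dataclass
class Request:
    src_ip: str
    method: str
    path: str
    params: dict = field(default_factory=dict)
    automated: bool = False        # assumed output of a bot-detection layer
    requests_per_min: int = 1      # assumed rate counter for the source

def categories(ip: str) -> set:
    """Every feed category whose ranges contain this source IP."""
    addr = ip_address(ip)
    return {cat for cat, nets in NETS.items() if any(addr in n for n in nets)}

def looks_like_comment_post(req: Request) -> bool:
    """Behavioural signal from the post: POST with a parameter carrying a URL."""
    return req.method == "POST" and any(
        str(v).lower().startswith(("http://", "https://")) for v in req.params.values())

def decide(req: Request, scan_threshold: int = 120) -> str:
    cats = categories(req.src_ip)
    # Whitelist first: legitimate crawlers bypass the rate-based scanner rule.
    if "search_engine" in cats:
        return "allow"
    # Serial attackers from the feed are blocked regardless of payload.
    if "sqli_attacker" in cats:
        return "block:reputation"
    # Compound policy: comment-spam IP *and* comment-publishing behaviour.
    if "comment_spam" in cats and looks_like_comment_post(req):
        return "block:comment_spam"
    # Anonymous proxy: block automated tools, let human browsers through.
    if "anon_proxy" in cats and req.automated:
        return "block:automated_via_proxy"
    if req.requests_per_min > scan_threshold:
        return "block:scanner"
    return "allow"
```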
In summary, reputation intelligence improves your application security posture, reduces false positives, increases accuracy and mitigates zero day threats.
Learn more about Imperva reputation intelligence services or request a demo.