Best Practices for Attack Prevention with Wallarm¶
This article will show you how to use Wallarm, a unique platform that is like having two guards in one, for attack prevention. It not only protects websites like other tools (known as WAAP), but it also specifically safeguards your system's APIs, making sure all the technical parts of your online space are safe.
With so many threats we have online, it is crucial to have a strong shield. Wallarm can stop common threats such as SQL injection, cross-site scripting, remote code execution, and Path Traversal all on its own. But for some sneaky dangers and specialized use-cases like protection against DoS-attack, account takeover, API abuse, a few adjustments might be needed. We will walk you through those steps, ensuring you get the best protection possible. Whether you are a seasoned security expert or just embarking on your cybersecurity journey, this article will provide valuable insights to bolster your security strategy.
Manage multiple applications and tenants¶
If your organization uses multiple applications or separate tenants, you will likely find the Wallarm platform useful for easy management. It allows you to view events and statistics separately for each application and configure specific triggers or rules per application. If you need, you can create isolated environment for each tenant with separate access controls.
Establish a trust zone¶
When introducing new security measures, the uninterrupted operation of crucial business applications must remain a top priority. To ensure trusted resources are not unnecessarily processed by the Wallarm platform, you have the option to allocate them to the IP allowlist.
Traffic originating by the allowlisted resources is not analyzed or logged by default. This means that data from bypassed requests will not be available for review. Therefore its use should be applied cautiously.
For URLs that require unrestricted traffic or for which you wish to conduct manual oversight, consider setting the Wallarm node to monitoring mode. This will capture and log any malicious activities targeting these URLs. You can subsequently review these events through the Wallarm Console UI, monitor anomalies, and, if necessary, take manual actions such as blocking specific IPs.
Control traffic filtering modes and processing exceptions¶
Implement security measures gradually using our flexible options for managing filtration modes and customizing processing to suit your applications. For example, enable the monitoring mode for specific nodes, applications, or parts of an application.
If required, except detectors tailored for specific request elements.
Set up the denylist¶
You can safeguard your applications from untrusted sources by incorporating them into a denylist, blocking traffic from suspicious regions or sources such as VPNs, Proxy servers, or Tor networks.
Block multi-attack perpetrators¶
When Wallarm is in blocking mode, it automatically blocks all requests with malicious payloads, letting only legitimate requests through. If multiple malicious activities from one IP address are detected in a short time (often referred to as multi-attack perpetrators), consider blocking the attacker entirely.
Enable brute-force mitigation¶
Mitigate brute-force attacks by limiting the number of access attempts to authorization pages or password reset forms from a single IP address. You can do this by configuring a specific trigger.
Enable forced browsing mitigation¶
Forced browsing is an attack where an attacker tries to find and use hidden resources, like directories and files with information about the application. These hidden files can give attackers information they can use to carry out other types of attacks. You can prevent such malicious activities by defining limits for unsuccessful attempts to reach specific resources via the specific trigger.
Set rate limits¶
Without a proper limit on how often APIs can be used, they can be hit by attacks that overload the system, like DoS and brute force attacks, or API overuse. By using the Set rate limit rule, you can specify the maximum number of connections that can be made to a particular scope, while also ensuring that incoming requests are evenly distributed.
Activate BOLA protection¶
The Broken Object Level Authorization (BOLA) vulnerability allows an attacker to access an object by its identifier via an API request and either read or modify its data bypassing an authorization mechanism. To prevent BOLA attacks, you can either manually specify vulnerable endpoints and set limits for connections to them, or turn on Wallarm to automatically identify and protect vulnerable endpoints. Learn more
Employ API Abuse Prevention¶
Set up API abuse profiles to stop and block bots performing API abuse like account takeover, scraping, security crawlers and other automated malicious actions targeted at your APIs.
Enable credential stuffing detection¶
Enable credential stuffing detection to have a real-time information about attempts to use compromised or weak credentials to access your applications and a downloadable list of all compromised or weak credentials providing access to your applications.
Knowledge of accounts with stolen or weak passwords allows you to initiate measures to secure these accounts' data, like communicating with account owners, temporarily suspending access to the accounts, etc.
Create custom attack detection rules¶
In certain scenarios, it may be beneficial to manually add an attack detection signature or create a virtual patch. Wallarm, while not relying on regular expressions for attack detection, does allow users to include additional signatures based on regular expressions.
Mask sensitive data¶
The Wallarm node sends attack information to the Wallarm Cloud. Certain data, like authorization (cookies, tokens, passwords), personal data, and payment credentials, should remain within the server where it is processed. Create a data masking rule to cut the original value of specific request points before sending them to the Wallarm Cloud, ensuring sensitive data stays within your trusted environment.
Analyze user sessions¶
Dealing only with the attacks, presented in the Attacks or Incidents section, you cannot see their full contexts: the logic sequence of requests that the attack is the part of.
Wallarm's API Sessions provide this context to allow revealing of more general patterns in how your applications are being attacked as well as understanding of which business logic will be affected by the taken security measures.
Analyze user sessions to identify a logic of the threat actor behavior, verify attack and malicious bot detection accuracy, track shadow, zombie and other endpoints in risk, identify the performance issues and more.
Seamless SIEM/SOAR integration & Instant alerts for critical events¶
Wallarm offers seamless integration with various SIEM/SOAR systems such as Sumo Logic, Splunk and others enabling you to effortlessly export all attack information to your SOC center for centralized management.
Wallarm integrations together with the triggers functionality provides you with a great tool to set up reports and real-time notifications on specific attacks, denylisted IPs, and overall ongoing attack volume.
Layered defense strategy¶
In creating robust and dependable security measures for your applications, it is crucial to adopt a layered defense strategy. This involves implementing a suite of complementary protective measures that together form a resilient defense-in-depth security posture. Besides the measures offered by the Wallarm security platform, we recommend the following practices:
-
Utilize L3 DDoS protection from your cloud service provider. L3 DDoS protection operates at the network level and helps mitigate distributed denial-of-service attacks. Most cloud service providers offer L3 protection as part of their services.
-
Follow secure configuration recommendations for your web servers or API gateways. For instance, make sure to adhere to the secure configuration guidelines if you are using NGINX or Kong.
By incorporating these additional practices along with the Wallarm L7 DDoS protection measures, you can significantly enhance the overall security of your applications.
Check and enhance the coverage of OWASP API top threats¶
The OWASP API Security Top 10 is a gold standard for the evaluation of security risk in APIs. To help you measure your API's security posture against these API threats, Wallarm offers the dashboard that provides clear visibility and metrics for mitigation of the top threats of the 2023 version.
These dashboards help you to assess the overall security state and proactively address discovered security issues by setting up appropriate security controls.
Enable JA3 fingerprinting¶
To make the following functionality more precise:
-
API Abuse Prevention using the API Sessions mechanism
It is recommended to enable JA3 fingerprinting for better identification of the unauthenticated traffic.