
O'Reilly Modern Defense in Depth


set up a blocking function at a preceding line of defense quite easily by making a simple change via an API. The concept of scripting is powerful because a script is written once and then called repeatedly to convert a log or alert into an action with very little, if any, human interaction. To explain this better, consider the following scenario. Let's say the Web Application Firewall (WAF) line of defense detects a steady stream of dissimilar web requests that all appear to be malicious, repeatedly coming from the same source IP address (the source). The source is not violating any access control list (ACL) rules on the upstream routers, and the source is not participating in a DDoS attack. The source is not attacking the DNS, and it is performing the required TCP three-way handshake with the upstream reverse proxy. The source has a browser with JavaScript enabled and passes all bot challenges, yet the WAF confirms that the source (likely being controlled by an attacker) is trying its best to break into the web application downstream. Can you defeat this activity upstream? Absolutely. The best way to block this activity is to automate the calling of a script based upon the attacker source IP address, port, protocol, and behavior, and then make a change to all preceding lines of defense via their APIs to block the source for a short amount of time. If the offending source eventually stops the unwanted behavior, another script can be called to remove the block and allow that source through as long as it continues to exhibit good behavior. No one would want to block the source IP address indefinitely, because IP address spoofing is very common; a short-term block is all that is needed. In the early stages of an SOC, much of this is still performed via human intervention. As the SOC team and its support approaches mature, much of this activity can be fully automated.
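The short-term blocking loop described above, as an added example that is not code from the report: a small Python coordinator that counts malicious WAF verdicts per source IP, pushes a time-limited block to every preceding line of defense through an API hook, and lifts it again once the window has passed. The hook signature, the alert fields, the threshold and the 600-second window are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List
# Hook signature assumed for illustration: hook(action, ip) where action is
# "block" or "unblock"; a real deployment would wrap each device's API here.
Hook = Callable[[str, str], None]

@dataclass
class BlockCoordinator:
    api_hooks: Dict[str, Hook]        # one entry per preceding line of defense
    block_seconds: int = 600          # short-term block only, never indefinite
    threshold: int = 5                # malicious WAF verdicts before acting
    hits: Dict[str, int] = field(default_factory=dict)
    blocked_until: Dict[str, float] = field(default_factory=dict)

    def _push(self, action: str, ip: str) -> None:
        for hook in self.api_hooks.values():   # same change on every upstream layer
            hook(action, ip)

    def on_waf_alert(self, alert: dict, now: float) -> bool:
        """Consume one WAF alert (constructed format); True if it triggered a block."""
        ip = alert["src_ip"]
        if alert.get("verdict") != "malicious":
            return False
        self.hits[ip] = self.hits.get(ip, 0) + 1
        if self.hits[ip] >= self.threshold and ip not in self.blocked_until:
            self.blocked_until[ip] = now + self.block_seconds
            self._push("block", ip)
            return True
        return False

    def expire(self, now: float) -> List[str]:
        """Lift every block whose window has passed; returns the IPs released."""
        lifted = [ip for ip, until in self.blocked_until.items() if until <= now]
        for ip in lifted:
            del self.blocked_until[ip]
            self.hits.pop(ip, None)            # fresh start once the source behaves
            self._push("unblock", ip)
        return lifted

def demo() -> List[str]:
    """Constructed run: five malicious verdicts from one source, then time passes."""
    calls: List[str] = []
    hooks = {"router_acl": lambda a, ip: calls.append(f"router_acl:{a}:{ip}"),
             "reverse_proxy": lambda a, ip: calls.append(f"reverse_proxy:{a}:{ip}")}
    coord = BlockCoordinator(hooks)
    for i in range(5):
        coord.on_waf_alert({"src_ip": "203.0.113.7", "verdict": "malicious"}, now=1000 + i)
    coord.expire(now=1100)   # still inside the 600 s window: nothing lifted
    coord.expire(now=1700)   # window elapsed: unblock pushed to every layer
    return calls
```

In production the two lambdas would be replaced by calls to each device's own API, and `expire` would run on a timer or from a scheduler.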
This is the true power being wielded in the hands of today's advanced SOC personnel.

Value of Intelligence

Beyond the use of scripts and automation performed by the SOC team, the value of tactical and strategic threat intelligence can be realized. The intelligence gained by "internal means" can be put into action automatically, making it "actionable" threat intelligence. This

34 | Chapter 4: How to Achieve the Integrated Approach
