Lab 3: Malicious Users

Objective:

  • Leverage User Identification Policies to isolate individual users.

  • Utilize F5 Distributed Cloud’s native AI technologies to block malicious users.

Narrative:

A recent security request came into your queue: multiple WAF violations and HTTP 403 responses were originating from the same public IP address. ACME’s security incident response team has asked you to block all requests from that public IP, as they are concerned about attackers gaining access to the application and then moving laterally into sensitive portions of it without authorization. Before blocking the public IP, a conversation with the application team revealed that the address maps to the headquarters of ACME’s largest sand supplier. Since not all of the requests coming from that public IP address are attacks, your goal is to leverage F5 Distributed Cloud to identify only the specific attackers and stop their probing activity while maintaining a low-friction experience for the rest of the valid users.

Note

Expected Lab Time: 15 minutes

Lab 3 Summary - Malicious User Mitigation: Configure Malicious User identification and mitigation. In this scenario, multiple attacks were coming from the same source IP, which also carries legitimate users. Instead of blocking the entire IP (which would impact legitimate traffic), you will leverage F5’s User Identification Policies (using client-side signals such as the TLS fingerprint and the client IP) to pinpoint individual malicious users. You will then enable ML/AI-powered Malicious User Detection and set up mitigation actions (challenging or blocking those users). This lab highlights how to surgically block determined attackers while maintaining a seamless experience for legitimate users.

Task 1: Creating a User Identification Policy

In this task you will build a User Identification Policy, which is the basis for identifying individual clients/users in the machine-learning-driven analysis that drives Malicious User detection, mitigation and actions.

  1. Within Web App & API Protection in the F5 Distributed Cloud Console, navigate to Manage > Load Balancer > HTTP Load Balancers, click the Action Dots next to the load balancer and select Manage Configuration.

  2. Click Edit Configuration in the top right-hand corner.

  3. Click Common Security Controls in the left-hand navigation and locate User Identification.

  4. Click the drop-down under User Identifier and select User Identification Policy from the list.

  5. Click the drop-down for User Identification Policy and select Add Item.

  6. In the User Identification window, in the Metadata section enter user-id for the Name and then click Configure under User Identification Rules.

  7. In the resulting window for User Identification Rules, click Add Item.

  8. In the User Identification Rule window click the drop-down for Identifier Type, select JA4 TLS Fingerprint and click Apply.

  9. Returning to the window for User Identification Rules, observe the prior selection and click Add Item.

  10. In the User Identification Rule window click the drop-down for Identifier Type, select Client IP Address (it may already be selected) and click Apply.

  11. Review the two User Identification Rules and click Apply.

  12. Returning to the User Identification window, note that User Identification Rules are now Configured and click Continue.

With User Identification Rules, F5 Distributed Cloud can pull in multiple data points as unique indicators to identify an individual user. In addition to the IP address and the TLS fingerprint of the browser, Cookies and HTTP Headers can also be leveraged to build policies around individual users. Keep in mind that a JA4 fingerprint identifies the client’s TLS stack (browser or library, version and configuration), not a person: two users behind the same public IP running identical browser builds will share one identity under this policy, whereas a cookie or header carrying a session or user identifier would distinguish them. Now that users are more specifically identified, let’s move on to how to block malicious users.

Task 2: Enable Malicious User Detection and Mitigation Actions

In this task you will leverage the User Identification Policy just built, enable Malicious User Detection and create a Malicious User Mitigation policy with challenge and block actions.

  1. Click Common Security Controls in the left-hand navigation.

  2. Click the drop-down for Malicious User Detection and select Enable.

  3. Click the drop-down for Malicious User Mitigation And Challenges and select Enable.

  4. Click the drop-down for Malicious User Mitigation Settings and select Custom.

  5. Click the drop-down for Custom and observe the existing shared policies:

     shared/lab-sec-user-mitigation

     ves-io-shared/ves-io-default-malicious-user-mitigation

Note

Using a Malicious User Mitigation object from the shared namespace provides the ability to use API-updated mitigation controls to implement common service security across multiple resources.

  6. Select Add Item.

  7. In the Metadata section enter security-user-mitigation for the Name and then click Add Item under Rules.

  8. In the resulting window, click the drop-down for Threat Level and select Low, click the drop-down for Action and select JavaScript Challenge, then select Apply.

  9. In the Malicious User Mitigation window review the rule just created and click Add Item again.

  10. In the resulting window, click the drop-down for Threat Level and select Medium, click the drop-down for Action and select Captcha Challenge, then select Apply.

  11. In the Malicious User Mitigation window review the rules just created and click Add Item again.

  12. In the resulting window, click the drop-down for Threat Level and select High, click the drop-down for Action and select Block Temporarily, then select Apply.

  13. Observe the three Rules created and select Continue.

  14. Note the updated Malicious User Mitigation and Challenges section and, at the bottom of the window, click the Save HTTP Load Balancer button.

With a combination of User Identification and Malicious User Mitigation policies, ACME can now detect malicious activity and apply graduated mitigation: a JavaScript Challenge, a Captcha Challenge or a temporary block of the user. The Malicious User capabilities of F5 Distributed Cloud use AI/ML techniques to correlate multiple suspicious actions by the same identified user into a risk score. As that score rises, users violating ACME’s security policies are challenged and ultimately stopped from accessing the site, while other users coming from the same public IP continue to access it without issue.
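To make the mechanics of Task 1 and Task 2 concrete, the following Python model is added here as an illustration; it is not code from F5 Distributed Cloud or from this lab. It replays constructed events from the supplier's public IP, keys each request to a user with the lab's two identifier rules (JA4 first, Client IP as the fallback for a request that carries no TLS fingerprint; treating the rules as an ordered fallback list is an assumption of this model), accumulates an assumed per-user risk score from WAF violations and 403 responses, and maps the resulting threat level to the three actions configured in Task 2. The JA4 strings, the 203.0.113.10 address, the weights and the thresholds are all made up; the product's real scoring is done by its own ML models and is not reproduced here.

```python
"""Illustrative model of User Identification rules plus tiered Malicious User
Mitigation. Added example for this lab; NOT F5 Distributed Cloud code. The
weights, thresholds and identifier-fallback semantics are assumptions."""

from collections import defaultdict

# Identifier rules in the order the lab configures them (Task 1).
RULES = ("ja4_tls_fingerprint", "client_ip")

# Threat level -> action, mirroring the three rules created in Task 2.
MITIGATION = {"low": "javascript_challenge", "medium": "captcha_challenge",
              "high": "block_temporarily"}

# Assumed risk weights and level thresholds (illustrative values only).
WAF_VIOLATION_WEIGHT = 30
FORBIDDEN_WEIGHT = 10
THRESHOLDS = (("high", 70), ("medium", 45), ("low", 20))

# Constructed events, all from the supplier's public IP (documentation range
# 203.0.113.0/24). The JA4 strings are made up and are not real signatures.
# Fields: client_ip, ja4 (None for plaintext HTTP), path, status, waf_violation
SAMPLE_EVENTS = [
    # legitimate buyer: normal browsing plus one mistyped admin link
    ("203.0.113.10", "t13d1516h2_8daaf6152771_e5627efa2ab1", "/", 200, None),
    ("203.0.113.10", "t13d1516h2_8daaf6152771_e5627efa2ab1", "/orders", 200, None),
    ("203.0.113.10", "t13d1516h2_8daaf6152771_e5627efa2ab1", "/admin", 403, None),
    ("203.0.113.10", "t13d1516h2_8daaf6152771_e5627efa2ab1", "/invoices", 200, None),
    # scanner: every request trips a WAF signature
    ("203.0.113.10", "t13d3807h2_a09f3c656075_9a6fb9d3a3d1", "/search?q=%27%20OR%201%3D1--", 403, "SQL Injection"),
    ("203.0.113.10", "t13d3807h2_a09f3c656075_9a6fb9d3a3d1", "/login?u=%3Cscript%3E", 403, "XSS"),
    ("203.0.113.10", "t13d3807h2_a09f3c656075_9a6fb9d3a3d1", "/api/..%2F..%2Fetc/passwd", 403, "Path Traversal"),
    # curious insider: probing hidden paths, one injection attempt
    ("203.0.113.10", "t12d190800_d83cc789557e_7af1ed941c26", "/admin", 403, None),
    ("203.0.113.10", "t12d190800_d83cc789557e_7af1ed941c26", "/backup", 403, None),
    ("203.0.113.10", "t12d190800_d83cc789557e_7af1ed941c26", "/?id=1%20UNION%20SELECT", 403, "SQL Injection"),
    # plaintext HTTP client: no TLS fingerprint, so identified by IP only
    ("203.0.113.10", None, "/.git/config", 403, None),
    ("203.0.113.10", None, "/wp-login.php", 403, None),
]


def identify_user(event, rules=RULES):
    """Return (rule, value) for the first identifier in `rules` present on the
    request. A plaintext request has no TLS fingerprint and falls through to
    the client IP (treating rules as an ordered fallback is an assumption)."""
    client_ip, ja4 = event[0], event[1]
    available = {"ja4_tls_fingerprint": ja4, "client_ip": client_ip}
    for rule in rules:
        if available.get(rule):
            return (rule, available[rule])
    raise ValueError("request carries none of the configured identifiers")


def risk_score(events):
    """Sum assumed weights over one user's events: WAF violations weigh most,
    plain 403s less, successful requests add nothing."""
    score = 0
    for _ip, _ja4, _path, status, violation in events:
        if violation:
            score += WAF_VIOLATION_WEIGHT
        if status == 403:
            score += FORBIDDEN_WEIGHT
    return score


def threat_level(score):
    """Map a score to high/medium/low, or 'none' below the lowest threshold."""
    for level, floor in THRESHOLDS:
        if score >= floor:
            return level
    return "none"


def evaluate(events, rules=RULES, mitigation=MITIGATION):
    """Group events per identified user and choose the tiered action."""
    per_user = defaultdict(list)
    for event in events:
        per_user[identify_user(event, rules)].append(event)
    verdicts = {}
    for user, user_events in per_user.items():
        score = risk_score(user_events)
        level = threat_level(score)
        verdicts[user] = {"score": score, "level": level,
                          "action": mitigation.get(level, "allow")}
    return verdicts


def collateral_users(events, rules=RULES):
    """Users a blanket IP block would hit although the per-user policy does
    not rate them 'high': the lab's low-friction argument in numbers."""
    return sorted(user for user, verdict in evaluate(events, rules).items()
                  if verdict["level"] != "high")


if __name__ == "__main__":
    for user, verdict in evaluate(SAMPLE_EVENTS).items():
        print(f"{user[0]}={user[1]}: score={verdict['score']} "
              f"level={verdict['level']} action={verdict['action']}")
    print("users hit by an IP-wide block but not rated high:",
          len(collateral_users(SAMPLE_EVENTS)))
```

Running the block shows four distinct users behind one public IP receiving four different outcomes (allow, JavaScript Challenge, Captcha Challenge, temporary block), whereas blocking the IP outright would have hit all four. The `identify_user` fallback also makes the caveat visible: a plaintext HTTP request carries no TLS fingerprint, so every non-TLS client behind that IP collapses into a single identity and shares one score.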

End of Lab 3: This concludes Lab 3. Feel free to review and test the configuration. A brief presentation will be shared prior to the beginning of Lab 4.
