WP Preparing for Heightened Attacks in the Current Geopolitical Environment | Imperva

Preparing for Heightened Attacks in the Current Geopolitical Environment


The current geopolitical environment has raised many concerns about security postures and readiness to respond to a cyberattack. Today, Imperva customers are protected by our world-class network, application, and data security products. Alongside that, Imperva Threat Research is closely monitoring the attack landscape for new emerging threats, vulnerabilities, attacks, and incidents. In this post, we provide proactive measures that can be taken to improve the effectiveness of an Imperva Web Application Firewall (WAF) deployment. 

In recent days, Imperva Threat Research has seen a surge (10x increase) in infrastructure and web DDoS activities designed to disrupt critical business applications and services. We’re also monitoring a sharp increase in application and API attacks designed to inject malware and perform lateral movement for data exfiltration. Attackers are targeting all industry verticals with a concentration on government, telecommunications providers, financial services, and banking.

To help guide customers through this unpredictable time, below are recommendations all Imperva customers can action to improve their security posture: 

Use Attack Analytics to Simplify Security Monitoring & Response

It can be difficult to stay ahead of this fast-moving attack landscape and hunt for emerging threats. Use Imperva Attack Analytics to aggregate incidents at a global level and to understand attack narratives. It enables security analysts to investigate incidents more closely and to identify the attack tools used and the CVEs being targeted. It also allows customers to assess in real time the security posture of the WAF's configurations, rules, and policies.

Ensure Complete DNS Onboarding

If the DNS records for a site are missing or only partially migrated, clients (and attackers) can still reach the origin directly, bypassing the Imperva WAF. Make sure the DNS settings (A records and CNAMEs) for each protected web application and API are configured exactly as expected; the expected values are readily accessible in the security console.

Configure Web Application & API Appropriate DDoS Thresholds

Web applications and APIs protected by Imperva are shielded from both network and web DDoS attacks. Any customer can set the DDoS threshold (the request rate above which mitigation engages) at any time via the security console. Imperva also produces a threshold recommendation based on the previous 30 days of traffic. Given the heightened threat level globally, and the frequent changes in traffic patterns that come with it, check this recommendation regularly: a threshold tuned to last month's traffic can be too loose or too tight for this month's.
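As an added example (not Imperva's recommendation algorithm, about which this page says only that it is based on the previous 30 days of traffic), the Python below sketches one way a request-rate threshold can be derived from traffic history, why a past attack must be excluded from the baseline, and how to tell when the threshold has gone stale. The percentile, headroom factor, clipping factor, and the per-minute traffic history are all assumptions constructed for the illustration.

```python
"""Derive a request-rate DDoS threshold from traffic history and flag when it is stale.

Added example, not Imperva's recommendation algorithm. The percentile, headroom,
clipping factor and the traffic history are assumptions constructed for illustration.
"""
from statistics import median
from typing import List, Optional


def build_history(days: int = 30) -> List[int]:
    """Constructed per-minute requests/second: 150 rps at night, 250 rps by day,
    plus a 10-hour volumetric attack on day 4 that must not become the baseline."""
    history = [150 if (i % 1440) < 720 else 250 for i in range(days * 1440)]
    history[5000:5600] = [30000] * 600
    return history


def clip_attack_spikes(samples: List[int], factor: float) -> List[int]:
    """Drop samples far above the median so a past attack does not inflate the baseline."""
    cap = median(samples) * factor
    return [s for s in samples if s <= cap]


def recommend_threshold(samples: List[int], percentile: float = 99.0, headroom: float = 2.0,
                        floor: int = 100, clip_factor: Optional[float] = 5.0) -> int:
    """Nearest-rank percentile of (clipped) legitimate traffic, times a headroom factor."""
    if not samples:
        raise ValueError("no traffic samples")
    clean = clip_attack_spikes(samples, clip_factor) if clip_factor else list(samples)
    s = sorted(clean)
    rank = max(1, int(round(percentile / 100 * len(s))))
    return max(floor, int(s[rank - 1] * headroom))


def threshold_is_stale(threshold: int, recent_samples: List[int], ratio: float = 0.75) -> bool:
    """Legitimate peaks creeping up toward the threshold mean it needs review, either
    because traffic has grown or because an attack is starting to blend in."""
    return max(recent_samples) >= threshold * ratio


if __name__ == "__main__":
    history = build_history()
    t = recommend_threshold(history)
    print("recommended threshold:", t, "rps")
    print("without clipping:", recommend_threshold(history, clip_factor=None), "rps")
    print("stale after growth?", threshold_is_stale(t, [300, 420, 390]))
```

The clipping step is the point: without it, the 10-hour attack in the constructed history lands inside the 99th percentile and the "recommended" threshold jumps from 500 rps to 60,000 rps, a value that would never trigger mitigation. The staleness check is the reason to re-check regularly rather than once at onboarding.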

Detect & Prevent the Most Common Attack Types

Customers can configure the Imperva WAF to block large classes of attacks, such as SQL injection, Cross-Site Scripting (XSS), Remote File Inclusion (RFI), and Illegal Resource Access. Unless a control conflicts with the business logic of a particular application or API, we recommend turning all of these capabilities on in block mode, not just alert mode: an alert-only rule records the attack but still lets it through.

Constrain Origin Server Access

Imperva recommends that all customers change the ingress rules on their origin servers to accept traffic only from Imperva IP addresses. Once that is in place, attackers must go through the Imperva WAF to reach the underlying infrastructure or application; an origin that still accepts connections from anywhere can be attacked directly by anyone who learns its address, for example from historical DNS records or a leaked configuration. This is an easy change all customers can make. The latest IP address ranges can be found in the Imperva Documentation Portal; since the ranges can change over time, keep the origin allowlist in sync with that list.
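The DNS onboarding check and the origin lockdown above can both be scripted. The Python below is an added example, not Imperva tooling: it classifies each hostname's resolved A records as fully onboarded, partially onboarded (some records still point at the origin, which is the bypass case), or not onboarded, and renders the origin ingress allowlist as nftables rules with a default drop. The CIDR ranges, hostnames, and DNS answers are placeholders constructed for the example (RFC 5737 documentation addresses); substitute the current ranges from the Imperva Documentation Portal and real resolver output.

```python
"""Audit DNS onboarding and build an origin ingress allowlist.

Added example, not Imperva tooling. WAF_RANGES are placeholder CIDRs from RFC 5737
documentation space, NOT Imperva's published ranges; fetch the current list from
the Imperva Documentation Portal before using this for real.
"""
import ipaddress
from typing import Dict, List, Tuple

# Assumed WAF egress ranges (placeholders).
WAF_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed DNS answers (hostname -> A records), as a resolver would return them.
DNS_ANSWERS = {
    "www.example.com": ["192.0.2.10", "192.0.2.11"],      # every record goes through the WAF
    "api.example.com": ["198.51.100.5", "203.0.113.40"],  # one record still points at the origin
    "legacy.example.com": ["203.0.113.40"],               # never onboarded
}


def behind_waf(addr: str, ranges=WAF_RANGES) -> bool:
    """True if the address lies inside one of the WAF ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)


def audit_dns(answers: Dict[str, List[str]], ranges=WAF_RANGES) -> Dict[str, Tuple[str, List[str]]]:
    """Classify each hostname as onboarded, partial, or not_onboarded.

    'partial' is the dangerous case: round-robin resolution will sometimes hand
    clients (and attackers) the origin address, bypassing the WAF entirely.
    """
    report = {}
    for host, addrs in answers.items():
        exposed = [a for a in addrs if not behind_waf(a, ranges)]
        if not exposed:
            status = "onboarded"
        elif len(exposed) == len(addrs):
            status = "not_onboarded"
        else:
            status = "partial"
        report[host] = (status, exposed)
    return report


def origin_ingress_rules(ranges=WAF_RANGES, port: int = 443) -> List[str]:
    """Render nftables rules that admit only WAF ranges to the origin's HTTPS port.

    The final rule drops everything else, so the origin cannot be reached directly
    even by someone who learned its IP from DNS history or a leak.
    """
    rules = [f"add rule inet filter input ip saddr {net} tcp dport {port} accept" for net in ranges]
    rules.append(f"add rule inet filter input tcp dport {port} drop")
    return rules


if __name__ == "__main__":
    for host, (status, exposed) in audit_dns(DNS_ANSWERS).items():
        detail = f" (bypass via {', '.join(exposed)})" if exposed else ""
        print(f"{host}: {status}{detail}")
    print("\n".join(origin_ingress_rules()))
```

For a CNAME-onboarded hostname, resolve through to the final A records before running the audit; the containment check is the same. The rules are rendered as strings so they can be reviewed before being applied with nft, and the trailing drop rule is what turns the list into a default-deny.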

Implement Geo-Blocking and Use Threat Intelligence Rulesets

With elevated activity, customers should review where their end-user traffic originates and how those patterns are trending. It is common practice to block traffic from countries where the business does not transact or expect visitors. Geo-blocking is a coarse control, since an attacker can route through a proxy or cloud host in an allowed country, so combine it with the IP-reputation rulesets described below rather than relying on it alone.

Customers can set up geo-blocks through policies or rules:

  • Policies: Imperva customers can use high-level policies to block by country, URL, or IP address. These policies can be applied to specific web application and/or API assets at a customer's discretion.
  • Rules: Imperva customers can build more advanced geo-blocking rules with access to more response actions, including honeypotting, session blocking, data center forwarding, and more. Imperva Threat Research has also built IP-reputation lists for specific geo-targeted attacks that can be used as security rules. Contact Imperva Customer Support for details.

Enforce API Schemas

Imperva API Security enables customers to implement a positive security model: every request to the underlying API endpoint must match the criteria specified in the schema (URL, method, parameters, etc.), and anything the schema does not describe is rejected.

Customers can either upload an OpenAPI Specification (formerly Swagger) or generate one based on observed API activity. Schemas can be visualized in a table view, with the ability to configure specific controls on an individual endpoint.

With APIs sitting directly in front of data stores, attackers are now explicitly targeting weak and misconfigured APIs. Fuzzing or probing an API behind a positive security model largely fails, because requests with unexpected paths, methods, or parameters are rejected before they reach the application.
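The Python below is an added example, not Imperva API Security's engine, of what a positive security model enforces: a request is admitted only if its path, method, and parameters match the schema, so the requests a fuzzer typically sends (unknown endpoint, unexpected method, undeclared parameter, an injection payload in a typed field) are all rejected. The OpenAPI fragment and the requests are constructed for the example; only path, method, and path/query parameters are checked here.

```python
"""Positive security model for API requests: reject anything the OpenAPI schema does not describe.

Added example, not Imperva API Security's engine. The spec fragment and requests are
constructed; only path, method, and path/query parameters are enforced here.
"""
import re
from typing import Dict, List, Tuple

# Constructed OpenAPI 3 fragment (a real one is loaded from the uploaded or generated spec).
SPEC = {
    "paths": {
        "/users/{id}": {
            "get": {"parameters": [
                {"name": "id", "in": "path", "required": True, "schema": {"type": "integer"}},
                {"name": "fields", "in": "query", "required": False, "schema": {"type": "string"}},
            ]},
        },
        "/login": {"post": {"parameters": []}},
    }
}

# Value checks for the schema types used above (strings arrive undecoded from the URL).
TYPE_CHECKS = {
    "integer": lambda v: re.fullmatch(r"-?\d+", v) is not None,
    "boolean": lambda v: v in ("true", "false"),
    "string": lambda v: True,
}


def _compile_paths(spec) -> List[Tuple[re.Pattern, dict]]:
    """Turn '/users/{id}' into an anchored regex with a named group per path variable."""
    compiled = []
    for template, ops in spec["paths"].items():
        pattern = "^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$"
        compiled.append((re.compile(pattern), ops))
    return compiled


def validate(spec, method: str, path: str, query: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason). An unknown path, method, or parameter, or a value that
    fails its declared type, is rejected before the request reaches the application."""
    for regex, ops in _compile_paths(spec):
        m = regex.match(path)
        if m is None:
            continue
        op = ops.get(method.lower())
        if op is None:
            return False, f"method {method} not defined for {path}"
        params = {p["name"]: p for p in op.get("parameters", [])}
        for name, value in m.groupdict().items():  # path variables must satisfy their type
            p = params.get(name)
            if p is None or not TYPE_CHECKS[p["schema"]["type"]](value):
                return False, f"path parameter {name}={value!r} violates schema"
        declared = {n for n, p in params.items() if p["in"] == "query"}
        for name, value in query.items():  # query string: only declared names, each typed
            if name not in declared:
                return False, f"undeclared query parameter {name}"
            if not TYPE_CHECKS[params[name]["schema"]["type"]](value):
                return False, f"query parameter {name}={value!r} violates schema"
        for name in declared:
            if params[name].get("required") and name not in query:
                return False, f"missing required query parameter {name}"
        return True, "ok"
    return False, f"path {path} not in schema"


if __name__ == "__main__":
    # Constructed requests: two legitimate, the rest what a fuzzer or prober would send.
    for method, path, query in [
        ("GET", "/users/42", {"fields": "name"}),
        ("POST", "/login", {}),
        ("GET", "/users/42 OR 1=1", {}),
        ("GET", "/users/42", {"debug": "1"}),
        ("DELETE", "/users/42", {}),
        ("GET", "/admin", {}),
    ]:
        print(method, path, query, "->", validate(SPEC, method, path, query))
```

Compare this with a negative model (signature blocklist): the injection attempt in the `id` path variable is rejected here not because it matches a SQL-injection pattern but because it is not an integer, which is why probing a schema-enforced API mostly produces nothing but 4xx responses.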

Prevent Online Fraud

Imperva Threat Research is monitoring an increase in large-scale credential stuffing attacks. We recommend that Imperva Account Takeover be enabled to prevent any potential online fraud risks.

The product monitors repeated login attempts, successes, and failures for specific applications. Imperva Threat Research also regularly compiles a dictionary of leaked credentials and correlates that metadata with attacks on web applications.
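As an added example, not the detection logic of Imperva Account Takeover, the Python below runs a credential-stuffing heuristic over constructed login log lines: one source IP cycling through many distinct usernames in a short window with almost every attempt failing. Successful logins from a flagged source are then cross-checked against a constructed leaked-credential dictionary, mirroring the correlation described above. The log format, the thresholds, and the leaked-username set are assumptions.

```python
"""Detect credential stuffing in login logs and correlate with leaked credentials.

Added example, not the logic of Imperva Account Takeover. The log lines, the
thresholds, and the leaked-username set are constructed assumptions.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = namedtuple("Event", "ts ip user outcome")

# Constructed login log: "<ISO-8601 UTC timestamp> <client IP> <username> <FAIL|SUCCESS>".
# 203.0.113.9 walks a username list in seconds; 198.51.100.7 is one user mistyping a password.
LOG = """\
2024-03-01T10:00:01Z 203.0.113.9 alice FAIL
2024-03-01T10:00:02Z 203.0.113.9 bob FAIL
2024-03-01T10:00:03Z 203.0.113.9 carol FAIL
2024-03-01T10:00:04Z 203.0.113.9 dave FAIL
2024-03-01T10:00:05Z 203.0.113.9 erin FAIL
2024-03-01T10:00:06Z 203.0.113.9 frank SUCCESS
2024-03-01T10:02:00Z 198.51.100.7 alice FAIL
2024-03-01T10:02:10Z 198.51.100.7 alice FAIL
2024-03-01T10:02:20Z 198.51.100.7 alice SUCCESS
"""

# Constructed leaked-credential dictionary: usernames seen in breach dumps.
# Keep usernames or a hash of user+password here, never plaintext passwords.
LEAKED_USERS = {"frank", "alice"}


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def detect_stuffing(events: List[Event], window: timedelta = timedelta(minutes=5),
                    min_users: int = 5, min_fail_ratio: float = 0.8) -> Dict[str, dict]:
    """Flag source IPs that try many distinct usernames, mostly failing, within one window.

    Distinct usernames are the discriminator: a legitimate user who forgot a password
    retries the same account, while a stuffing tool walks a breach list.
    """
    per_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        per_ip[ev.ip].append(ev)
    flagged = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):  # sliding window over this IP's attempts
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            fails = sum(e.outcome == "FAIL" for e in win)
            if len(users) >= min_users and fails >= min_fail_ratio * len(win):
                flagged[ip] = {"distinct_users": len(users), "attempts": len(win),
                               "first_seen": win[0].ts}
                break
    return flagged


def likely_takeovers(events: List[Event], flagged: Dict[str, dict],
                     leaked_users: set) -> List[Tuple[str, str, str]]:
    """Successful logins from a flagged source. A username that also appears in a breach
    dump is the highest-confidence case and should be locked or forced to re-authenticate."""
    hits = []
    for ev in events:
        if ev.ip in flagged and ev.outcome == "SUCCESS":
            confidence = "leaked-credential" if ev.user in leaked_users else "suspicious-source"
            hits.append((ev.user, ev.ip, confidence))
    return hits


if __name__ == "__main__":
    evs = parse_log(LOG)
    flagged = detect_stuffing(evs)
    print("stuffing sources:", flagged)
    print("likely takeovers:", likely_takeovers(evs, flagged, LEAKED_USERS))
```

Note that the legitimate user's three attempts on one account from 198.51.100.7 are not flagged even though two of them failed: the heuristic keys on username spread, not on failure count alone, which is what keeps lockout-style false positives down. In production the window and thresholds are tuned per application, and the flagged sources feed a rate limit or challenge rather than an immediate hard block.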

Summary

Imperva is working around the clock and ready to help customers prevent edge, application, and data security attacks. If you’re a customer and require assistance with any of the actions referenced above, please reach out to the Imperva Customer Success team. Existing Imperva customers can create support tickets using the Imperva Support Portal. 

Like many around the world, we at Imperva hope for a peaceful resolution soon. We appreciate your trust in us and are ready to help you during these uncertain times.