Coming soon to Reblaze: a significant new feature named Flow Control.
Here’s the tl;dr:
Flow Control is a new method of threat detection within Reblaze: an additional layer of security added to its existing modules (WAF, bot management, DDoS protection, rate limiting, Account Takeover prevention, API security, etc.).
Admins now have an intuitive interface for defining the behavioral patterns of legitimate users of their web applications and APIs—the sequences of actions that legitimate users will take. Once these sequences are set up within Reblaze, Flow Control policies will block traffic sources that deviate from them.
This can detect hackers that are trying to appear benign and evade other methods of threat detection. It can even block attacks in their preliminary stages, before malicious activity is even attempted.
Now for more detail.
Introducing Flow Control
Flow Control is a new approach to behavioral threat detection. Reblaze already uses behavioral analysis to automatically create profiles of legitimate user activity, so it can recognize when traffic sources are varying from these expected patterns. Flow Control allows admins to construct and enforce their own custom profiles as well, by defining sequences of expected events for specific paths and processes.
This capitalizes on a major weakness of threat actors—that they usually behave quite differently than legitimate users. Hackers are incentivized to wage as many attacks as possible, in as short a time as possible. So, threat actors will often skip actions that don’t contribute directly to their attacks.
For example, when a legitimate user attempts to log into a web application, the initial access of the login page will generate a GET request. Subsequently, a POST request will be generated with the user’s login credentials.
However, a hacker who is attempting a credential stuffing attack on a login page will issue a series of continuous POST requests until one of the requests succeeds. There is no need to issue GETs in between. (In fact, a savvy hacker will not do so, because this would make the attack far less efficient.)
Therefore, an admin can create a Flow Control policy based on the event sequence that legitimate users will follow. Here’s what the sequence would look like in the Reblaze interface:
Now, whenever a POST request arrives that was not immediately preceded by a GET, this sequence will have been violated. Reblaze will then execute the policy’s defined action. (Typically, this will be to block the violating request, or even to ban the requestor completely for a specific length of time.)
Here’s another example that shows an entire Flow Control policy. A traffic source attempting to log in via a mobile API endpoint must submit a properly structured email address and password, followed by a six-digit 2FA OTP (one-time password) within two minutes of the initial request. If a traffic source fails to do this three times in a row, its subsequent requests are blocked with a 503 error.
A variety of configuration options are available for Flow Control policies:
- Requests can be tracked according to the requestor’s IP address, as shown above, or by another parameter (or a combination of parameters) such as headers, cookies, arguments, or other attributes.
- Request parameters can have their allowable formats/structures defined and enforced.
- Violators can be blocked with a 503 error, or they can be given a bot challenge, redirected to a specified path, served a custom response, or banned completely for a specific length of time.
- Policies can be enforced as broadly or as narrowly as the admin desires: from entire sites down to individual URLs.
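To make the login sequence and the three-strikes policy above concrete, here is a small sequence-enforcement engine run over constructed request log lines. It is an added illustration written for this post, not Reblaze or Curiefense code, and its policy fields (the 120-second window, three consecutive violations, a 600-second ban) and the tracking-by-IP key are assumptions chosen to mirror the examples in the text.

```python
from dataclasses import dataclass
# Constructed sample traffic for a login flow: (seconds, client_ip, method, path).
SAMPLE_REQUESTS = [
    (0.0, "10.0.0.1", "GET", "/login"),     # legitimate: load the page, then POST
    (2.5, "10.0.0.1", "POST", "/login"),
    (3.0, "10.0.0.2", "POST", "/login"),    # POST with no preceding GET (violation 1)
    (3.1, "10.0.0.2", "POST", "/login"),    # violation 2
    (3.2, "10.0.0.2", "POST", "/login"),    # violation 3: the source is banned
    (3.3, "10.0.0.2", "POST", "/login"),    # rejected while the ban is active
    (10.0, "10.0.0.3", "GET", "/login"),
    (200.0, "10.0.0.3", "POST", "/login"),  # GET was 190 s ago: window expired
]

@dataclass
class FlowPolicy:
    sequence: list             # ordered (method, path) steps legitimate users follow
    window: float = 120.0      # seconds within which the whole sequence must complete
    max_violations: int = 3    # consecutive violations before the source is banned
    ban_seconds: float = 600.0 # assumed ban length; the page leaves this configurable

@dataclass
class SourceState:
    position: int = 0          # index of the next expected step
    started: float = 0.0       # timestamp of the current sequence's first step
    violations: int = 0        # consecutive violations so far
    banned_until: float = 0.0

class FlowControl:
    def __init__(self, policy):
        self.policy = policy
        self.state = {}        # tracking key (here the client IP) -> SourceState

    def evaluate(self, ts, key, method, path):  # returns "allow" or "block"
        # Assumes the caller feeds only requests on the paths the policy is scoped to.
        p, s, step = self.policy, self.state.setdefault(key, SourceState()), (method, path)
        if ts < s.banned_until:
            return "block"
        if step == p.sequence[0]:                       # a fresh sequence begins
            s.position, s.started = 1, ts
        elif step == p.sequence[s.position] and ts - s.started <= p.window:
            s.position += 1                             # expected next step, in time
        else:                                           # out of order or too late
            s.position, s.violations = 0, s.violations + 1
            if s.violations >= p.max_violations:
                s.banned_until = ts + p.ban_seconds
            return "block"
        if s.position == len(p.sequence):               # sequence completed
            s.position, s.violations = 0, 0
        return "allow"

LOGIN_POLICY = FlowPolicy(sequence=[("GET", "/login"), ("POST", "/login")])
```

Feeding SAMPLE_REQUESTS through `FlowControl(LOGIN_POLICY).evaluate(...)` in order allows the first source, blocks every POST from the second source and bans it on the third, and blocks the third source's POST because its GET fell outside the two-minute window.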
Also, admins can define sequences with as many events as needed. Here’s an example that enforces the correct checkout procedure for each unique session id:
The examples shown above are for demonstration purposes, and are rather simple. In production use, Flow Control policies can be as complex as the admin desires, and overall, they represent a powerful new approach to threat detection. We recommend that our customers spend some time thinking about their web applications and APIs, mapping out the event sequences that all legitimate users would follow, and then constructing Flow Control policies accordingly. (And meanwhile, if you need assistance upgrading to version 2.20, please contact support and we’ll be happy to help.)
Since its inception, Reblaze has used a multi-layer approach to web security, subjecting traffic sources to multiple forms of verification. These currently include:
- Content filtering and signature detection (available via Reblaze’s next-gen WAF)
- Blocking traffic sources sending high volumes of requests (DDoS Protection)
- Blocking traffic sources sending lower, but still anomalous, volumes of requests (Rate Limiting)
- Blocking undesirable traffic sources that aren’t human (Bot Management)
- Banning requestors exhibiting hostile activity patterns (e.g., Account Takeover prevention)
- Using additional specialized techniques for API traffic (API security)
- Detecting and blocking malicious traffic sources based on their actions (Machine Learning and Behavioral Analysis)
Flow Control is the latest addition to this list: a powerful new capability for admins to use when protecting their sites, web applications, and APIs, available now within Reblaze.
For more information about Reblaze, or to get a demo, you can contact us here.
Note: the Flow Control capabilities described above will be part of the Reblaze platform. A smaller set of Flow Control features is also available in Curiefense, Reblaze’s open-source web security solution that integrates with NGINX and Envoy Proxy.