WAFs and Ignored Threats


There is growing, general dissatisfaction with Web Application Firewalls (WAFs) as highlighted in a recent study by Neustar and subsequent article by DarkReading.


These solutions, which include Cloudflare, Citrix NetScaler, and Fortinet FortiWeb, filter application-layer traffic, as opposed to network firewalls, which filter network- and transport-layer traffic by IP address and port number. They are specifically designed to filter malicious requests that look legitimate to a traditional network firewall; however, 40% of surveyed CISOs felt that such products were at best stopping half of the application-layer attacks attempted against them. Other research, such as last year's Ponemon study, echoes these findings.

So, why does this occur? The main reason is that attackers work around the WAF's signature rules. This is the classic distinction between an exploit and a vulnerability: for a given vulnerability there can be many exploits. A vulnerability can only truly be resolved by patching or upgrading, which can often be costly. Mitigation solutions such as a WAF, by contrast, implement rules that counter particular methods of exploitation, not the underlying flaw.

Case in point: F5 Networks published a mitigation for the BIG-IP vulnerability (CVE-2020-5902), which was exploited in early July[1]. However, recent reporting by HelpNet Security states that attackers have been able to bypass the mitigation, leading Zeljka Zorz to write, "Any organization that applied the original, incomplete mitigation instead of patching their F5 BIG-IP boxes should take action again."

Likewise, a recent joint WhiteSource-CYR3CON study found that attackers tended to exploit open source vulnerabilities that stem from certain weaknesses, with CWE-20, CWE-125, and CWE-79 topping the list; these cover improper input validation, out-of-bounds reads, and improper neutralization of user input respectively. All of these are the very classes of weakness WAFs are designed to protect against.
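The distinction drawn above between mitigating an exploit and fixing a vulnerability is easy to see in code. The following Python is an added example, not code from the article or from any vendor it names: a toy WAF-style rule that blocks the one exploit string its author saw, placed in front of a CWE-79 style sink that reflects input into HTML verbatim, next to the actual fix, which neutralizes input for the HTML context no matter how it is written. The inputs and the function names (`waf_allows`, `render_fixed`, `compare`) are constructed for illustration.

```python
import html
import re

# A mitigation rule in the WAF style: block request fields containing the
# exact string that appeared in the exploit the rule author saw. This stops
# one exploit of the weakness, not the weakness itself (hypothetical rule).
SIGNATURE = re.compile(r"<script>")

def waf_allows(field_value: str) -> bool:
    """True if the signature rule would let this field value through."""
    return SIGNATURE.search(field_value) is None

def render_unsafe(field_value: str) -> str:
    """The vulnerable code path (CWE-79): input lands in HTML unchanged."""
    return f"<p>{field_value}</p>"

def render_fixed(field_value: str) -> str:
    """The patch: escape for the HTML context, whatever the input looks like."""
    return f"<p>{html.escape(field_value, quote=True)}</p>"

def contains_markup(rendered: str) -> bool:
    """Did any tag other than the template's own <p> survive into the page?"""
    return re.search(r"<(?!/?p>)[A-Za-z]", rendered) is not None

# Constructed sample inputs: a benign comment, the exploit the rule was written
# for, and a trivially rewritten form of the same exploit.
SAMPLES = {
    "benign": "Great article, thanks!",
    "known_exploit": "<script>alert(1)</script>",
    "variant": "<ScRiPt>alert(1)</ScRiPt>",
}

def compare(samples: dict) -> dict:
    """For each sample, return (reaches sink with WAF-only mitigation,
    reaches sink once the application itself is patched)."""
    results = {}
    for name, value in samples.items():
        # Mitigation only: the WAF screens input, the sink is still unsafe.
        waf_only = waf_allows(value) and contains_markup(render_unsafe(value))
        # Patched: the sink neutralizes input on its own; no rule needed.
        patched = contains_markup(render_fixed(value))
        results[name] = (waf_only, patched)
    return results

if __name__ == "__main__":
    for name, (mitigated, fixed) in compare(SAMPLES).items():
        print(f"{name:14s} WAF-only exploitable={mitigated}  patched exploitable={fixed}")
```

The rule has to be rewritten every time a new exploit form appears, while the patch holds for every input because it addresses the weakness rather than one exploit of it; that is the gap the surveyed CISOs are describing, and the check worth running after any mitigation is whether the underlying sink is still unsafe.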

Essentially, WAFs are one cause of ignored threats: the CISO is lulled into a false sense of security. Implementing mitigations without understanding ongoing threat activity can render them useless and leaves the organization carrying risk it never meant to accept. Ignored threats like these can be addressed with proactive intelligence. When a CISO is faced with a Qualys or Nessus vulnerability list numbering in the thousands, choosing what to patch versus what to mitigate is an important decision, and understanding the adversary is key to making the right choice.

For a limited time, CYR3CON is offering a free FIT (Find Ignored Threats) Assessment to identify the threats you are ignoring in your enterprise through a combination of AI and intelligence. CYR3CON customers use this to prioritize their efforts and make the tough decisions relating to patch vs. mitigation. Contact CYR3CON for more information.



[1] CYR3CON’s platform predicted exploitation about a month in advance. Following CYR3CON predictions enabled enterprises to prioritize patching for this particular vulnerability and also supplied a stream of the latest related intelligence.