Cloudflare can now block communications by 'attacker name,' integrating threat intelligence into its WAF.



Cloudflare has announced a new feature that allows threat intelligence to be directly incorporated into its Web Application Firewall (WAF). This feature will enable users to create block rules in Cloudflare WAF based on criteria such as the attacker's name associated with the source IP address and the industries that the IP address has previously targeted.

Turning Cloudflare's threat indicators into real-time WAF rules

https://blog.cloudflare.com/realtime-threat-intel-waf-rules/



Cloudflare has a threat analysis feature called Threat Events, which uses the large volume of traffic Cloudflare processes to investigate 'which IP addresses are attacking which industries' and 'which attackers are prominent.' Traditionally, the process tended to involve creating rules on the WAF side after reviewing the visualized information, and Cloudflare explains that 'the process of translating visualization into actual mitigation measures tended to be manual and reactive.'

Therefore, Cloudflare has made it possible to use Threat Events information directly in creating rules for Cloudflare WAF. This means that Cloudflare's live threat intelligence is incorporated into the WAF engine, allowing it to conditionally block known dangerous communications before attacks reach your infrastructure.

This new feature, which integrates Threat Events with WAF, allows threat intelligence to be added early in the processing of HTTP requests, enabling the WAF to evaluate communications based on criteria such as attacker name, targeted industry, targeted country, country of origin, and type of threat intelligence. For example, rules can be created based on conditions such as 'IP addresses associated with a specific attack group,' 'IP addresses that have previously targeted the financial industry,' or 'IP addresses included in DDoS-related datasets that target specific countries.'



Cloudflare has added WAF fields that let users create rules based on the 'known threat group name,' the 'industries the source IP address has previously targeted,' the 'country of origin of the threat event,' the 'target country,' and the 'source of the information, such as DDoS or WAF datasets.'

The new feature is based on the same concept as Cloudflare's 'always-on detection' introduced for Attack Signature Detection. It runs the detection process in the background even if blocking rules haven't been created in advance, and adds threat metadata to the analysis information of HTTP requests. The aim is to avoid a binary choice between just viewing logs or blocking, and instead first analyze the attacker name and target industry, and then switch to blocking as needed.

For users with a Cloudforce One subscription, threat intelligence-based information is automatically displayed on the analytics screen. You can check which attackers are accessing your site and which industries the originating IP addresses typically target, and then enable blocking rules. The automation covers the creation and application of rules, but users still need to configure which conditions to use for blocking.

In terms of operation, the new 'cf.intel' field can be used in WAF custom rules and rate limiting rules. Rate limiting restricts clients that send too many requests within a certain period, and by including attacker names or targeted industries as conditions, it becomes possible to 'treat traffic with a specific threat context strictly' rather than 'block everything indiscriminately.' The field is also supported by the Cloudflare API and Terraform, so it can be incorporated into operations that deploy the same defense policy across multiple domains and accounts.

Furthermore, the Threat Intelligence Dashboard allows you to save the conditions you've investigated as Saved Views, and then create WAF rules from those saved conditions with a single click. For example, if you save a condition such as 'IP addresses that have attacked the financial industry in the past 7 days,' you can convert your investigation results into defense rules without having to manually copy a list of IP addresses.



When a rule is triggered, it is recorded in Security Analytics, allowing you to see which rule was triggered and which threat indicators were matched. It's not just a matter of blocking; the logs are recorded in a format that makes later investigation easier, which can be used to check for false positives and analyze incidents after they occur.



According to Cloudflare, the threat intelligence dataset is compressed into a high-performance format and distributed to Cloudflare data centers around the world. When a request reaches the Cloudflare network, Cloudflare WAF looks it up in the locally stored dataset in constant time, so the added latency is measured in microseconds and is virtually zero whether the dataset holds 10 or 10 million entries.
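The behaviour described above (always-on enrichment of each request with threat metadata, rules keyed on attacker name or targeted industry rather than raw IP lists, rate limiting scoped by threat context, constant-time local lookup, and a log that records which rule fired and which indicators matched) can be modelled in a few dozen lines. This is an added illustration, not Cloudflare's code or its `cf.intel` schema; the dataset, attacker names and rules are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample dataset (not Cloudflare data): the locally distributed,
# constant-time lookup is modelled as a dict keyed by source IP.
THREAT_INTEL = {
    "198.51.100.7": {"attacker": "ExampleGroup-A", "industries": {"financial"},
                     "source": "WAF", "origin": "XX", "targets": {"JP"}},
    "203.0.113.9": {"attacker": "ExampleGroup-B", "industries": {"financial", "retail"},
                    "source": "DDoS", "origin": "YY", "targets": {"US", "JP"}},
}

@dataclass
class Rule:
    name: str
    action: str                      # "block" or "rate_limit"
    match: Callable[[dict], bool]    # predicate over the request's threat metadata
    limit: int = 0                   # requests per IP allowed before rate_limit blocks

# Hypothetical rules written the way the article describes: by attacker name and
# by previously targeted industry, not by copying lists of IP addresses.
RULES = [
    Rule("block-group-a", "block", lambda i: i["attacker"] == "ExampleGroup-A"),
    Rule("rl-financial", "rate_limit", lambda i: "financial" in i["industries"], limit=2),
]

class Waf:
    def __init__(self, rules):
        self.rules, self.counters, self.log = rules, {}, []

    def evaluate(self, ip: str, path: str) -> dict:
        intel = THREAT_INTEL.get(ip)        # O(1) whatever the dataset size
        # Always-on: metadata is attached to the record even when no rule fires,
        # so analysts can review attacker/industry before switching to blocking.
        rec = {"ip": ip, "path": path, "intel": intel, "rule": None, "action": "allow"}
        for rule in (self.rules if intel else []):
            if not rule.match(intel):
                continue
            rec["rule"] = rule.name
            if rule.action == "block":
                rec["action"] = "block"
            else:                           # rate limit only this threat context
                key = (rule.name, ip)
                self.counters[key] = self.counters.get(key, 0) + 1
                if self.counters[key] > rule.limit:
                    rec["action"] = "block"
            break                           # first matching rule decides
        self.log.append(rec)                # rule name + matched indicators kept for review
        return rec
```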

The new feature that integrates Threat Events with WAF currently uses IP address-based matching, but Cloudflare plans to expand this to include JA3 fingerprinting and domain-based matching in the future. JA3 fingerprinting is a method that identifies client software based on the characteristics of TLS communication, and Cloudflare states that this will allow for blocking attacks by identifying the characteristics of the software used and malicious links, even against attackers who frequently change their IP addresses.

This new feature is available to customers with a Cloudforce One subscription. Cloudflare says that customers can create their first Threat Intel rule from Threat Events or the WAF section of the Cloudflare Dashboard, and that it can be used as a way to transform global threat visibility into local defense.

in Web Service, Security, Posted by log1d_ts