Manual Chapter : Managing Threat Campaigns

Applies To:

BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0, 8.0.0, 7.1.0, 7.0.0

Central management of threat campaigns

Threat campaign signatures are based on current “in-the-wild” attacks that exploit the latest vulnerabilities and/or new ways to exploit old vulnerabilities. Threat campaign signatures contain contextual information about the nature and purpose of the attack. BIG-IQ allows you to oversee threat campaigns for managed BIG-IP devices version 14.0 or later. This means you can manage devices with threat campaign protection services, and you can maintain an up-to-date database of ongoing exploits.

By default, managed devices take immediate action once an active threat campaign signature is detected. You can select one or several threat campaigns to include a staging period, during which identified requests are allowed for a temporary period of time.

In addition to providing protection from active threat campaigns, regular updates mark campaigns that are no longer a threat as inactive. Once a threat campaign is in an inactive state, the system no longer provisions resources for its identification and mitigation.

To view a complete list of all threat campaigns and their statuses, go to the global settings screen at Configuration > SECURITY > Web Application Security > Threat Campaigns.

Configure threat campaigns for a Web Application Security policy

You must have a BIG-IP device version 14.0 or later, with threat campaigns provisioned and licensed on that BIG-IP device. On BIG-IQ, ASM services must be discovered on BIG-IQ Centralized Management.

If you intend to configure settings for a child policy, you need to decline the inheritance settings of the parent policy. See Edit inheritance settings for threat campaigns for more information.

You configure your Web Application Security policy to include protection and/or staging against active threat campaigns.
  1. Go to Configuration > SECURITY > Web Application Security > Policies.
  2. Click a policy in the Name column.
    The screen changes to show properties for that policy.
  3. To view or disable threat campaigns available to the selected policy, click THREAT CAMPAIGNS on the left.
    The screen displays a list of all the active threat campaigns found in the global settings (Configuration > SECURITY > Web Application Security > Threat Campaigns).
  4. From the Policy Properties menu on the left, go to POLICY BUILDING > Settings, scroll down and expand the Threat Campaigns setting.
  5. At the far right of the field, select one or more policy actions to take once a threat campaign is detected:
    1. Select Block to block requests that include signatures of the enforced threat campaigns.
    2. Select Alarm to generate an alarm when requests contain threat campaign signatures.
  6. To perform staging for new and updated threat campaign signatures for a period of time, select the Enable Threat Campaigns Staging check box.
  7. Once you enable staging, select specific threat campaigns for staging from the policy's settings (see step 3).
    1. Select Enabled for Enable Threat Campaigns Staging.
      By default, all threat campaigns are unstaged.
    2. For Threat Campaigns Enforcement Readiness Period, set the number of days to enforce staging.
  8. Click Save & Close.
Ensure that you update your threat campaign files regularly, so that your protection is up to date. To do so, see Customize device updates for threat campaigns.

Edit inheritance settings for threat campaigns

Before you can edit any settings for threat campaigns, you must have an existing Web Application Security policy.

You can change the inheritance settings for a child policy to configure threat campaign protection that is different from the parent policy.
  1. Go to Configuration > SECURITY > Web Application Security > Policies.
  2. Click the appropriate parent policy name to display the policy's properties.
  3. On the left, expand POLICY PROPERTIES and click Inheritance Settings.
  4. From the Threat Campaigns setting, select Optional.
  5. Click Save.
  6. Return to the Web Application Security Policies screen, and click the appropriate child policy name.
  7. Click Inheritance Settings.
  8. From the Threat Campaigns list, select Decline.
    This action rejects the parent policy's inheritance settings for threat campaigns, so that you can edit the child policy's staging and enforcement settings.
  9. Click Save & Close.

Device updates for threat campaigns

Due to the dynamic nature of the threat landscape, threat campaigns need to be maintained and kept up to date. This includes updating your database to include newly discovered threat campaigns, and removing those that have been resolved. Live updates can be scheduled and fine-tuned, based on your protection needs.

The accuracy of threat campaign signature detection means a minimal chance of false positives, and F5 recommends that you leave blocking enabled. However, threat campaign enforcement readiness periods and threat campaign staging provide a period of time in which you can evaluate the threat level of a threat campaign before the system begins to block traffic.

Customize device updates for threat campaigns

Before you can customize device updates, first ensure that your managed BIG-IP device is version 14.0 or later, with threat campaigns licensed and threat intelligence updates enabled. On BIG-IQ, ASM services must be discovered on BIG-IQ Centralized Management.

Regular updates ensure that your system has the most up-to-date information about ongoing threat campaigns and their malicious signatures for all discovered BIG-IP devices. Enabling regular updates to your threat campaign files ensures that devices can provide protection from newly detected threats, and refreshes information for threat campaigns that have become inactive.
  1. Go to Configuration > SECURITY > Threat Intelligence > Web Application Security.
  2. On the left, expand THREAT CAMPAIGNS FILES and select Threat Campaigns Files List.
  3. For general download settings, click Download to change the settings for file sources.
    By default, the system downloads all threat campaign files, regardless of device or status.
  4. To customize how regularly devices are updated, click Settings:
    1. Ensure that the Remote Updates setting is Enabled.
    2. For Interval, select how regularly the system collects threat campaign updates.
    3. Ensure that devices are listed in the Allow auto update list to enable automatic updates for the selected devices.
    4. To remove one or more devices from the auto updates list, select the device and move it to the Skip Auto Updates list.
    5. From the Install To list, you can select Active Devices Only to install updates only on the active high availability devices in your BIG-IP device cluster.
  5. Click Save & Close.
To complete the process of scheduling automatic updates on a specific BIG-IP device, go to Configuration > SECURITY > Web Application Security > Devices, click the device name in the devices list, and for the relevant file type, select the link for Allow Automatic Install.