🚨 The MOVEit Attack: $6.1M in Financial Services Damage
In 2023, the CL0P ransomware group exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer application. This attack impacted over 600 organizations globally, including major financial institutions.
$6.1M is the average cost per affected financial institution, including regulatory fines, legal fees, breach notification costs, and business disruption.
Attack Timeline:
The prevention gap? Proper web application firewall protection with SQL injection detection would have blocked this attack in seconds.
🎯 Want Our Complete 20-Point AWS Security Checklist?
Don't secure just your web applications—get our comprehensive security checklist that covers all critical AWS configurations. Used by 500+ companies to prevent security incidents like the MOVEit attack.
🎯 Why Web Application Attacks Are Devastating
Web applications are the primary target for 75% of all cyber attacks. Unlike infrastructure attacks that may affect systems, web application attacks directly access your most sensitive data—customer records, financial information, and intellectual property.
The Three Critical Attack Vectors AWS WAF Prevents
- SQL Injection: Attackers inject malicious SQL code into web forms, exploiting poor input validation to access databases directly. The MOVEit attack used this exact method to compromise 600+ organizations and steal sensitive customer data.
- Cross-Site Scripting (XSS): Malicious scripts injected into web pages execute in users' browsers, stealing session cookies or credentials or performing unauthorized actions, which can lead to account takeovers and data theft.
- DDoS Attacks: Overwhelming your applications with traffic to cause outages. Application-layer DDoS attacks are particularly dangerous because they mimic legitimate user behavior while consuming server resources.
AWS WAF's new simplified console experience provides pre-configured protection packs that include OWASP Top 10 protections, designed to block the most common web application attacks.
Prerequisites:
- An existing web application on CloudFront, Application Load Balancer, or API Gateway
- AWS Console access with appropriate IAM permissions
- Understanding of your application's normal traffic patterns
Console Steps:
1.1 Access AWS WAF Console
- Navigate to the AWS WAF console
- Select your region (WAF is global for CloudFront, regional for ALB/API Gateway)
- Click "Create protection pack" (new console) or "Create web ACL" (standard console)
1.2 Choose Application Type and Protection Level
- Select your application type: "E-commerce", "API", "Content Site", or "Custom"
- Choose protection level: "Basic", "Standard", or "Enhanced"
- For financial applications, select "Enhanced" protection
1.3 Configure OWASP Core Rule Set
- Enable "AWS Managed Rules - Core Rule Set (CRS)"
- Enable "AWS Managed Rules - Known Bad Inputs"
- Enable "AWS Managed Rules - SQL Database" for SQL injection protection
- Set action to "Block" for production environments
1.4 Associate with Your Resources
- Click "Add AWS resources"
- Select your CloudFront distribution, ALB, or API Gateway
- Confirm the association
Rate limiting prevents automated attacks and ensures application availability during traffic spikes. Configure limits based on your application's normal usage patterns.
Console Steps:
2.1 Create Rate-Based Rule
- In your WAF protection pack, click "Add rules"
- Select "Add my own rules and rule groups"
- Choose "Rate-based rule"
- Name: `GeneralRateLimit`
2.2 Configure Rate Thresholds
- Rate limit: 2,000 requests per 5-minute window (adjust for your app)
- Aggregation: Based on IP address
- Action: Block for 10 minutes
2.3 Create Login Protection Rule
- Create another rate-based rule for login endpoints
- Name: `LoginProtection`
- Rate limit: 50 requests per 5-minute window
- Scope down to login paths only
Geographic blocking helps reduce attack surface by restricting access from high-risk countries where your business doesn't operate.
Console Steps:
3.1 Create Geographic Rule
- Add a new rule to your protection pack
- Select "Geographic match" rule type
- Name: `GeoBlocking`
3.2 Configure Blocked Countries
- Select countries to block based on threat intelligence
- Candidate countries: choose regions with high observed cybercrime activity where your business has no legitimate users
- Action: Block
- Priority: Evaluate after the OWASP rules (a higher priority number means the rule is evaluated later)
3.3 Create Allow List for Trusted IPs
- Create an IP set for trusted IP addresses (office IPs, VPN endpoints)
- Add a rule with higher priority to allow these IPs regardless of geography
- This prevents blocking legitimate users who are travelling or connecting through the corporate VPN
Real-time monitoring enables immediate response to attacks and helps optimize WAF rules based on actual traffic patterns.
Console Steps:
4.1 Enable WAF Logging
- In WAF console, go to your protection pack
- Click "Logging and metrics"
- Enable logging to CloudWatch Logs
- Create log group: `/aws/waf/production` (AWS WAF only accepts CloudWatch log groups whose names begin with `aws-waf-logs-`, so adjust the name to carry that prefix)
4.2 Set Up CloudWatch Alarms
- Navigate to CloudWatch console
- Create alarm for blocked requests
- Metric: `BlockedRequests`
- Threshold: > 100 in 5 minutes
4.3 Configure SNS Notifications
- Create SNS topic for security alerts
- Subscribe security team email addresses
- Set up SMS alerts for critical events
4.4 Set Up WAF Dashboard
- Use the built-in WAF dashboard for real-time insights
- Monitor allowed vs blocked requests
- Review top attack patterns and source countries
- Analyze rule effectiveness and false positives
🔍 Validation: Verify Your WAF is Working
Complete these tests to ensure your AWS WAF configuration is properly protecting your application:
- SQL Injection Test: Use a security scanner to test basic SQL injection patterns. Requests should be blocked and logged.
- Rate Limiting Test: Generate traffic exceeding your thresholds from a single IP. Verify blocking occurs at the configured limit.
- Geographic Blocking Test: Use a VPN to access your app from blocked countries. Access should be denied.
- Monitoring Test: Trigger security alerts and verify notifications are received within 5 minutes.
- Log Verification: Check CloudWatch Logs to ensure all blocked requests are being logged with proper details.
- False Positive Check: Verify legitimate traffic flows normally without being blocked by WAF rules.
Security Testing Script
Use this script to validate your WAF protection (note that the XSS test has been commented out):
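The following is an added example, not the testing script referred to above and not AWS code. It approaches the same checklist from the log side: it parses AWS WAF JSON log records of the kind CloudWatch Logs receives after step 4.1, produces the allowed-vs-blocked, top-rule and source-country view from step 4.4, mirrors the step 4.2 alarm threshold over a sliding 5-minute window, and flags two contradictions of the step 3 rule order that show up as false positives or gaps: a trusted IP that was blocked, and a request from a blocked country that was allowed. The sample records are constructed for the example; the trusted CIDR and the `XX` country code are placeholders.

```python
import json
from collections import Counter
from ipaddress import ip_address, ip_network

BASE_TS = 1_700_000_000_000  # epoch milliseconds, the unit AWS WAF uses in "timestamp"


def _record(i, action, rule_id, rule_type, ip, country, uri):
    """Build one constructed log line in the AWS WAF JSON layout, trimmed to the fields read below."""
    return json.dumps({
        "timestamp": BASE_TS + i * 30_000,
        "action": action,
        "terminatingRuleId": rule_id,
        "terminatingRuleType": rule_type,
        "httpRequest": {"clientIp": ip, "country": country, "uri": uri, "httpMethod": "GET"},
    })


# Constructed sample: documentation IP ranges, "XX" as a placeholder country code.
SAMPLE_LOG_LINES = [
    _record(0, "ALLOW", "Default_Action", "REGULAR", "198.51.100.10", "US", "/index.html"),
    _record(1, "BLOCK", "AWSManagedRulesSQLiRuleSet", "MANAGED_RULE_GROUP", "198.51.100.20", "US", "/search"),
    _record(2, "BLOCK", "GeneralRateLimit", "RATE_BASED", "198.51.100.30", "DE", "/api/quotes"),
    _record(3, "BLOCK", "GeoBlocking", "REGULAR", "192.0.2.50", "XX", "/login"),
    _record(4, "BLOCK", "AWSManagedRulesCommonRuleSet", "MANAGED_RULE_GROUP", "203.0.113.7", "US", "/admin/report"),
    _record(5, "ALLOW", "Default_Action", "REGULAR", "192.0.2.60", "XX", "/login"),
    _record(6, "BLOCK", "LoginProtection", "RATE_BASED", "198.51.100.30", "DE", "/login"),
    _record(7, "ALLOW", "Default_Action", "REGULAR", "198.51.100.10", "US", "/login"),
]


def parse_waf_logs(lines):
    """Parse newline-delimited WAF log JSON, skipping lines that are not valid JSON."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def summarize(records):
    """Allowed vs blocked counts, blocking rules, and source countries of blocked requests (step 4.4)."""
    actions = Counter(r["action"] for r in records)
    blocked = [r for r in records if r["action"] == "BLOCK"]
    return {
        "allowed": actions.get("ALLOW", 0),
        "blocked": actions.get("BLOCK", 0),
        "by_rule": Counter(r["terminatingRuleId"] for r in blocked),
        "by_country": Counter(r["httpRequest"]["country"] for r in blocked),
    }


def find_misconfigurations(records, trusted_cidrs, blocked_countries):
    """Flag entries that contradict the intended step 3 rule order."""
    nets = [ip_network(c) for c in trusted_cidrs]
    issues = []
    for r in records:
        req = r["httpRequest"]
        trusted = any(ip_address(req["clientIp"]) in n for n in nets)
        if r["action"] == "BLOCK" and trusted:
            issues.append({"issue": "trusted IP blocked; check allow-list rule priority",
                           "clientIp": req["clientIp"], "uri": req["uri"], "rule": r["terminatingRuleId"]})
        if r["action"] == "ALLOW" and req["country"] in blocked_countries and not trusted:
            issues.append({"issue": "request from blocked country allowed; check GeoBlocking rule",
                           "clientIp": req["clientIp"], "uri": req["uri"], "rule": r["terminatingRuleId"]})
    return issues


def max_blocked_in_window(records, window_ms):
    """Largest number of BLOCK entries inside any sliding window of window_ms milliseconds."""
    ts = sorted(r["timestamp"] for r in records if r["action"] == "BLOCK")
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] >= window_ms:
            start += 1
        best = max(best, end - start + 1)
    return best


def exceeds_alarm_threshold(records, threshold=100, window_ms=5 * 60 * 1000):
    """Same condition as the step 4.2 alarm: more than threshold blocked requests in 5 minutes."""
    return max_blocked_in_window(records, window_ms) > threshold


if __name__ == "__main__":
    recs = parse_waf_logs(SAMPLE_LOG_LINES)
    print(summarize(recs))
    for issue in find_misconfigurations(recs, ["203.0.113.0/24"], {"XX"}):
        print("MISCONFIG:", issue)
    print("alarm would fire:", exceeds_alarm_threshold(recs))
```

To run it against real data, export the log group from CloudWatch Logs (or read the log stream with the AWS CLI) and feed the lines to `parse_waf_logs`; the two misconfiguration checks are the log-side equivalent of the "False Positive Check" and "Geographic Blocking Test" items above, and a blocked request from your own office range after a rule change is the fastest signal that the allow-list priority was lost.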
🔧 Advanced AWS WAF Protection Strategies
Custom Rules for Industry-Specific Threats
Financial services applications need additional protection beyond OWASP standards:
- Account Enumeration Protection: Block requests trying to enumerate user accounts
- API Abuse Prevention: Protect against automated API scraping and data extraction
- Session Hijacking Protection: Advanced bot detection for credential stuffing attacks
Integration with AWS Shield Advanced
For applications requiring maximum DDoS protection:
Machine Learning-Based Bot Detection
AWS WAF Bot Control provides advanced bot detection:
- Detects and blocks malicious bots while allowing legitimate ones
- Uses machine learning to identify sophisticated automated threats
- Provides detailed bot classification and scoring
❌ Common AWS WAF Configuration Mistakes
💰 AWS WAF ROI: Why This Investment Pays Off
Beyond direct cost savings, AWS WAF provides:
- Regulatory Compliance: Helps meet PCI DSS, SOX, and other financial regulations
- Business Continuity: Prevents application downtime from DDoS attacks
- Customer Trust: Protects customer data and maintains brand reputation
- Operational Efficiency: Reduces security team workload through automation
🎯 Ready to Implement Enterprise-Grade Web Application Security?
AWS WAF protection is essential, but it's just one component of comprehensive AWS security. Get our complete security assessment to identify all vulnerabilities and optimization opportunities.