The process of creating an accurate virtual patch is bound by:
(a) No false positives – This is always the top priority. The legitimate traffic won’t be blocked under any circumstances.
(b) No false negatives – This can be considered a high priority. When the offender deliberately attempts to evade detection, never miss the attempt.
Virtual patching is all about risk reduction. It might not be possible to adhere 100% to every goal. The business owners' needs must be understood while gaining the advantage of shortening the Time-to-Fix metric; the virtual patch might not implement a complete fix for the bug.
The virtual patch creator must keep all of these as priorities, in their relative order. The art of creating blocking virtual patches is generalizing the detection logic as much as possible to rigorously meet rule (b), without ever violating rule (a).
Deriving a Zero False Negative Virtual Patch
While conducting technical vulnerability research, the virtual patch writer should initially search for all of the circumstances that are important for an attack to succeed. The researcher can begin by gathering all the technical information that triggers the vulnerability remotely. Modifications are then made one at a time, with notes taken on each change. The list of variables to modify includes strings, length values, character encoding, white space, and so on. A variable is inapplicable as a virtual patch criterion if the attack still succeeds when that variable is set to a random value. In the end, the researcher can determine the whole set of variables that are crucial to the success of the attack. If there are multiple distinct attack vectors, the researcher must perform this analysis on each one separately.
Deriving a Zero False Positive Virtual Patch
The writer must examine the accuracy of a patch regarding false positives. At this particular stage, the writer tries to discover at least one characteristic that would never occur in normal traffic. If a characteristic comes up that is both anomalous compared to normal traffic and critical to the offender's success, then the zero false-negative virtual patch can also be considered a zero false-positive signature.
Manual Virtual Patch Creation
Positive Security Virtual Patches
A positive security model (whitelist) is a comprehensive security mechanism that provides an independent input validation envelope to an application. It is the recommended solution. The model defines the characteristics of valid input, such as character set, length, etc., and rejects everything that does not satisfy those characteristics. Defining rules for each parameter on each page in the web application protects the application with an additional envelope that is independent of its source code.
Negative Security (Blacklist) Virtual Patches
A negative security model is based on a rule set that detects known attacks rather than allowing only valid traffic. It is used for misuse-based detection. The differentiation between these two security models is subjective and also reflects how tight the security envelope around the application is. Limiting the characters allowed in an input field is a good example: if the character set is closed, providing an allowed list of permitted characters is equivalent to providing a deny list of forbidden characters.
Better Method for Virtual Patching – Positive or Negative Security
A virtual patch can operate either a positive or negative security model. Determining which method is better depends on the scenario and the points under consideration.
For instance, negative security rules can be implemented rapidly, but evasions are more probable.
Positive security rules give better security, but building them is usually a manual process and therefore difficult to maintain for dynamic sites. A positive security model may still be employed selectively when a vulnerability alert identifies a particular location with an issue.
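To make the contrast concrete, here is an added Python example (not code from the original article) that applies a positive (allowlist) virtual patch and a negative (denylist) virtual patch to a few constructed requests for a hypothetical page with `id` and `name` parameters; the parameter names, rules and sample values are assumptions. It also shows why the negative rule must account for character encoding, one of the variables listed in the false-negative analysis above.

```python
import re
from urllib.parse import unquote

# Constructed sample requests for a hypothetical page (assumed parameter names).
REQUESTS = {
    "legit":   {"id": "10245", "name": "Maria"},
    "attack":  {"id": "1 OR 1=1", "name": "Maria"},        # known tautology pattern
    "encoded": {"id": "1%20OR%201%3D1", "name": "Maria"},  # same value, URL-encoded
    "long":    {"id": "1" * 64, "name": "Maria"},          # anomalous length only
}

# Positive (allowlist) virtual patch: per-parameter character set and length that
# legitimate traffic uses. Unknown parameters and anything else are rejected.
# For the closed set of "id", this allowlist is equivalent to the deny list r"[^0-9]".
POSITIVE_RULES = {
    "id":   re.compile(r"[0-9]{1,10}"),
    "name": re.compile(r"[A-Za-z ]{1,40}"),
}

# Negative (denylist) virtual patch: a signature for one known attack pattern.
NEGATIVE_RULES = [
    re.compile(r"\bOR\b\s+\d+\s*=\s*\d+", re.IGNORECASE),
]


def positive_verdict(params):
    """Allow the request only if every parameter fully matches its allowlist."""
    for name, value in params.items():
        rule = POSITIVE_RULES.get(name)
        if rule is None or rule.fullmatch(value) is None:
            return "block"
    return "allow"


def negative_verdict(params, decode=False):
    """Block the request if any parameter matches a known-attack signature.

    With decode=False the signature is applied to the raw value, so a
    URL-encoded variant evades it; with decode=True the value is normalized
    first, closing that gap (but only for encodings the patch anticipates).
    """
    for value in params.values():
        if decode:
            value = unquote(value)
        if any(rule.search(value) for rule in NEGATIVE_RULES):
            return "block"
    return "allow"


def compare(requests=REQUESTS):
    """Return {name: (positive, negative_raw, negative_decoded)} for each request."""
    return {k: (positive_verdict(v), negative_verdict(v), negative_verdict(v, decode=True))
            for k, v in requests.items()}
```

Running `compare()` shows the allowlist blocking all three anomalous requests while the raw denylist misses both the encoded and the over-long value, which is the trade-off the text describes.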
Automated Virtual Patch Creation
Automated patch creation comes into play as the number of vulnerabilities grows. When vulnerabilities have been identified using automated tools and the corresponding report is available in an XML format, it is viable to use automated processes to convert the vulnerability data into virtual patches for security systems. Several WAF products can import XML report data and automatically adjust their protection profiles.