Exam CISM topic 1 question 952 discussion

Actual exam question from Isaca's CISM
Question #: 952
Topic #: 1

Which of the following is the BEST way to contain an SQL injection attack that has been detected by a web application firewall?

  • A. Force password changes on the SQL database.
  • B. Reconfigure the web application firewall to block the attack.
  • C. Update the detection patterns on the web application firewall.
  • D. Block the IPs from where the attack originates.
Suggested Answer: B

Comments

1899f17
1 month, 2 weeks ago
D. Block the IPs from where the attack originates.
upvoted 1 times
...
Marcelus1714
4 months, 3 weeks ago
Selected Answer: B
It says the best way to "contain" the attack when the firewall is only "detecting" the SQL injection, simply put it on block mode...
upvoted 2 times
...
AlexJacobson
5 months, 2 weeks ago
Selected Answer: B
Pentester here - it's B. WAF can be configured to either be IDS or IPS (broadly speaking). So since WAF already detected it, you can simply flip a switch and put it in prevention mode and you're done.
upvoted 2 times
...
TamerBeSafe
5 months, 3 weeks ago
Selected Answer: C
C. Update the detection patterns on the web application firewall. By updating the detection patterns on the web application firewall, you can enhance its ability to recognize and block the specific patterns associated with the SQL injection attack. This proactive measure allows the WAF to better identify and prevent similar attack patterns in the future, providing a more robust defense against SQL injection attacks. While options like blocking the IPs (Option D) or reconfiguring the web application firewall to block the attack (Option B) can be part of the response strategy, updating the detection patterns is a more precise and focused approach to mitigating the specific type of attack. It allows for a targeted response without disrupting legitimate traffic.
upvoted 1 times
...
kimssster
6 months, 1 week ago
Selected Answer: B
If WAF was able to detect, it is easy to switch into prevent. Blocking IP is a very inefficient solution in case of L7 attacks.
upvoted 3 times
...
koala_lay
8 months, 3 weeks ago
Blocking the IPs from where the attack originates can be useful if the attack is coming from a specific set of IP addresses. However, it may not be effective if the attackers are using multiple IP addresses or if they are using techniques such as IP spoofing. Updating the detection patterns on the web application firewall (option C) is often the best approach because it allows the firewall to better identify and block SQL injection attacks. By updating the detection patterns, the firewall can recognize the specific patterns or signatures associated with SQL injection attacks and take appropriate action to block or mitigate them. This approach is generally more flexible and adaptable to new attack techniques compared to simply blocking IP addresses or reconfiguring the firewall.
upvoted 1 times
...
richck102
8 months, 3 weeks ago
Selected Answer: D
D. Block the IPs from where the attack originates.
upvoted 1 times
...
koala_lay
9 months ago
Selected Answer: C
Out of the options provided, the BEST way to contain an SQL injection attack that has been detected by a web application firewall is option C: Update the detection patterns on the web application firewall. SQL injection attacks can exploit vulnerabilities in web applications to execute malicious SQL queries on the underlying database. When a web application firewall (WAF) detects an SQL injection attack, it is important to take appropriate measures to contain and mitigate the attack. In summary, updating the detection patterns on the web application firewall is the best way to contain an SQL injection attack that has been detected. It enhances the WAF's ability to identify and block the attack, providing immediate containment and reducing the risk of further exploitation.
upvoted 1 times
AlexJacobson
5 months, 2 weeks ago
WTF? Do you even read what ChatGPT spews out before you paste it here? Dude, the question literally says that WAF detected the attack, so why would you update the signatures???
upvoted 1 times
...
...
CISSPST
9 months, 3 weeks ago
Selected Answer: D
The WAF detected the SQL injection attack but was obviously unable to prevent it. Therefore, the best course of action to contain the attack would be to block all IP addresses from where the attack originates.
upvoted 2 times
kimssster
6 months, 1 week ago
Why? If WAF was able to detect, it is easy to switch into prevent. Blocking IP is a very inefficient solution in case of L7 attacks.
upvoted 1 times
...
...
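The detect-versus-block argument running through the comments above, as an added example that is not part of the original thread or any commenter's post: the same traffic is run through a WAF in detection-only mode, detection-only plus an IP blocklist (option D), and blocking mode (option B). The signature, the request log, and every function name are constructed for illustration and do not model any particular WAF product.

```python
import re

# Toy signature for illustration only; real WAF rule sets are far broader.
SQLI_SIGNATURE = re.compile(r"(?i)('\s*or\s+\d+\s*=\s*\d+|\bunion\s+select\b)")

# Constructed request log: (source IP, query string, ground truth is_attack).
# Addresses are from the RFC 5737 documentation ranges.
REQUESTS = [
    ("203.0.113.10", "id=7", False),
    ("198.51.100.5", "id=7' OR 1=1--", True),
    ("203.0.113.10", "q=union membership", False),
    ("198.51.100.5", "id=12", False),  # legitimate user behind the same NAT
    ("192.0.2.44", "id=1 UNION SELECT name FROM users", True),  # new source IP
]

def run(requests, waf_mode, ip_blocklist=frozenset()):
    """Return (attacks reaching the app, legitimate requests dropped, WAF alerts)."""
    reached = dropped_legit = alerts = 0
    for ip, query, is_attack in requests:
        if ip in ip_blocklist:            # option D: dropped before inspection
            dropped_legit += not is_attack
            continue
        if SQLI_SIGNATURE.search(query):
            alerts += 1                   # both modes log the match
            if waf_mode == "block":       # option B: prevention mode drops it
                dropped_legit += not is_attack
                continue
        reached += is_attack              # request is forwarded to the application
    return reached, dropped_legit, alerts

def compare(requests=REQUESTS):
    """Run the same traffic through the three configurations discussed in the thread."""
    return {
        "detect_only": run(requests, "detect"),
        # Blocklist holds the one source address seen in the first alert.
        "detect_plus_ip_block": run(requests, "detect", frozenset({"198.51.100.5"})),
        "block_mode": run(requests, "block"),
    }

if __name__ == "__main__":
    for name, (reached, dropped, alerts) in compare().items():
        print(f"{name:22} attacks_reaching_app={reached} legit_dropped={dropped} alerts={alerts}")
```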
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted