Full Report
Cloudflare customers can now use Cloudforce One threat intelligence directly within the WAF to block high-risk traffic. By using new cf.intel fields, security teams can automate protection against specific threat actors and targeted industries in real time.
Analysis Summary
# Best Practices: Integrating Cloudforce One Threat Intelligence into Cloudflare WAF
## Overview
These practices address the integration of real-time threat intelligence (Cloudforce One) into Web Application Firewall (WAF) policies. This approach shifts security from reactive pattern-matching to proactive, actor-based blocking, allowing organizations to automate the defense against specific adversaries and industry-targeted campaigns.
## Key Recommendations
### Immediate Actions
1. **Enable Cloudforce One Feeds:** Ensure the Cloudforce One subscription is active and the `cf.intel` fields are visible in your Cloudflare dashboard.
2. **Audit Industry-Specific Threats:** Identify whether your organization belongs to a targeted sector (e.g., Finance, Healthcare, Government) and implement a "Log" rule to measure how much of your traffic matches that industry's threat profile before any blocking is enabled.
3. **Implement High-Confidence Blocking:** Create a WAF Custom Rule to block traffic where the threat intelligence score indicates a high confidence of malicious activity.
### Short-term Improvements (1-3 months)
1. **Automated Actor Blocking:** Configure WAF rules using the `cf.intel.actors` field to automatically drop traffic from known Advanced Persistent Threat (APT) groups relevant to your region.
2. **Refine False Positive Monitoring:** Set up Alert Notifications for any WAF rules using `cf.intel` fields to monitor for legitimate traffic being inadvertently blocked.
3. **Policy Layering:** Integrate threat intel fields with existing Geo-blocking and IP Reputation filters to create a multi-layered defense.
### Long-term Strategy (3+ months)
1. **Shift to "Deny-by-Intel":** Transition from legacy manual IP blacklisting to dynamic, intelligence-driven automation.
2. **Intelligence Lifecycle Integration:** Create a feedback loop where Security Operations Center (SOC) teams use Cloudforce One's deep-dive investigations to update WAF logic quarterly.
3. **Global Policy Alignment:** Standardize threat intel-based blocking across all global zones and endpoints.
## Implementation Guidance
### For Small Organizations
- **Focus on Low Maintenance:** Use broad `cf.intel` categories (e.g., "Botnets") rather than tracking individual actors.
- **Default to Managed Rules:** Rely on Cloudflare’s managed rulesets that incorporate this intel automatically if you lack a dedicated security engineer.
### For Medium Organizations
- **Industry Targeting:** Prioritize rules that block traffic targeting your specific business vertical.
- **Staged Rollout:** Deploy rules in "Log" mode for 7 days before moving to "Block" to ensure business continuity.
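During the 7-day "Log" window the question to answer is not only "how much traffic matches?" but "where does it come from?", since intelligence fields that describe VPN, proxy or hosting infrastructure can also match partners and corporate egress. The script below is an added example (not Cloudflare's code) that reviews log-mode firewall events of the shape Cloudflare Logpush emits; the field names `RuleID`, `Action`, `ClientASN` and the rule IDs and ASNs in the sample records are constructed for the illustration. It flags any rule whose log-mode matches concentrate in ASNs you already know to be shared or partner infrastructure, so that rule goes back for review instead of straight to Block.

```python
"""Review log-mode matches of cf.intel WAF rules before switching them to Block.

Added example, not Cloudflare's code. It reads newline-delimited JSON firewall
events (field names modelled on Cloudflare Logpush firewall_events; assumed
here) and reports, per rule, how many matches came from ASNs you know to be
partner or shared VPN egress. Rules with a high share are marked for review.
"""
import json
from collections import Counter, defaultdict

# Constructed sample: 7 days of log-mode hits for two intel rules plus one
# unrelated block event. ASNs 64496-64511 are reserved for documentation.
SAMPLE_EVENTS = "\n".join([
    '{"Datetime":"2024-01-01T00:01:00Z","RuleID":"intel-actor-block","Action":"log","ClientIP":"192.0.2.10","ClientASN":64510}',
    '{"Datetime":"2024-01-02T03:14:00Z","RuleID":"intel-actor-block","Action":"log","ClientIP":"192.0.2.11","ClientASN":64510}',
    '{"Datetime":"2024-01-03T11:20:00Z","RuleID":"intel-actor-block","Action":"log","ClientIP":"192.0.2.12","ClientASN":64510}',
    '{"Datetime":"2024-01-04T09:05:00Z","RuleID":"intel-actor-block","Action":"log","ClientIP":"198.51.100.7","ClientASN":64511}',
    '{"Datetime":"2024-01-05T17:45:00Z","RuleID":"intel-actor-block","Action":"log","ClientIP":"198.51.100.8","ClientASN":64511}',
    '{"Datetime":"2024-01-02T08:00:00Z","RuleID":"intel-vpn-phishing","Action":"log","ClientIP":"203.0.113.5","ClientASN":64501}',
    '{"Datetime":"2024-01-03T08:02:00Z","RuleID":"intel-vpn-phishing","Action":"log","ClientIP":"203.0.113.6","ClientASN":64501}',
    '{"Datetime":"2024-01-04T08:04:00Z","RuleID":"intel-vpn-phishing","Action":"log","ClientIP":"203.0.113.7","ClientASN":64501}',
    '{"Datetime":"2024-01-06T22:30:00Z","RuleID":"intel-vpn-phishing","Action":"log","ClientIP":"192.0.2.99","ClientASN":64510}',
    '{"Datetime":"2024-01-06T22:31:00Z","RuleID":"legacy-geo-block","Action":"block","ClientIP":"192.0.2.100","ClientASN":64510}',
])

# Constructed allowlist: ASNs that belong to partners or to your own users'
# shared egress. Matches from here are false-positive candidates, not attacks.
KNOWN_SHARED_ASNS = {64500: "partner-integration", 64501: "corporate-vpn-egress"}


def load_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarise_log_mode(events, shared_asns, concentration_threshold=0.5):
    """Per log-mode rule: match count, top ASNs, share from shared ASNs, verdict.

    Only events whose Action is "log" are counted, so rules already enforcing
    (block, challenge) do not skew the staged-rollout review.
    """
    per_rule = defaultdict(Counter)
    for event in events:
        if event.get("Action") != "log":
            continue
        per_rule[event["RuleID"]][event["ClientASN"]] += 1

    report = {}
    for rule_id, asns in per_rule.items():
        total = sum(asns.values())
        shared = sum(n for asn, n in asns.items() if asn in shared_asns)
        share = shared / total
        report[rule_id] = {
            "matches": total,
            "top_asns": asns.most_common(3),
            "shared_share": round(share, 2),
            # A rule that mostly hits known shared egress needs narrowing
            # (extra conditions, exceptions) before it is allowed to block.
            "verdict": "review" if share >= concentration_threshold else "ready-to-block",
        }
    return report


if __name__ == "__main__":
    for rule_id, row in summarise_log_mode(load_events(SAMPLE_EVENTS), KNOWN_SHARED_ASNS).items():
        print(f"{rule_id}: {row['matches']} matches, shared share {row['shared_share']}, {row['verdict']}")
```

With the constructed data the actor rule's matches all come from unlisted ASNs and it is marked ready to block, while three of the four anonymiser-rule matches come from the corporate VPN egress ASN and it is sent back for review; in practice the ASN allowlist comes from your partner inventory and the threshold from how much collateral blocking the business tolerates.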
### For Large Enterprises
- **Granular Actor Response:** Customize responses based on the specific threat actor (e.g., Honeypot for research-based actors vs. Drop for ransomware-linked actors).
- **API Integration:** Use the Cloudflare API/Terraform to push intelligence-based WAF rules across hundreds of zones simultaneously.
## Configuration Examples
**Example 1: Blocking Specific Threat Actors (WAF Custom Rule)**
```text
Expression: (cf.intel.actor in {"APT28" "Lazarus_Group"})
Action: Block
```
**Example 2: Protecting Industry-Specific Assets**
```text
Expression: (cf.intel.targeted_industries contains "finance" and cf.threat_score gt 10)
Action: Managed Challenge (Interactive)
```
**Example 3: Logic-based Intelligence Filtering**
```text
Expression: (cf.intel.is_malicious_proxy or cf.intel.is_vpn) and (cf.intel.threat_type eq "phishing")
Action: Block
```
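The three rules above, combined with the staged rollout and multi-zone API deployment recommended earlier, can be driven from one script. The following is an added example (not Cloudflare's or this report's code) that assembles the expressions into the request body of the Cloudflare Rulesets API entrypoint for the `http_request_firewall_custom` phase; the `cf.intel` field names are taken from the examples as the report gives them, and the API token and zone IDs are placeholders supplied by the caller. One `stage` switch emits every rule with action `log` for the observation period and then, once reviewed, with its intended action.

```python
"""Assemble the report's cf.intel rules into a Cloudflare Rulesets API payload
and push the same policy to many zones, staged as log first, then enforced.

Added example, not Cloudflare's code. Assumes the cf.intel field names used in
the configuration examples above, and an API token with WAF edit permission
on each zone (placeholder; supplied by the caller).
"""
import json
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"
PHASE = "http_request_firewall_custom"  # phase that holds WAF custom rules

# Rule catalogue: the three expressions from the configuration examples.
# target_action is what each rule does once the log-mode review is complete.
INTEL_RULES = [
    {
        "description": "Intel: block tracked threat actors",
        "expression": '(cf.intel.actor in {"APT28" "Lazarus_Group"})',
        "target_action": "block",
    },
    {
        "description": "Intel: challenge traffic targeting the finance vertical",
        "expression": '(cf.intel.targeted_industries contains "finance" and cf.threat_score gt 10)',
        "target_action": "managed_challenge",
    },
    {
        "description": "Intel: block anonymiser traffic tied to phishing",
        "expression": '(cf.intel.is_malicious_proxy or cf.intel.is_vpn) and (cf.intel.threat_type eq "phishing")',
        "target_action": "block",
    },
]


def build_ruleset_payload(rules, stage):
    """Return the body for PUT /zones/{id}/rulesets/phases/{PHASE}/entrypoint.

    stage="log"     -> every rule is observe-only (staged rollout)
    stage="enforce" -> every rule uses its target_action
    """
    if stage not in ("log", "enforce"):
        raise ValueError("stage must be 'log' or 'enforce'")
    return {
        "description": f"cf.intel rules ({stage})",
        "rules": [
            {
                "description": rule["description"],
                "expression": rule["expression"],
                "action": "log" if stage == "log" else rule["target_action"],
                "enabled": True,
            }
            for rule in rules
        ],
    }


def deploy(zone_ids, token, stage):
    """PUT the same payload to every zone; returns {zone_id: HTTP status}."""
    body = json.dumps(build_ruleset_payload(INTEL_RULES, stage)).encode()
    results = {}
    for zone_id in zone_ids:
        req = urllib.request.Request(
            f"{API_BASE}/zones/{zone_id}/rulesets/phases/{PHASE}/entrypoint",
            data=body,
            method="PUT",
            headers={
                "Authorization": f"Bearer {token}",
                "Content-Type": "application/json",
            },
        )
        with urllib.request.urlopen(req) as resp:
            results[zone_id] = resp.status
    return results


if __name__ == "__main__":
    # Dry run: show the log-stage payload instead of calling the API.
    print(json.dumps(build_ruleset_payload(INTEL_RULES, "log"), indent=2))
```

Two cautions when running `deploy` for real: a PUT to the phase entrypoint replaces the zone's whole custom ruleset, so in zones that already carry hand-written custom rules you should GET the existing entrypoint and merge before writing, and the `enforce` stage should only run after the log-mode matches have been reviewed for the false positives described in the rollout guidance.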
## Compliance Alignment
- **NIST SP 800-53:** Align with SI-4 (Information System Monitoring) by using external threat intelligence.
- **ISO/IEC 27001:** Supports A.12.6.1 (Management of technical vulnerabilities).
- **CIS Controls:** Directly supports Control 7 (Vulnerability Management) and Control 13 (Network Monitoring).
## Common Pitfalls to Avoid
- **Over-Reliance on Static Lists:** Failing to use the dynamic `cf.intel` fields and instead manually copying IPs into lists (which go stale quickly).
- **Broad Blocking without Context:** Blocking an entire "Industry" category for public-facing APIs without verifying if legitimate partners use similar network profiles.
- **Ignoring the Log Mode:** Moving straight to "Block" on intelligence fields, which may lead to blocking legitimate users on shared/VPN infrastructures.
## Resources
- Cloudflare WAF Documentation: https://developers.cloudflare.com/waf/
- Cloudforce One Overview: https://www.cloudflare.com/threat-intelligence/
- NIST Guide to Cyber Threat Information Sharing (SP 800-150)