Wordfence Launches Wordfence Intelligence for Hosts and Network Defenders
This morning the Wordfence team is launching Wordfence Intelligence live at Black Hat 2022 in Las Vegas. Our entire team is here in Las Vegas, including our international team members. I’d like to tell you more about what we’re launching and how Wordfence Intelligence will help us go even further to make the online community safer. Here’s a quick video where I introduce the product and provide the rationale behind it. Or you can continue reading below.
For the past decade, Wordfence has had a relationship with our customers that I’d describe as a virtuous cycle. Our customers run the Wordfence plugin, they are frequently attacked by threat actors on the Net, and we protect them from those attacks. We also receive attack reports from more than 4 million customers at a rate of about 700 to 800 attack reports per second. That’s about 1.8 billion attacks reported to us every month.
We distill that data into an IP blocklist, and combine it with multiple other sources to create malware signatures and firewall rules. Collectively we give this threat intelligence back to our customers to help protect them. That means that if a single customer is attacked, our 4 million other customers become safer because Wordfence blocks the attacker’s IP address, detects and blocks the malware payload the attacker tried to upload, and blocks any exploit attempts that break our firewall rules.
During the past few years, our focus has been on getting better at distilling the threat data we receive into effective threat intelligence and redistributing that to our Wordfence plugin customers. High-quality threat intelligence is critical to the success of our product and of our customers.
Introducing Wordfence Intelligence
Wordfence Intelligence will make the Web even safer by deploying Wordfence Threat Intelligence to large networks. Today we are launching a set of APIs that make our comprehensive IP threat data, our malware signatures, and our vulnerability database available to enterprise customers through an enterprise licensing agreement.
Here is a brief video introducing Wordfence Intelligence:
The problem we solve for hosting providers
Many hosting providers run customer-owned and operated virtual server instances or containers. They can not see web-based attacks transiting their network and targeting their own customers on their own infrastructure because those connections are end-to-end (e2e) encrypted using TLS. Wordfence has a unique advantage in this respect because we protect over 4 million customers in every country and territory around the world on over 12,000 unique networks, and we can see attacks targeting our customers because we execute behind the TLS termination point.
This gives us unique situational awareness on who is attacking web applications and services, which exploits they use, what the malware payload is, and what their tactics, techniques, and procedures (TTPs) are. Via Wordfence Intelligence, we can give hosting companies the situational awareness they lack. Our threat feed tells them which IPv4 and IPv6 addresses to block, our malware signatures give hosts the detection capability they need, and our vulnerability database allows hosting providers to preemptively fix vulnerabilities in their customer websites before they are exploited.
The problem we solve for enterprise network defenders
Many security operations teams are defending a network containing servers belonging to a wide range of customers. These may include large cloud providers, hosting providers and companies that provide server instances or containers on demand. These security teams can not see inside HTTPS encrypted attacks originating from their own servers and transitioning their own network because that traffic is end-to-end encrypted using TLS.
Wordfence is at the receiving end of those attacks as we defend over 4 million customers on over 12,000 unique networks against those attacks. We can provide security operations teams with visibility into which hosts on their network have been compromised and are launching attacks on the rest of the Web. This shortens time-to-mitigation, reduces the probability of lateral movement, and improves network reputation by helping security operations teams maintain a cleaner network.
Whether you are a cloud provider or a government working to mitigate compromised hosts within your territory, we would like to make your job easier and your customers more secure by helping you rapidly identify and clean compromised systems.
The Data We Provide
Wordfence Intelligence is launching with three data feeds and we will be adding additional feeds and tools over the coming weeks and months.
An IP Threat Feed
Wordfence Intelligence includes an IP Threat Feed which is a continually updated feed of malicious IP addresses that are launching attacks on our customers. The attack surface that we protect is massive and diverse. Wordfence monitors attacks across over 4 million websites on over 12,000 unique networks or ASNs. To illustrate the scale at which we operate, we have over 8,000 customers in Ukraine alone, to which we recently deployed our Premium product at no cost to all customers. Our customers in Ukraine include government, law enforcement, and several large universities. When we deployed our IP blocklist, we started blocking 10,000 additional attacks in Ukraine per hour to help protect the Ukrainian people against Russian attacks.
Wordfence also monitors threat actors targeting non-WordPress systems. We protect port 443 and port 80 and have global visibility on any threat actor targeting services on those ports. For example, if you are a Java house, our Threat Feed can tell your systems which threat actors are targeting the log4j vulnerability and how to block them.
Our IP Threat Feed uses a simple format and is incredibly powerful. We include a searchable list of IPs engaged in malicious activity, the number of attacks for each exploit class, and how many attacks in that class we’ve seen in the past 4 hours, 24 hours, 7 days and 30 days.
The Wordfence Intelligence IP Threat Feed is an excellent tool for edge blocking, endpoint blocking, forensic analysis, and monitoring malicious inbound and outbound traffic. Whether you are a hosting company interested in creating value-added services for your customers, or an enterprise network defender looking for better situational awareness, we think you’ll find our IP Threat Feed is a powerful enabler.
Industry Leading PHP Malware Signatures
The Wordfence team monitors attacks on our customer websites, and the 1.8 billion attacks we see every month give us unmatched insight into attacks targeting web applications. Our business is to protect WordPress, and to that end, we have developed nearly 5,000 malware signatures that we use to detect malware targeting our customers. The signatures we develop originate from our incredible situational awareness and the hands-on work that our 24-hour incident response team does to protect our customers.
Our malware signatures are continually updated and are unmatched in their efficacy in the industry. We distribute them in YARA format for high-performance scanning across thousands of filesystems at the OS level. The tools we provide set you up to rapidly scan for malware across your customer server instances in the most performant and resource-efficient way possible.
Whether you’re a hosting provider looking to add security and added value for your customers or a corporate network defending PHP applications, our signatures give you the best shot at detecting the newest PHP malware without impacting server or network performance.
A Current and Comprehensive WordPress Vulnerability Database
Our team protects WordPress, and we do that extremely effectively for over 4 million customers globally. We frequently publish new and breaking vulnerabilities on our blog, and release new firewall rules in real-time to our Premium, Care, and Response customers. We are also a Certified Numbering Authority, which means we are authorized to assign unique identifiers to WordPress vulnerabilities that are reported to us by threat researchers.
We maintain an extremely current and comprehensive WordPress vulnerability database that we include as part of Wordfence Intelligence. The data we provide gives our enterprise customers the ability to execute high-performance concurrent scans for WordPress vulnerabilities across all their filesystems and alert their customers or proactively fix issues they find.
This product is ideal for hosting companies looking to create value-added services for their customers or enterprise defenders who run WordPress at scale.
Launching this morning at Black Hat 2022 in Las Vegas
Our official launch for Wordfence Intelligence happened this morning at Black Hat 2022 in Las Vegas where we are an exhibitor. Here’s a pic of our team celebrating the event at our booth a few minutes ago:
Let’s work together to make the Web safer for all!
If you’re a hosting company or enterprise network defender, we’d love to work with you to help make. your customers safer, and improve security overall for the online community. Visit the Wordfence Intelligence product page and use the form at the bottom to contact our sales team. We’d love to hear from you.
Mark Maunder – Wordfence Founder & Defiant Inc CEO