What Are Automated Attacks?
The OWASP Automated Threat Handbook provides meaningful insight into the application breach techniques hackers use most frequently. Most security vendors want you to believe that your applications are under constant compromise, yet in reality hackers are not necessarily looking for bugs or misconfigurations; they are often looking for ways to misuse valid functionality of the application to breach your network. Even Verizon’s Data Breach study states, “With so many credential lists available for sale or already in the wild, why should criminals actually earn his/her keep through SQL injection when simple login will suffice”. The most common form of exploitation is what OWASP calls automated application attacks.
OWASP believes that there needs to be more visibility into threat events targeting web applications using automated actions. These attacks can vary in scale, timing, duration, and frequency. The most frequently used automated attacks are:
- Credential stuffing
- Scraping
- Application layer DDoS
- CAPTCHA bypass
- Card cracking
- Credential cracking
- Cashing out
- Carding
With tools such as Sentry MBA readily available to hackers, credential stuffing is one of the most popular attack vectors used by hackers given its simplicity. Sentry MBA automates the process of testing millions or tens of millions of username/password combinations to see which ones work. Below are the findings of a study conducted by Shape Security analyzing automated application attacks.
- Over one week in December 2015, cybercriminals made over 5 million login attempts at a Fortune 100 B2C website using multiple attack groups and hundreds of thousands of proxies located throughout the world.
- Over two days in January 2016, a large retailer saw two major Sentry MBA attacks with over 20,000 total login attempts.
- During one day in January 2016, a large retailer witnessed over 10,000 login attempts using Sentry MBA and over 1,000 proxies.
- Two attacks in December 2015 highlight how cybercriminals are turning their attention to mobile APIs. The first attack, focused on the target’s traditional website application, made over 30,000 login attempts using proxies located in Eastern Europe. The second attack, focused on the target’s mobile API, made over 10,000 login attempts on a daily basis. Both attacks shared hundreds of IP addresses and other characteristics, indicating that the same actors may have been responsible.
Unfortunately, many organizations do not have the budget or possibly the skillset in-house to manage yet another appliance to solve this issue. Many CSOs have mentioned that over the last three years, their organizations have purchased too many tools and are now looking to consolidate those solutions. One VP of Security from a large software company mentioned that she has 87 people in her organization yet they have 89 tools to manage which according to her was untenable.
Recommendations:
Organizations looking for a holistic approach to application security need to not only consider identifying vulnerabilities in web applications and APIs but also protect against the most sought-after attack vector – automated attacks.
Gartner postulates that there are two ways to defend against automated attacks: deflection and detection. Deflection methods use polymorphism technology to present the attacker with an environment that does not really exist: by serving a website whose structure looks different on every visit, automated attacks become extremely difficult to execute. A detection methodology instead analyzes abnormal behavior; according to Gartner, the three areas that need to be analyzed are endpoint behavior, navigation, and user behavior. Although the two methods are complementary, deflection technology requires a significant number of full-time resources, expertise in identifying the attacks, and a seven-figure budget. Conversely, a detection methodology offered as a service provides full management of the operation by subject matter experts at a fraction of the cost.
- Sign up for the latest security notifications from your vendor to protect your applications from known vulnerabilities.
- Conduct website penetration testing on a quarterly basis.
- Organizations need to conduct business logic tests on all applications. If expertise is not available, companies such as Indusface offer a complete end-to-end solution to protect your website and applications from vulnerabilities, 0-day threats, and automated application attacks. Specific WAF rules can be created not only to block attacks (via virtual patching) but also to track malicious behavior.
- Sometimes it is prudent to track the malicious behavior of an attacker initially rather than simply blocking the attack outright. Gathering information such as IP address, user ID (if authenticated), geolocation, navigation/user behavior, and machine fingerprint helps build intelligence about the attacker’s methodology, which you can then use to create more aggressive blocking rules against these attackers.
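As an added example (not from the original post and not Indusface code), the detection approach described above and the per-IP / per-user tracking recommended in the last bullet can be applied to login logs: one IP cycling through many accounts with almost no successes is the signature of a single credential-stuffing tool, while one account hit from many IPs points at a proxy-distributed attack like the Sentry MBA cases above. The log format, thresholds and IP addresses are assumptions constructed for the example.

```python
"""Flag credential-stuffing patterns in web login logs (added example)."""
from collections import defaultdict

# Constructed sample log lines (assumed format): timestamp, source IP,
# account name, outcome. Not real traffic.
SAMPLE_LOG = """\
2016-01-12T09:00:01 198.51.100.7 alice FAIL
2016-01-12T09:00:02 198.51.100.7 bob FAIL
2016-01-12T09:00:02 198.51.100.7 carol FAIL
2016-01-12T09:00:03 198.51.100.7 dave FAIL
2016-01-12T09:00:03 198.51.100.7 erin OK
2016-01-12T09:00:04 198.51.100.7 frank FAIL
2016-01-12T09:00:05 203.0.113.10 alice FAIL
2016-01-12T09:00:06 203.0.113.11 alice FAIL
2016-01-12T09:00:07 203.0.113.12 alice FAIL
2016-01-12T09:00:08 203.0.113.13 alice FAIL
2016-01-12T09:01:00 192.0.2.5 grace FAIL
2016-01-12T09:01:20 192.0.2.5 grace OK
"""


def parse(log):
    """Yield (timestamp, ip, user, success) for each log line."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield ts, ip, user, result == "OK"


def analyze(log, min_attempts=5, max_success_rate=0.3, min_spread=4):
    """Return (suspicious_ips, targeted_accounts), both sorted lists.

    An IP is suspicious when it tries at least `min_spread` distinct accounts
    with at least `min_attempts` attempts and a success rate at or below
    `max_success_rate` (one tool replaying a leaked credential list).
    An account is targeted when at least `min_spread` distinct IPs try it,
    whatever the outcome (the attack is spread across proxies).
    """
    by_ip = defaultdict(lambda: {"n": 0, "ok": 0, "users": set()})
    by_user = defaultdict(set)
    for _, ip, user, ok in parse(log):
        rec = by_ip[ip]
        rec["n"] += 1
        rec["ok"] += 1 if ok else 0
        rec["users"].add(user)
        by_user[user].add(ip)
    suspicious_ips = sorted(
        ip for ip, r in by_ip.items()
        if r["n"] >= min_attempts
        and len(r["users"]) >= min_spread
        and r["ok"] / r["n"] <= max_success_rate
    )
    targeted = sorted(u for u, ips in by_user.items() if len(ips) >= min_spread)
    return suspicious_ips, targeted
```

Tracking the flagged IPs and accounts first, as the bullet above suggests, lets you tune the thresholds on real traffic before turning them into blocking rules.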
Find out if your website can be attacked with automated attacks with Indusface Free Website Security Scan.