The OWASP Automated Threat Handbook provides meaningful insight into the application breach techniques hackers use most frequently. Most security vendors want you to believe that your applications are under constant compromise, yet in reality hackers are not necessarily looking solely for bugs or misconfigurations; rather, they look for ways to misuse valid functionality of the application to breach your network. Even Verizon’s Data Breach study states “With so many credential lists available for sale or already in the wild, why should criminals actually earn his/her keep through SQL injection when simple login will suffice”. The most common form of exploitation is what OWASP calls automated application attacks.

OWASP believes that there needs to be more visibility into threat events that target web applications using automated actions. These attacks vary in scale, timing, duration and frequency. The most frequently used automated attacks are:

  • Credential Stuffing
  • Scraping
  • Application Layer DDoS
  • Captcha Bypass
  • Card Cracking
  • Credential Cracking
  • Cashing Out
  • Carding

With tools such as Sentry MBA readily available to hackers, credential stuffing is one of the most popular attack vectors given its simplicity. Sentry MBA automates the process of testing millions or tens of millions of username/password combinations to see which ones work. Below are the findings of a study conducted by Shape Security analyzing automated application attacks.

  • Over one week in December 2015, cybercriminals made over 5 million login attempts at a Fortune 100 B2C website using multiple attack groups and hundreds of thousands of proxies located throughout the world
  • Over two days in January 2016, a large retailer saw two major Sentry MBA attacks with over 20,000 total login attempts
  • During one day in January 2016, a large retailer witnessed over 10,000 login attempts using Sentry MBA and over 1000 proxies
  • Two attacks in December 2015 highlight how cybercriminals are turning their attention to mobile APIs. The first attack, focused on the target’s traditional website application, made over 30,000 login attempts using proxies located in Eastern Europe. The second attack, focused on the target’s mobile API, made over 10,000 login attempts on a daily basis. Both attacks shared hundreds of IP addresses and other characteristics, indicating the same actors may have been responsible.

Unfortunately, many organizations do not have the budget or possibly the skill set in house to manage yet another appliance to solve this issue. Many CSOs have mentioned that over the last three years, their organizations have purchased too many tools and are now looking to consolidate those solutions.  One VP of Security from a large software company mentioned that she has 87 people in her organization yet they have 89 tools to manage which according to her was untenable.

Recommendations:

Organizations looking for a holistic approach to application security need to not only consider identifying vulnerabilities in web applications and APIs but also protect against the most sought after attack vector – automated attacks.

Gartner postulates that there are two ways to defend against automated attacks: deflection and detection. Deflection methods use polymorphism technology to present the hacker with an environment that does not really exist. By serving up a website whose structure looks different each time, automated attacks become extremely difficult to execute. A detection methodology instead analyzes abnormal behavior. According to Gartner, the three areas that need to be analyzed are endpoint behavior, navigation, and user behavior. Although the two methods are complementary, deflection technology requires a significant amount of full-time resources, expertise in identifying the attacks and a seven-figure budget. Conversely, a detection methodology, if offered as a service, provides full management of the operation using subject matter experts at a fraction of the cost.

  • Sign up for the latest security notification from your vendor to protect your applications from known vulnerabilities.
  • Conduct penetration tests on a quarterly basis
  • Organizations need to conduct business logic tests on all applications. If expertise is not available, companies such as Indusface offer a complete end-to-end solution to protect your website and applications from vulnerabilities, 0-day threats and automated application attacks. Specific WAF rules can be created not only to block attacks (via virtual patching) but also to track malicious behavior.
  • Sometimes it is prudent to initially track the malicious behavior of an attacker rather than simply blocking the attack. Gathering information such as IP address, user ID if authenticated, geolocation, navigation/user behavior and machine fingerprint helps build intel about the attacker’s methodologies, which you can then use to create more aggressive blocking rules against these attackers.
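The detection approach described above (endpoint, navigation and user behavior) and the tracking recommendation can be prototyped against a login-event log. The following is an added example, not code from the original post or from Indusface; the JSON-lines log format, field names (ip, user, ok, fp, geo) and thresholds are constructed assumptions. It flags two credential-stuffing signals: one IP spraying many distinct accounts with mostly failed logins, and one device fingerprint reappearing across many proxy IPs and countries.

```python
import json
from collections import defaultdict

# Constructed sample login events (JSON lines); not data from the original post.
# 203.0.113.10 sprays many usernames, 198.51.100.7 is a real user mistyping a
# password, and fingerprint "fp-bot" rotates through several proxy IPs/geos.
SAMPLE_LOG = """
{"ip": "203.0.113.10", "user": "alice", "ok": false, "fp": "fp-bot", "geo": "RO"}
{"ip": "203.0.113.10", "user": "bob", "ok": false, "fp": "fp-bot", "geo": "RO"}
{"ip": "203.0.113.10", "user": "carol", "ok": false, "fp": "fp-bot", "geo": "RO"}
{"ip": "203.0.113.10", "user": "dave", "ok": true, "fp": "fp-bot", "geo": "RO"}
{"ip": "203.0.113.11", "user": "erin", "ok": false, "fp": "fp-bot", "geo": "UA"}
{"ip": "203.0.113.12", "user": "frank", "ok": false, "fp": "fp-bot", "geo": "BG"}
{"ip": "198.51.100.7", "user": "grace", "ok": false, "fp": "fp-grace", "geo": "US"}
{"ip": "198.51.100.7", "user": "grace", "ok": false, "fp": "fp-grace", "geo": "US"}
{"ip": "198.51.100.7", "user": "grace", "ok": true, "fp": "fp-grace", "geo": "US"}
"""

def parse_events(text):
    """Parse JSON-lines login events into a list of dicts."""
    return [json.loads(l) for l in text.strip().splitlines() if l.strip()]

def flag_sources(events, min_users=3, min_fail_ratio=0.5):
    """Flag IPs that try many distinct accounts with a high failure ratio.
    A single user retrying their own password is not flagged (one account)."""
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["fails"] += 0 if e["ok"] else 1
        s["users"].add(e["user"])
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"users": len(s["users"]), "fail_ratio": round(ratio, 2)}
    return flagged

def flag_fingerprints(events, min_ips=3):
    """Flag device fingerprints seen from many IPs/geos (proxy rotation)."""
    per_fp = defaultdict(lambda: {"ips": set(), "geos": set()})
    for e in events:
        per_fp[e["fp"]]["ips"].add(e["ip"])
        per_fp[e["fp"]]["geos"].add(e["geo"])
    return {fp: {"ips": len(v["ips"]), "geos": len(v["geos"])}
            for fp, v in per_fp.items() if len(v["ips"]) >= min_ips}

if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("suspect IPs:", flag_sources(ev))
    print("suspect fingerprints:", flag_fingerprints(ev))
```

Flagged entries are candidates for the tracking-first approach above: log them with their geolocation and fingerprint before turning them into blocking rules, since a successful login from a flagged source is exactly the account takeover the attacker is after.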



Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and held various management/leadership roles in Product Development, Professional Services and Sales @Entrust.