Wednesday, December 11, 2019
  • The Great $50M African IP Address Heist
  • Protection against Magecart with new Instart Web Skimming Protection for Salesforce Commerce Cloud
  • The Old Authorized Third-Party Payment Processor Gambit, Eh?
  • How Hackers Get Our CVV Numbers | Avast
  • Top 5 Cybersecurity Trends to Prepare for in 2020

Security Boulevard

The Home of the Security Bloggers Network

Community Chats Webinars Library
  • Home
    • Cybersecurity News
    • Features
    • Industry Spotlight
    • News Releases
  • Security Bloggers Network
    • Latest Posts
    • Contributors
    • Syndicate Your Blog
    • Write for Security Boulevard
  • Webinars
    • Upcoming
    • On-Demand
  • Chat
    • Security Boulevard Chat
    • Marketing InSecurity Podcast
  • Library

  • Analytics
  • AppSec
  • CISO
  • Cloud
  • DevOps
  • GRC
  • Identity
  • Incident Response
  • IoT / ICS
  • Threats / Breaches
  • More
    • Blockchain / Digital Currencies
    • Careers
    • Cyberlaw
    • Mobile
    • Social Engineering
  • Humor
Application Security Security Bloggers Network 

Home » Cybersecurity » Application Security » How Account Takeover Botnets Outsmart Traditional Security Controls

How Account Takeover Botnets Outsmart Traditional Security Controls

by yurygueller on July 22, 2019

Account Takeover (ATO) describes when an online account is accessed and/ or used by someone other than its legitimate owner, usually for malicious purposes. Account Takeover attacks happen when an attacker is trying to get unauthorized access to an account or when the account has already been compromised and the attacker uses the account for a malicious purpose, such as unauthorized access or data theft. 

Although the risk is not new, Account Takeovers pose one of the top risks for financial loss for corporations and individuals today. The reality is that businesses rely on limited detection methods like static security rules, rate limit and basic bot protection. These methods work well on technical attacks like SQL injection or cross site scripting. When part of an integrated multi-layered solution, they also help provide defense-in-depth that can help slow down the momentum of a wide variety of attacks. 

However, those methods are less effective against business logic attacks such as ATO that target, for example, user logins. These methods can be easily bypassed as today’s ATO attackers use advanced tools and a widely-distributed infrastructure that allows them to operate at a slow steady rate, impersonate legitimate clients and to morph the attack when needed.

To better understand the problem, let’s look at this real life example of site login traffic (figure 1). The daily volume is almost the same, except for one specific day. When looking into this day using traditional security controls, we cannot point out any suspicious activity —  no strange errors, no known attacks, no device operating at a high rate and no hacking tools or other bad bots involved. This incident would likely be considered benign and overlooked in the sea of potential security events that the SOC team handles daily.

Figure 1 – login requests distribution over time in a single site

Now let’s look at this example again from a different angle with a different security control —  behavioral-based detection. 

Behavioral-based detection methods analyze deviations from normal user behavior, providing more advanced security controls that can deal with complex attacks.  

In the context of account takeover, we talk about the behavior of a user or a device when accessing the login page or the authentication API. There are many potential variables that can be used to define normal behavior: the ratio of successful vs. failed login attempts, the ratio of weak passwords or common users, usage of leaked credentials, number of users per device, etc. Of course, your security solution would need to be aware of the context of the requests that it examines, whether they are indeed login attempts, the provided user, and the password and login attempt result. In addition, prior knowledge of common users, weak passwords, leaked credentials, and way to keep these lists updated, are all required. Once you have all that in place, you can start learning what is normal behavior and detect anomalies that may indicate account takeover attacks. The learning phase and the certainty of the learned behavior are determined by the amount of data that you inspect. If you inspect a lot of data then you might be able to build a reliable behavior model. Taking this one step further, you can also aggregate the attack data and run analytics on it. Running analytics on a single site may prove useful; if you run your analytics on top of hundreds of thousands of sites, you can get much more interesting results.

And this is exactly what we have done 😉

Running an analysis on the attack data, we managed to uncover several botnets whose sole purpose is to take over accounts. We also discovered why, from a single site point of view, these attacks are so difficult to defend from.

The Data

The data was collected by our Account Takeover Protection solution based on behavior anomalies detected when a user or a device accessed the login page or the authentication API as explained above. Since Imperva protects more than 100,000 websites that receive millions of login attempts each day, we are talking about a lot of data. This data stored in our data lake has generally been hashed or masked of personal data, and allows us to run all kinds of analytics. In this case, we used a machine learning algorithm (dbscan) to cluster ATO attacks events based on the magnitude of the attack, time of occurrence and similar credentials to establish a correlation between various devices that form a botnet. 

In the following section we will focus on a specific botnet, a group of devices that are highly correlated based on the above mentioned features, that operated between April 7th to April 22nd this year. 

The Botnet

The botnet contained 2,500 IPs overall and attacked more than 300 sites while active. Each day, 800* IPs (figure 2, right side) were active attacking 30* sites with 150,000* login attempts (*median value).  

Figure 2 – overall botnet activity (left side) and its statistics (right side) 

Looking at this botnet from the victim site perspective, we found that each site was attacked for 7* hours (figure 3) by 500* IPs (figure 4) sending 7,000* login attempts (figure 5) with 7,000* different credentials (*median value).

Figure 3 – Distribution of botnet activity over time (left side) and its statistics (right side) 

Figure 4 – Distribution of botnet IPs per site (left side) and its statistics (right side)

Figure 5 – Distribution of botnet login attempts per site (left site) and its statistics (right side)  

From a single site perspective, each botnet-controlled IP was responsible for ~14 login attempts during the attack time, or ~2 login attempts per hour. This is called a “low and slow” attack – the botnet uses a lot of devices, each sending only a handful of requests, to masquerade its attack with legitimate traffic. 

It is clear now why traditional security controls couldn’t have identified this attack. Since Imperva Account Takeover Protection relies on behavior-based detection, we were able to detect this activity and protect the relevant sites. Moreover, the botnet activity started on April 7th and this particular site was not hit until April 11th. That means we can use this knowledge to provide Account Takeover Protection before a website admin would be aware of a potential attack.

Conclusions

Business logic attacks such as account takeover require more advanced detection tools. It is difficult to defend against ATO attacks using traditional defense mechanisms since, as demonstrated above, attackers use advanced tools and wide infrastructure that allows them to spread the attack and to go undetected for a long period of time. 

As attackers progress technologically, so should defenders. Behavioral-based detection takes defenders one step forward in this long path, as it can provide an effective way to find anomalies that highlight ATO attacks. 

Account Takeover Protection is available to Imperva FlexProtect customers and is part of the Imperva Application Security suite. For broader protection against bots, including Account Takeover attacks, Imperva also offers its Bot Management solution acquired from Distil Networks.

The post How Account Takeover Botnets Outsmart Traditional Security Controls appeared first on Blog.

*** This is a Security Bloggers Network syndicated blog from Blog authored by yurygueller. Read the original post at: https://www.imperva.com/blog/how-account-takeover-botnets-outsmart-traditional-security-controls/

July 22, 2019July 22, 2019 yurygueller account takeover protection, Application Security, ATO, bot management, Distil Networks, flexprotect
  • ← PyPi ‘Cheese Shop’ Malware Illustrates Software Supply Chain Risk Vector
  • Okta® vs Duo® →
Featured Blog

Enzoic

Automate Password Policy & NIST Password Guidelines

Enzoic

Enzoic Customer Profile: IDShield

Enzoic

Old vs. New Methods for Employee Password Hardening

Enzoic

Shop Safely This Cyber Monday

Subscribe to our Newsletters

Get breaking news, free eBooks and upcoming events delivered to your inbox.
  • View Security Boulevard Privacy Policy

Most Read on the Boulevard

The Role of Technology in the Modern SOC
Lack of Mobile Strategy Creates Security Holes
Predictions 2020: Data Security Next Year and Beyond
AWS Previews Cloud Security Advances
Trend Micro Looks to the Cloud for Security
Amazon Battles Leaky S3 Buckets with a New Security Tool
Going After the Good Guys: The Government’s Ransomware Identity Crisis
Ransomware at Colorado IT Provider Affects 100+ Dental Offices
Social Engineers are No Match for Artificial Intelligence
United States Of American National Pearl Harbor Remembrance Day

Upcoming Webinars

There are no upcoming webinars at this time.

Download Free eBook

SANS 2019 Threat Hunting Survey: The Differing Needs of New and Experienced Hunters

Recent Security Boulevard Chats

  • Cloud, DevSecOps and Network Security, All Together?
  • Security-as-Code with Tim Jefferson, Barracuda Networks
  • ASRTM with Rohit Sethi, Security Compass
  • Deception: Art or Science, Ofer Israeli, Illusive Networks
  • Tips to Secure IoT and Connected Systems w/ DigiCert

Industry Spotlight

Predictions 2020: Data Security Next Year and Beyond
Cybersecurity Data Security Industry Spotlight Security Boulevard (Original) 

Predictions 2020: Data Security Next Year and Beyond

December 10, 2019 Ameesh Divatia | 1 day ago 0
The Role of Technology in the Modern SOC
Cybersecurity Incident Response Industry Spotlight Security Boulevard (Original) 

The Role of Technology in the Modern SOC

December 9, 2019 Jason Mical | 2 days ago 0
Learning From Health Care’s IoT Security Strategy
Cybersecurity Industry Spotlight IoT & ICS Security Security Boulevard (Original) 

Learning From Health Care’s IoT Security Strategy

December 6, 2019 Mike Nelson | Dec 06 0

Top Stories

Apple Passive-Aggressive PR Sparks Privacy Fear (Yet Again)
Cybersecurity Endpoint Featured Mobile Security News Security Boulevard (Original) Spotlight Threats & Breaches 

Apple Passive-Aggressive PR Sparks Privacy Fear (Yet Again)

December 6, 2019 Richi Jennings | Dec 06 0
StrandHogg Pwns 80% of Android Phones; Google Fiddles While Platform Burns
Cybersecurity Data Security Featured Malware Mobile Security News Security Awareness Security Boulevard (Original) Spotlight 

StrandHogg Pwns 80% of Android Phones; Google Fiddles While Platform Burns

December 3, 2019 Richi Jennings | Dec 03 0
TrueDialog Leaks 600GB of Personal Data, Affecting Millions
Cloud Security Cybersecurity Data Security Featured Governance, Risk & Compliance News Security Boulevard (Original) Spotlight 

TrueDialog Leaks 600GB of Personal Data, Affecting Millions

December 2, 2019 Richi Jennings | Dec 02 0

Security Humor

via    the comic delivery system monikered  Randall Munroe  at   XKCD  !

XKCD, Flu Shot

Join the Community

  • Add your blog to Security Bloggers Network
  • Write for Security Boulevard
  • Bloggers Meetup and Awards
  • Ask a Question
  • Email: info@securityboulevard.com

Useful Links

  • About
  • Media Kit
  • Sponsors Info
  • Copyright
  • TOS
  • Privacy Policy
  • DMCA Compliance Statement

Other Mediaops Sites

  • Container Journal
  • DevOps.com
  • DevOps Connect
  • DevOps Institute
Copyright © 2019 MediaOps Inc. All rights reserved.
Our website uses cookies. By continuing to browse the website you are agreeing to our use of cookies. For more information on how we use cookies and how you can disable them, please read our Privacy Policy.