Understanding Bots And Their Role In Credential Stuffing - Siddharth (Sid) Deshpande: Director - Security Strategy, Akamai
Understanding Bots And Their Role In Credential Stuffing
Siddharth (Sid) Deshpande: Director – Security Strategy, Akamai
© 2020 Akamai | Confidential
Introduction to Bots
A BOT can work on any process that allows for automation. BOTs can be good or bad.
Valid processes like:
- ChatBot
- Search engine BOT/crawler
- Data Aggregation
OR malicious processes like:
- Credential stuffing
- Brute force password cracking
- Ticket / Retail inventory sniping
- Crypto mining
Digital businesses need automated services and BOT operators exploit this
INCREASED RISK: The probability and business impact of cyber attack is higher, while confidence in your ability to respond is lower than ever before.
- Can’t keep up with the evolving threat landscape
- Can’t get to everything, so assets go unprotected
- Potential impact of attacks on apps and IT assets going up
HIGH COMPLEXITY: Rapid and constant change in the assets that you are responsible for protecting is reducing your ability to do so.
- Expanding but poorly understood attack surface
- Apps in multiple places with inconsistent security posture
- Not enough visibility into everything that’s happening
LESS AGILITY: Ability of security organizations to respond to the needs of business partners is declining.
- Not moving as fast as the business you support
- Constantly responding to fires; not being strategic
“Good Bots” Have a Job To Perform
To maintain positive SEO, Good Bots need to be validated and enabled to carry out that process.
Source: Google.com
“Good Bots” Have a Job To Perform
How do attackers take advantage of that automated process?
(Slide images: Google Sheets; “Is This GoogleBot?”)
“Good Bots” Have a Job To Perform
Verify the good BOTs and “manage” the bad BOTs.
Is This GoogleBot?
Autonomous System Number | Domain
AS15169 | Google.com
AS15169 | GoogleUserContent.com
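As an added example, not from the deck, the table above shows why an ASN check alone cannot separate Googlebot from anything else running on Google infrastructure (a Google Sheets fetch arrives from the same AS15169). The standard alternative is forward-confirmed reverse DNS, which Google documents for its crawlers: the source IP’s PTR record must fall under an allowed domain, and that name must resolve back to the same IP. The code below runs both checks side by side on constructed data; the hostname suffixes, the ASN table and the DNS records are assumptions made for the example, and the lookups are injected so it runs offline.

```python
import ipaddress

# Hostname suffixes Google publicly documents for its crawlers. This list is an
# assumption for the example, not something the deck states.
GOOGLE_CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")

# Constructed sample data (RFC 5737 test addresses): a pretend ASN table and a
# pretend DNS zone. In production these come from BGP/whois data and real lookups.
SAMPLE_ASN = {
    "203.0.113.10": "AS15169",   # genuine crawler
    "203.0.113.20": "AS15169",   # customer workload hosted on Google infrastructure
    "198.51.100.5": "AS64496",   # unrelated network
}
SAMPLE_PTR = {
    "203.0.113.10": "crawl-203-0-113-10.googlebot.com",
    "203.0.113.20": "20.113.0.203.bc.googleusercontent.com",
    # A PTR record is controlled by whoever owns the reverse zone, so a
    # plausible-looking name alone proves nothing.
    "198.51.100.5": "crawl-198-51-100-5.googlebot.com",
}
SAMPLE_A = {
    "crawl-203-0-113-10.googlebot.com": ["203.0.113.10"],
    "20.113.0.203.bc.googleusercontent.com": ["203.0.113.20"],
    "crawl-198-51-100-5.googlebot.com": ["203.0.113.10"],  # does not resolve back to 198.51.100.5
}


def asn_only_check(ip, asn_table=SAMPLE_ASN):
    """The weak check: is the source address inside Google's AS15169?"""
    return asn_table.get(ip) == "AS15169"


def fcrdns_check(ip, reverse_lookup, forward_lookup, suffixes=GOOGLE_CRAWLER_SUFFIXES):
    """Forward-confirmed reverse DNS: the PTR name must sit under an allowed
    domain, and that name must resolve back to the same IP. The two lookups are
    injected so the check runs on constructed data here and real resolvers later."""
    ipaddress.ip_address(ip)  # reject malformed input before touching DNS
    host = reverse_lookup(ip)
    if not host or not host.lower().rstrip(".").endswith(suffixes):
        return False
    return ip in forward_lookup(host)


def classify(ip):
    """Compare both checks for one source address."""
    return {
        "asn_says_google": asn_only_check(ip),
        "verified_googlebot": fcrdns_check(ip, SAMPLE_PTR.get, lambda h: SAMPLE_A.get(h, [])),
    }


if __name__ == "__main__":
    for ip in SAMPLE_ASN:
        print(ip, classify(ip))
```

With the standard library, socket.gethostbyaddr(ip)[0] can serve as the reverse lookup and socket.gethostbyname_ex(host)[2] as the forward lookup; cache the verdict per source address, since the check costs two DNS round trips for every new IP.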
Short Answer: Yes
Many major online marketplaces have BOTs written specifically for them. Examples shown: GameStop Account Checker; DASHE AIO: For Shopify Hosted Targets; Nike Sneaker Bot.
Where Are Attackers Buying Their BOT Tools?
CRIMINAL BOT WORKFLOW
EXAMPLE: CREDENTIAL ABUSE CAMPAIGNS
(Workflow diagram; node labels: Target Recon, Import Credential Dumps, Buy Creds, Cred Stuffing, PWD Spraying, High $$$ Target, Abuse; abuse outcomes: Loyalty Points, Tax Fraud, CC Fraud, Partner)
CREDENTIAL PURCHASE/HARVESTING
Data breaches continue unabated, often involving user login credentials. In 2019 online businesses incurred a whopping 5,183 data breaches, for a total of 7.9 billion exposed records.
Phishing domains are another popular credential harvesting technique. Recurring attacks from 10-15 years ago are still being used successfully. The Homograph Attack is carried out by registering domains using homoglyphs – non-Latin characters that look just like letters of the Latin alphabet – to masquerade as legitimate domains.
Source: https://www.theregister.co.uk/2020/03/04/homograph_attacks_still_happening/
Homograph attacks using the Cyrillic alphabet
Table 1: Using Segoe UI, Microsoft’s system-wide typeface
Table 2: Using San Francisco, Apple’s system-wide typeface
Source: https://blog.malwarebytes.com/101/2017/10/out-of-character-homograph-attacks-explained/
Lookalike of https://www.icloud.com: Unless you viewed the cert and found that it was not issued to www.icloud.com or Apple Computers, Inc., based in Cupertino, California, you might just fall for this.
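The address bar hides what the certificate and the DNS query actually carry. As an added example, not from the deck, the check below does what a defender (a mail gateway, a proxy log review, a brand-protection job) wants: for each label of a hostname it reports the scripts used, the Latin string a human would read, and the IDNA (punycode) form that appears on the wire. It flags two patterns: scripts mixed inside one label, and a non-ASCII label whose every character impersonates an ASCII letter. The confusables table is a small hand-built subset of Unicode’s confusables data, and the lookalike hostname is constructed (www.icloud.com with a Cyrillic es and o substituted).

```python
import unicodedata

# Hand-built subset of Cyrillic letters that render like Latin ones (Unicode's
# confusables.txt is the full list). Constructed for this example.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l",
}

# Constructed lookalike: "www.icloud.com" with Cyrillic es (U+0441) and o (U+043E)
# in place of the Latin c and o.
LOOKALIKE = "www.i\u0441l\u043eud.com"


def script_of(ch):
    """Script family of one character (LATIN, CYRILLIC, GREEK, ...); digits and
    punctuation count as COMMON so they never create a 'mixed script' finding."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else "UNKNOWN"


def skeleton(label):
    """What a human reads: lookalike characters mapped to their Latin twins."""
    return "".join(CONFUSABLES.get(c, c) for c in label)


def analyze_hostname(hostname):
    """Per-label script check plus the IDNA (punycode) form, which is what the
    certificate and the DNS query actually carry."""
    hostname = hostname.rstrip(".").lower()
    report = {"hostname": hostname, "labels": [], "suspicious": False}
    for label in hostname.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        skel = skeleton(label)
        # Flag scripts mixed inside one label, or a non-ASCII label whose every
        # character impersonates an ASCII letter. A label written entirely in one
        # non-Latin script with no ASCII skeleton (a legitimate IDN) is left alone.
        flag = (not label.isascii()) and (len(scripts) > 1 or skel.isascii())
        report["labels"].append(
            {"label": label, "scripts": sorted(scripts), "skeleton": skel, "flag": flag})
        report["suspicious"] = report["suspicious"] or flag
    report["skeleton"] = ".".join(entry["skeleton"] for entry in report["labels"])
    try:
        report["ascii_form"] = hostname.encode("idna").decode("ascii")
    except UnicodeError as exc:
        report["ascii_form"] = f"<idna error: {exc}>"
    return report


if __name__ == "__main__":
    for h in (LOOKALIKE, "www.icloud.com", "яндекс.рф"):
        r = analyze_hostname(h)
        print(f"{r['hostname']!r} reads as {r['skeleton']!r}, wire form {r['ascii_form']},"
              f" suspicious={r['suspicious']}")
```

The skeleton string is the useful output for matching: comparing it against a list of protected brand domains catches the lookalike even though the raw hostname never equals www.icloud.com, and the xn-- form is what to search for in certificate transparency logs and DNS telemetry.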
CREDENTIAL VERIFICATION
Automated, customizable credential verification tools like SNIPR are very common
SNIPR Account Checker
Configs contain info on the existing account list and the u/p (username/password) categories used in the account-check process.
http://Reddit.com/r/SNIPR
WHAT HAPPENS AFTER CREDENTIALS ARE VERIFIED?
EXAMPLE: ACCOUNT TAKEOVER
(Workflow diagram; node labels: Target Recon, Import Credential Dumps, Buy Creds, Cred Stuffing, PWD Spraying, High $$$ Target, Abuse; abuse outcomes: Loyalty Points, Tax Fraud, CC Fraud, Partner)
Understanding a Bot tool: CYBERAIO
AIO = All In One (Bot). A bot tool that contains several different capabilities, from account validation and session tracking to the application-logic workflow that allows for cart functionality and checkout.
CYBERAIO is powered by legitimate database software hosted on AWS.
Organization: Amazon Technologies Inc. (AT-88-Z)
RegDate: 1991-12-19
Updated: 2015-03-20
IOCs
Shopify/Dashie.io https://dashe.io/
Understanding Dashe Bot Tasks
Task configurations are simple:
- Store selector is a list of all the Shopify stores that are supported by the tool.
- Checkout proxy allows me to pass all requests through a network of anonymous proxy servers.
- Username and Password allow me to input the credentials I’ve already verified to be good.
- Monitor settings allow me to watch for success or failure keywords or error messages.
How Bot Operators Use YouTube
Opening YouTube and watching content provides the viewer with reCAPTCHA tokens, which give the user one-click captchas if/when prompted.
Do I look like a human (at the transaction level)?
(Scale: not sophisticated → sophisticated)
Let’s break down the challenge of heuristics
Operational Goal for a Bad Bot: Try to Appear as Human as possible.
- For a single transaction, the Bot needs to appear human.
- For multiple transactions, the Bot needs to appear as different humans.
Do I look like a human at the crowd level? And… Will I be detected as the same human?
Some Strategies for Bot Management
Increasingly sophisticated evasive methods used by BOT operators
(Timeline from 2010, Simple, to 2020, Sophisticated)
Methods shown:
- JavaScript Execution
- Deep JavaScript Property Emulation
- Full Cookie Support
- TLS fingerprint
- Full Headless Browser with Browser Fingerprint randomization
- Human Biometric Emulation
- Low Request Rate
- Spoofing User Agent Request Headers
- Human Biometric Emulation/Replay
Bot detection needs to stay ahead of attackers’ sophisticated evasion methods
Client-side data collection:
- User behavior signals
- Device + browser characteristics
- Limited obfuscation required
Behavioral Data Analysis Engine (asynchronous server-side analysis):
- Signal processing w/hundreds of signals
- Threat intelligence informing decision making
Bot Detection:
- Human or bot with high accuracy
- Adjust detections to match changing attacker behavior
It’s all about Bot Management, not just Bot Mitigation
(Chart axes: OUTCOME, IMPACT, ACTION)
Bot management response actions:
- Monitor
- Tarpit
- Serve alternate content
- Block
- Slow
- Serve alternate origin
- Signal origin
- Delay
- Serve cached
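The preceding slides pose two questions (does a session look human at the transaction level, and does the crowd of sessions look like different humans?) and this one lists the responses. As an added example, not code from the deck or from Akamai, the engine below ties them together on constructed session records: transaction-level signals (no client-side sensor data, a browser User-Agent over a non-browser TLS fingerprint, credential-stuffing-shaped logins, request rate) are scored per session, a crowd-level index of device fingerprint to source IPs catches bots that rotate IPs but keep one fingerprint, and the score is mapped to one of the response actions above. The fingerprint labels, thresholds and score bands are assumptions for the example, and the sessions are constructed.

```python
from collections import defaultdict

# Constructed reference data for this example. A production engine would use
# JA3/JA4-style TLS hashes, many more signals, and thresholds tuned to real traffic.
BROWSER_TLS_FPS = {"tls-chrome-like", "tls-firefox-like", "tls-safari-like"}
BROWSER_UA_HINTS = ("Chrome/", "Firefox/", "Safari/")
RATE_LIMIT_RPM = 100           # requests per minute considered abnormal for one session
CRED_SPRAY_MIN_ATTEMPTS = 10   # login attempts and distinct usernames that look like stuffing
SHARED_FP_MIN_IPS = 3          # one device fingerprint seen from this many IPs is a crowd signal

# Constructed session records, as a client-side sensor plus server logs might produce them.
SAMPLE_SESSIONS = [
    {"session_id": "s1", "ip": "198.51.100.10", "user_agent": "Mozilla/5.0 ... Chrome/80.0",
     "tls_fp": "tls-chrome-like", "js_sensor": True, "device_fp": "fpA",
     "requests_per_min": 12, "login_attempts": 1, "distinct_usernames": 1},
    {"session_id": "s2", "ip": "203.0.113.1", "user_agent": "Mozilla/5.0 ... Chrome/80.0",
     "tls_fp": "tls-script-like", "js_sensor": False, "device_fp": "fpB",
     "requests_per_min": 300, "login_attempts": 250, "distinct_usernames": 250},
]
# Three headless-browser sessions: each looks nearly human on its own, but they
# share one device fingerprint while arriving from different IPs.
for i, ip in enumerate(("203.0.113.11", "203.0.113.12", "203.0.113.13"), start=3):
    SAMPLE_SESSIONS.append(
        {"session_id": f"s{i}", "ip": ip, "user_agent": "Mozilla/5.0 ... Chrome/80.0",
         "tls_fp": "tls-chrome-like", "js_sensor": True, "device_fp": "fpC",
         "requests_per_min": 40, "login_attempts": 20, "distinct_usernames": 20})


def build_crowd_index(sessions):
    """Crowd level: which source IPs has each device fingerprint been seen from?"""
    ips_by_fp = defaultdict(set)
    for s in sessions:
        ips_by_fp[s["device_fp"]].add(s["ip"])
    return ips_by_fp


def score_session(s, ips_by_fp):
    """Transaction-level signals first, then the crowd-level signal; returns (score, reasons)."""
    score, reasons = 0, []
    if not s["js_sensor"]:
        score += 30
        reasons.append("no client-side sensor data (JavaScript not executed)")
    claims_browser = any(hint in s["user_agent"] for hint in BROWSER_UA_HINTS)
    if claims_browser and s["tls_fp"] not in BROWSER_TLS_FPS:
        score += 30
        reasons.append("browser User-Agent but non-browser TLS fingerprint")
    if (s["login_attempts"] >= CRED_SPRAY_MIN_ATTEMPTS
            and s["distinct_usernames"] >= CRED_SPRAY_MIN_ATTEMPTS):
        score += 25
        reasons.append("many login attempts across many usernames")
    if s["requests_per_min"] >= RATE_LIMIT_RPM:
        score += 15
        reasons.append("request rate above threshold")
    shared_ips = ips_by_fp.get(s["device_fp"], set())
    if len(shared_ips) >= SHARED_FP_MIN_IPS:
        score += 20
        reasons.append(f"device fingerprint shared by {len(shared_ips)} IPs")
    return min(score, 100), reasons


def decide(score):
    """Pick one of the deck's response actions; the score bands are constructed."""
    if score >= 80:
        return "block"
    if score >= 60:
        return "tarpit"
    if score >= 30:
        return "delay"
    return "monitor"


def evaluate(sessions):
    """Score every session with crowd context and attach a management action."""
    ips_by_fp = build_crowd_index(sessions)
    verdicts = {}
    for s in sessions:
        score, reasons = score_session(s, ips_by_fp)
        verdicts[s["session_id"]] = {"score": score, "action": decide(score), "reasons": reasons}
    return verdicts


if __name__ == "__main__":
    for sid, v in evaluate(SAMPLE_SESSIONS).items():
        print(sid, v["score"], v["action"], "; ".join(v["reasons"]))
```

Run on the sample, s1 stays at monitor, the scripted stuffer s2 is blocked outright, and s3 to s5 each only reach a delay because the shared-fingerprint signal is what lifts them out of the monitor band; that is the crowd-level view the slides ask for, and the graded action list is what lets a defender slow or tarpit such sessions without giving the operator a clean block signal to tune against.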
Recommendations
- Treat bots as a business challenge, not just a security challenge
- Understand your risk surface and improve visibility around bot traffic on your public websites
- Explore Bot Management options that disrupt attackers’ business models, not just tactical outcomes
- Leverage threat intelligence to stay ahead of Bot Trends in your industry and adjacent ones
Recommended Reading and Next Steps
- Forrester New Wave: Bot Management, Q1 2020 [Free Download, click here]
- Learn more about Akamai’s approach to Bot Management [Free Resources and Reports, click here]
Further Questions -- Siddharth Deshpande, sideshpa@akamai.com (Director – Security Strategy)
https://www.akamai.com/us/en/solutions/security/bot-management-and-credential-st