‘Are you a robot?’ We’ve all had to answer this question at least once a day whilst surfing the net. Used as a Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), it’s one of the most common bad bot detection and protection tools. However, new research from bot management company Netacea states that ‘[i]t is becoming increasingly easy for [bot] attackers to bypass CAPTCHA and carry out attacks for their own malicious gain’. So what’s next for bot management? How can we better tackle these malicious threats?
In a bid to seek expert insight, we sat down with Matthew Gracey-McMinn, Head of Threat Research at Netacea. Matthew fell into the cybersecurity industry after studying Japanese history at university. Unintentionally beginning his post-graduate career as an IT Helpdesk Assistant, it wasn’t long before Matthew moved into cybersecurity at KPMG and then Incident Response at ReliaQuest, before occupying the senior position he holds at Netacea today.
Thanks for joining us at EM360 Matthew! Can you start by telling us what it means to be the Head of Threat Research at Netacea?
Thank you for having me, it’s a pleasure to be here. So, we in the Threat Research Team are tasked with providing relevant, actionable, and timely intelligence to Netacea’s internal teams and to our customers. What this actually translates to in practice is that we figure out what the bad guys are going to do, how they are going to do it, and what can be done to stop them. Essentially, we try to help organisations get ahead of adversaries, so they can protect themselves from attacks before they happen.
Now, I must ask. You spent your undergraduate and postgraduate education studying Japanese History, which is a rather unique starting point for someone in cybersecurity. Would you say it was your entry-level job as an IT Helpdesk Assistant at Marston’s PLC that sparked your interest in the threat landscape?
Yes, it is a bit of an unusual route into cybersecurity. Though I think when you look at who is in the industry as a whole we really do have people from a lot of different backgrounds, and that is to our benefit as people bring different skills and views to the table. In my personal case, I do think that my time on the helpdesk did contribute greatly to my interest in computers. But long before then I’d always loved history, and some of my earliest memories are actually marvelling at the ruins of castles. Even when living in Japan I spent a lot of time travelling around visiting different castles and wondering at how these structures kept people safe, dissuaded attackers, and provided people with protection against “bad guys”. After joining the helpdesk, I started to also get really interested in computers, and how they work, and cybersecurity seemed like the perfect marriage of these two interests. Now I essentially get to contribute to the construction of digital castles.
What is the current state of malicious bot attacks and which out of the four main types - DDoS, inventory denial, scraping, and credential stuffing - poses the biggest threat to businesses and consumers in 2021?
In a nutshell, we have seen bot-based attacks grow in number and sophistication over the last year. The COVID-19-induced shift to an online-first business model for societies around the world has pushed a lot more customers and businesses online. This means that there are many more targets for adversaries, resulting in more successful attacks being launched. One of the fallouts of there being more successful attacks means that there is more leaked data that can be used to inform future attacks. Plus, of course, as more adversaries start to make bigger profits, more people will be drawn into launching these attacks with the hope of profiting financially.
It is hard to pull out a particular bot type as being a bigger threat than any other, since, for any individual organisation, the biggest threat will depend on their industry vertical, their business methods, what they have up online, and many other factors. DDoS is often pulled out as a major concern of businesses, but what we tend to find is that it is quite often an inadvertent consequence of a different attack such as scraping. Scraping is a very intensive activity on a website, and if multiple adversaries are scraping at once then they may pull down the website. Obviously, this wasn’t their intention, as by pulling down the website they now cannot scrape it, but it is the result of it. For any given business to understand their biggest threat though, I really think they should start by considering, at least at a high level, what it is their business does. So, if you have a lot of customer accounts you probably want to worry about credential stuffing. Do you sell limited-stock items like tickets etc.? Then you probably want to think about how to combat scraping (which looks for when such stock becomes available) and inventory hoarding (which can be a way to prevent legitimate customers from buying from a site while scalpers or competitors sell goods instead).
Netacea recently published a report ‘Buying Bad Bots Wholesale: The Genesis Market’, highlighting that the number of stolen digital identities available to purchase on the marketplace has increased from 100,000 in 2019 to over 350,000 today, with more than 18,000 being added each month. Why do you think the numbers have risen so dramatically?
I think it really comes down to money at the end of the day. The individuals running the Genesis Market, like most of these adversaries, are ultimately after financial profit. These are businesses, albeit illegitimate ones. Their goal is to make money. Such significant growth in the marketplace suggests it’s a growing market, that there is a demand (amongst criminal actors) to purchase these stolen digital identities. The Genesis Market is growing because those running it are able to increase their profits by growing it. This may suggest that either they’re grabbing more market share, or, far more likely, the amount of demand for stolen digital identities is growing. I suspect the shift to more people being online (partially driven by the COVID-19 pandemic) is helping to drive more criminal actors into undertaking their activities online rather than in the physical world. This, in turn, creates more demand for tools that facilitate such crimes, such as stolen digital identities, and so these sorts of marketplaces grow, offering more stock and products to keep up with increasing demand.
To what extent do CAPTCHA verification questions such as ‘Are you a robot?’ help to keep the internet safe from cybercriminals and, more specifically, bot attacks?
CAPTCHA is a defensive tool. And like any defensive tool, it should form part of a defence-in-depth model. If we go back to the example of a castle, you can see there are multiple layers of defences. Generally, you would have outer walls, inner walls, fortified buildings, watchtowers, patrolling guards, maybe even boiling oil. Each is a defensive measure that individually would offer little protection but together make for a formidable defensive structure. We may not have many opportunities to use boiling oil in cybersecurity, but we can definitely learn from this approach. CAPTCHA is one level of defence, sort of like a guard at the gate checking the credentials of those trying to enter the castle. That CAPTCHA guard will turn away anyone who cannot present correct credentials by passing the CAPTCHA challenge. However, more sophisticated bots have ways of passing CAPTCHA, or, for our example, can present false credentials to the guard. So, CAPTCHA is a very useful tool, and it will stop a lot of unsophisticated threats, but the more sophisticated (and thus generally more dangerous) bots can bypass it, and you will need more layers of protection behind CAPTCHA to stop them. Really, for a comprehensive response to these sorts of automated threats, you need a bot management strategy.
Towards the end of Q1, you hosted a webinar at the virtual Cyber Security Digital Summit on ‘Developing A MITRE-Style Framework for Bots’. How does this bot management framework work and in what ways is it helping cybersecurity professionals to take a more proactive approach to tackling malicious bots?
MITRE’s ATT&CK Framework is a tried and tested tool for responding to what are considered “Technical Attacks”. These are attacks that try to exploit code vulnerabilities or weaknesses in underlying systems. It’s a simple, yet comprehensive framework for understanding what stages an adversary will go through while attacking, what they want to achieve at each stage and what methods they will use to achieve it. However, we found that the framework doesn’t work so well with what are called “Business Logic Attacks”; these are attacks where an attacker uses a web app or API in its intended function, but for malicious purposes. For instance, you want people to use a username and password to log in, but you don’t want them to steal a username and password from someone else and log in with those. Alternatively, you want people to use their credit card to buy things, but not to use stolen credit cards to do so. In both cases, either the login page or the payment page is being used in its intended fashion, but they are being used as part of malicious activity.
Our NetBLADE (Business Logic Attack Definition) Framework is designed to cover this gap. It provides a comprehensive view of the stages that bot attacks go through, and what methodologies adversaries will employ at each stage. This allows an organisation to have a far more granular understanding of what attacks are being employed against them. This allows for a better understanding of risk, as well as for identification and mitigation of attacks. By using the NetBLADE Framework, an organisation can look for indicators of specific techniques, rather than just looking for something “anomalous” or “bad”. They can also map their defences against specific techniques, and thereby understand where there may be gaps that need coverage. Also, when trying to determine how to defend themselves, an organisation can use the NetBLADE Framework to understand what sort of attacks are likely to be employed against them, and so direct security investment towards identifying and mitigating against these specific techniques. This facilitates a much more efficient response and a better ROI. We’ve also found that the NetBLADE Framework facilitates reporting. It makes it much easier to know how far along an attack is when detected, what may happen next if it isn’t stopped, and what may have been missed by defences in earlier stages.
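The two points above, that CAPTCHA is only one layer and that defenders should look for indicators of a specific technique rather than for something generically “anomalous”, can be illustrated with a small second-layer detector for credential stuffing, the business-logic attack used as the example in the previous answer. The code below is an added example written for this article; it is not Netacea’s or the NetBLADE Framework’s code. The log format, the field names (`ip`, `user`, `captcha`, `result`), the thresholds and the sample lines are all assumptions constructed for the illustration. Every sample request has already passed the CAPTCHA gate, so the CAPTCHA layer alone would admit all of them; the second layer flags a source that tries many different usernames in a short window with mostly failures, while a single user repeatedly mistyping their own password is deliberately left alone.

```python
"""Second-layer credential-stuffing detector over constructed login logs.

Added example, not Netacea's or NetBLADE's code. The log format, field
names and thresholds are assumptions made for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real traffic). Every request passed the
# CAPTCHA gate (captcha=ok), so that layer alone would admit all of them.
SAMPLE_LOG = """\
2021-04-12T10:00:01Z ip=203.0.113.5 user=alice captcha=ok result=FAIL
2021-04-12T10:00:03Z ip=203.0.113.5 user=bob captcha=ok result=FAIL
2021-04-12T10:00:04Z ip=198.51.100.7 user=dave captcha=ok result=FAIL
2021-04-12T10:00:06Z ip=203.0.113.5 user=carol captcha=ok result=FAIL
2021-04-12T10:00:09Z ip=203.0.113.5 user=erin captcha=ok result=OK
2021-04-12T10:00:12Z ip=203.0.113.5 user=frank captcha=ok result=FAIL
2021-04-12T10:00:15Z ip=203.0.113.5 user=grace captcha=ok result=FAIL
2021-04-12T10:00:20Z ip=198.51.100.7 user=dave captcha=ok result=OK
2021-04-12T10:01:00Z ip=192.0.2.9 user=heidi captcha=ok result=FAIL
2021-04-12T10:01:10Z ip=192.0.2.9 user=heidi captcha=ok result=FAIL
2021-04-12T10:01:25Z ip=192.0.2.9 user=heidi captcha=ok result=FAIL
2021-04-12T10:01:40Z ip=192.0.2.9 user=heidi captcha=ok result=FAIL
2021-04-12T10:02:00Z ip=192.0.2.9 user=heidi captcha=ok result=FAIL
"""

# Assumed log format; a real deployment would parse its own web-server or
# authentication-service log layout here.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"captcha=(?P<captcha>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return rec


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_attempts=5, min_distinct_users=4,
                               min_fail_ratio=0.8):
    """Flag source IPs whose logins inside `window` match the credential-
    stuffing indicator: many attempts, many *different* usernames, mostly
    failures. One user retrying a forgotten password has a single username
    and is not flagged, however many times they fail.
    Returns {ip: summary-dict} for flagged sources (thresholds are assumed)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda r: r["ts"])
        start = 0
        for end, ev in enumerate(events):
            # Slide `start` forward so events[start:end+1] all lie within `window`.
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            attempts = len(span)
            failures = sum(1 for r in span if r["result"] != "OK")
            users = {r["user"] for r in span}
            if (attempts >= min_attempts and len(users) >= min_distinct_users
                    and failures / attempts >= min_fail_ratio):
                # Keep the most recent matching window as the verdict for this IP.
                flagged[ip] = {
                    "attempts": attempts,
                    "failures": failures,
                    "distinct_users": len(users),
                    "first_seen": span[0]["ts"].isoformat(),
                    "last_seen": span[-1]["ts"].isoformat(),
                }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

On the sample data only 203.0.113.5 is flagged: six attempts against six different accounts with five failures in under a minute. 192.0.2.9 fails five times but always as the same user, and 198.51.100.7 makes two attempts and then succeeds, so neither meets the distinct-username indicator. The distinct-username count is what makes this a technique-specific indicator rather than a generic “too many failures” alarm; in practice it would sit behind CAPTCHA and beside other layers such as device fingerprinting and reputation data, and the thresholds would be tuned to the site’s real traffic.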