I’d like to introduce you to CQ Prime, the Cequence Security threat research team whose singular mission is to help the security industry and our customers understand the Tactics, Techniques and Procedures (TTPs) utilized by cybercriminals who execute automated malicious bot attacks against your public-facing web, mobile, and API-based applications. These attacks target your application business logic with what appear to be legitimate or syntactically correct transactions, making it difficult to determine whether or not the actual intent is malicious.
CQ Prime has developed the Four Pillars of Detection framework to help us consistently answer some basic, yet complex questions:
- What are my adversary’s goals?
- What does my adversary need to accomplish those goals?
- Who is my adversary, what resources do they have and how determined are they?
- What should my strategy be to mitigate my adversary?
Our framework focuses on how to think about, understand, and ultimately respond to these sophisticated attacks. At its most basic level, we want to understand what a bad actor needs to launch an attack. The answer lies within our Four Pillars of Detection, which form the foundation of our research framework and are defined below.
Tools represent the most basic components of these types of attacks. The research surrounding this detection pillar focuses on the heuristics that deal with the immutable characteristics of the code launching the attack or, increasingly, the characteristics of an off-the-shelf tool that are difficult for novice bad actors to change. Examples of topics the CSRT will discuss include:
- Deep dives into popular off-the-shelf tools, like “SNIPR”, “SentryMBA”, “BlackBullet”, and “OpenBullet”.
- Analysis of the underlying ecosystem surrounding these tools, including who the users are and who develops and distributes them.
- Pricing variations for different types of tools for different targets; a topic that opens a window into the successes and challenges the bad guys are facing.
Simply put, Infrastructure represents the resources that bad actors need to distribute their attack and anonymize themselves. As such, infrastructure is an essential component to successful automated bot attacks. Our research team will publish findings on:
- The top offending organizations and networks we see being used for abuse across our customer network.
- Increasing use of high-reputation Residential IP Proxies (RESIPs) through services like Luminati, StormProxies, and more.
- The growth of “proxy-as-a-service” businesses that tacitly allow and encourage fraud through their networks, and are capable of fooling enterprise-grade IP geo-location at scale.
- The continued trend of using compromised IoT devices as semi-public open proxies (to launch the attacks).
From the perspective of a single victim organization, these attacking resources appear disparate, random and therefore more “legitimate”. By correlating data across a wide range of customers with a variety of attack types, distinct patterns have emerged.
Credentials are essential for automated business logic abuse. Simply put, bad guys need user accounts – either legitimate and compromised, or fake – through which to carry out these attacks. Our research surrounding the Credentials detection pillar will rise above the “another high-volume breach” signal noise, focusing on how the credentials are used in automated attacks. Topics will include:
- Analysis of techniques and patterns used across many requests that could indicate credential abuse.
- Behavioral analysis of metadata to gain an understanding of a user’s behavior over time.
- Inspection of large-scale manual fake account creation to uncover patterns that may expose the bad actor’s intent.
Behavior cuts right to the heart of automated bot attacks, as it represents the unique fingerprint a bad actor creates when using Tools, Infrastructure and Credentials to launch the attack. Much of our research into “bot behavior” actually deals with the human element of automated bot attacks. How do the human operators respond to mitigation, friction or any kind of defensive action? Research findings to be published will include:
- How “low & slow” a bad actor is willing to throttle their attack without negatively impacting their unit economics to the point where they are losing money.
- Different types of “fast & furious” attacks, and what the bad actor’s go-to moves are as they continue to try to evade detection and carry on with their abuse.
- How qualitative behavioral analysis can aid in both attribution and understanding the bad actor’s motivations, resulting in improved mitigation techniques.
As a security research team, our goal is to analyze what we see within our customer networks and across the industry to better understand the inner workings of a bad actor and share that data to help improve prevention techniques as a whole.
Why CQ Prime?
Many will ask, where did CQ Prime come from? We chose CQ Prime because in mathematics the prime symbol is generally used to generate additional variable names for things that are similar. CQAI, our machine learning-based analytics engine, makes heavy use of mathematics to separate legitimate from malicious transactions as a means of detecting malicious bots and targeted application vulnerabilities. Much of our research will be rooted in the data that CQAI provides, so the name seemed to fit well.