In a previous blog, I talked about how the Covid-19 pandemic lockdown had corresponded to an increase in attack intensity. Since then, different parts of the country have begun to reopen, and in some cases reclose, yet the attackers have maintained their intensity. So, what is the difference now that we are rounding the corner and moving towards fall?
Perhaps it’s the heat – it makes everyone a bit crazy. This summer has been hot for many parts of the country and here in Ohio, we have had 90-degree days for weeks at a time with only an occasional cloudy day breaking up the discomfort. The heat makes both man and beast modify their strategies to improve their survival efficacy.
As attackers have turned up the heat on our customers, we have responded in kind, maintaining very high efficacy rates, even as they retool and focus their efforts elsewhere. In several cases, we shut down an intense attack against a single API endpoint, only to see the attacker change their proxy network and perhaps the API endpoint and throttle back up again. Once they realize that their modifications aren’t working, we see them retool their behavior and attack again. Sometimes they trigger one of our detection techniques, and as they modify their efforts, their behavior triggers a completely different technique.
Just like modifying behavior to stay cool, the key is how we use different techniques to maintain detection efficacy. The attackers only have so many knobs to turn to hide their actions. When they are blocked, one of their first actions is to move rapidly to a different infrastructure network, indicating they believe we are blocking them based on their network IP address.
When we continue blocking, we see the attacker modify their behavior by moving from one User-Agent to another. In a recent attack against one of our customers, the attacker modified their bots to rotate several elements of the User-Agent string. Not only did they modify OS and browser type, but they modified every other element carried in the string, including build numbers and languages. As they changed, we watched them add UAs to the rotation pool, attempting to gain a foothold into the system with at least one that would work.
Here is a standard User-Agent String from a Google Pixel 3 that tells users (and attackers) that Android 10 is the OS on a Pixel 3 device and the version numbers for WebKit and Chrome. Bad actors will rotate through each of these elements to avoid detection and achieve their goals. These retooling efforts can successfully evade client-based detection, but they can also work against the attacker. Here’s how.
CQAI, the analytics engine behind Bot Defense, uses trained ML models to encode common behavioral traits of automated attacks that, when applied to each incoming web application and API request, result in the creation of a behavioral fingerprint. The behavioral fingerprinting goes far beyond other types of fingerprinting that identify end-user devices based on telemetry signals received from them. More importantly, the result is immediate mitigation efficacy upon deployment.
The CQAI behavioral fingerprint observes the UA string changes mentioned above, along with the attacker’s previous behaviors, to maintain detection efficacy. Additional elements considered can include:
- What IP address is the bad user-agent coming from?
- Have we seen this user-agent before and was the user-agent coming from one of these bad IPs?
- Is the IP part of a known or unknown bullet-proof proxy network?
- Does this give us any information on attacks on-going with other customers?
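
To make the first two questions in the list concrete, here is a simplified sketch of how rotation can work against the attacker: every User-Agent reused on a new proxy ties that proxy back to one already blocked. This is an added example, not CQAI's implementation; the request pairs, the UA strings and the 0.5 share threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed (ip, user_agent) pairs; documentation-range IPs, invented UAs.
COMMON_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/84.0.4147.105"
UA_A = "Mozilla/5.0 (Linux; Android 10; Pixel 3) Chrome/83.0.4103.106"
UA_B = "Mozilla/5.0 (Linux; Android 9; SM-G960F) Chrome/81.0.4044.138"
UA_C = "Mozilla/5.0 (iPhone; CPU iPhone OS 13_5 like Mac OS X) Safari/604.1"
UA_D = "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Firefox/78.0"
REQUESTS = [
    # Bot on its first proxy, already blocked (the seed below).
    ("198.51.100.7", UA_A), ("198.51.100.7", UA_B), ("198.51.100.7", COMMON_UA),
    # Same bot after moving proxies: one UA reused, one added to the pool.
    ("203.0.113.21", UA_B), ("203.0.113.21", UA_C),
    # Third proxy, pool grows again.
    ("203.0.113.99", UA_C), ("203.0.113.99", UA_D),
    # Ordinary users on a popular browser build the bot also borrowed once.
    ("192.0.2.10", COMMON_UA), ("192.0.2.11", COMMON_UA), ("192.0.2.12", COMMON_UA),
]

def propagate(requests, seed_ips, min_share=0.5):
    """Spread suspicion between IPs and UAs until nothing new is flagged.

    A UA is flagged when at least min_share of the IPs sending it are flagged,
    and an IP when at least min_share of its UAs are flagged. The share test
    keeps a popular UA (and its legitimate users) from being tainted by one
    bad sender.
    """
    ips_by_ua, uas_by_ip = defaultdict(set), defaultdict(set)
    for ip, ua in requests:
        ips_by_ua[ua].add(ip)
        uas_by_ip[ip].add(ua)
    bad_ips, bad_uas = set(seed_ips), set()
    changed = True
    while changed:
        changed = False
        for ua, ips in ips_by_ua.items():
            if ua not in bad_uas and len(ips & bad_ips) / len(ips) >= min_share:
                bad_uas.add(ua)
                changed = True
        for ip, uas in uas_by_ip.items():
            if ip not in bad_ips and len(uas & bad_uas) / len(uas) >= min_share:
                bad_ips.add(ip)
                changed = True
    return bad_ips, bad_uas

if __name__ == "__main__":
    ips, uas = propagate(REQUESTS, {"198.51.100.7"})
    print(sorted(ips), len(uas))
```

Starting from the single blocked address, the two later proxies and all four rotated UAs are flagged, while the shared browser build and the three ordinary clients are not.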