Tales from the Frontlines: Increasingly Sophisticated Cat and Mouse Games  

June 4, 2020 | by Jason Kent

The last Tales from the Frontlines post focused on a single customer and the attack volume increase they experienced following the COVID-19 lockdown. In this installment, we will look at the increasingly sophisticated game of cat and mouse defenders are playing with attackers, including high-volume diversionary tactics commonly used as distractions from the real attacks.

When attackers change their tactics, the mitigation techniques of organizations need to evolve with them. When bad actors attempt to take over accounts, create fake accounts, steal inventory, or utilize someone else’s financial information to commit fraud, they must maintain the attack.

To understand these attacks, one must also understand the attacker’s motivation. In most instances, the motivation is purely financial. People have money, and attackers want it. Often, it is how the attacker approaches the situation that determines the outcome.

For instance, the romance industry (various dating sites and “computer dating” platforms) are highly targeted because, according to the FBI, they are the second most lucrative attack type, just behind email “phishing” campaigns.

Additionally, retailers that utilize gift card services, rewards programs, and other means to entice legitimate customers with loyalty points leading to free items, are also attracting the attention of BOT attackers. Usually, the sole intent is theft, but often it isn’t the retailer that notices the theft until after the damage is done. Loss prevention used to be cameras in stores. Now it is alerts on systems that were never intended to be used for that specific purpose.

When met with resistance to their efforts, many attackers modify their tactics and techniques to continue their malicious actions. As defenders, we must stay one step ahead of the attackers.

Here are some of the attack trends we are seeing in our customers’ environments.

Increased Use of Commercial Proxy Networks to Mask Identity and Location

Proxy networks that enable an attacker to distribute their attack, hide their identity, and mask their location have become big business. The most significant change we see is that attackers are using multiple commercial proxy networks, not just the free ones. They are available with almost any geography as the exit point for the attack and vary in price based on the bandwidth and speed needed.

As we reported in the Bulletproof Proxy update, these tools make it easier to anonymize traffic’s originating country, ISP, etc. The first assumption most attackers have is that their IP address cannot be associated with thousands of requests against the same server. Rotating this IP address has become table stakes in an attack. We often see the attackers rotating every one or two transactions, changing between ISPs and countries on each subsequent request.

When drilling down into our customers’ environments, it isn’t uncommon for a single attacker to hit a handful of URIs from as many as 30,000 different IPs.

In a few cases, we see overall volumes to well-known endpoints increasing, /login and /password-reset are examples of places that are consistently under attack. But, we’ve also noticed behaviors that use volume to hide, such as a few attempts with known dumped credentials, and sometimes the endpoints get rotated while an attack uses volume on another endpoint to disguise activity.

More Rapid Changes to User-Agent Behavior

Once the attacker has established their attack infrastructure, they will want to consider what they look like to the end (target) systems. If they are targeting Android API endpoints, attackers don’t want to be using IOS based user-agents. But, that isn’t the only behavior that attackers have to monitor and understand.

All manner of tracking cookies and session tokens might be associated with a user’s activity. The same session token may or may not work with different user accounts or browser/mobile app types. Mitigation efficacy depends on the ability to see that the same user is coming from 12,000 different IPs and uses the same session token.

As the attackers modify their behavior, mitigation efforts change. If protection isn’t automated, the attackers will begin to win for a bit, then the defenders stop them. The attackers adjust, and then the defenders change.

Without automation detection strategies, the whole thing becomes a huge game of whack-a-mole.

Automated Detection is Needed

The way we detect attacks has changed and will continue to change as the bad actors’ tactics and techniques evolve. As attack sophistication increases, mitigation efforts need to maintain pace accordingly.

One thing we have observed within our customer base is that many never had an automation strategy against automated attacks before using our platform, and the attacks initially detected aren’t very sophisticated. When they first deploy Cequence, the alerts and triggers are often on straightforward things. Over time, the attacks tend to become more nuanced, requiring more information to set off the triggers and alerts.

For example, in the early stages, username and password attempts from the MySpace dump (yes, they still use it) may occur. Then, we’ll observe things like country language mismatching combined with inferred vs. tested browser types added onto known proxy networks. As our platform adjusts to the attackers, we end up in a situation where we don’t care where the moles pop up. They will get swiftly whacked.

Though attacker volumes may be changing, and though the attackers may be distracting us with noise to keep their sophisticated attacks working, we are still catching their bad behavior.

Applying data science to user behavior and understanding attackers means that we can maintain detection efficacy no matter how much they change, staying a step ahead as defenders.

Jason Kent

Author

Jason Kent

Hacker in Residence

Additional Resources