Cequence Security

Enumeration Attacks use automation to rapidly iterate through numeric or alpha-numeric sequences used as identifiers for public-facing applications with the end goal of discovering legitimate web conferencing meeting, valid gift card numbers or an in-transit shipment.

Enumeration and Snooping Attack

Automation allows a bad actor to launch enumeration attacks directly against the application APIs as shown in the Prying-Eye vulnerability where a bot cycles through (enumerates) and discovers valid numeric meeting IDs. If the common user practice of disabling security functionality is followed, then the bad actor would be able to view or listen to an active meeting.

Enumeration and Snooping Attack

Targeting the web conferencing application APIs directly, this attack (1) uses a bot to enumerate and discover the numeric, or alphanumeric identifiers that (2) perform the attendee access control function. If the application is not protected by a password or other authentication mechanism, (3) the bad actor can surreptitiously gain access to the web meeting.

Gift Card/Check Enumeration

Enumeration Attacks are often used by bad actors to validate and use gift cards before the real owners are able to do so. Bad actors can easily determine the numeric sequence by viewing the cards on display in retail stores. Armed with the numeric pattern, a bot can be programmed to validate the card numbers. In some scenarios, a bank validation is required prior to use, and if successful, they can then be used immediately to make valid purchases.

Enumeration and Snooping Attack

Preventing Enumeration Attacks: Key CQ botDefense Differentiators

  • ML-based analytics engine automatically discovers enumeration patterns: CQ botDefense is based on CQAI, an ML-based analytics engine that operates out-of-band to automatically discover all your web, mobile and API-based endpoints, building an intuitive site map that can be used for visibility and policy-based protection. Alternative JavaScript instrumentation and mobile SDK integration-based solutions rely heavily on device-only telemetry, injecting application deployment delays with extended QA/validation processes, security gaps between mobile app variants, and user dissatisfaction with slow page load times.
  • Open, extensible platform with customizable responses including deception: Using more than 150 customizable automation indicators, CQAI determines the malicious or benign intent of each numeric/alphanumeric transaction. Customizable mitigation policies provide multiple response options including block, rate limit, geo fence, or deception. Using deception allows you to send a custom response to the attacker, effectively putting guardrails around their activities. Alternatively, the REST API can be used to export CQAI findings to external systems for archiving, additional analysis or an alternative response.
  • New apps protected automatically, security-induced delays eliminated: As new public-facing applications that use numeric identifiers are deployed, they are automatically discovered and protected by CQ botDefense, effectively baking security into your application deployment workflow.
  • Consistent protection for APIs, web and mobile applications: CQ botDefense protects all of your public-facing applications – web, mobile and any supporting APIs – from automated attacks. A single, consistent security policy protects all of your applications, providing an opportunity to consolidate application security functions into a single platform.
  • Deployable anywhere: A container-based software architecture allows CQ botDefense to be deployed in your data center, the cloud or as a SaaS offering, allowing you to choose the architecture that best fits your needs.

Additional API Security Resources

Prying Eye: Direct to API Enumeration Attack Webinar

CQ botDefense 5 Minute Demo

CQ botDefense API Security Solution Brief