Blog, Events & News

BACK TO ALL

Attack vectors part one: The classic approach

By Netacea / 23rd Jul 2019

In this series, we’ll look at the evolving attack story that we’ve observed with a single customer.

As certain doorways have been closed to the bots, they’ve attempted to find new ways in. Thus far in our partnership with this customer, there have been three clear stages in the journey. This blog post will explore the first: The Happy-Go-Lucky Chancer.

Later editions will introduce you to The Sneaky Snake (aka Mr Low-and-Slow) and then finally The Vulnerability Exploiter. This third iteration in particular is becoming more and more common with any major website also running an app via an API for their mobile users. One of the main issues with APIs is the comparative lack of visibility available to those who maintain them. Many organisations have no real understanding of who is accessing them, what they are doing and why. Attackers are using this to their advantage, and attacks against APIs are becoming ubiquitous.

Why are attack vectors changing?

This evolution of attack methods is something you should expect to see on your own site once you start mitigating the more obvious methods of attack. When attackers think nobody’s watching, the malicious bots will hit frequently, and at volume. If they’re keeping their traffic levels under that which a standard site could expect to cope with – i.e. they’re not in danger of bringing down the whole site and thus alerting the unsuspecting site owner to their presence – they will not make any efforts to disguise themselves.

Once the attacker realises you’re onto them, they’ll become a little sneakier, and you’ll have to employ more complex methods of defence. We’ll explore such techniques in more detail later this blog series, but for now we’ll focus on the first stage: The Happy-Go-Lucky Chancer.

What do these attacks look like?

Meet the Happy-Go-Lucky Chancer

Netacea had only very recently engaged with this customer, one of the country’s most recognisable department stores with a huge online presence. We were actually in a POC with them at the time and only monitoring traffic via log ingest; nobody was expecting there to be a requirement for any sort of mitigation activity. However, within four days of streaming and analysing logs, the customer was hit by an enormous and brute force ATO (account takeover) attack, with thousands of login attempts made over a very short period of time.

This wasn’t what anyone could claim to be some sort of ‘low and slow’ attack; there was no subtlety at play here. It’s exactly this sort of attack that companies without any sort of bot protection are likely to suffer from most often – the attacker knows they can get in and out before anyone has a chance to respond, and they don’t have to be sneaky about it.

The only attempt that the Happy-Go-Lucky Chancer makes is to spread the requests out to several countries and sources. The above chart illustrates the hugely distributed nature of the attack. This sort of behaviour is to prevent a traditional WAF from blocking the attack – as a rule, they’re unable to act swiftly enough to stop traffic from such a large range of sources, if the attack is fairly short in duration.

The attack that we’ve outlined in this post is a classic beginner-level of bot attack. They’re operating on the basis that if no-one’s actually watching them, they’ll be able to get in and out again before anyone realises they’ve been there. Netacea’s behavioural analysis and mitigations would have stopped this sort of activity in its tracks, and it was the very next day that the customer decided to move from monitoring only, into active blocking mode.

In part two of this series, we’ll look at what happens when Mr Happy-Go-Lucky realises that he must be a little sneakier and try a little harder to get what he wants.

Secure your web traffic with Netacea

Netacea takes a smarter approach to bot management. Intent Analytics powered by machine learning quickly and accurately distinguishes bots from humans to protect websites, mobile apps and APIs from automated threats while prioritising genuine users. Actionable intelligence with data-rich visualisations empowers you to make informed decisions about your traffic. Talk to our team today or discover more about the threat of account takeovers to your business.