Netacea discusses Bot Groups at Cyber Security Digital Summit

By Netacea / 19th Mar 2021

On 16th March Netacea sponsored the virtual Cyber Security Digital Summit where, alongside speakers from Blackberry, Thycotic and Disney, Netacea’s Head of Threat Research, Matthew Gracey-McMinn, hosted a session for attendees. During the showcase, Matthew explored “Lessons Learned From An Invite Only Bot Group & Developing A MITRE-Style Framework for Bots”.

Matthew discussed how the Netacea threat research team infiltrated the bot groups, mapped out their tools and capabilities, and shared findings critical to understanding the various bot communities that reside behind the curtain.

In this roundup blog, we will cover those topics and also report on the current state of the bot communities and the developing top threats to businesses.

What is bot traffic?

Bot traffic is any request that is made by an automated process rather than triggered by human action. Good bots include search engines, content aggregators, SEO tools and price comparison tools, which are used daily by individuals and businesses across the globe. Bad bots expose your business to malicious automated attacks, including credential stuffing, scalping and carding.

These automated processes perform what looks like legitimate activity, at scale, to exploit business logic weaknesses within your website, mobile apps and APIs.

“Bots are a niche area of cyber security – we need to get everyone on the same page.”
– Matthew Gracey-McMinn

Find out what tools bot groups are using and their capabilities

Our goal is to stop the bots by using a shared vocabulary and solving bot problems using models and frameworks. To do this we needed to find out who the attackers behind the bots are, what they are doing, how and why. To start, we needed to try to understand the machine.

We have existing models to understand attacks that have already happened, but how can we use this analysis to examine data as it hits our defences? The proactive way of doing this is to examine bot groups from the inside.

What bot groups look like from the inside

It is not merely the hooded hacker in a back bedroom posing a threat to businesses; in 2021 there are well-funded, well-organised communities orchestrating attacks across continents. Upon looking into these bot groups, we found that they are professional, organised and really well run.

We realised that these bot-based attacks seem to go through a series of stages during the course of an attack. That these attacks seem to go through separate stages reminded us of the Lockheed Martin Cyber Kill Chain, but given that these bots aren’t exploiting technical vulnerabilities, the Cyber Kill Chain didn’t really fit the stages we were seeing. Instead, we built out a new kill chain that allowed us to map one of the types of bot attacks we see a lot of (in this case scalper bots). We then realised that this kill chain didn’t apply to some of the other bot attacks we saw and so decided to build out a new kill chain for each type of bot.

Once we had built out all of these kill chains we saw that there was significant overlap between them, and that some of the more advanced bot attacks were really nothing more than other bots acting in sequence to perform a larger attack.

We came to the conclusion that we could combine our kill chains into a larger, overarching model that would list the tactics, techniques, and sub-techniques employed by our adversaries, much as is done by the MITRE ATT&CK Framework. In this way, we were able to build a new framework for understanding these attacks against business logic that allows us to break down these attacks into different stages. This helps us to understand the techniques employed by attackers and why they are employing those techniques.

Our framework is designed to be as future-proof as possible, so that it still applies even if we come across a tool we’ve never seen before.

What are the biggest threats to your brand in 2021?

Credential stuffing, scalper and carding attacks are the three top threats Netacea has observed increasing in frequency and becoming more sophisticated throughout 2020 and beyond, as online activity continues to grow. Read more about the biggest threats to your brand here.

We need to be adaptable and flexible to understand and mitigate new forms of attacks by developing shared knowledge and capabilities, because prevention is better than a cure.

All websites, mobile apps and APIs are now a target for malicious attacks by automated bots, putting profits, customers, data and reputation at risk. Without specialist bot protection in place, attacks such as credential stuffing, carding, fake account creation, scraping and scalping will succeed or go undetected.

Sign up for a personalised demo and find out how Netacea detects and mitigates against sophisticated bot attacks.