NETACEA / WHITE PAPER
WAFS VS ATO ATTACKS
CONTENTS: BACKGROUND | WHAT IS A WAF | WHAT IS AN ATO ATTACK | WHY CAN’T WAFS DETECT BOTS | CONCLUSION & SOLUTION | ABOUT THE AUTHOR: NETACEA
BACKGROUND
It is common knowledge that automated bots account for more than half of the world’s web traffic. Some of it serves legitimate purposes such as search engine indexing, but the majority is malicious. Given the rise in data breaches, combinations of usernames and passwords are readily available on the web to be exploited for fraud via automated Account Takeover (ATO) tools. It’s now more important than ever for modern business leaders to get visibility on the different types of traffic hitting their websites. 9 out of 10 website login attempts are performed by Account Takeover (ATO) bots, and while the more basic, high-volume attacks are relatively easy to identify, the more sophisticated attacks still bypass Web Application Firewalls (WAFs). Many businesses rely on WAFs to protect their sites and customer accounts. This is a good policy for protection against a wide range of security attacks; however, many are still falling victim to successful ATO attacks. This paper details the most common reasons why WAFs are no longer effective against the rising tide of sophisticated bots.
WHAT IS A WEB APPLICATION FIREWALL?
The PCI Security Council describes a WAF as follows: “A security policy enforcement point positioned between a web application and the client end point.” WAFs are a common layer 7 security appliance or software, often used in enterprise businesses to protect applications and backend databases from attacks. They inspect web communications to an application or backend server by looking for malicious strings or engineered packets. This is done by comparing these communications against an implemented rule set, which means a WAF’s success largely depends on the breadth and accuracy of the given rule set. WAFs are a reliable and powerful security device and should be considered when setting up any web infrastructure; however, this report highlights some of the areas where the capabilities of WAFs as a means of defence are limited.
PRIMARY OBJECTIVE VS. FAILED PROTECTION
Due to how WAFs work and are configured, they are a great form of protection against known vulnerabilities and zero-day exploits, such as SQL injection attacks, session hijacking, cross-site scripting and buffer overflows. Ultimately, though, WAFs are designed for spotting a fundamentally different problem: illegitimate requests that are aimed at exploiting security weaknesses in a web application. Bot detection, however, is about spotting legitimate requests that aim to exploit weaknesses in the business logic of a website.
NETACEA.COM
/ 1
Unfortunately, due to the very nature of a predefined ruleset, intelligent hackers can analyse those rulesets through pre-attack reconnaissance activity to understand the WAF thresholds. Once these are analysed and understood, they can slip in below the radar with a much stealthier, slower attack that meets the requirements needed to bypass the WAF protection layer and access the website, web application or backend database.
WHAT IS AN ACCOUNT TAKEOVER ATTACK?
ATO is a form of fraud where a bad actor will attempt to compromise the integrity of a real user’s account, often leveraging compromised credentials sourced from elsewhere to gain something of value. When there is a reported data leak or credentials are compromised, usernames and passwords become available to purchase on the dark web. With every new breach, the dark web comes alive with a frenzy of hidden activity. Hackers and fraudsters scramble to validate combinations against other websites by using automation technologies to test credentials, either en masse, across thousands of websites, or with extremely targeted attacks against specific online services and eCommerce platforms. According to Verizon’s latest data breach study, “63% of confirmed data breaches involved leveraging weak/default/stolen passwords.” Cyber criminals utilise reused, stolen or default passwords to launch credential stuffing operations to take over customer accounts. This is becoming even easier to do, particularly due to the rise in sophistication of cracking tools that automate the attacks with little knowledge of traditional hacking techniques required, plus the widespread incidence of customers reusing the same password across multiple sites.
AUTOMATED ACCOUNT TAKEOVER TOOLS
A common method used to gain access to an account is a credential stuffing attack. Easy-to-use tools like Sentry MBA and STORM can test compromised username and password combinations against website login forms at huge scale to establish a legitimate match in order to successfully take over an account. These tools are extremely effective against standard security solutions such as WAFs, but arguably more concerning is how easy they are to operate. Even low-tech criminals can profit from automated attacks with little more than a few mouse clicks.
This means anyone with intent could take over your customers’ accounts with little to no knowledge of traditional hacking techniques. Former Facebook CSO Alex Stamos believes password reuse is the single biggest cyber security risk to customers and organisations. He thinks crackers can’t go wrong with a credential stuffing tool as they are free, simple to use, efficient, and extremely effective. Furthermore, tools such as Sentry MBA and STORM even have inbuilt capabilities to bypass login form security controls such as IP rate limits and CAPTCHA checks, making it even easier for crackers to take over accounts. There are even services to bypass stronger forms of CAPTCHA at a low price, some using humans to physically pass the check.
HOW BIG IS THE PROBLEM SPACE?
The Open Web Application Security Project (OWASP) sees credential stuffing and ATO as one of the most common cyber-attacks, and one that is capable of compromising websites that do not have traditional security vulnerabilities. This puts everyone at risk: the consumers who own the accounts and the organisations that hold them. Forrester estimates account takeover costs $7 billion in annual losses in just the financial services and insurance markets. This excludes retail, where we see account takeover attacks costing some of our clients as much as 2.5% of their annual revenue. Others have also reported on this alarming rise in data breaches and ATO. PYMNTS.com reported a 45% increase in ATO in only the second quarter of last year, while Forter also found ATO growth to be nearly 35% for the first two quarters of 2018, and Javelin Strategy & Research reported the tripling of ATO losses to organisations. On top of the financial loss is also the damage to customers’ faith in their online services.
WHY CAN’T WAFS DETECT SOPHISTICATED BOTS
As modern bots carry out malicious activity in an ever more humanlike manner, e.g. browsing login pages whilst trying to take over accounts or scraping data, they become increasingly hard to distinguish from customers. This level of complexity makes it increasingly hard for WAF systems to identify such bots.
Figure: Number of malicious ATO attempts (orange) that bypassed two leading WAF systems.
The creation of new rules to identify this more intelligent, humanlike behaviour runs the risk of blocking legitimate human customers, which could be detrimental to your business. WAFs are designed to detect unusual activity, but sophisticated bots mimic human behaviour at the individual request level; it is only when looking at the pattern of requests over the full session that the behaviour starts to look unorthodox.
SUCCESSFUL ATTACKS AND REACTIVE COUNTER MEASURES
As a result, most WAFs are unable to detect automated attacks that originate from bots, and therefore bot activity goes unnoticed or is only detected when it impacts backend infrastructure, alerting the operations and support teams. These teams must conduct complex and lengthy log analysis to identify the offending IP address and/or user agent before adding it to their WAF’s blacklist. Unfortunately, this creates a never-ending cycle of identification and blocking for IT teams. Furthermore, this reactive workflow has failed to block the bot in the first instance: a successful attack may have already happened, and the newly added rules merely prevent that IP address from performing further attacks. Considering the many automated tools at the hacker’s disposal, most if not all provide the ability to hide behind proxies and rotate IP addresses at an alarming rate, meaning that once used, an IP address will not be used again, making the newly added WAF IP rule irrelevant.
BLOCKING IP ADDRESSES
The heat map below shows how many days over a 14-day period an IP address identified as a source of non-human traffic was detected accessing a system.
The results illustrate that most IP addresses were seen on only one day out of the 14-day monitoring period, demonstrating that most attacks hitting the application rotate IP addresses and ranges daily. This means that even if IT teams react quickly enough to deal with an attack as soon as it’s detected and block the malicious IP address or user agent, it’s unlikely to provide any long-term solution to the problem, and of course, the successful attack has already breached their systems.
Figure: Visual diagram to illustrate the queuing process.
RATE LIMITING
Monitoring network traffic for spikes in requests from a single IP address or IP range can be used to identify simple ATO behaviour. However, prior to a modern-day attack, reconnaissance missions will be launched against the target, with one objective being to understand the WAF rate limit thresholds in place, so that upon attack execution the offenders can work at a level below what the WAF is configured to look for. Sometimes these attacks take the form of a ‘low and slow’ attack, with login attempts spanning several days or even weeks, making rate limiting ineffective against sophisticated attacks.
REAL WORLD CUSTOMER EXAMPLE
One recent large eCommerce customer site we mitigated was attacked using a botnet widely distributed across 138 countries, rotating thousands of IP addresses and user agents, which attempted to log in over 500,000 times over a period of days. The IP rotation was very rapid, and country-based blocking would have resulted in blocking billions of potential customers. These ATO attempts were geographically split over multiple countries, in multiple time zones and continents, and had no discernible geographic pattern. In this case the WAF offered no real-world protection, nor would a team of security professionals be able to add the offending IP addresses to the rule set fast enough, as the attackers would be on to another rotation of IP addresses. It was only through applying cutting-edge machine learning and behavioural science to the problem that we were able to identify the bad actors that were evading the existing security layers. By understanding the behaviour and intent of the automated traffic, remediation measures were automatically applied and the ATO attack was prevented in real time.
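Detection logic for the IP-rotation and rate-limiting points above, as an added example that is not from the paper or from Netacea’s product: a constructed 14-day login log is run through a WAF-style per-IP hourly rate limit, which never fires against a low-and-slow campaign that rotates IPs daily, then through the days-seen-per-IP count behind the heat map and a per-day aggregate view of the login endpoint that does expose the campaign. The log format, the 10.0.0.x and 198.51.x.x addresses, the usernames and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
START = datetime(2024, 1, 1)  # first day of the constructed 14-day window

def build_sample_log():
    """Constructed log: 5 regular users daily, plus a campaign of 40 fresh IPs/day, 3 tries each."""
    lines = []
    for day in range(14):
        for u in range(5):  # legitimate users: stable IPs, successful logins
            ts = START + timedelta(days=day, hours=9 + u)
            lines.append(f"{ts.isoformat()} ip=10.0.0.{u + 1} user=user{u} result=ok")
        for k in range(40):
            for j in range(3):  # one IP's attempts sit 8 hours apart, so no per-IP spike
                ts = START + timedelta(days=day, hours=(k + 8 * j) % 24, minutes=k)
                lines.append(f"{ts.isoformat()} ip=198.51.{day}.{k} user=victim{day * 120 + k * 3 + j} result=fail")
    return lines

def parse(line):
    ts, ip, user, result = line.split()  # assumed format: "<iso ts> ip=<a> user=<u> result=<ok|fail>"
    return datetime.fromisoformat(ts), ip[3:], user[5:], result[7:]

def per_ip_rate_limit_alerts(lines, max_per_hour=10):
    """WAF-style rule: flag IPs exceeding max_per_hour attempts within one clock hour."""
    buckets = defaultdict(int)
    for ts, ip, _, _ in map(parse, lines):
        buckets[(ip, ts.replace(minute=0, second=0))] += 1
    return sorted({ip for (ip, _), n in buckets.items() if n > max_per_hour})

def ip_days_seen(lines):
    """Heat-map input: number of distinct days on which each IP appeared."""
    days = defaultdict(set)
    for ts, ip, _, _ in map(parse, lines):
        days[ip].add(ts.date())
    return {ip: len(d) for ip, d in days.items()}

def daily_profile(lines):
    """Per day: (failed attempts, total attempts, distinct IPs, distinct usernames)."""
    prof = defaultdict(lambda: [0, 0, set(), set()])
    for ts, ip, user, result in map(parse, lines):
        p = prof[ts.date()]
        p[0] += result == "fail"
        p[1] += 1
        p[2].add(ip)
        p[3].add(user)
    return {d: (p[0], p[1], len(p[2]), len(p[3])) for d, p in prof.items()}

def suspicious_days(lines, max_fail_ratio=0.2):
    """Flag days where failures dominate the login endpoint, whatever the source IPs."""
    return sorted(d for d, (f, n, _, _) in daily_profile(lines).items() if f / n > max_fail_ratio)
```

On this sample the per-IP rule stays silent even at a threshold of one attempt per hour, while every day in the window shows a failure ratio above 0.9 coming from a fresh set of 40 addresses that never reappear.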
ADDITIONAL EXAMPLE
A recent OWASP presentation, given by Deloitte cyber security expert Michael Ritter, discusses how attackers identify WAFs based on the cookies, headers or responses they use. Once identified, attackers then modify the bot’s behaviour to bypass that WAF’s known mitigation techniques. Further details of the presentation can be found here.
CONCLUSION & SOLUTION
As demonstrated in this paper, most WAFs are unable to identify sophisticated bot attacks, and intelligent bots are rotating IP addresses daily, leaving most manual identification processes unable to keep pace. Given that most bots are shielding malicious activity under increasingly humanlike behaviour, modern bot detection systems must automate the process of identifying bots through pattern and behavioural analysis. Only by looking at the pattern of traffic through a system and comparing bot traffic to that of a typical user can a reliable assessment be made of whether the traffic is human or non-human. Once bot traffic is identified, businesses can then decide how to manage it, be that to block, limit or divert it.
DEDICATED BOT IDENTIFICATION AND ATO PREVENTION
Over 50% of all website traffic is made up of automated traffic. Standard security solutions and practices are no longer robust enough to protect against sophisticated malicious bots and cracking tools. Dedicated bot management solutions leverage the power of shared intelligence, specialist data scientists, customised rules and machine learning to stay one step ahead. Deploying these solutions will help your business identify and tackle ATO and protect you against many of the other issues caused by a much wider range of non-human traffic.
ABOUT THE AUTHOR | NETACEA
Netacea has a mission to harness the power of artificial intelligence to protect and optimise all of the world’s biggest websites. The company was created from the product development function within Intechnica. Working with many customers showed there was a need for solutions that would improve both the security and performance of websites, and that artificial intelligence could be harnessed to create next generation solutions to this problem. After several years of incubation, the Intechnica product suite, including the TrafficDefender product, was consolidated and extended to become Netacea, and a separate company was formed to focus entirely on development and sales of the Netacea products. Netacea: The World’s Most Advanced Account Takeover and Bot Management Solution. To learn more, please visit Netacea.com.
Netacea provides advanced insight and visibility into your web traffic, allowing you to create powerful actions based on deep machine learning insight, using APIs. Visit Netacea.com to find out more.