Protecting web applications in 2018 is complex, challenging and, for many organizations, an impossible task. The sheer volume and variety of attacks overwhelms traditional security tools. In the past 12 months, some of the world’s most advanced businesses experienced devastating data breaches, with material impacts on their customers, market capitalisation / shareholder value, and reputation.
Underlying this escalation is a change in the tactics attackers use. They leverage automation to:
- launch traditional attacks at a greater scale
- exploit the new genre of more sophisticated attacks such as account takeover / credential abuse, ticket scalping, credit card fraud.
Leveraging automation exploits the design flaws in traditional Web Application Firewalls (WAFs) solutions running in most organizations. In the same way that attackers built solutions to evade our static, rule-based email filtering and virus protection, they are now working around the static rulesets powering WAFs.
Isn’t my WAF stopping that?
Traditional approaches to secure web applications typically focus on protecting against website defacement, data extraction, and ensuring applications are available under high load. This relies on a combination of WAFs to protect the application code/functionality and DDoS solutions to protect against high volume network attacks.
These old-school methods of protecting web applications are not equipped to deal with attack automation. The web application firewall ruleset is a static configuration, limited to guarding against known attacks. As the frequency of new Common Vulnerabilities and Exposures (CVEs) escalates, the complexity and time required to build and maintain a list of known and accurate attack signatures is exponentially more complex.
As well as this, traditional tools are ill-equipped to detect more sophisticated attacks. In an Account Take Over (ATO) attack, for example, traditional tools are restricted to basic IP rate limiting detection, which provides narrow disclosure and high false positives.
Attackers now have access to highly sophisticated and effective automation tools. This enables them to evade the detection of traditional defences, and extend the length of time attacks go undetected.
Polyform – Kasada’s innovative approach
Kasada’s bot solution called Polyform makes it uneconomical for attackers to target our customers websites. Polyform detects the presence of automated attack tools, including Sentry MBA, Selenium, and Burp.
While other bot solutions simply block bots, Polyform is focused on stopping them. We have a three-pronged approach to bot detection:
- advanced fingerprinting
- proof of work
- pattern analysis.
The proof of work enables you to fight back against attackers and inflict service outages on them.
Use cases for proof of works can be found in various different technology streams. The proof of work concept is a fundamental element of blockchain technology. It’s used to enforce a computation effort and, thereby, control the rate of block generation. Similarly, proof of works are used in email security solutions to slow down or prevent spammers.
Polyform’s proof of work is a cryptographic puzzle requiring additional computational resources to control the rate of successful form, AJAX and API data submissions. Polyform leverages a secure hashing algorithm to automatically generate a unique challenge for each request. The system passes the browser a hash of the answer and a seed with a series of missing elements in the answer.
What’s this mean for the legitimate user? They will browse and complete the challenge using a very small amount of available CPU capacity. It’s an asymmetric process, designed to occur in the background with no impact on user experience.
For the malicious user, things get interesting! The difficulty of the formulated response can be altered, in accordance with the perceived risk of an endpoint. Attackers will rapidly experience challenges with system availability as the complexity of the challenge escalates.
The economics of attacking websites
A significant percentage of attacks against corporate websites are conducted by opportunistic attackers, who are rational regarding the time and effort required to attack a site.
Automated tools, including Sentry MBA, Selenium, and vulnerability scanners are heavily leveraged to achieve greater levels of scale. This reduces the time and effort to perform vulnerability discovery, target reconnaissance and launch attacks.
Examples of malicious automation include:
- employing online tools to identify targets using specific, vulnerable software. For example, find all sites using Apache struts 2
- probing a site running Apache struts 2 to discover exploitable code
- mapping the coverage of a WAF rule set, using vulnerability scanners to visualize which attack payloads are not detected
- launching distributed account takeover attacks against portal login pages
- scraping unique content found on a listings / e-commerce website.
Automation is critical to an attacker’s operating model success. It gets rid of hard work for humans, and decreases the time and effort required to successfully attack a site. And, for even greater scale, most automation tools allow an attacker to simultaneously attack multiple targets. Kasada’s Polyform proof of work stops automation and scaled automation.
Kasada’s Polyform allows you to disrupt the automation of the these phases by detecting and preventing the attacker tools-of-choice from working. While other bot solutions simply block bots, Polyform is focused on stopping them. Its proof of work allows you to fight back against attackers and inflict service outages on them. This is truly a case of not needing to outrun the bear, you only need to be faster than the next guy. In this sense, Kasada provides a competitive advantage because you are harder to attack than your competitors.