The Power of Advanced Visibility

Delivering great value to customers starts with the product. Exceptional products are easy to use, intuitive and effective. With minimal effort they deliver the desired outcomes and provide powerful insights. Exceptional products ease customers' pain points and, as a result, create great relationships. Kasada's customers appreciate the interaction with our technology and our people, and this differentiates us from our competitors.

Kasada provides powerful insights into application performance, request flow analysis and malicious automation. This is incredibly valuable for our customers, who often tell us they have tried a competing product that didn't really pick up any activity. Our ability to present a 360-degree view of a web application is the core of our value proposition. Visibility enables insights: it allows us to understand our customers' applications, quickly identify malicious activity and regularly present our observations. Our significant advantage is that we log human, bad-bot and benign traffic alike, rather than only the requests already classified as bad.

More exciting things are just around the corner

Kasada is building new features that will have an enormous impact on our product offering in early 2019. We're completely rethinking the way we visually present data to customers, and we're introducing new capabilities that will allow customers to explore and analyse traffic patterns.

Visibility and insights in practice

We've experimented with a few new features during some recent integrations. Each new dataset allows us to further extend the capabilities of our platform, and each integration is a great opportunity to test our latest features. Our evolving analysis capability also allows us to gather valuable intelligence on the attackers.

During one integration I tracked a bot builder as they encountered our platform. The following is a good example of the visibility we provide our customers:

Step 1: Reconnaissance

The first step in building a bot is to browse the target site and analyse the requests it makes.

In this phase the attacker is identifying the relationship between the front-end website and the back-end API. Their goal is to find the back-end API request that performs the login, so that they can replay it without going through the front end.

Step 2: Automation testing

Once they have identified the specific request, they load it into their tool of choice and launch some preliminary requests. In this series the attacker rotates through user agents, an effective tactic against sites whose access control is traditional WAF rate limiting, because every rotation changes the fingerprint that such rules key on.

The script targets the back-end API directly. This technique would be highly successful against a traditional tool such as a WAF: the payload is benign, the rate is low, the headers are randomised and the front end is never touched, so there is nothing for a signature or rate-limit rule to match.

Kasada's ability to enforce request flow patterns and block API calls that bypass the front end completely disrupts this attack model.

Score: Kasada 0, Bot Builder 0

Step 3: Manual confirmation

The next step is to go back to the browser, open the developer console and observe the requests in more detail.

At this point Kasada is discreetly capturing advanced telemetry that allows us to closely track the activity.

Score: Kasada 0, Bot Builder 0

Step 4: Automation testing v2

The next step is to try another tool.

Here we see the bot builder's next mistake: when you copy the user agent from your browser into a headless browser, you are supposed to leave out the "User-Agent:" header name. They didn't, so every request arrived with a User-Agent value that began with the literal text "User-Agent:", something no real browser ever sends 🤔

Score: Kasada 0, Bot Builder 0

Step 5: Further investigation

When all else fails, start cycling through every tool you have. Interestingly, this attacker was using Postman to analyse the site. Postman is an excellent tool; we use it internally at Kasada and most of our customers also rely on it heavily. Evidently so do credential-abuse bot builders, which makes perfect sense.

Note: this is why we use the term malicious automation, rather than simply "bots", to describe the challenge. The people building bots are using the same tools that we are all using to build our apps.

Score: Kasada 0, Bot Builder 0

Step 6: WebStorm

We identified another request that was clearly sent from a development environment, in an attempt to reverse engineer our detection mechanisms. This was revealed by the Referer header, which pointed at the built-in web server of a JetBrains IDE such as WebStorm (it listens on localhost port 63342 by default and appends an "_ijt" token to the URLs it serves):

"headers.referer" = "http://localhost:63342/ssu/application/chrome/content/xxxxx/fi-scripts-tests-fixtures/xxxxxxxxxxxxxx?_ijt=xxxxxxxxx"

Again, this request would be impossible to spot with a tool that only shows bad-bot activity: on its own it is a single, well-formed request that no signature would classify as malicious.

Score: Kasada 0, Bot Builder 0
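The telltales from Steps 2, 4 and 6 can all be checked from ordinary request logs, provided benign-looking traffic is logged at all. The following Python script is an added example for this article, not Kasada's platform code. It runs over a constructed batch of JSON request records and flags four patterns: an API call from a source that never fetched the front end (Step 2), several distinct user agents from one source (Step 2), a User-Agent value that begins with the pasted header name (Step 4), and a Referer pointing at a localhost development server such as the JetBrains built-in server on port 63342 (Step 6). The field names, the "/api/" prefix, the set of front-end paths, the rotation threshold and keying by source IP are all assumptions for illustration; a real detector would key on client telemetry rather than an IP address.

```python
"""Flag the request patterns from Steps 2, 4 and 6 in a batch of request logs.

Added illustration for the article, not Kasada's code. Log format, field
names, thresholds and keying by source IP are assumptions.
"""
import json
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: one JSON request record per line. 198.51.100.7 behaves
# like a browser (front page first, then the API). 203.0.113.9 behaves like the
# bot builder in the article: direct API hits, rotating user agents, a pasted
# "User-Agent:" header name, and a Referer from a local IDE web server.
SAMPLE_LOG = """\
{"ts": 1, "src": "198.51.100.7", "method": "GET", "path": "/", "headers": {"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/70.0"}}
{"ts": 2, "src": "198.51.100.7", "method": "POST", "path": "/api/v1/login", "headers": {"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/70.0", "referer": "https://shop.example/"}}
{"ts": 3, "src": "203.0.113.9", "method": "POST", "path": "/api/v1/login", "headers": {"user-agent": "Mozilla/5.0 (Macintosh) Safari/605.1"}}
{"ts": 4, "src": "203.0.113.9", "method": "POST", "path": "/api/v1/login", "headers": {"user-agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/63.0"}}
{"ts": 5, "src": "203.0.113.9", "method": "POST", "path": "/api/v1/login", "headers": {"user-agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0) Mobile/15E148"}}
{"ts": 6, "src": "203.0.113.9", "method": "POST", "path": "/api/v1/login", "headers": {"user-agent": "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/70.0"}}
{"ts": 7, "src": "203.0.113.9", "method": "GET", "path": "/api/v1/config", "headers": {"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/70.0", "referer": "http://localhost:63342/demo/tests/fixture.html?_ijt=sample"}}
"""

API_PREFIX = "/api/"                # assumption: where the back-end API lives
FRONTEND_PATHS = {"/", "/login"}    # assumption: pages a browser loads before calling the API
UA_ROTATION_THRESHOLD = 3           # assumption: distinct UAs from one source before flagging
JETBRAINS_BUILTIN_PORT = 63342      # default port of the IntelliJ/WebStorm built-in server
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_log(text):
    """Parse newline-delimited JSON request records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_header_copy_paste(req):
    """Step 4: the header *name* was pasted into the header *value*."""
    ua = req["headers"].get("user-agent", "")
    return "ua_contains_header_name" if ua.lower().startswith("user-agent:") else None


def check_dev_referer(req):
    """Step 6: Referer points at a local development server (e.g. the JetBrains built-in server)."""
    ref = req["headers"].get("referer")
    if not ref:
        return None
    parts = urlsplit(ref)
    local_host = parts.hostname in LOCAL_HOSTS
    ide_server = parts.port == JETBRAINS_BUILTIN_PORT or "_ijt" in parse_qs(parts.query)
    return "referer_local_dev_server" if (local_host or ide_server) else None


def analyse(requests):
    """Return {source: sorted finding names} for every source with at least one finding."""
    findings = defaultdict(set)
    seen_frontend = set()            # sources that have loaded a front-end page so far
    uas_by_src = defaultdict(set)    # distinct user agents observed per source
    for req in sorted(requests, key=lambda r: r["ts"]):
        src = req["src"]
        uas_by_src[src].add(req["headers"].get("user-agent", ""))
        if req["path"] in FRONTEND_PATHS:
            seen_frontend.add(src)
        # Step 2: API call with no preceding front-end request from this source.
        if req["path"].startswith(API_PREFIX) and src not in seen_frontend:
            findings[src].add("api_without_frontend_flow")
        for check in (check_header_copy_paste, check_dev_referer):
            name = check(req)
            if name:
                findings[src].add(name)
    # Step 2: user-agent rotation from a single source.
    for src, uas in uas_by_src.items():
        if len(uas) >= UA_ROTATION_THRESHOLD:
            findings[src].add("user_agent_rotation")
    return {src: sorted(names) for src, names in findings.items()}


if __name__ == "__main__":
    for src, names in analyse(parse_log(SAMPLE_LOG)).items():
        print(src, ", ".join(names))
```

On the constructed log the browser-like client produces no findings and the bot source produces all four. None of these signals is conclusive on its own; the point, as in the steps above, is that they are only visible if the benign-looking requests are logged in the first place rather than discarded as "not a bad bot".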

Summary

We monitored this bot builder over the course of five days as they triggered all three layers of the Kasada platform, and each defensive module behaved exactly as intended. Our platform is designed to detect automation, cripple attackers and silently gather intelligence that we can leverage to our customers' advantage. The cryptographic challenge allows us to protect API calls in a way that no other vendor can, and our ability to dictate the rules of engagement for submitting API requests is Kasada's greatest strength.

Our visibility enabled us not only to brick this bot but also to uncover the organization behind the activity. This is not commonly achieved in security, and it's a key reason Kasada is geared up for an amazing 2019.

11th December, 2018 | Categories: Articles | Kasada