Defending Against Data Breach from Low and Slow Botnets
Posted November 11, 2015
The ThreatMetrix Cybercrime Report for Q3 2015 is out, and one unmistakable trend is the surge in cybercrime via botnet attacks and data breaches. In an era dubbed by some as the "post data breach world" it is not surprising that attacks using stolen credentials are trending higher. What is surprising is the new low and slow nature of the recent attacks, which indicates an alarming change in cybercrime tactics that some retailers are perhaps not all that well equipped to handle.
Attackers are now targeting retailers where they are most vulnerable. Why break in to the network when they can simply sign in as customers and employees? Further, as digital transactions continue to grow, customers are storing more personal information in retailers' online accounts than ever before. Retailers naturally want to protect and mine this information, but unlike banks, retailers cannot force customers to use stronger authentication. Retail customers simply have a lower tolerance for added friction. This makes account takeover a prime target for cybercriminals.
Botnets are the new data breach threat
Bots are software applications that run automated tasks. Botnets are networks of connected bots, and attacks using them target confidential data such as login and payment details from the outside in (versus Advanced Persistent Threats, which work from inside the network outward). As clearly illustrated in the latest cybercrime report, cybercriminals are turning to bots to increase the sophistication and efficiency of their attacks, evading existing network-centric protections.
While it has been widely believed that the most destructive attacks use brute force and generate massive traffic, the recent data suggests online businesses are facing a surge in daily traffic from low-frequency botnet attacks designed to stay below rate limits and other security controls, and thus evade detection. Each source sends traffic slowly enough to look like a legitimate user and to stay under whatever thresholds the protocol and rule triggers are set at. As a result, the attacks pass undetected through the network security systems companies have deployed. Even so, the aggregate volume across thousands of sources is an increase in traffic that drains the business's resources.
Cybercriminals are coming in low and slow
Low and slow bot attacks can often bypass traditional security defenses such as Web Application Firewalls (WAF). Existing Web Application Firewalls and authentication solutions, whether on premises or in the Cloud, are vulnerable to low and slow botnet attacks that resemble valid customers.
The problem is that WAFs were designed to prevent attacks against Web services, not attacks on customer identity. As a result, they rely heavily upon IP Reputation services and IP Velocity Filters to detect bots. Both checks key on the source address, so they are ineffective against bots that rotate IP addresses (so that no single address exceeds the velocity threshold) and that replay previously leaked user credentials, often from a breach at another site. Such credential stuffing looks, per request, exactly like a customer logging in, and so flies under the radar.
Such vulnerabilities expose companies to increased fraud losses, customer attrition due to lack of trust, customer insult due to false positives, and ultimately a loss in shareholder value and brand equity. The level of brand risk is often hidden as hackers farm user credentials under the radar, creating a huge compliance and customer lifetime value exposure, even if fraud losses and data theft are not immediately apparent. Customer experience is further compromised as botnets run massive identity testing sessions to penetrate fraud defenses.
So what does all of this mean for retailers and businesses at large? Clearly they need to be sure all lines of defense are up, but they also need to consider new ways of recognizing and validating customers online. The problem here, of course, is that existing payment and fraud detection systems do not have enough information to differentiate between a hijacked account and a valid customer returning to purchase. Remember, full and detailed customer personal information stolen from hundreds of companies in this year alone is already spread globally across the Internet. The fraudsters have access to the same detailed authentication information as the customers themselves.
ThreatMetrix digital identity solutions go well beyond traditional authentication technologies. They help prevent bot breaches and at the same time reduce the false positives that lead to losses in revenue and productivity. Within a hundred or so milliseconds, ThreatMetrix helps identify attacks as they happen and enables a fast, policy-based response that these tech-savvy cybercriminals simply can't handle.
ThreatMetrix is the partner you need
In Q3 of 2015, ThreatMetrix helped detect millions of botnet attacks using its robust account takeover solution, in addition to authenticating digital identities using the ThreatMetrix Digital Identity Network™.
ThreatMetrix uses context-based information to perform behavioral analysis of a business's customers during periods of normal operation and compares that baseline to the data gathered during a slow-rate attack. WAF logic can be extended with the same approach to detect these attacks.
This enables ThreatMetrix to differentiate between a human and a bot the moment they land on the site. Logins are rapidly becoming a leading use case for retailers as they seek to establish meaningful relationships with their customers. As a result, retailers need to deploy a solution that secures customer login transactions at the same level as payment transactions.
With ThreatMetrix, businesses can passively authenticate the digital identities of their customers across devices to identify returning customers without compromising their digital experience. Behavioral profiling and analytics provided by the Digital Identity Network continuously catalog all the activities related to a device, account or persona. Because the analysis keys on the target (the account) and the actor (the device or persona) rather than on the source IP, it can detect low-volume, low-frequency attacks even when they are distributed across a wide network of addresses.
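To make the two points above concrete (why an IP velocity filter misses a distributed low and slow run, and why cataloging activity per account and per device catches it), here is an added example that is not ThreatMetrix code and does not reflect any product's real logic or thresholds. It runs a per-IP velocity filter and two target-centric checks over a constructed login log: the log lines, field names (`ip`, `user`, `dev` for a device fingerprint, `result`), window sizes and thresholds are all assumptions made for the illustration.

```python
"""Per-IP velocity filter versus account- and device-centric detection.

Added example; not any vendor's code. The log below is constructed: a
credential-stuffing run in which every source IP sends at most one
attempt, hidden among ordinary traffic. The one thing the attacker cannot
rotate cheaply is what they are attacking (the account) and what they
attack from (a device fingerprint), so we aggregate on those instead.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format; not real traffic).
LOG = """\
2015-11-11T10:00:01Z ip=203.0.113.10 user=alice dev=d-a1 result=ok
2015-11-11T10:00:07Z ip=203.0.113.11 user=bob dev=d-b2 result=ok
2015-11-11T10:01:03Z ip=198.51.100.1 user=carol dev=d-z9 result=fail
2015-11-11T10:05:14Z ip=198.51.100.2 user=carol dev=d-z9 result=fail
2015-11-11T10:09:55Z ip=198.51.100.3 user=carol dev=d-z9 result=fail
2015-11-11T10:14:31Z ip=198.51.100.4 user=carol dev=d-z9 result=fail
2015-11-11T10:19:02Z ip=198.51.100.5 user=carol dev=d-z9 result=ok
2015-11-11T10:20:40Z ip=203.0.113.12 user=dave dev=d-d4 result=fail
2015-11-11T10:21:10Z ip=203.0.113.12 user=dave dev=d-d4 result=ok
2015-11-11T10:25:00Z ip=198.51.100.6 user=erin dev=d-z9 result=fail
2015-11-11T10:30:00Z ip=198.51.100.7 user=frank dev=d-z9 result=fail
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) dev=(?P<dev>\S+) result=(?P<result>\S+)"
)


def parse_log(text):
    """Parse the constructed format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def _max_in_window(times, window):
    """Largest number of sorted timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def ip_velocity_alerts(events, window=timedelta(minutes=10), threshold=5):
    """What a per-IP velocity filter sees: IPs with >= threshold attempts in a window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    return {ip for ip, ts in by_ip.items() if _max_in_window(ts, window) >= threshold}


def account_alerts(events, window=timedelta(minutes=30), min_ips=3):
    """Target-centric: an account that fails from >= min_ips distinct IPs inside a window."""
    fails = defaultdict(list)  # user -> [(ts, ip), ...]
    for e in events:
        if e["result"] == "fail":
            fails[e["user"]].append((e["ts"], e["ip"]))
    flagged = set()
    for user, attempts in fails.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({ip for _, ip in attempts[start:end + 1]}) >= min_ips:
                flagged.add(user)
                break
    return flagged


def device_alerts(events, min_accounts=3, min_ips=3):
    """Actor-centric: one device fingerprint spread across many accounts and many IPs."""
    users, ips = defaultdict(set), defaultdict(set)
    for e in events:
        users[e["dev"]].add(e["user"])
        ips[e["dev"]].add(e["ip"])
    return {d for d in users if len(users[d]) >= min_accounts and len(ips[d]) >= min_ips}


def suspicious_successes(events):
    """Successful logins on flagged accounts or from flagged devices: takeover candidates."""
    accts, devs = account_alerts(events), device_alerts(events)
    return [(e["user"], e["ip"]) for e in events
            if e["result"] == "ok" and (e["user"] in accts or e["dev"] in devs)]


if __name__ == "__main__":
    ev = parse_log(LOG)
    print("IP velocity filter flags:", ip_velocity_alerts(ev) or "nothing")
    print("accounts under distributed attack:", account_alerts(ev))
    print("devices cycling accounts and IPs:", device_alerts(ev))
    print("successful logins to review:", suspicious_successes(ev))
```

On this log the velocity filter flags nothing, because no address makes more than two attempts, while the account view flags carol (four failures from four addresses in under fifteen minutes) and the device view flags d-z9, the single fingerprint behind seven addresses and three accounts. The successful carol login from 198.51.100.5 is the account takeover the velocity filter would have let through. The device key is only as good as the fingerprint it is built from; a bot that also randomizes its fingerprint leaves the account view as the remaining signal.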