The War No One is Talking About

There is a war brewing in cyberspace. The general public is blissfully unaware, and very likely will remain so. The media, when it talks about cybersecurity, tends to focus on the breach of the week, even though there cannot possibly be any lessons left to learn in that parade of spectacle and shame.

The war we speak of is against malicious automation (bots), and it’s being fought largely outside the gaze of journalism. On one side are the organizations putting their stores, intellectual property, processes, and businesses online in their journey toward digital transformation: the “good guys.” On the other side are malicious actors armed with nearly undetectable automation, intent on theft, political influence, fake news, and fake transactions: the “bad guys.”

Asymmetric Conflict

The comedy of this “automation war” is how lopsided it is, technologically. The bad guys have accumulated an impressive arsenal of tools from Sentry MBA, PhantomJS, and simple proxies, to browser extensions (Antidetect), human click farms, behavior collection farms, global proxy networks and, finally, to headless chrome steered with a real orchestration framework like Puppeteer.

Meanwhile, the good guys have only ancient traps like a CAPTCHA or a web application firewall (WAF), both of which are trivially easy for bad guys to bypass. Organizations aren’t thrilled about annoying their customers with friction (like making them click on blurry pictures of buses for 20 minutes) and endlessly rewriting WAF rules when attackers retool every week. It’s an unfair fight, and who has time for that, honestly.

The Silent War of Automation

The primary tactic of an automation attacker is to imitate a legitimate transaction. It doesn’t matter if the transaction has a very low probability of gain for the attackers, because they can multiply their gains by scaling the transactions into the millions at nearly no cost. Because they are blending in so perfectly, many victim organizations have no idea that it’s happening until they see an effect like fully booked inventory, credit card chargebacks, or a competitor who seems to know the price of every single munition with all possible discounts.

The media won’t write a story about how a competitor reverse-engineered an insurer’s policy premiums through the creation of a million slightly different fake profiles, or how an actor deluged a work-for-hire site with a million fake low-wage contractor profiles that represented their tiny firm in the Philippines, because it’s too complicated and there’s no one to shame. There’s no spectacle there.

So, the silent war goes on, with the bad guys getting better and better at imitation, and organizations in nearly every vertical experiencing bizarre side effects (“All our free passport interview slots have been booked and are being sold!”).

What Won’t Save The Day

Everyone’s been hoping that the silver bullet for the good guys was going to be AI. Surely the incredible volume of modern transactions can be used to train machine learning engines to differentiate real traffic from fake, right? The answer is no, it can’t. At best, today’s ML engines can spot not individual anomalies but patterns of suspicious activity. 

When a campaign is identified as being underway, human operators must step in and determine the intent of the campaign, because understanding is crucial in determining next steps. The mitigation can’t just be simple blocking, because that’s a signal which helps the attacker retool. 

Sometimes, the info-war tactics of misinformation and redirection are the solution for the day. Or evidence collection. You need tacticians. You need real people using automation to fight real people using automation.

CyberHub Summit

The war in cyberspace will be a main topic of discussion next week in Atlanta at the CyberHub Summit. Classy people there will be talking about meta issues like defending the region’s online financial services and de-risking the supply chain. A few of us from Shape Security will be there, and over some pints of the venue’s product, we can show you how we’re fighting the war against malicious automation.

If you can’t make it to the CyberHub Summit, please don’t hesitate to contact us at any of the channels listed under our logo, but otherwise we hope to see you in Atlanta next week!

3 Infosec Notes From Our Time At the MIT Sloan CIO Symposium

Last week, Shape Security attended the MIT Sloan CIO Symposium. Hundreds of CEOs, CIOs, and senior IT professionals from all over the world met to discuss the issues that keep them up at night.
Here we have distilled for you the three most captivating points discussed during the cybersecurity panel.
3. “We are approaching a cybersecurity perfect storm,” said George Wrenn, CSO of European electricity distribution leader Schneider Electric.
Wrenn believes the convergence of  “aging infrastructure, the interconnection of everything, the increasing sophistication of cybercriminals, and the unfixed security weaknesses of the early Internet age” leaves consumers and enterprises vulnerable to attack for the foreseeable future. Not only will it be difficult to address these issues individually, but it will be near impossible to survive a severe, multi-platform attack.
2. “No IT leader wants to stand in the way of innovation or customer satisfaction,” said Roland Cloutier, CSO of payroll services leader ADP
To prevent and survive future attacks, enterprises must shift their focus to mitigating risk over short-term rewards. Customer growth and user retention will only get a company so far if the danger of a breach is always looming. To combat this attitude, product and security leaders must lower risk tolerance across all departments and work together to establish a realistic baseline – for example, a threshold of affected users or records lost.
1. “Adversaries have better technology capabilities than security professionals do sometimes,” said Roland Cloutier, CSO of payroll services leader ADP
Today’s attackers are well-funded entities armed with thousand-node botnets, sophisticated malware, and an entire darknet economy willing to do anything for the right price. This leaves enterprises stuck implementing reactive security measures. The eventual worst-case scenario would be a major national attack that would spur enterprises, governments, and regulatory bodies to produce and enact new security standards. Although the situation would be devastating, the outcome could lead to better protections for consumers.
Take a look at the other events where Shape is attending, exhibiting, and presenting on our website: https://shapesecurity.com/events