Just-in-time deception to detect credential-stuffing bots

Abhishek Singh (Prismo Systems), Manish Sardiwal (Prismo Systems) & Ramesh Mani (Prismo Systems)
Credential stuffing is a critical exploitation technique. As per the published statistics, between 1 January 2018 and 31 December 2019 there were more than 88 billion credential-stuffing attacks across all industries. On 26 March 2020, a video media service in Europe experienced a strong spike in attacks, reaching 348,050,675 malicious login attempts in 24 hours. On 17 August 2020 the Canadian Revenue Agency portal was directly targeted with a large amount of traffic using a botnet to attempt to attack the services through credential stuffing. The attack led to the compromise of 11,000 out of 12 million personal accounts.

In this presentation, we share our research on using deception to detect credential-stuffing bots. Credential-stuffing bots can either scrape the website's login page and submit the login form with the compromised credentials, or use login APIs to supply the compromised credentials directly. To scrape the victim's page, bots use libraries such as MechanicalSoup, PhantomJS and Selenium headless browsers. Where bots scrape the victim's login page, breadcrumbs or lures on the web page can divert the bot's traffic to deceptions. In the presentation, we first share our analysis of various credential-stuffing bots, which lays the foundation for the design of breadcrumbs that can be dynamically injected into the website to detect credential-stuffing bots.

Traditionally, deception-based technology uses statically placed breadcrumbs and lures to divert the traffic generated by malware or a threat actor for detection. In this presentation, we also introduce just-in-time deception. Just-in-time deception leverages instrumented applications and injects breadcrumbs when a triggering event occurs. Once these breadcrumbs are accessed, the traffic is analysed by the detection algorithm to detect the credential-stuffing bot. The design of the algorithm will be shared in the presentation.

Finally, we conclude by sharing the results of our study. Our study shows that deception-based detection is not only highly effective in detecting bots that scrape websites and submit stolen logins and passwords, but also has the inherent advantage of detecting bots on their first attempt at exploitation.
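The following is an added illustration of the mechanism described above, not the authors' algorithm (which the presentation shares). It assumes a hypothetical trigger event (a login page request without a returning-visitor cookie), a hypothetical decoy field name, and a constructed login form; the breadcrumb is minted per request and a POST that echoes it is flagged on the first submission, before any credential check. Bots that call login APIs directly never see the form, so this rule covers form scrapers only.

```python
import html
import secrets
from collections import defaultdict

# Constructed login form. The breadcrumb input is hidden with CSS, so a human in a
# real browser never sees or fills it; a scraper that posts back every <input> it
# parses (MechanicalSoup-style form submission) echoes it verbatim.
LOGIN_FORM = (
    '<form method="post" action="/login">\n'
    '  <input name="username">\n'
    '  <input name="password" type="password">\n'
    '  <button>Sign in</button>\n'
    '</form>'
)
BREADCRUMB = "remember_token"   # hypothetical decoy field name
SEEN_COOKIE = "seen"            # hypothetical returning-visitor cookie name


def inject_breadcrumb(page: str, token: str) -> str:
    """Add a hidden decoy input carrying a per-request token into the form."""
    lure = f'<input name="{BREADCRUMB}" value="{html.escape(token)}" style="display:none">\n  '
    return page.replace("<button>", lure + "<button>", 1)


class JitDeception:
    """Per-source state for just-in-time breadcrumb injection and detection."""

    def __init__(self):
        self.issued = defaultdict(set)   # source -> tokens served to that source
        self.verdicts = []               # (source, verdict) log for the defender

    def serve_login(self, source: str, cookies: dict) -> str:
        # Trigger event (assumed): login page requested without the returning-visitor
        # cookie. Only then is a fresh token minted and injected into the page.
        if SEEN_COOKIE in cookies:
            return LOGIN_FORM
        token = secrets.token_hex(8)
        self.issued[source].add(token)
        return inject_breadcrumb(LOGIN_FORM, token)

    def classify_post(self, source: str, fields: dict) -> str:
        """Detection rule: a POST echoing the decoy field came from a form scraper."""
        token = fields.get(BREADCRUMB)
        if token is None:
            verdict = "no-breadcrumb"        # human, or a bot posting straight to the API
        elif token in self.issued[source]:
            verdict = "bot"                  # echoed the lure served to this very source
        else:
            verdict = "bot-foreign-token"    # lure token never served to this source
        self.verdicts.append((source, verdict))
        return verdict
```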
Abhishek Singh

Prismo Systems

Abhishek is currently Chief Researcher at Prismo Systems. Prior to joining Prismo Systems, he led threat research and detection R&D at FireEye, Microsoft and Acalvio. He has authored or co-authored 24 patents (issued and pending), 15 research papers and six technical white papers on the architecture of technologies such as the virtual machine-based approach to real-time threat analysis, IPS, and technologies to detect threats over the web, in email and at the endpoint. The patents, papers and technical reports also detail novel approaches to detecting malware, vulnerabilities, lateral movement and exploitation techniques, as well as behavioural algorithms, machine-learning algorithms, emulators, code similarity and algorithms leveraging deception.

Manish Sardiwal

Prismo Systems

Manish is currently a Staff Security Engineer at Prismo Systems. Prior to joining Prismo Systems, he worked at FireEye on exploit, malware and lateral-movement research and detection. He has authored many blogs and white papers on APTs and exploits.

Ramesh Mani

Prismo Systems

Ramesh Mani is a senior principal architect at Prismo Systems. Prior to joining Prismo Systems, he worked at CA, where he led the design and development of APM agents in multiple languages using bytecode instrumentation. He has extensive experience in Java, J2EE and .NET, and has led the development of APM, CRM, B2B portal, e-commerce, workflow automation, financial and business systems. His work has resulted in more than 10 patents.