#RSAC
Session ID: TTA-R08
Good Bot, Bad Bot, Ugly Bot. Battle of the Bots!
John Ellis – 周由安
Chief Strategist, Cyber Security (APJ), Akamai Technologies
@zenofsecurity
About me
Kiwi (New Zealander)
20+ years experience in IT security (trained sheep to hack)
Have worked in defence, telecommunications and banking
Consider myself a student, but love to share what I know
9 years in Singapore, and see we’re still trying to find the Asian solution to the Asian problem (talk to me afterwards if you want to know more).
Still ‘trying’ to learn Mandarin... might one day get there
Cyber ‘buzz’ bingo
Cyber, SaaS, Threat Intel, Cloud, BYOD, IoT, Cyber Kill Chain, Innovation, Big Data, Breach, TTPs, Signal to noise, Cross-Platform, SMAC, Next-gen, APT, China, Data Driven, Thought Leaders, Cyber Attack, BOT, Game Changer, PaaS, Cyber Crime, Hacktivist
What is a bot?
A software application that automates tasks that are simple and structurally repetitive at much higher rates or precision than a human.
Bot trends & environment
Traffic split: 44% human traffic, 56% bot traffic
Bad bots account for 29% of all website visits: 22% fraud activity, 3.5% hacking tools, 3% scrapers, 0.5% spammers
Good bots account for 27% of all website visits
Good: search engine, crawler and spider bots; vulnerability scanner and site performance bots; partner bots; aggregator and media bots
Bad: hacker and fraud bots; scraper bots; DDoS bots; spam bots
Source: Incapsula / Akamai
Good bots
Search engine optimization (SEO)
Marketing
Vulnerability scanners
Performance analysis tools

Bad bots
Vulnerability scanners
Fraud
DDoS attacks
Malware
Spam (it ain’t ham)
Scrapers (your competitors)
Did I mention malware?

Ugly ‘naughty’ bots
Want to know everything about you
Too friendly
Crawlers
Malicious? Maybe, maybe not
Scrapers
Price aggregators
SPAM bots
Target marketing
Improve SEO
Malware distribution
Fraud
Scraper bots (an example)
Aggregator website fed by a scraping service / tools

Commercial scraping services / tools
kimono
The BOT evolution
Desktop → Server → Cloud → Mobile → Internet of Things (IoT)
DDoS bots
Chart: DDoS attack instances plotted over time, Q1 2013 to Q1 2015
Source: Akamai SOTI Security Report Q1 2015
Top 10 source countries for DDoS attacks
China 23.45%
Germany 17.3%
U.S. 12.18%
Italy 8.38%
Spain 7.29%
India 6.93%
Korea 6.23%
U.K. 6.17%
France 6.03%
Russia 5.95%

China
1.4 billion people
642 million people online
Over 50% of systems infected with viruses
9 out of 10 Windows systems pirated
70% of Windows systems never patched
DDoS 4 Bitcoin (DD4BC)
Who, what, where & how
DD4BC (DDoS for Bitcoins)
Online ransom group
Not ransomware
No other attribution
Uses publicly available DDoS toolkits and rented botnets from the underground
Who are the targets?
Chart of targets by sector: Banking & Credit Unions, Gaming, Media & Entertainment, Payment Processing (shares shown: 74%, 15%, 7%, 4%)
Great Cannon (GC) of China
An in-path system, capable of injecting traffic and directly suppressing traffic
Acts as a full “man-in-the-middle” for targeted flows
‘Harnesses’ legitimate web browsing traffic for attack capability and capacity
Chart: targets of the HTTP GET flood DDoS attack
A coding error provided a clue as to how to detect and filter the traffic: an example of the cat and mouse game
Source: https://citizenlab.org/wp-content/uploads/2009/10/ChinasGreatCannon.pdf
Value of a hacked PC (Brian Krebs)
Source: http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/
Reputation hacking: Facebook, Twitter, LinkedIn, Google+
Virtual goods: online gaming characters, online gaming goods, PC game licenses, OS licence keys
Webmail: webmail spam, stranded abroad scam, harvesting email accounts, harvesting associated accounts
Web server: phishing site, malware download site, warez / piracy server, child pornography server, spam site
Bot activity: spam zombie, DDoS extortion zombie, click fraud zombie, anonymization proxy, CAPTCHA solving zombie
Account credentials: eBay / PayPal fake auction, online gaming creds, Skype / VoIP creds, website / FTP creds, client-side encryption certs
Financial credentials: bank account data, credit card data, stock trading account data, mutual fund account data
Hostage attacks: email account ransom, fake antivirus, ransomware, webcam extortion
Using botnets to access market insights
Investors
Managers / analysts
Legion / infantry / operators
Legal return on investment
Illegal access to information
Source: Interpol
Account checkers and fraud
How does this evil deed typically happen?
1. Build a tools server: compromise a web server; use bulletproof hosting with proxies (...did someone mention the cloud?); load scripts... ready to go.
2. Cultivate a list of open proxies: obtain a list of web proxies; open proxies allow the attacker to route around IP blacklists; the proxy list needs to be of sufficient length to mask the attack.
3. Acquire compromised logins: attackers obtain harvested / stolen credentials from sites such as pastebin, or from underground sites; many underground forums sell such information.
4. Check / alter compromised accounts: attackers use a variety of tools to rapidly check the validity of the accounts; accounts that work are marked, and the attackers log in using the credentials; once logged in, the attackers can collect the user’s personal data and credit card information to use for further fraud.
5. Make a fraudulent purchase: attackers may modify the shipping address of the victim and make purchases with their stored information; the merchandise is sent to an address near the attacker and picked up; recently gift cards, both physical and electronic, have been key items for purchase as they are easily available, difficult to trace and easy to transport.
Source: https://www.akamai.com/us/en/multimedia/documents/infosec/akamai-security-and-compliance-account-checkers-and-fraud.pdf
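As an added example (not from the talk or the Akamai paper it cites), here is how a defender can spot account-checker activity in login logs. It covers the two shapes the steps above produce: one source trying many different usernames in quick succession with mostly failures, and the proxy-rotating variant from step 2, where each IP makes only one or two attempts and so never trips a per-source threshold. The log format, addresses, usernames and thresholds are constructed for the example.

```python
"""Account-checker (credential stuffing) detection over login logs.

Added example for this talk; not from the talk or the Akamai paper it cites.
Log format, addresses, usernames and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <client ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2015-07-20T10:00:01Z 198.51.100.10 alice LOGIN_FAIL
2015-07-20T10:00:02Z 198.51.100.10 alice LOGIN_OK
2015-07-20T10:00:05Z 203.0.113.7 user001 LOGIN_FAIL
2015-07-20T10:00:05Z 203.0.113.7 user002 LOGIN_FAIL
2015-07-20T10:00:06Z 203.0.113.7 user003 LOGIN_FAIL
2015-07-20T10:00:06Z 203.0.113.7 user004 LOGIN_OK
2015-07-20T10:00:07Z 203.0.113.7 user005 LOGIN_FAIL
2015-07-20T10:00:07Z 203.0.113.7 user006 LOGIN_FAIL
2015-07-20T10:00:08Z 203.0.113.7 user007 LOGIN_FAIL
2015-07-20T10:00:08Z 203.0.113.7 user008 LOGIN_FAIL
2015-07-20T10:00:09Z 203.0.113.7 user009 LOGIN_FAIL
2015-07-20T10:00:09Z 203.0.113.7 user010 LOGIN_FAIL
2015-07-20T10:00:30Z 192.0.2.44 bob LOGIN_FAIL
2015-07-20T10:00:40Z 192.0.2.44 bob LOGIN_FAIL
2015-07-20T10:00:50Z 192.0.2.44 bob LOGIN_OK
2015-07-20T10:01:00Z 203.0.113.21 user101 LOGIN_FAIL
2015-07-20T10:01:01Z 203.0.113.22 user102 LOGIN_FAIL
2015-07-20T10:01:01Z 203.0.113.23 user103 LOGIN_FAIL
2015-07-20T10:01:02Z 203.0.113.24 user104 LOGIN_FAIL
2015-07-20T10:01:02Z 203.0.113.25 user105 LOGIN_FAIL
2015-07-20T10:01:03Z 203.0.113.26 user106 LOGIN_FAIL
"""


def parse_log(text):
    """Turn log lines into (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user,
                       outcome == "LOGIN_OK"))
    return events


def flag_checker_sources(events, window=timedelta(minutes=1), min_attempts=8,
                         min_distinct_users=5, max_success_rate=0.2):
    """Per-source rule: a checker tries many *different* usernames quickly and most
    attempts fail, whereas a human retries one or two usernames.  Returns the
    flagged sources with the stats of the last qualifying window."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):  # sliding window over this source's attempts
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            rate = sum(1 for _, _, ok in chunk if ok) / len(chunk)
            if (len(chunk) >= min_attempts and len(users) >= min_distinct_users
                    and rate <= max_success_rate):
                flagged[ip] = {"attempts": len(chunk), "distinct_users": len(users),
                               "success_rate": round(rate, 2)}
    return flagged


def distributed_stuffing_buckets(events, min_one_shot_failures=5,
                                 max_attempts_per_ip=2, min_fail_rate=0.8):
    """Site-wide rule for checkers that rotate open proxies so that no single IP
    crosses a per-source threshold: per one-minute bucket, count the failures
    that came from sources making at most `max_attempts_per_ip` attempts."""
    buckets = defaultdict(list)
    for ts, ip, _user, ok in events:
        buckets[ts.replace(second=0, microsecond=0)].append((ip, ok))
    hits = []
    for start in sorted(buckets):
        rows = buckets[start]
        per_ip = defaultdict(int)
        for ip, _ in rows:
            per_ip[ip] += 1
        failures = sum(1 for _, ok in rows if not ok)
        one_shot_failures = sum(1 for ip, ok in rows
                                if not ok and per_ip[ip] <= max_attempts_per_ip)
        fail_rate = failures / len(rows)
        if one_shot_failures >= min_one_shot_failures and fail_rate >= min_fail_rate:
            hits.append({"bucket": start.strftime("%Y-%m-%dT%H:%M"), "attempts": len(rows),
                         "failures": failures, "one_shot_failures": one_shot_failures,
                         "fail_rate": round(fail_rate, 2)})
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-source:", flag_checker_sources(evts))          # flags 203.0.113.7 only
    print("distributed:", distributed_stuffing_buckets(evts))  # flags the 10:01 bucket
```

The per-source rule catches the noisy checker at 203.0.113.7 (ten usernames in four seconds, one hit) while leaving alice and bob alone; the bucket rule is what catches the six proxies that each try a single credential, which is exactly the traffic an IP blacklist cannot see.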
How to manage ’em BOTS

Block, mitigate or manage?
Blocking BOTS causes them to go underground, mutate and become harder to detect
Management strategies vary depending on the nature of the BOT and its goal
Not sure if bot... or stupid human?
TTPs for the Good, Bad and Ugly
Chart: aggressiveness (vertical axis) against degrees of desirability (horizontal axis, desirable to undesirable); labelled responses: Welcome Bots, Client Validation, Reduce Impact, Terminate with extreme prejudice
Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks.

Solution Landscape (what can you buy), from a technology perspective:
Chart with BOT detection methods on one axis (No BOT Detection; Rate Based Detection; Cross Customer Header/IP Based Tracking; Cross Customer Fingerprint Based Tracking; Advanced BOT Evasion Traps) and BOT response methods on the other (Alert/Deny; CAPTCHA; HTML Obscuring/Rewriting; Slow BOT / Serve Alt. / etc.); product categories plotted: On Prem WAFs, Cloud WAFs, Cloud BOT Mgt., BOT Obfuscation
Cooking your BOT management program
Detection
Mitigation
Learnings
Bot Detection Methods
Client reputation
Client and browser fingerprinting
HTTP header anomaly detection
JavaScript Injection
JS BOT evasion traps
Behavioral Analysis
Bot Response Methods
IP blocking
Geo blocking
Rate controls
Web Application Firewall Rules
Obfuscation for HTML, JS, URL and Form
Serve slow, stale, alternate, tar pit
CAPTCHA challenge
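An added example, not Akamai's detection or response logic, tying the two lists above together: a small request scorer that applies HTTP header anomaly detection and a rate check to each client, then picks a graded response (allow, reduce impact by rate control or serving slow, CAPTCHA, deny, or client validation when a request merely claims to be a known good bot). The request records, header heuristics, thresholds and the action ladder are assumptions; verifying a claimed Googlebot against the search engine's published check is noted in a comment but not performed, since the example runs offline.

```python
"""Header-anomaly and rate scoring with a graded bot response.

Added example; not Akamai's detection or response logic.  The request records,
header heuristics, thresholds and the action ladder are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2015, 7, 20, 10, 0, 0)


def make_requests(ip, headers, count, spacing_seconds):
    """Build `count` constructed request records from one client, evenly spaced in time."""
    return [{"ts": BASE + timedelta(seconds=i * spacing_seconds), "ip": ip,
             "headers": headers} for i in range(count)]


# Constructed clients (documentation address ranges).
BROWSER = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
                         "Chrome/43.0.2357.130 Safari/537.36",
           "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
           "Accept-Language": "en-US,en;q=0.8", "Accept-Encoding": "gzip, deflate"}
FAKE_BROWSER = {"User-Agent": BROWSER["User-Agent"], "Accept": "*/*"}  # copied UA, no browser headers
SCRIPT = {"User-Agent": "python-requests/2.7.0", "Accept": "*/*", "Accept-Encoding": "gzip, deflate"}
CLAIMED_GOOGLEBOT = {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
                     "Accept": "*/*"}
NO_HEADERS = {}

SAMPLE_REQUESTS = (make_requests("192.0.2.10", BROWSER, 3, 20)
                   + make_requests("203.0.113.9", FAKE_BROWSER, 60, 0.2)
                   + make_requests("198.51.100.5", SCRIPT, 12, 5)
                   + make_requests("192.0.2.200", CLAIMED_GOOGLEBOT, 4, 15)
                   + make_requests("203.0.113.50", NO_HEADERS, 2, 30))

GOOD_BOT_TOKENS = ("Googlebot", "bingbot")
SCRIPT_TOKENS = ("python-requests", "curl/", "Wget/", "Scrapy")


def header_anomalies(headers):
    """Score one request's headers; returns (score, reasons)."""
    ua = headers.get("User-Agent", "")
    if any(tok in ua for tok in GOOD_BOT_TOKENS):
        # Anyone can send this string: validate the claim out of band (the search
        # engine's published reverse-DNS check) instead of trusting it.
        return 0, ["claims-good-bot"]
    hits = []  # (weight, reason)
    if not ua:
        hits.append((3, "no-user-agent"))
    if "Accept" not in headers:
        hits.append((2, "no-accept"))
    if any(tok in ua for tok in SCRIPT_TOKENS):
        hits.append((2, "scripting-client"))  # honest about itself
    elif ua.startswith("Mozilla/"):
        # A real browser navigation sends these; a script with a copied UA usually does not.
        if "Accept-Language" not in headers:
            hits.append((2, "browser-ua-without-accept-language"))
        if "Accept-Encoding" not in headers:
            hits.append((1, "browser-ua-without-accept-encoding"))
        if headers.get("Accept") == "*/*":
            hits.append((1, "browser-ua-with-wildcard-accept"))
    return sum(w for w, _ in hits), [r for _, r in hits]


def peak_requests_per_minute(timestamps, window=timedelta(seconds=60)):
    """Largest number of requests from one client inside any sliding 60 s window."""
    ts, best, start = sorted(timestamps), 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def rate_anomaly(peak):
    """Rate control: too fast earns a score, graded by how far over the line it is."""
    if peak > 50:
        return 5, ["rate>50/min"]
    if peak > 20:
        return 3, ["rate>20/min"]
    return 0, []


def choose_action(score, reasons):
    """Map the score onto the ladder: welcome, validate, reduce impact, terminate."""
    if "claims-good-bot" in reasons:
        return "validate"       # client validation before welcoming it
    if score >= 8:
        return "deny"           # terminate with extreme prejudice
    if score >= 5:
        return "captcha"
    if score >= 2:
        return "reduce-impact"  # rate control / serve slow
    return "allow"


def classify(requests):
    """Return {ip: {"score", "reasons", "peak_rpm", "action"}} for every client seen."""
    by_ip = defaultdict(list)
    for req in requests:
        by_ip[req["ip"]].append(req)
    verdicts = {}
    for ip, reqs in by_ip.items():
        hscore, reasons = header_anomalies(reqs[0]["headers"])  # one header set per client here
        peak = peak_requests_per_minute([r["ts"] for r in reqs])
        rscore, rreasons = rate_anomaly(peak)
        score, all_reasons = hscore + rscore, reasons + rreasons
        verdicts[ip] = {"score": score, "reasons": all_reasons, "peak_rpm": peak,
                        "action": choose_action(score, all_reasons)}
    return verdicts


if __name__ == "__main__":
    for ip, v in classify(SAMPLE_REQUESTS).items():
        print(ip, v["action"], v["score"], v["reasons"])
```

Note how the honest script (python-requests at a modest rate) only gets its impact reduced, the client that copies a Chrome User-Agent but sends none of Chrome's other headers and hammers the site is denied, and the self-declared Googlebot is neither trusted nor blocked until validated.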
Bot Learnings
BOT scoring, categorization and trends
Crowd sourcing of new BOTS www.botopedia.org
Resource usage by BOT
Input into evolving your detection and mitigation tactics
Understand the cost of your mitigation strategies
7 key ingredients to succeed (today)
1. Scale your defenses with a Cloud WAF: extend your perimeter beyond your site
2. Reverse proxy: automatically drops traffic not on port 80 or port 443
3. Geo-based blocking: refuse requests from a customer-selected list of countries
4. Validate against a known list of attackers: positive or negative security model (black or white lists)
5. Rate controls: block requests that are too fast or too slow (anomaly scoring)
6. Data driven WAF: WAF rules continuously refined based on visibility into web
7. Caching: dynamic and static caching to serve requests
Looking ahead
Good Bots are an essential part of our Internet ecosystem
It’s an arms race, and you need to have a clear strategy
If you don’t have a WAF... get one!!!
Threat intel (bingo) is vital in understanding. Learn from others
Now you’ve got a strategy, have a plan and rehearse it!
It’s hard... but understand what normal looks like (try... please)
Think active defense…be smart in how you operate
Friend or Foe? You need to decide
I would like to thank
Mike Smith (Akamai APJ Security CTO)
Patrick Laverty (Akamai CSIRT)
Mike Kun (Akamai CSIRT)
Dave Lewis (Akamai Global Security Advocate)
... and Akamai’s customers and competitors (they keep me honest)
I also thank my wife (Giant Panda)