Prevent credential stuffing attacks through attack cost analysis
Date:
Sat, 11 Sep 2021 08:34:32 +0000
Description:
All businesses are guided by a cost-benefit analysis of their work -
including online fraudsters.
FULL STORY ======================================================================
All businesses are guided by a cost-benefit analysis of their work. It's the same for money-motivated online fraudsters. To operate profitably, cybercriminals need to devise systems that bring in more money than they spend on conducting the attacks.
About the author
Carlos Asuncion, Director of Solutions Engineering, Shape Security at F5.
There are two key factors influencing this calculation: the cost of operations and the changing cybersecurity landscape. And costs are falling fast, which means hackers can spend a few hundred dollars to mount attacks with the potential to draw back millions of dollars.
As a result, we're seeing credential stuffing become an increasingly popular and prevalent method of online fraud. Indeed, F5 Labs and Shape Security research recently reported that credential spill incidents nearly doubled from 2016 to 2020.
Credential stuffing
Credential stuffing entails hackers acquiring usernames and passwords at ultra-low prices (sometimes for free) from easy-to-access sources. They then use custom-built or off-the-shelf software to automate the login process across millions of user accounts on hundreds of websites.
They do this hoping that, for example, someone's Facebook password might double as their Internet service provider account login or even their bank account login. The traffic is distributed globally to avoid suspicion, and, with another small investment, hackers can also defeat basic automated defenses such as the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) by outsourcing to CAPTCHA-solving plugins or services.
At Shape Security, we estimate the cost of 100,000 account takeover attempts at roughly $200, including the necessary software, network proxies, and stolen credentials. Success rates typically range from 0.2 to 2%. Successful takeovers are then sold on various forums and markets for between $2 and $150, equating to a return of between 100 and 150,000% or even more. That adds up to a financial return of between $200 and $300,000-plus.
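A worked version of the arithmetic above, as an added example (not Shape Security's or the author's tooling), using the article's own figures of $200 per 100,000 attempts, 0.2 to 2% success and $2 to $150 resale. The two breakeven functions go a step beyond the text: they show how far a defence must push the success rate down, or the per-attempt cost up, before the campaign loses money.

```python
"""Attack cost-benefit model for credential stuffing (added example).
Figures are the article's; the Campaign class and breakeven helpers
are constructed for illustration, not any vendor's tooling."""
from dataclasses import dataclass


@dataclass
class Campaign:
    attempts: int             # login attempts the attacker runs
    cost_per_attempt: float   # USD: proxies, credentials, tooling, CAPTCHA solving
    success_rate: float       # fraction of attempts that take over an account
    resale_price: float       # USD the attacker gets per taken-over account

    def cost(self) -> float:
        return self.attempts * self.cost_per_attempt

    def revenue(self) -> float:
        return self.attempts * self.success_rate * self.resale_price

    def net(self) -> float:
        return self.revenue() - self.cost()

    def roi_pct(self) -> float:
        """Net return as a percentage of outlay (100% = money doubled)."""
        return 100.0 * self.net() / self.cost()


def breakeven_success_rate(c: Campaign) -> float:
    """Success rate below which the campaign loses money: the level a
    defence must push takeovers under at the attacker's current costs."""
    return c.cost_per_attempt / c.resale_price


def breakeven_cost_per_attempt(c: Campaign) -> float:
    """Per-attempt cost above which the campaign loses money: how much
    friction (forced CAPTCHA solving, proxy churn, ...) must be added."""
    return c.success_rate * c.resale_price


if __name__ == "__main__":
    # The article's low and high cases: $200 for 100,000 attempts.
    low = Campaign(100_000, 200 / 100_000, 0.002, 2.0)
    high = Campaign(100_000, 200 / 100_000, 0.02, 150.0)
    for c in (low, high):
        print(f"cost ${c.cost():,.0f} revenue ${c.revenue():,.0f} "
              f"net ${c.net():,.0f} ROI {c.roi_pct():,.0f}%")
        print(f"  unprofitable below {breakeven_success_rate(c):.4%} success "
              f"or above ${breakeven_cost_per_attempt(c):.4f} per attempt")
```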
Unfortunately, many organizations still focus heavily on fending off bot attacks by using IP address or User-Agent string blocking, which quickly devolves into an anxiety-inducing and futile game of Whack-a-Mole. Instead, the emphasis should be on eliminating the value proposition for attackers to attack your digital properties.
Pricing the fraudsters out of business
For businesses, this means improving their defenses to such an extent that it is too costly for hackers to beat them. A real-world criminal will always target an open window rather than buy expensive tools to pick the lock of a solid door. The rules are the same for virtual properties.
The best method is to deploy a series of measures that force fraudsters back to the cost-incurring stages of their attacks. If this happens too many times, the cost-benefit analysis swings away from them and expenditure eventually outweighs any potential return. David Bianco introduced a concept back in 2013 called the Pyramid of Pain and it holds true when it comes to mitigating credential stuffing attacks with long-term efficacy.
Engaging in Whack-a-Mole with IP addresses and User-Agent strings, which sit at the bottom of the pyramid, is futile. It is better to focus efforts higher up the pyramid and mitigate fraudsters' tools and TTPs (tactics, techniques, and procedures). In other words, continually frustrate your adversary and force them to go elsewhere.
Three-point plan
To get it right, you need to figure out how much it actually costs to attack your web and mobile properties. If you don't know how much it costs, you don't know what kind of friction and interdiction to put in place. Once you've done that, it is time to initiate a three-point plan.
First, address weak spots by auditing your network exposure to remove all low-hanging fruit. This creates a minimum barrier which attackers must overcome. For example, analyze your web application authentication pages and make sure you are not providing unnecessary feedback that may be helpful to fraudsters. Password reset pages are a common example here.
Saying something like "sorry, that account does not exist, please try again" actually helps fraudsters. It tells them which accounts are valid on your site and which are not, thus improving the accuracy and efficiency of any subsequent credential stuffing attacks. A better response message would be, "we have received your password reset request. If this account exists, a password reset email will be sent to you."
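The two password-reset responses above, side by side, as an added example (not code from the article): the leaky handler tells the caller which accounts exist, the uniform handler answers identically and does the same work on both paths. The user store and mailer are constructed stand-ins, not any real framework's API.

```python
"""Leaky vs. uniform password-reset responses (added example).
USERS and SENT are constructed stand-ins for a user store and a mailer."""
import secrets

# Constructed sample user store: email -> user id
USERS = {"alice@example.com": 1, "bob@example.com": 2}
SENT = []  # (email, token) pairs the stand-in mailer "sent"

UNIFORM = ("we have received your password reset request. If this account "
           "exists, a password reset email will be sent to you.")


def leaky_reset(email: str) -> str:
    """The pattern the article warns against: the message itself reveals
    whether the account exists, so a fraudster can validate a spilled
    credential list against your site before ever trying a login."""
    if email.lower() not in USERS:
        return "sorry, that account does not exist, please try again"
    SENT.append((email.lower(), secrets.token_urlsafe(32)))
    return "a password reset email has been sent"


def uniform_reset(email: str) -> str:
    """Same message for every input. The token is generated unconditionally
    so the two paths do comparable work, and the lookup result only decides
    whether mail actually goes out, which the caller cannot observe."""
    token = secrets.token_urlsafe(32)
    normalized = email.lower()
    if normalized in USERS:
        SENT.append((normalized, token))
    return UNIFORM


def reveals_existence(handler) -> bool:
    """True if the handler's reply differs for a known and an unknown user."""
    return handler("alice@example.com") != handler("nobody@example.com")


if __name__ == "__main__":
    print("leaky reveals existence:", reveals_existence(leaky_reset))
    print("uniform reveals existence:", reveals_existence(uniform_reset))
```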
Next, perform penetration testing on your own organization's web and mobile apps to understand how easy or hard it is to compromise them to commit fraud. This process should be guided by evidence and not by gut feeling. It will help you build a toolbox of defenses that mirror likely attempts to beat your security measures.
Remember, the goal posts are always moving. The tools available to criminals improve by the day, so the third step is to regularly update and upgrade your security controls to keep pace with the ever-evolving risk landscape. This can include security analysts (in-house or contract) putting on their red team hats in order to stay plugged into the latest attack vectors and tools discussed on the dark web and fraud forums. Bug bounties may also be a solution to identify control gaps or new ways to circumvent existing controls before the fraudsters can find and abuse them.
Remember, credential stuffing is cheap and easy, so it makes strong economic sense for fraudsters who pocket millions every year from the crime. Don't make it easy for them!
======================================================================
Link to news story:
https://www.techradar.com/news/prevent-credential-stuffing-attacks-through-attack-cost-analysis/
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)