Network IQ: How the Largest API Threat Database Protects Your APIs

Introduction

It’s Christmas and your kid wants the new PS5 game console – just like everyone else. As a committed parent, you say you will do what you can. On the date they become available, 9:00 am sharp, with multiple browsers and mobile devices, try to acquire just one. Before you finish typing your credit card, the inventory is sold out. You’ve just lost an automated shopping bot, accurately referred to as a Grinch Bot, designed to use automation, computer-based speed, and massive scale to buy in-demand items. The sheer scale in this scenario is a network of many thousands of IP addresses, known as proxies, used by bot managers to increase the likelihood of success and, just as importantly, maintain anonymity. This blog describes some of the different types of proxies, how they are used by threat actors, and how they can be used by security teams to discover and block malicious transactions, potentially increasing your child’s chances of getting a PS5.

What is a power of attorney?

A proxy is a server that you can send traffic to, which is then re-sent to the destination address, but the source address is now the proxy’s address instead of the original sender. One possible legitimate use case for a proxy is a whistleblower seeking to expose a critical issue but maintain anonymity. On the other hand, as shown in the image below, a bot will use a large pool of these proxy addresses to hide their credential stuffing traffic, so it seems to come from many different addresses rather than all from the same actor. Therefore, proxies are an essential tool for any bot actor working on a large scale to avoid being blocked.

Bulletproof Proxy Services

So, now that we know how essential a proxy network is to conducting a bot attack, how do bot actors access it? It is not financially viable for every bot actor to build their own proxy network, as gaining and maintaining access to a large network is very costly and would render most cases of bot use unprofitable. This is where some smart providers have stepped in to offer proxies as a service. These Bulletproof proxy providers, whose name is derived from Bulletproof hosting, have discovered that there are many actors willing to pay for access to a proxy network and quickly seized the opportunity. Bulletproof hosting refers to hosting providers that advertise a service that doesn’t matter what they host, but still guarantee uptime to customers who host their sites through them. On the outside, this kind of service may seem harmless, as it appears to be an honest and content-blind way to host sites. In practice, these providers and the sites they host are not harmless, with many dark websites being hosted with these types of services.

Similarly, Bulletproof proxy providers advertise unlimited access to market research websites or access from countries where traffic might otherwise be blocked. In practice, however, legitimate users would only need access to a handful of proxies, not the massive networks these providers allow access to. Many providers advertise access to millions of different proxies, both residential and data center, with different pricing plans. Examples of Bulletproof proxy vendors include the recently closed RSOCKs, Microleaves, and SmartProxy.

Residential vs. Data Center Proxies

Data center proxies generally come from large data centers, where individuals have purchased large blocks of network infrastructure for relatively little money. The caveat is that these proxies are of lower quality and come from organizations and ASNs that would not be expected to generate general user traffic for a public website. Residential proxies, on the other hand, are generally of a higher quality and come from organizations and ASNs where one would expect the user traffic to come from. These proxies can be anything we have deployed in our homes — PCs, servers, cable boxes, garage door openers, and even a refrigerator. Residential proxies are more expensive than a data center proxy because the individual IPs have to be acquired or compromised rather than bought in bulk and their residential location makes the traffic more like a real user.

Using bot infrastructure as a defense technique

So, how can we identify bot actors based on their infrastructure? We can target the proxies they use. To defeat threats at scale, you need scale yourself. Cequence Network IQ, with the largest collection of malicious infrastructure, is part of CQAI and is home to our infrastructure threat data. Within Network IQ are several subsystems that allow us to make practical use of its rich data. The system within Network IQ used to identify and tag proxies that bots use every day to attack our customers is called IP Threat Score, so let’s see how it works.

Get IP information from multiple sources: IP Threat Score

The IP Threat Score uses and analyzes large amounts of threat data to identify proxy IPs as soon as we see them in our product. The IP data is collected from multiple sources described below.

• Passive Threat Research: Cequence has crawlers that are constantly running and searching the web for public data feeds that contain proxy or IP reputation information. They automatically fill our databases with their findings.
• Active threat research: The CQ Prime Threat Research team also goes straight to the source – Bulletproof proxy providers themselves. After accessing their networks, we can list the IPs they use and add them to our databases automatically.
• Field data: Finally, the third threat data feed for IP Threat Score is data straight from the field. We automatically tag and record proxy IPs that we see carrying out attacks every day. This is arguably the most critical data source for our system, as it looks at which infrastructure bots are really using to carry out their attacks.

Importantly, most of the data collection is automated and allows our system to instantly adapt to the ever-changing landscape of active bot infrastructure.

Putting data to work Blocking bots

Rich data means nothing if we can’t extract useful information from it. Important for data of this magnitude is to extract meaningful functions that allow us to create a sliding scale in classifying how bad infrastructure is, be it an individual IP address, network block, organization or ASN. Using the extensive data we collect and the features we generate, we can identify not only the worst offending individual IPs, but also entire network blocks, organizations or ASNs. By using both as block criteria, we can identify groups of proxy IPs that match data center proxies, and have the granularity to identify individual residential proxies. For example, for individual attack campaigns that use data center proxies, 98-100% of attack traffic is tagged as such by IP Threat Score, even if the individual IPs themselves are not in our threat database.

This is the power of being able to group and identify malicious infrastructure. Of course, we also have mechanisms in place to address the potential for false positives to ensure that legitimate user traffic is not blocked by our system. In practice, the infrastructure information is combined with our behavioral ML models and rules in CQAI and Bot Defense to distinguish and mitigate malicious bots.

Conclusion

Intelligent threat actors can access massive amounts of network infrastructure to use as proxies for their attacks through Bulletproof Proxy providers, helping them avoid being easily blocked. At Cequence Security, we are in a unique position to use the massive amounts of bot data we process every day to enumerate and tag bot infrastructure with great confidence and efficiency. By identifying bot infrastructure, we can add value on day 1, tagging bot infrastructure out-of-the-box for Bot Defense. Coupled with our ML-based behavioral fingerprinting and mitigation capabilities, bots don’t stand a chance.

Schedule a personalized demo to see how Network IQ and Bot Defense can help protect your APIs and web apps.

The post Network IQ: How the Largest API Threat Database Protects Your APIs appeared first on Cequence Security.

*** This is a Security Bloggers Network syndicated blog by Cequence Security, written by Zack Kaplan. Read the original post at: https://www.cequence.ai/blog/network-iq-how-the-largest-api-threat-database-protects-your-apis/