There are many types of abuse and many ways of carrying it out. One way to look at the abuse we are protecting against is as security at the data layer. Traditional software security often lives at other layers: the hardware layer (flipping bits to change values in memory), the network layer (man-in-the-middle attacks), or the OS layer (buffer overflow attacks). For most products, anti-abuse lives in the data layer: the data in the database and the traffic coming in from users. It is the data itself that we need to secure, not its consumption or storage but what it represents.
Some abusive actions might be known to us and well understood, some new, and some we don’t even know about yet. Regardless, our day-to-day approach should be the same, and that is what we are going to talk about here: the strategy and methodology of AbuseOps.
So let's talk strategy!
Strategy is influenced a lot by the intelligence gathered on your enemy. In our case, we want to know all the technical details of an attack. By understanding exactly what the attacker is doing, we can not only stop the ongoing attack but also stop the next one. We should always have the most complete and holistic block possible.
In order to achieve a viable block for an attack, we will need the right information. This usually means raw information from the source. A great place for that is the traffic itself, since it is how most products interact with their users. Most websites and apps use REST and HTTP, so we would need to save as much of the incoming and outgoing traffic data as would help us reverse engineer how the abusive attack works. An example would be saving the incoming HTTP GET request to your website with all its headers and values.
But wait, how do we even know if we are under an attack?!?
For that we need detection. Detection is based on a signal in the traffic that identifies it as abusive. This is just terminology, so let’s show some examples to better explain the concept. In HTTP traffic we have a field, known as a header, called user-agent. That header is used by the client to describe itself. So, if that header is for example “EVIL” or “bad traffic”, then it is a signal that can be used to identify bad traffic and filter it out from the rest of the traffic. Once you have a reliable, holistic and inclusive signal, it can be used for detection and for metrics that measure how much abuse you have on your site, and to communicate vital information about the state of that abuse to other stakeholders in the company.
It is important to plot the abusive traffic on a dashboard, at least at a daily resolution; more granular is better. Beyond reporting, the same series can be used for alerting and as a way to identify more signals. Detecting signals is a highly important endeavor. In essence, a signal is the distilled understanding, derived from the data, of a property inherent in the attack.
In many cases, the way to block an attack will be an infrastructure change or a code fix that closes a loophole. In other situations, we will need new features in the infrastructure to support heuristic or machine-learning-based systems that block the attack. That is why, in many setups, AbuseOps works directly with other teams. Part of the AbuseOps mission is to transfer insight about the attacks to those teams and help them be more effective and impactful.
The concept of Enigma
The Enigma machine was famously used by the Germans in World War 2 to protect military communication from the Allies. What they did not know is that the Allies had broken the code and were able to intercept and read information “protected” by the Enigma machine. There are multiple cases of hard decisions made during the war to lose assets and even lives in order to protect the secret that Enigma was broken, because once the enemy knew, they could easily replace it. Another interesting read on the importance and secretive nature of intelligence in the war is the Wikipedia page on Ultra.
The relevance of this story to us is that once a signal is used to block an attack, you risk showing your hand to the attacker and losing this vitally important intelligence. Therefore, you should always keep a couple of signals for detection only and block attacks in other ways. Think of a signal as your most valuable military intelligence asset: expensive to obtain, easy to lose, vital for our work.
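As an added example (not code from the original post), the following Python script ties together the detection and dashboard ideas from the user-agent section and the Enigma concept above. It parses saved raw HTTP requests, applies detection signals (the user-agent marker from the post plus a hypothetical second signal, a missing Accept header), aggregates daily counts for a dashboard, and enforces blocking through a separate per-IP request budget so that the detection signals themselves are never exposed to the attacker. The request captures, IP addresses, hostnames and header values are all constructed for illustration.

```python
"""Signal-based abuse detection over saved HTTP requests (added example)."""
from collections import Counter, defaultdict
from datetime import date

# Constructed captures: (day, client IP, raw request as saved at the edge).
# Addresses and hostname are documentation/reserved values, not real traffic.
SAMPLE_CAPTURES = [
    (date(2024, 5, 1), "198.51.100.10",
     "GET /api/items HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n"),
    (date(2024, 5, 1), "203.0.113.7",
     "GET /api/items HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: EVIL/1.0\r\nAccept: */*\r\n\r\n"),
    (date(2024, 5, 1), "203.0.113.7",
     "GET /login HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    (date(2024, 5, 2), "203.0.113.7",
     "GET /api/items HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: bad traffic bot\r\n\r\n"),
    (date(2024, 5, 2), "198.51.100.11",
     "GET /api/items HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: curl/8.0\r\nAccept: */*\r\n\r\n"),
    (date(2024, 5, 2), "198.51.100.12",
     "POST /api/items HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\n"
     "Accept: application/json\r\nContent-Length: 0\r\n\r\n"),
]


def parse_request(raw):
    """Split a saved request into method, path and a lowercase-keyed header dict."""
    head = raw.split("\r\n\r\n", 1)[0]          # drop the body, keep request line + headers
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


# Detection signals. "ua_marker" is the user-agent example from the post;
# "missing_accept" is a hypothetical second signal added for illustration.
DETECTION_SIGNALS = {
    "ua_marker": lambda req: any(
        marker in req["headers"].get("user-agent", "").lower()
        for marker in ("evil", "bad traffic")),
    "missing_accept": lambda req: "accept" not in req["headers"],
}


def detect(req):
    """Return the set of detection signal names that fire on one parsed request."""
    return {name for name, test in DETECTION_SIGNALS.items() if test(req)}


def daily_series(captures):
    """Aggregate per day: total requests, abusive requests and per-signal hits.

    This is the series you would plot on the dashboard and alert on.
    """
    series = defaultdict(lambda: {"total": 0, "abusive": 0, "by_signal": Counter()})
    for day, _ip, raw in captures:
        fired = detect(parse_request(raw))
        bucket = series[day]
        bucket["total"] += 1
        if fired:
            bucket["abusive"] += 1
            bucket["by_signal"].update(fired)
    return dict(series)


def block_decisions(captures, per_ip_budget):
    """Enforcement that does not reveal the detection signals (the Enigma concept).

    Blocking here uses a per-IP request budget over the capture window, a stand-in
    for the "other ways" of blocking; detect() is deliberately not consulted, so the
    attacker cannot learn which signals we track by observing what gets blocked.
    Returns a list of (ip, blocked) in capture order.
    """
    seen = Counter()
    decisions = []
    for _day, ip, _raw in captures:
        seen[ip] += 1
        decisions.append((ip, seen[ip] > per_ip_budget))
    return decisions


if __name__ == "__main__":
    for day, bucket in sorted(daily_series(SAMPLE_CAPTURES).items()):
        print(day, bucket["total"], bucket["abusive"], dict(bucket["by_signal"]))
    for ip, blocked in block_decisions(SAMPLE_CAPTURES, per_ip_budget=2):
        print(ip, "BLOCK" if blocked else "allow")
```

Note that the daily series and the block decisions are computed from the same saved captures but never feed each other: the signals stay private to detection and metrics, while enforcement rests on the budget, which the attacker would have to discover on its own.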
We still have a lot to go over around best practices, but I hope this helped you understand the basics. Next, we will cover some of the tooling needed to accomplish what we talked about here.
Lastly, let’s go over the main points that were presented here:
· Use the most complete and holistic block possible.
· Save data as close to the source as possible.
· A signal is the distilled understanding from the data of a property inherent in the attack.
· Use data to identify signals of abusive traffic.
· Enigma concept – keep a signal or two up your sleeve for detection only.