New threat intel framework takes aim at bot-fueled business logic attacks

Cyber Security News

A newly launched open-source threat intelligence and knowledge framework, inspired by Mitre ATT&CK, has been designed to help users detect and defend against automated business logic attacks perpetrated by bots.

Called BLADE, an acronym for Business Logic Attack Definition Framework, the framework specifically addresses scenarios in which bots exploit legitimate web applications and API-enabled services – using them as they were intended, but for malicious purposes such as credential stuffing and account takeovers, data scraping, spreading disinformation online, ad fraud and more.

A classic example is the Grinch bot, which buys up scores of sneakers, video game consoles, event tickets and other popular items from online retailer so that they can be resold at a higher price. No vulnerable code is hacked, and no employee is phished or infected with malware – yet these bots can create a lot of angry, dissatisfied customers and hurt a company’s bottom line.

Officially launched this week by bot management company Netacea, the BLADE framework was created to develop a more universal understanding of various bot-fueled business logic attacks that currently threaten organizations across industry verticals. This includes the tactics and techniques used in such attacks, so businesses know best to defend against and mitigate them.

According to Matthew Gracey-McMinn, head of threat research at Netacea, BLADE fills a void that Mitre ATT&CK and previous frameworks haven’t covered.

“Traditionally we’ve had a lot of frameworks around understanding how your traditional technical cyberattack works,” said Gracey-McMinn. “But nobody had the same thing from a business logic standpoint.” And that presents a problem because such attacks have “really started to come to the forefront.”

Oftentimes, said Gracey-McMinn, the conditions that leave applications and websites prone to business-logic attacks are been addressed by web development teams rather than security professionals – because “it’s not exploiting a code vulnerability, it’s not a technical attack.” And yet these business logic attacks have become an actual security issue because they are “costing companies more and more.”

Adam Pennington, Mitre ATT&CK director, commended the effort. “We think there’s a value in this kind of organization of knowledge, and it’s why we’ve tried to be open with how we created and how we think about ATT&CK itself. We’ve seen some great work in ATT&CK-like frameworks similar to this,” he said.

“ATT&CK focuses on behaviors that have been seen from a range of real-world adversaries in the wild, currently focusing on activity against enterprise networks, mobile devices and industrial control systems,” Pennington continued. “There’s a wide range of activity that is possible but has never before been seen in the wild, or is out of scope to us for other reasons where others may be able to fill in gaps. We wish them well, and look forward to seeing how this work develops.”

The information and intelligence within the BLADE framework will remain tool-agnostic, focusing more on the methods used. “The attacker can change their tool very easily, but changing the methodology behind the tool is a much bigger lift so we’re helping together to raise the barrier to entry,” Gracey-Mcminn explained.

The BLADE framework categorizes business-logic attack techniques into six stages – resource development, reconnaissance, defense bypass, attack preparation, attack execution and post-attack exploitation. Each technique (there are 25 altogether so far) are then further broken into sub-techniques. For instance, the defense bypass category includes CAPTCHA bypass, human emulation, proxying and smokescreening as techniques. Drilling down further, the human emulation includes four sub-techniques: device fingerprint emulation, fake credibility generation, mouse usage and user agent emulation.

Matthew Gracey-McMinn, Netacea

Gracey-McMinn said that as the project grows, the BLADE development team will add kill chains for each of the business logic attack methodologies, as well as additional detection and mitigation tips. “Really, it’s about trying to help defenders, understand the problem more granularly so that they can take steps more informed steps, and hopefully get a better return on investment in terms of time and resources in dealing with these attackers,” he said.

And because BLADE is open-source, an array of contributors will grow and change the framework over time as threats evolve. Already, BLADE seen contributions from influential organizations such as Adidas, Gartner and ReliaQuest. Major health care groups telecommunications companies and law enforcement organizations have also anonymously reviewed the framework, Grace-McMinn noted.

Michael Daniel, CEO of the Cyber Threat Alliance, said that the formation of new threat frameworks comes with pros and cons.

“As a general matter, agreed-upon frameworks and data formats make the exchange of threat intelligence much easier,” stated Daniel. “Such frameworks can increase the scope, scale and speed of sharing, because standard formats are much easier to automate. However, the key is getting broad agreement on the standards and frameworks. Many companies used what they call open-source frameworks, but what they really mean is public as opposed to treating it like a trade secret. As a result, in many cases, the issue isn’t lack of standards; it’s that there are too many of them.”

Meanwhile, Kunal Anand, chief technology officer at database security company Imperva, which also provides bot protection, said that BLADE on the surface “seems like a good attempt to bring the bot community together to thwart threat actors and bot attack cycles,” but stressed that it would be important for the framework to stay vendor neutral.

Asked which of the bot-fueled business logic attacks are generating the most concern right now, Gracey-McMinn cited account takeovers. “If you have any sort of a user login portal, you’re facing risk from account takeovers. It affects streaming, it affects e commerce. Even if it’s just a website that has a newsletter – some of these things have value to attackers because if they get into one account, people often reuse usernames and emails elsewhere so it can be used elsewhere. So you get this credential stuffing on pretty much every single login page on the internet.”