Netacea unveiled bot management framework. The Business Logic Attack Definition Framework (BLADE) sets the stage for shared understanding and knowledge among vendors, cybersecurity professionals and customers who are proactively tackling an increasing number of malicious bot threats.
Available as an open-source framework, BLADE is based on extensive input from businesses, industry influencers and Netacea’s own in-depth research into threat group activities and bot attack cycles.
“As MITRE Corporation have demonstrated with their ATT&CK matrices, having a framework to build a shared understanding of abuse of our systems can be a great enabler for defenders. As other retailers of limited-edition high demand “hype” products have also found, the use of bots poses a significant business challenge and having a structured means to develop and share understanding within the business and with partners is welcome,” said Simon Goldsmith, Team Lead for Information Security Strategy and Programmes at Adidas.
“I believe contributors to the BLADE framework will see significant business benefits in sharing their knowledge. It proves a commitment to collaboration in solving an important problem and we look forward to developing and further proving its value.”
Netacea discovered that bots are comprised of separate specialised automated processes that work as one to infiltrate businesses. These bots take a modular approach to attacks and are programmed to overcome any challenge, such as CAPTCHA.
Netacea was able to detail the six stages of a scalper bot attack in the BLADE framework:
- Resource development (pre-attack) – Adversaries build or attain access to the infrastructure they will need in launching the attack (such as proxies to hide the true source of the attack).
- Attack preparation – Adversaries start preparing the attack by creating accounts and aggregating them under a single point of control.
- Reconnaissance – Adversaries look for a specific item like a PS5 and the exact moment it becomes available.
- Defence bypass – Adversaries might be challenged by defences, such as CAPTCHA, during any of the stages of the attack. If this occurs, this module design will kick in, bypass the defence and hand control back to the bot module managing reconnaissance.
- Attack execution – When the item is identified as being available, the bot will automatically move on to executing the attack by purchasing the item.
- Post attack – After the product has been purchased, adversaries will seek to bring it into their position while bypassing any restrictions on one item per customer or address.
Once the attack stages for a scalper bot attack were confirmed, Netacea analysed the tactics, techniques and processes of other types of bot attacks and captured all automated bot threats and their lifecycles in a series of comprehensive kill chains.
“The threat landscape has been shrouded in ambiguity and misinformation for too long, and bot actors have taken advantage of it to cause significant damage which costs businesses globally,” said Matthew Gracey-McMinn, Head of Threat Research at Netacea.
“Taking inspiration from the MITRE ATT&CK Framework, our ambition with BLADE is to silence the noise in the industry, provide security operation teams with a level of understanding and knowledge that has not yet been available, and empower those teams to detect and mitigate malicious bot attacks. Our goal? Help stop bots in their tracks – no matter who is doing the stopping.”
Netacea’s research also uncovered that many organizations behind bots operate at a professional level, with consultants, help desks and highly specialised infrastructure providers accessible through covert forums. This has contributed to the easy availability of bots by bad actors from all walks of life.
Gracey-McMinn said as bot attacks grow in volume and sophistication, it’s crucial that bot defence systems mature and develop to combat the evolving threat. “Our latest survey, which will soon become available, found that on average it takes businesses three months to detect that a bot attack has occurred. This is in part due to the lack of a unified approach and shared language in the bot community and a lack of understanding around the methods and motivations behind bot attacks. The absence of methodology and framework has left the door open for threat actors to continually exploit businesses in a way that leads to reputational damage, lost revenue and skewed website analytics,” he said.