Blog

Tales From the Front Lines: New Applications Protected in Just 33 Minutes

June 8, 2021 | 4 MIN READ

by Matt Keil

In this week’s blog, we will talk about two recent customer scenarios where the value of our no JavaScript or SDK approach became evident in minutes: when customers needed to prevent an attack on a new application. As a reminder, Cequence uncovers malicious transactions hiding in plain sight with CQAI, a patented, multi-dimensional analytics engine. This means that there is no added web and mobile application development, QA, testing required to add and protect a new application. It also means highly sophisticated attacks are (more) effectively detected and blocked.

Previous blogs have discussed how quickly new customers were able to begin detecting and blocking attacks using the Cequence Application Security Platform SaaS. To begin protecting apps with the SaaS platform, a routing configuration is modified to redirect traffic to Cequence, then on to the origin server. Web, mobile, API-based applications are “onboarded” by tagging them so they can then be added to policies. The process is fast, simple and straightforward, placing no added burden on application development teams.

Scenario 1: From under attack to protected in 33 minutes

This new customer is working with our Customer Success team to migrate hundreds of web, mobile and API-based applications to the Cequence Application Security Platform SaaS. During the migration process, threat actors hammered a mobile application (not yet protected by Cequence) with an Account Takeover (ATO) attack. The timeline from attacked to protected is as follows:

  • Assistance request (15 minutes): The mobile application is onboarded through a traffic routing configuration modification to direct the application under attack to Cequence, then on to the origin server.
  • Attack detected and blocked (plus 3 minutes): The Cequence dashboard immediately showed that much of the traffic was sourced through Bulletproof Proxy networks, so the new application was added to existing known Bad Infrastructure policies to effectively mitigate ATO.
  • Policy fine-tuning (add 15 mins): The Threat Monitoring Team fine-tuned the policy by adding several Behavioral Fingerprints that protected the application from retooling efforts commonly seen in this customer environment.

Customer Outcome: The ATO was prevented and traffic volumes returned to normal in just 33 minutes. If they had continued to attempt mitigation using their previous solution, the effort to prevent the attack would have taken days, possibly weeks because the SDK would have needed an update, testing, then rollout, and potentially a forced user upgrade. Once fully mitigated, the attackers made several retooling efforts where they changed the behavior and the infrastructure, yet the Cequence Behavioral Fingerprint automatically detected the retooling and blocked the attack. Thus providing sustained efficacy with minimal effort.

Scenario 2: ATO-based Gift Card Fraud Detected and Blocked in Roughly an Hour

This large, retail customer was predominantly targeted by automated shopping bots, so when they detected high volumes of suspicious account registration and login behavior, they were a bit surprised. Teaming up with the Threat Monitoring Service Team, they discovered that the malicious behavior was a sophisticated ATO campaign where compromised accounts were then used to generate (fraudulent) e-gift cards.

Customer Outcome: Within an hour, a Behavioral Fingerprint-based policy was deployed and blocked roughly a million malicious requests. Over the course of the following week, the attack continued, totaling roughly 7 million malicious requests mitigated. An outbound alert was configured to initiate account reset requests for any potentially compromised accounts. An added twist was that this particular threat actor had begun selling the attack configs to others, so the team added a deceptive response to the policy as a means of disrupting the economics of the future attacks.

A question may arise – Why wasn’t the attack prevented automatically? The answer lies in a combination of sophisticated attack behavior and the fine line required to ensure that the new policies were not blocking legitimate users. Compared to the previous bot prevention solution, an hour-long effort from detection to prevention felt instantaneous.

Both of these scenarios highlight key differentiators for Cequence – speed of deployment, ML-based detection of retooling (Behavioral Fingerprinting) and automated policy updates.

See Behavioral Fingerprinting in action in this short demo:

Matt Keil

Author

Matt Keil

Director of Product Marketing

Matt Keil focuses on product marketing and content creation. Previously, he spent nearly two decades in enterprise network security, including roles at Palo Alto Networks where he was instrumental in launching the company.

Related Articles