What Kinds of Threats Does ATO Protection Mitigate?

By Nadav Avital posted 03-16-2020 15:19


ATO Protection addresses attack strategies typically underserved by other cybersecurity technologies.

Two and a half thousand years ago, on the banks of the Yellow river near the modern-day city of Luoyang, a horse-mounted general scribbled a note to himself that would change history:

The skillful leader subdues the enemy's troops without any fighting; he captures their cities without laying siege to them; he overthrows their kingdom without lengthy operations in the field

The value of the practical advice in Sun Tzu’s Art of War has made it one of the most revered books in history. Over the centuries, it has influenced everything from political philosophy to economic theory. Its wisdom has even inspired both cybercriminals and the security professionals charged with stopping them.

Today’s cybercriminals leverage tactics not unlike those described by the ancient Chinese general. The persistent and growing threat of account takeover (ATO) attacks is just one example of how cybercriminals can “subdue” organizations without leveraging expensive digital assets or great technical skill.

Public-Facing Accounts Are the Weak Link

All organizations run on business logic. They are fundamentally defined by a series of processes that transform inputs (customer requests and payments) into outputs (valuable products and services).

Executives, account administrators, and upper management are the individuals entrusted with curating and maintaining these processes. As a result, they make tempting targets for opportunistic cybercriminals.

The practical benefit of this approach is obvious. Instead of dedicating time and resources to finding hidden technical exploits in a business system, hackers only need to obtain a single password in order to begin the exploitation.

User experience design continues to push businesses further towards streamlined self-service environments with exposed business processes. The impact of an ATO attack is now much larger than it was years ago, when company process infrastructures were more fragmented.

At the same time, there is no way to run a business without empowering upper management with administrator-level permissions. Someone has to run things, solve problems, and keep systems operating normally. These accounts represent the highest risk.

Another well-known aphorism attributed to Sun Tzu offers fitting advice for dealing with this threat: 

If you know the enemy and know yourself, you need not fear the result of a hundred battles.

Who Carries Out Account Takeover Attacks?

Cybersecurity experts typically look at intent, capability, and motivation when investigating cybercrime incidents. Account takeover attacks happen when a very specific set of conditions are met:

  • Intent. ATO attacks are deliberate. Since the attack requires sensitive data to carry out, the attacker has to plan in advance and identify an appropriate target. Often, the attacker must wait for an opportunity to defraud that target in order to steal an administrator-level password.
  • Capability. Many ATO attacks do not require a great degree of technical expertise. Instead of “breaking in” to a protected account, these attacks rely on legitimate login credentials. Anyone who has access to account credentials, even for a short window of time, is capable of carrying it out.
  • Motivation. Account takeovers can occur whenever a malicious party with access to sensitive login credentials has an emotional, financial, or political reason to defraud an organization.

Based on these factors, there is a broad variety in the types and intentions of cybercriminals who can carry out an ATO attack. The persistence of insider and outsider threats demands a comprehensive solution for protecting privileged user logins.

External agents with access to cybercriminal resources can also carry out technically sophisticated ATO attacks. Tools like Pony and LokiPWS allow cybercriminals to target accounts in order to manage brute force attacks against high-value individuals. This is what a professional hacker might do to compromise an executive’s email account, for instance.

In both cases, social engineering tactics offer a relatively simple way to defraud legitimate users of their account information. Even the most complex firewall solution on the market will not prevent one of your employees from giving away their password to a sufficiently convincing con artist.

But the most dangerous part of the ATO attack process comes from people reusing their passwords on multiple platforms. More than half of all users have the same (or similar) passwords for different services. 

Remember that app you downloaded and used once, years ago? Probably not, but 

it has your email and password. If someone breaks into that app, they can systematically test that email/password combination on thousands of login portals until they find a match. This severely amplifies the danger that a single compromised account represents.

Why Specialized Cybersecurity Technology is Necessary

ATO attacks work in a way that is fundamentally different than the way most cyberattacks work. If a cybercriminal works out how to compromise a business system using a flaw in the system that enables exploitation (like cross-site scripting, for example), the process will leave traces that form a digital signature.

Cybersecurity professionals like our team at Imperva can then collect digital signature data and add that data to our web application firewall (WAF) database. Once the database is updated, every attack that uses this approach will be blocked.

But ATO attacks use the same functionality that drives business – you can’t deny people from reaching a login page. Upon the completion of a successful ATO attack, it can be very difficult to distinguish between legitimate account usage and unauthorized activity because everything is logged under the same legitimate user account.

This is why cybersecurity experts recommend taking a different approach when it comes to ATO protection. Since there is no way to accurately gauge whether individual accounts are compromised or not, they have to examine account behaviors and device reputations to determine if the accounts are still safe.

Behavioral analysis helps security professionals identify compromised accounts. These processes begin with the development of digital profiles that correspond to legitimate behavior for a specific account. Flags trigger when users appear to stray too far from their usual practices, or when they log in from unusual or far-removed devices.

Can ATO Protection Replace WAF Technology?

WAF technology and ATO protection protect against different types of threats. One does not replace the other. Instead, they go hand-in-hand, keeping organizations safe against different types of threats.

The best cybersecurity defense is a multi-tiered one. No organization should rely solely on a single security solution. Just as Sun Tzu recommended the use of walls, ramparts, armies, and spies to ensure a solid, practical defense, so too must organizations adopt a holistic approach to their digital defenses.

In an age defined by a rapidly growing cybercrime industry, where readily available software packages now drop multiple malware loads onto victim’s servers in one go, multi-tiered defense is absolutely crucial to security success. 

These malware packages are not the exclusive tools of professional cybercriminals anymore, either. Disgruntled employees and corporate spies can use them to further their aims with extraordinary ease. Protect your business’s most important digital assets with a comprehensive cybersecurity toolset managed by some of the industry’s most reputable experts.

Related Community Blogs: 
What is Account Takeover (ATO) Protection and How Does It Work?