Mitigation
Overview
When deployed inline, Spec can take action to nullify attacks before they ever reach your systems. We provide a variety of standard mitigation strategies, but we are also always happy to work with customers to explore novel approaches to deal with the specific attacks that they are seeing.
Unlike other vendors, Spec is able to take action based on the totality of your traffic, tying together disparate events into unified sessions, and linking sessions by common entities. This visibility allows Spec to better spot malicious behavior from bots, fraudsters, and malicious users.
Here, we discuss some of the ways that Spec can mitigate incoming attacks. As mentioned above, this is not a comprehensive list: Spec engineers are constantly evolving the platform to address new threats, and we are more than happy to work with our customers to develop new strategies for their use cases.
Mitigation Process
Broadly, the decision to take mitigating action is driven by the presence of Signatures. As we process incoming events, we group events from the same user into a Session. Similarly, disparate Sessions are grouped by the presence of common entities.
When certain behavioral patterns are detected in a Session or among entities in a Session, Spec applies Labels tagging that behavior. While an individual Label may not necessarily indicate malicious behavior, a collection of such Labels can lead to the application of a Signature, a sort of meta-label that indicates a broader pattern of behavior.
The presence of a Signature can also trigger the application of an Action. There are a variety of Actions that we may apply, including the mitigating actions discussed in this document. In addition to mitigation, Actions may include notifying your team in your medium of choice (Slack, Jira, etc.), triggering some downstream service, etc.
This entire process is deterministic, explainable, and can be introspected in the Spec Hub, where you can see all of the Labels, Signatures, and Actions that were taken in a given Session.
Mitigation Availability
As noted elsewhere, Spec can be deployed in a variety of configurations. Full mitigation is only available in Active Mode, via either a DNS Integration or a CDN Integration configured to use inline mode. A limited subset of mitigation Actions is available in Pass-through or Mirror mode.
Active Mode
In Active Mode, Spec sees both request and response traffic, and is able to take action either on a request, before it reaches your servers, or on a response, before it reaches the user. Actions are based on blazingly fast realtime analysis and can respond to changes in incoming traffic patterns based on intelligent risk assessment.
Pass-through/Mirror Mode
Mitigating actions are more limited in these modes. Spec is only able to perform traffic analysis and risk assessment, with actions limited to asynchronous operations like sending Slack alerts, populating charts and reports, etc. The assessments provided in these modes can be illuminating: we regularly have customers initially deploy in Pass-through Mode, only to upgrade to Active Mode when they see how many attacks we could be stopping for them.
Example Mitigations
The following are some typical Mitigations that Spec can deploy in order to address fraudulent or bot traffic. This is not a comprehensive list: there is a wide variety of mitigating Actions we can take, and we are always happy to work with our customers to find the best fit for their use cases.
Honeypot
One popular and historically effective Mitigation is the Honeypot. In this pattern, when Spec detects suspicious traffic, we redirect it to a decoy endpoint, where we then allow the attacker to harmlessly submit data for further analysis.
As an example, consider an account takeover (ATO) attack, in which a malicious user is rolling through a script trying out thousands of usernames and passwords, perhaps scraped from some public breach of another website. When the realtime platform detects ATO behavior from a session, it can intercept the login requests and send them to an alternative backend endpoint, which is totally invisible to the attacker, while simultaneously returning an "Unauthorized" response to the attacker. This allows our customers to collect submitted credentials and notify their users that their accounts have been compromised, while making the attacker think that all their purchased credentials are invalid.
The Honeypot pattern can be used in a variety of ways, allowing for attacker identification, attack pattern recognition, and threat intelligence gathering. It is one of the most powerful tools in the Spec toolbox.
Step-up Challenges
Another common Mitigation is the Step-up Challenge. No, this is not a segment of a jazzercise class, but rather a heightening of security based on the presence of suspicious Session behavior.
For example, based on the presence of suspicious behavior, Spec can direct a login to an additional challenge, such as requiring a 2FA code, redirecting to an interstitial page requiring JavaScript proof-of-work to catch bots, or triggering a captcha. Since Sessions are evaluated on a sliding scale of risk level, we can tailor the challenge to the risk.
Of course, we can also invert these patterns to optimize the experience for known good sessions. A login by a trusted user in an expected Session context can be treated as safe, bypassing any increased security checks and smoothing out their experience.
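The following is an added illustration, not Spec's own code, of the Session, Label, Signature and Action pipeline described under Mitigation Process, applied to the Honeypot and Step-up examples above. The event fields, thresholds, label and signature names, and the decoy upstream path are all assumptions chosen for the example; the sample events are constructed.

```python
from collections import namedtuple
# Constructed sample records, not Spec data: one request per Event.
Event = namedtuple("Event", "session_id path username status")

def group_sessions(events):
    """Group events from the same user (here keyed by session_id) into a Session."""
    sessions = {}
    for e in events:
        sessions.setdefault(e.session_id, []).append(e)
    return sessions

def apply_labels(session):
    """Tag behavioural patterns in one Session; a single Label is not a verdict."""
    logins = [e for e in session if e.path == "/login"]
    labels = set()
    if sum(e.status == 401 for e in logins) >= 10:
        labels.add("many_failed_logins")
    if len({e.username for e in logins}) >= 5:
        labels.add("many_distinct_usernames")
    if len(logins) >= 20:
        labels.add("high_login_rate")
    return labels

# A Signature is a meta-label: the set of Labels that together indicate a pattern.
SIGNATURES = {"ato_credential_stuffing": {"many_failed_logins", "many_distinct_usernames"}}
def apply_signatures(labels):
    return {name for name, needed in SIGNATURES.items() if needed <= labels}

def choose_action(labels, signatures):
    """Pick the Action for this Session's next /login, tiered by confidence."""
    if "ato_credential_stuffing" in signatures:
        # Honeypot: forward to a decoy upstream the attacker never sees, answer 401.
        return {"action": "honeypot", "upstream": "/internal/decoy-login", "client_status": 401}
    if "high_login_rate" in labels:
        # Lower confidence: step-up challenge instead of a hard block.
        return {"action": "step_up", "challenge": "captcha"}
    return {"action": "allow", "upstream": "/login"}

def mitigate(events):
    """Full pipeline per Session: events -> Labels -> Signatures -> Action."""
    decisions = {}
    for sid, session in group_sessions(events).items():
        labels = apply_labels(session)
        decisions[sid] = choose_action(labels, apply_signatures(labels))
    return decisions

# Constructed sample: "bot" cycles 12 scraped usernames (all rejected), "busy" logs in 20 times, "alice" once.
SAMPLE = [Event("bot", "/login", f"user{i}@example.com", 401) for i in range(12)]
SAMPLE += [Event("busy", "/login", "bob@example.com", 200)] * 20
SAMPLE.append(Event("alice", "/login", "alice@example.com", 200))
```

Calling `mitigate(SAMPLE)` yields a honeypot decision for the credential-stuffing Session, a step-up challenge for the high-rate but otherwise clean Session, and a plain allow for the single login.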
Key Advantages
The Spec platform provides a number of major advantages over other solutions on the market. We provide transparent, inline protection: attackers don't even know we're there, but we still sit in front of your servers, providing a shield against malicious traffic.
Transparency
- No JavaScript integration: deployment of the Spec platform requires zero changes to the content of your site
- Invisible to attackers: from the outside, your traffic still looks like it's flowing straight to you
- No client-side detection: because there is no Spec-specific JS added to your site and no outbound requests to Spec, client-side attackers can't tell they're being watched
Protection
- They're attacking us, not you: inbound attacks hit us first, giving us the opportunity to mitigate before the malicious traffic ever reaches your servers
- Centralized defense: Spec provides a centralized point of defense for all inbound traffic, which lets us build a comprehensive profile of Session behavior across time
- Shared threat intelligence: we are constantly seeing new attacks across all of our customers, and we are able to bring learnings from those attacks to your environment, providing proactive protection.