Dark Reading is part of the Informa Tech Division of Informa PLC



02:00 PM
Jason Kent

When Achieving Deadpool Status Is a Good Thing

It means attackers have been met with sufficient resistance that it's no longer worth their trouble and have moved on

In comic books, hero Wade Wilson realizes he has landed on the "Deadpool" list and may never get off because of his continual healing properties. When we think about the cat-and-mouse game played between bad actors and security practitioners, achieving Deadpool status can be viewed as a good thing because it means attackers have found more attractive targets.

Bad actors regularly target products and services of value with automated attacks, with theft or fraud as the end goal. An automated attack (e.g., account takeover or fake account creation) is typically well planned, with bad actors doing their homework to prepare and execute the attack. Let's go through the steps a bad actor may follow using the commercial tools available, to better understand how a security practitioner can stop the attack and achieve Deadpool status.

It's no secret that streaming services are one of the top targets for automated attacks – apparently no one wants to pay for these services anymore. So, when Disney+ launched, it was inevitable that it would be targeted by attackers and they would soon understand what sort of security precautions would be taken to prevent automated attacks. Disney, with a huge budget, will obviously protect their users with airtight security. 

The first step attackers will likely take is to understand normal behavior by signing up for a legitimate account. Boring, right? Not really, when the success of an attack is based on knowing what is going to happen in normal behavior. Attackers take copious notes; they may record several transactions and perform tests like putting in the wrong password, putting in the wrong username, changing parts of the login to make error messages show up. The goal is reconnaissance. In the epic search for Francis (the evil villain who created Deadpool), the occasional enforcer must be defeated; let's just hope the intended victims are carrying their ammo bags.

Rather than starting from scratch, bad actors will turn to forums and the hacker community to find predefined tools that simplify attacks against popular products and services, whether the aim is to enable password resets for account takeovers, to uncover personal user information for later use, or just to use the service for free.

Finding these commercially available tools is simple, if the tool name is known; for Sentry.MBA or SNIPR, for example, you can use a search engine to find it. They are commercially available, typically only accept bitcoin, and are community supported, allowing bad actors to modify them based on the recon work done on the attack target. For example, it might be possible to get information about how to defeat Disney's CAPTCHA, or you might learn that someone has already automated some part of the attack that can be used as part of the tool configuration. 

If this site is popular, there is likely a group of configs already available to set up the tools. Though the config might not do exactly what the attacker wants, it's easy to copy the parts needed and supplement with whatever is missing in the configuration's functionality. Over time, the best configs become part of the base tool. The base configuration list in the tools is the result of multiple people collaborating and making the tool better and better. Going back to the Deadpool analogy, it's akin to the process Francis was going through as he continually tested his victims.

There are numerous, readily available streaming service attack tool kits with predefined configurations that could likely be modified for a Disney+ attack. What the configurations typically show is that there is a common framework for building these attack engines, and a common configuration mechanism that allows for collaborative development of configurations. Anyone can participate in making the configurations better over time, and they can be fixed quickly in response to the company making changes to its applications.

After the security team realizes it's being attacked and begins preventative measures, the predefined configuration will be changed by the attack toolkit community. In some cases, the changes to the attack configuration toolkit have been made in as little as two hours to overcome the new preventative measures. As fast as the defenders can work, the attackers work as well. Effective prevention is definitely possible but requires a solution with the intelligence and automation necessary to adjust to the attacks as they come in and are modified. When these adjustments are successful, the attackers cannot defeat the new security mechanisms and are stumped as to what to do.
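One way a defender can notice the automated login traffic described above, shown as an added example that is not part of the original article: a sliding-window check over login events that flags a source trying many distinct usernames with a high failure ratio. The event format, thresholds, function names and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2020, 7, 1, 14, 0, 0)  # arbitrary start time for the sample


def build_sample_events():
    """Constructed login events: (timestamp, source_ip, username, success)."""
    events = [
        # A legitimate user who mistypes a password once, then logs in.
        (T0, "198.51.100.7", "alice", False),
        (T0 + timedelta(seconds=20), "198.51.100.7", "alice", True),
    ]
    # One source cycling through 12 different usernames, 5 seconds apart,
    # with a single successful login among the failures.
    for i in range(12):
        events.append((T0 + timedelta(seconds=5 * i), "203.0.113.50",
                       f"user{i:02d}", i == 7))
    return events


def flag_automated_sources(events, window=timedelta(minutes=5),
                           min_distinct_users=10, min_failure_ratio=0.8):
    """Return {source_ip: time it first crossed both thresholds}."""
    recent = defaultdict(deque)  # ip -> events still inside the window
    flagged = {}
    for ts, ip, user, ok in sorted(events):
        q = recent[ip]
        q.append((ts, user, ok))
        # Drop events that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct_users = {u for _, u, _ in q}
        failures = sum(1 for _, _, success in q if not success)
        # Many usernames alone can be a shared NAT; require failures too.
        if (ip not in flagged
                and len(distinct_users) >= min_distinct_users
                and failures / len(q) >= min_failure_ratio):
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in flag_automated_sources(build_sample_events()).items():
        print(f"{ip} flagged at {when.isoformat()}")
```

Requiring both conditions keeps a busy shared address with many successful logins from being flagged, while a single user's typo never reaches the username threshold.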

Welcome to the Deadpool. When the attack tool configurations stop working altogether, either because the attack endpoints change or because the defense strategies are all working, the config ends up listed as a DEAD configuration. It stays that way until the config is updated and working again, or permanently if it never works again.

Will the config maintain Deadpool status? Not likely. Just like Wade's immune system began defeating his cancer, defenders must constantly adjust to the next creative attacker that improves the config. Luckily, the cancer of attacks is playing catch-up once it has been put down; each subsequent attack must increase in sophistication. Calling in the Colossus when things get more difficult isn't always an option. The attackers use their collaboration superpowers, and organizations need to maintain vigilance by any means necessary to maintain Deadpool status.


For over the last 20 years, Jason has been ethically peering into client behavior, wireless networks, web applications, APIs, and cloud systems, helping organizations secure their assets and intellectual property from unauthorized access. As a consultant he's taken ...
