Detecting human hackers in your app with Sqreen

If you’re a developer, a CTO or a DevOps engineer, how can you identify attackers in your user base before they exploit a vulnerability in your application?
As soon as you connect a server to the Internet, it is instantly scanned by a dozen security bots. The chances of being breached by them are pretty low. Your Rails, Node or Python application is likely not at risk from automated security scanners looking for vulnerabilities in WordPress, right?

As discussed in our previous post about attack surface, the most important threats – those you should carefully monitor – are triggered by skilled and motivated attackers.

Signs an attacker is in your application

Let’s see how you can easily identify (human) attackers digging into your app with Sqreen.

Fingerprinting your application

The scenario of a targeted attack is pretty standard. A (human) attacker usually starts by creating a user account on your application. Before going further manually, the good practice is to perform an authenticated security scan to discover the different endpoints, gain initial insight into potential weaknesses and gather other information. This phase is called fingerprinting.

Authenticated Security Scan in Sqreen

This activity is detected by Sqreen with the corresponding user account performing the scan.

Generating security errors in your application

The next step consists of performing manual investigations to locate unexpected behaviors in your application. This step will generate specific errors (e.g. exceptions) and logs in your application.

Exploiting the vulnerability

Authenticated XSS attack in Sqreen

Finally, when the vulnerability is identified, an attacker will try to exploit it. Sqreen will block the attack immediately and notify the users via Slack or email.

Other signs of malicious activity

Known Attackers

Sqreen leverages the collective intelligence gathered across all its clients to flag known attackers / IPs. It doesn’t mean that a real hacker is necessarily behind that IP. But it’s an additional sign that can help you identify real hackers before it’s too late.

Connecting via Tor

Authenticated Connection from TOR

In a blog post about Tor, we described how attackers often use the Tor network to hide their identity and perform attacks on an application. Sqreen will identify user accounts with suspicious behaviors, such as those connecting from Tor.
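
The signals above only become actionable once they are tied to the authenticated account that produced them. The following is an added example, not Sqreen's implementation: it groups constructed request events by user and reports which of the signs described above each account shows. The event field names, the thresholds and the two IP sets are assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real logs). The application is assumed to
# record the authenticated user, path, status, exception name and client IP.
EVENTS = (
    [{"user": "alice", "path": p, "status": 200, "exc": None, "ip": "198.51.100.7"}
     for p in ("/dashboard", "/profile", "/invoices")]
    + [{"user": "mallory", "path": f"/admin/{n}", "status": 404, "exc": None,
        "ip": "203.0.113.9"} for n in range(25)]
    + [{"user": "mallory", "path": "/search", "status": 500,
        "exc": "SQLSyntaxError", "ip": "203.0.113.9"}] * 3
    + [{"user": "bob", "path": "/profile", "status": 200, "exc": None, "ip": "192.0.2.44"}]
)
TOR_EXITS = {"192.0.2.44"}    # placeholder for a Tor exit-node list you maintain
KNOWN_BAD = {"203.0.113.9"}   # placeholder for a shared attacker-IP feed

def account_signals(events, tor_exits, known_bad,
                    min_paths=20, min_miss_ratio=0.5, min_exceptions=3):
    """Return {user: [signal, ...]} for accounts showing at least one signal."""
    stats = defaultdict(lambda: {"paths": set(), "miss": 0, "total": 0,
                                 "exc": 0, "ips": set()})
    for e in events:
        s = stats[e["user"]]
        s["paths"].add(e["path"])
        s["total"] += 1
        s["miss"] += e["status"] in (403, 404)   # probing for endpoints
        s["exc"] += e["exc"] is not None         # errors raised by odd input
        s["ips"].add(e["ip"])
    report = {}
    for user, s in stats.items():
        signals = []
        # Fingerprinting: many distinct endpoints, mostly missing or forbidden.
        if len(s["paths"]) >= min_paths and s["miss"] / s["total"] >= min_miss_ratio:
            signals.append("scan")
        if s["exc"] >= min_exceptions:
            signals.append("security_errors")
        if s["ips"] & known_bad:
            signals.append("known_attacker_ip")
        if s["ips"] & tor_exits:
            signals.append("tor")
        if signals:
            report[user] = signals
    return report

if __name__ == "__main__":
    for user, signals in account_signals(EVENTS, TOR_EXITS, KNOWN_BAD).items():
        print(user, signals)
```

A single signal such as a Tor connection is weak on its own; several signals on the same account are what justify a closer look.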

Should you care?

When a skilled and motivated attacker is looking into your app to find vulnerabilities, you really want to react fast. Every signal counts to identify insider threats early and avoid a breach.

Keep your app protected with Sqreen!


Image credits © Classic Media Distribution Limited