Jason Kent
When Achieving Deadpool Status Is a Good Thing

It means attackers have met sufficient resistance that the target is no longer worth their trouble, and they have moved on.

In comic books, hero Wade Wilson realizes he has landed on the "Deadpool" list and may never get off because of his continual healing properties. When we think about the cat-and-mouse game played between bad actors and security practitioners, achieving Deadpool status can be viewed as a good thing because it means attackers have found more attractive targets.

Bad actors regularly target products and services of value with automated attacks, with theft or fraud as the end goal. An automated attack (account takeover, fake account creation, etc.) is typically well planned, with bad actors doing their homework before they execute it. Let's go through the steps a bad actor may follow using the commercial tools available, to better understand how a security practitioner can stop the attack and achieve Deadpool status.

It's no secret that streaming services are one of the top targets for automated attacks; apparently no one wants to pay for these services anymore. So, when Disney+ launched, it was inevitable that it would be targeted, and that attackers would soon work out what security precautions had been taken to prevent automated attacks. Disney, with a huge budget, will obviously protect their users with airtight security.

The first step attackers will likely take is to understand normal behavior by signing up for a legitimate account. Boring, right? Not really, when the success of an attack is based on knowing what is going to happen in normal behavior. Attackers take copious notes; they may record several transactions and perform tests like putting in the wrong password, putting in the wrong username, changing parts of the login to make error messages show up. The goal is reconnaissance. In the epic search for Francis (the evil villain who created Deadpool), the occasional enforcer must be defeated; let's just hope the intended victims are carrying their ammo bags.

Rather than starting from scratch, bad actors will turn to forums and the hacker community to find predefined tools that simplify attacks against popular products and services: tools that enable password resets for account takeovers, uncover personal user information for later use, or simply let them use the service for free.

Finding these tools is simple if the tool name is known; for Sentry.MBA or SNIPR, for example, a search engine will turn them up. They are commercially available, typically accept only bitcoin, and are community supported, allowing bad actors to modify them based on the recon work done on the attack target. For example, it might be possible to get information about how to defeat Disney's CAPTCHA, or you might learn that someone has already automated some part of the attack that can be used as part of the tool configuration.

If this site is popular, there is likely a group of configs already available to set up the tools. Though the config might not do exactly what the attacker wants, it's easy to copy the parts needed and supplement with whatever is missing in the configuration's functionality. Over time, the best configs become part of the base tool. The base configuration list in the tools is the result of multiple people collaborating and making the tool better and better. Going back to the Deadpool analogy, it's akin to the process Francis was going through as he continually tested his victims.

There are numerous, readily available streaming service attack tool kits with predefined configurations that could likely be modified for a Disney+ attack. What the configurations typically show is that there is a common framework for building these attack engines, and a common configuration mechanism that allows collaborative development of configurations. Anyone can participate in making the configurations better over time, and they can be fixed quickly in response to the company making changes to its applications.

After the security team realizes it's being attacked and begins preventative measures, the predefined configuration will be changed by the attack toolkit community. In some cases, the changes to the attack configuration have been made in as little as two hours to overcome the new preventative measures. The attackers work as fast as the defenders do. Effective prevention is definitely possible but requires a solution with the intelligence and automation necessary to adjust to the attacks as they come in and are modified. When these adjustments are successful, the attackers cannot defeat the new security mechanisms and are stumped as to what to do.

Welcome to the Deadpool. When the attack tool configurations stop working altogether, either because the attack endpoints change or because the defense strategies are all working, the config ends up listed as a DEAD configuration. It stays that way until someone updates it and gets it working again, or permanently if no one ever does.

Will the config maintain Deadpool status? Not likely. Just like Wade's immune system began defeating his cancer, defenders must constantly adjust to the next creative attacker who improves the config. Luckily, the cancer of attacks is playing catchup once it has been put down; each subsequent attack must increase in sophistication. Calling in the Colossus when things get more difficult isn't always an option. The attackers use their collaboration superpowers, and organizations need to maintain vigilance by any means necessary to maintain Deadpool status.


For over the last 20 years, Jason has been ethically peering into client behavior, wireless networks, web applications, APIs, and cloud systems, helping organizations secure their assets and intellectual property from unauthorized access. As a consultant he's taken ...
