When Achieving Deadpool Status Is a Good Thing

It means attackers have been met with sufficient resistance that it's no longer worth their trouble and have moved on

Jason Kent, Hacker in Residence, Cequence Security

May 6, 2020

5 Min Read

In comic books, hero Wade Wilson realizes he has landed on the "Deadpool" list and may never get off because of his continual healing properties. When we think about the cat-and-mouse game played between bad actors and security practitioners, achieving Deadpool status can be viewed as a good thing because it means attackers have found more attractive targets.

Bad actors regularly target products and services of value with automated attacks as a means of committing theft or fraud as the end goal. An automated attack (i.e., account takeover, fake account creation, etc.) is typically well-planned, with bad actors doing their homework to prepare and execute the attack. Let's go through the steps a bad actor may follow using the commercial tools available, to understand better how a security practitioner can stop the attack and achieve Deadpool status.  

It's no secret that streaming services are one of the top targets for automated attacks – apparently no one wants to pay for these services anymore. So, when Disney+ launched, it was inevitable that it would be targeted by attackers and they would soon understand what sort of security precautions would be taken to prevent automated attacks. Disney, with a huge budget, will obviously protect their users with airtight security. 

The first step attackers will likely take is to understand normal behavior by signing up for a legitimate account. Boring, right? Not really, when the success of an attack is based on knowing what is going to happen in normal behavior. Attackers take copious notes; they may record several transactions and perform tests like putting in the wrong password, putting in the wrong username, changing parts of the login to make error messages show up. The goal is reconnaissance. In the epic search for Francis (the evil villain who created Deadpool), the occasional enforcer must be defeated; let's just hope the intended victims are carrying their ammo bags.

Rather than starting from scratch, bad actors will turn to forums and the hacker community to find predefined tools that will help simplify attacks against popular products and services, enabling password resets for account takeovers, to uncover personal user information for later use, or to just use the service for free. 

Finding these commercially available tools is simple, if the tool name is known; for Sentry.MBA or SNIPR, for example, you can use a search engine to find it. They are commercially available, typically only accept bitcoin, and are community supported, allowing bad actors to modify them based on the recon work done on the attack target. For example, it might be possible to get information about how to defeat Disney's CAPTCHA, or you might learn that someone has already automated some part of the attack that can be used as part of the tool configuration. 

If this site is popular, there is likely a group of configs already available to set up the tools. Though the config might not do exactly what the attacker wants, it's easy to copy the parts needed and supplement with whatever is missing in the configuration's functionality. Over time, the best configs become part of the base tool. The base configuration list in the tools is the result of multiple people collaborating and making the tool better and better. Going back to the Deadpool analogy, it's akin to the process Francis was going through as he continually tested his victims.

There are numerous, readily available streaming service attack tool kits with predefined configurations that could likely be modified for a Disney+ attack. What the configurations typically show is that there is a common framework to build these attack engines, and a common configuration mechanism allowing for collaborative development of configurations. Anyone can participate making the configurations better over time, or they can be fixed quickly to respond to the company making changes to their applications. 

After the security team realizes it's being attacked and begins preventative measures, the predefined configuration will be changed by the attack toolkit community. In some cases, the changes to the attack configuration toolkit have been made in as little as two hours to overcome the new preventative measures. As fast as the defenders can work, the attackers work as well. Effective prevention is definitely possible but requires a solution with the intelligence and automation necessary to adjust to the attacks as they come in and are modified. When these adjustments are successful, the attackers cannot defeat the new security mechanisms and are stumped as to what to do.


Welcome to the Deadpool. When the attack tool configurations stop working altogether, either because the attack endpoints change or the defense strategies are all working, the config ends up listed as a DEAD configuration until the config is updated and working again or will stay this way if it never works again.

Will the config maintain Deadpool status? Not likely. Just like Wade's immune system began defeating his cancer, defenders must constantly adjust to the next creative attacker that improves the config. Luckily, the cancer of attacks is playing catchup once it has been put down; each subsequent attack must increase in sophistication. Calling in the Colossus when things get more difficult isn't always an option. The attackers use their collaboration superpowers , and organizations need to maintain vigilance by any means necessary to maintain Deadpool status.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Election Security in the Age of Social Distancing."

About the Author(s)

Jason Kent

Hacker in Residence, Cequence Security

For over the last 20 years, Jason has been ethically peering into client behavior, wireless networks, web applications, APIs, and cloud systems, helping organizations secure their assets and intellectual property from unauthorized access.  As a consultant he's taken hundreds of organizations through difficult compliance mine fields, ensuring their safety.  As a researcher he's found flaws in consumer IoT systems and assisted in hardening them against external attacks.  At Cequence Security, Jason does research, community outreach, and supports efforts in identifying automated attacks against web, mobile, and API-based applications to keep Cequence's customers safe.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights