A penny per visit adds up real fast: designing effective defenses against an adversary that makes more money than your entire company does

Michael Tiffany
White Ops

Ad fraud yields a higher lifetime value per infection than anything else you can do with a botnet. As a result, top tier operators have gone to extraordinary lengths to make bots as lifelike as possible to evade detection. In this talk, we will review:

• The state of the art in bot behavior, evasion, and anti-forensics. Hint: the adversary can use machine learning, too, and they have lots of real people to clone, emulate, or train off of
• Why even well-studied malware families like Kovter are still alive and kicking
• Breakthrough techniques in running an arms race against an adversary you must model as at least as smart as you and almost certainly better resourced than you
• Deception and strategic indeterminacy: Getting inside the OODA loop of an adaptive adversary by denying immediate success/fail feedback
• Corollary: put security through obscurity back in your playbook
• Cui bono? Playable moves when you can detect an adversary, they can’t tell they’ve been detected, and you can see which bank accounts benefit from what they attempted

References

• The Methbot Operation (2016)
• The Business of Hacking (2016)

Presenter

• How Pseudonymous Reputation and the Dark Web Have Made Cybercrime Easier Than Ever (2018)
• Ads.txt: a simple, elegant solution to the insidious problem of domain spoofing (2018)

Related

• OODA Loop
• Obscurity is a Valid Security Layer (2009)
• Obfuscation in Deployed Systems (2018)