CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a standard security measure to protect IT systems from bots and other automated attacks. It presents a challenge to the end-user which cannot be solved by computers and distinguishes a genuine human from a computer by checking if the answer is correct or not. Its existence discourages the adversary to execute simple brute-force and dictionary attacks but also deteriorates user experience at the same time.
Unlike CAPTCHA, Verimatrix envisions a ‘friendly security design’ through its Extended Threat Defense (XTD) product line. Verimatrix XTD equips the mobile apps with smart sensing and actuating capabilities against security threats. Mobile apps can autonomously detect the threat and contain adversaries instantly without interrupting the ordinary users, who certainly make up the vast majority. This way XTD transforms the traditional passive threat defense strategies to a proactive one.
Adi Shamir’s famous third law of security states that cryptography is typically bypassed, not penetrated. In line with his rule, there are websites which turn people in low-income regions into real-time low-cost CAPTCHA solvers and advertise this service online. If an adversary has the motivation to pay a small fee and tackle the CAPTCHA obstacle, an off-the-shelf solution is already available. This is a good example to show how clever and organized attackers could be and how passive defense strategies are usually defeated.
XTD relies on the fact that an adversary cannot hide all the traces while imitating the ordinary user like Bob from the human resources or Alice from the finance department. Continuous monitoring and assessment of the mobile device and app status gather invaluable intelligence to identify the threat actor which significantly varies from a script kiddie to criminal groups backed by rogue states. Many known adversary techniques (e.g. Root/Jailbreak, Debugging, Hooking, Tampering) are detected by XTD and it can shed light on unknown exploits in the wild. XTD fulfills the MITRE ATT&CK mobile mitigation techniques Attestation and Deploy Compromised Device Detection Method.
Another notable design consideration of XTD is being able to integrate it into the customers’ product ecosystems with minimal effort. This is a key factor for a security solution to be vastly adopted and plays a significant role in our friendly security approach. For instance, our zero-code technology embeds the App Shield security solution for Android and iOS apps. It means you can transfer our security expertise into your mobile apps and establish an alliance against various threat actors within minutes.
Recently at the Apple Worldwide Developer Conference 2022, Apple announced a new security feature called Private Access Token (PAT) which is going to replace the existing not-so-user-friendly CAPTCHA checks. This new approach is based on an assessment of the user device and account, and it is completely transparent to the end-user. XTD has been built upon similar principles, but it goes deeper to solve a complicated problem of active defense than only blocking bots.
Today, proactive threat defense is not just a nice-to-have, but it is rather a necessity considering the sophistication of the adversary, easy access to tools and complexity of the modern systems. Verimatrix Extended Threat Defense fills
