Attackers often use sophisticated bots to conduct password spraying or credential stuffing in account takeover (ATO) attacks. With credential stuffing, credentials obtained from one service are used to access another service. In a password-spraying attack, the attacker/bot tries to gain access to a service by guessing the credentials repeatedly, in a short period of time.

In this blog post, we’ll look at how ATO attacks happen and how Citrix Application Delivery Management (ADM) service, with its advanced machine learning (ML) algorithms, can detect and prevent these attacks.

Protecting Application Login Pages Against ATO Attacks

Citrix ADC is uniquely positioned to protect the apps it fronts because it has a view of authentication successes and failures for app login pages. We send this data to the Citrix ADM service, where we run ML models on it to distinguish between legitimate login attempts and ATO attacks. Check out my blog post on how we detect content scraping violations.

Let’s consider an example involving an educational institution where students can log in to a web app to access information such as their attendance and grades. They can access the app, which also contains their personal information, via the internet by logging in with their student credentials. Because this is a public-facing login page, it can be vulnerable to ATO attacks. This isn’t a vulnerability you can patch, but rather a legitimate business use case attackers abuse using bots.

In this case, when there’s an ATO attack attempt, application and SecOps admins will see violation events on the Citrix ADM service and can take actions like dropping or rate limiting connections and provisioning a CAPTCHA page with Citrix ADC’s bot management capabilities. They can also see ATO violations through the revamped security violations page in Citrix ADM service, which has a violation view with an “app-first” focus.

To view security violations in the Citrix ADM service, just click on Analytics → Security → Security Violations. Select the application you want to view, then select the Bot Violation tab. You can also view the violations under the All Violations tab, under Security Violations.

Upon selecting an Account Take Over violation, you can view:

  • The affected application
  • The graph indicating all violations
  • The violation occurrence time
  • The detection message for the violation, indicating total unusual failed login activity, successful logins, and failed logins
  • The bad bot IP address (You can click to view details such as time, IP address, total successful logins, total failed logins, and total requests made from that IP address.)

Account takeover detection on Citrix ADM service

The ability to protect against ATO attacks is also available for Citrix Gateway login pages. An on-prem solution that’s included with Citrix ADC licenses, Citrix Gateway provides unified access to Citrix Virtual Desktop infrastructure, web apps, and enterprise apps from any device. Citrix Gateway has rich authentication and device posture check capabilities, ensuring secure access to corporate networks. IT admins can view ATO attack attempts and violations on the Security Violations page in the Citrix ADM service.

The timeline graph below shows successful and failed logins over time. Whenever the ratio of failed to successful logins breaches the expected baseline, we identify it as a violation and mark it with a red dot in the timeline graph.

Account takeover for Citrix Gateway detection on Citrix ADM service

Admins can drill down further on each dot and get details on the client IP address, the number of successful and failed logins, and the total requests. They can also use Citrix’s bot management solution to take actions such as dropping connections, rate limiting, configuring CAPTCHAs, and more.
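To make the detection idea concrete, here is an added example (not Citrix ADM or Citrix ADC code) that buckets constructed login events per client IP and time window and flags buckets whose failed-login share breaches a fixed expected ratio; the fixed ratio and the minimum request count stand in for the per-application baseline that the ML model learns, and are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (timestamp, client IP, outcome). These are
# invented for the example and are not records from Citrix ADM or Citrix ADC.
_base = datetime(2024, 1, 10, 9, 0, 0)
SAMPLE_EVENTS = [
    # A legitimate student: one typo, then successful logins spread over the hour.
    (_base + timedelta(minutes=1), "198.51.100.4", "fail"),
    (_base + timedelta(minutes=2), "198.51.100.4", "success"),
    (_base + timedelta(minutes=40), "198.51.100.4", "success"),
] + [
    # A credential-stuffing bot: 18 failures and 2 successes inside four minutes.
    (_base + timedelta(seconds=10 * i), "203.0.113.7",
     "success" if i in (7, 15) else "fail")
    for i in range(20)
]


def bucket_logins(events, window_seconds=300):
    """Group events into (window_start, ip) -> {"success": n, "fail": n}."""
    buckets = defaultdict(lambda: {"success": 0, "fail": 0})
    for ts, ip, outcome in events:
        secs = ts.hour * 3600 + ts.minute * 60 + ts.second
        midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
        window_start = midnight + timedelta(seconds=secs - secs % window_seconds)
        buckets[(window_start, ip)][outcome] += 1
    return buckets


def detect_ato_violations(events, window_seconds=300,
                          expected_fail_ratio=0.3, min_requests=10):
    """Flag buckets whose failed-login share exceeds the expected ratio.

    expected_fail_ratio is a hypothetical fixed baseline; min_requests keeps a
    single user who mistyped a password from being flagged as an attack.
    """
    violations = []
    for (window_start, ip), c in sorted(bucket_logins(events, window_seconds).items()):
        total = c["success"] + c["fail"]
        if total >= min_requests and c["fail"] / total > expected_fail_ratio:
            violations.append({"time": window_start.isoformat(), "ip": ip,
                               "successful_logins": c["success"],
                               "failed_logins": c["fail"],
                               "total_requests": total})
    return violations


if __name__ == "__main__":
    for v in detect_ato_violations(SAMPLE_EVENTS):
        print(f"ATO violation at {v['time']} from {v['ip']}: {v['failed_logins']} failed, "
              f"{v['successful_logins']} successful, {v['total_requests']} requests")
```

Lowering min_requests to 1 also flags the legitimate user's single typo, which is why a volume floor (or a learned baseline) matters alongside the ratio.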

Learn More

Learn more about bot management in our Citrix ADC product documentation and look for future updates as we enhance our application security analytics and use machine learning to help you identify and protect against sophisticated attacks.

Please note, all application security use cases, including web app firewall, bot, and API security, are available with a Premium license on Citrix ADC.

Contact a Citrix sales expert if you have questions, comments, or feedback, or share them in the comments below. You can also learn more in our product documentation.