Page 300 - Cyber Defense eMagazine September 2025

               •  IAM can enforce strong authentication, but attackers now use AI-assisted phishing and MFA-fatigue tactics to get past MFA prompts.
               •  IAM can centralize identities, but APIs and shadow apps that sit outside it remain exposed.
               •  IAM provides audit logs, but AI-driven bots generate noise that reads like legitimate human activity in those logs.

            The painful reality is that IAM is reactive. Stopping credential stuffing requires layered defenses and
            proactive detection on top of it.



            How AI Enhances Credential Stuffing

            Attackers weaponize AI in the following ways:

               1.  Behavioral Mimicry: By recording real user sessions, attackers train machine learning models so
                   that their bots imitate mouse movement, typing rhythm, and geolocation switching.
               2.  Adaptive Learning: Bots learn from failed login attempts; if IPs are blocked they reroute through
                   residential proxies, and if MFA is enabled on an account they move on to other accounts.
               3.  Password Mutation: Generative models expand each stolen password into dozens of variants
                   ("Summer2023!" → "$umm3r2023!!").
               4.  CAPTCHA Bypass: Computer vision and LLM-powered solvers break most CAPTCHAs at scale.
               5.  API Abuse: Bots bypass web-tier defenses by hitting login APIs directly.
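            The password-mutation step above is easy to reproduce with plain rules, and the same generator is useful on
            the defensive side: when a user chooses a new password after a breach notification, check that it is not just
            a trivial variant of the one that leaked. The following is an added example, not code from the article; the
            substitution table, year bumping and suffix list are assumed to approximate what attackers' mutation tooling
            does, and the breached password is a constructed sample.

```python
import itertools
import re

# Leet substitutions that mutation tooling commonly applies (assumed subset; the
# article gives only the "Summer2023!" -> "$umm3r2023!!" instance).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}
# Common suffix appends (assumed); "" keeps the unmodified form.
SUFFIXES = ["", "!", "!!", "1", "123"]
YEAR_RE = re.compile(r"(19|20)\d{2}")


def case_variants(word):
    """Trivial case changes a user (or bot) tries first."""
    return {word, word.lower(), word.upper(), word.capitalize()}


def year_variants(word, spread=2):
    """Bump any 4-digit year by -spread..+spread (attackers 'refresh' old dumps)."""
    out = {word}
    for m in YEAR_RE.finditer(word):
        year = int(m.group())
        for delta in range(-spread, spread + 1):
            out.add(word[: m.start()] + str(year + delta) + word[m.end() :])
    return out


def leet_variants(word, max_subs=2):
    """word plus every variant with up to max_subs leet substitutions."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    out = {word}
    for n in range(1, max_subs + 1):
        for combo in itertools.combinations(positions, n):
            chars = list(word)
            for i in combo:
                chars[i] = LEET[chars[i].lower()]
            out.add("".join(chars))
    return out


def mutations(breached):
    """All variants of a breached password an automated attacker would try first."""
    out = set()
    for c in case_variants(breached):
        for y in year_variants(c):
            for l in leet_variants(y):
                for s in SUFFIXES:
                    out.add(l + s)
    return out


def is_mutation(candidate, breached):
    """True if `candidate` is a trivial mutation of `breached` (reject it on reset)."""
    return candidate in mutations(breached)


if __name__ == "__main__":
    # Constructed sample: a password seen in a (hypothetical) breach dump.
    leaked = "Summer2023!"
    for pw in ["$umm3r2023!!", "Summer2024!", "Tr0ub4dor&3"]:
        print(pw, "->", "REJECT (mutation of leaked)" if is_mutation(pw, leaked) else "ok")
```

            Wire `is_mutation` into the password-reset path alongside the usual breached-password lookup: the lookup
            catches exact reuse, this catches the "$umm3r2023!!" class of reset that a feed-driven forced reset otherwise
            leaves open.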

            Case Study: A financial services company found that attackers were using reinforcement-learning bots
            that modified their login attempts in real time to evade fraud detection. It took six months and a new bot
            defense solution before the attack was brought under control.




            Developing a Defense Outside of IAM

            1. Credential Intelligence Feeds

               •  Subscribe to threat intelligence feeds that monitor dark web credential dumps and alert when your
                   users' credentials appear in them.
               •  For instance, businesses that used such feeds proactively reset exposed accounts following the
                   LinkedIn leak.

            2. AI-Powered Bot Detection


               •  Run anomaly detection at the edge (WAF/CDN) on behavioral signals such as device fingerprint,
                   request velocity, and mouse movement entropy.
               •  Best practice: combine vendor solutions (such as PerimeterX and Akamai Bot Manager) with in-house
                   tuning for your own traffic.
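            The edge signals listed above can be scored in a few lines, and the score is exactly what a risk-based
            authentication policy (the subject of the next item) consumes. The following added example is not the
            article's or any vendor's code: it groups constructed sample login events by device fingerprint, derives
            distinct-username count, velocity, failure ratio and mean mouse entropy, and maps a simple additive risk score
            to allow / challenge / block. The field names, thresholds and weights are assumptions for illustration. Keying
            on fingerprint rather than IP is deliberate, since the residential-proxy rotation described earlier spreads one
            bot campaign across many source addresses.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample login events (not taken from the article). Assumed fields:
# ts, ip, fp (device fingerprint hash), user, result, mouse_entropy (bits of
# entropy in the pointer path before submit; near zero means scripted input).
# f1 is a stuffing bot rotating through five residential proxy IPs; f2 is a
# normal user who mistyped once; f3 is a shared household device.
SAMPLE_LOG = """\
{"ts":"2025-09-01T10:00:00Z","ip":"203.0.113.5","fp":"f1","user":"alice","result":"fail","mouse_entropy":0.1}
{"ts":"2025-09-01T10:00:01Z","ip":"203.0.113.6","fp":"f1","user":"bob","result":"fail","mouse_entropy":0.1}
{"ts":"2025-09-01T10:00:02Z","ip":"203.0.113.7","fp":"f1","user":"carol","result":"fail","mouse_entropy":0.0}
{"ts":"2025-09-01T10:00:03Z","ip":"203.0.113.8","fp":"f1","user":"dave","result":"success","mouse_entropy":0.1}
{"ts":"2025-09-01T10:00:04Z","ip":"203.0.113.9","fp":"f1","user":"erin","result":"fail","mouse_entropy":0.2}
{"ts":"2025-09-01T10:05:00Z","ip":"198.51.100.9","fp":"f2","user":"frank","result":"fail","mouse_entropy":3.4}
{"ts":"2025-09-01T10:05:30Z","ip":"198.51.100.9","fp":"f2","user":"frank","result":"success","mouse_entropy":3.1}
{"ts":"2025-09-01T10:10:00Z","ip":"192.0.2.20","fp":"f3","user":"gina","result":"fail","mouse_entropy":2.0}
{"ts":"2025-09-01T10:10:20Z","ip":"192.0.2.20","fp":"f3","user":"gina","result":"fail","mouse_entropy":1.8}
{"ts":"2025-09-01T10:10:40Z","ip":"192.0.2.20","fp":"f3","user":"hank","result":"success","mouse_entropy":2.5}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def session_features(events, key="fp"):
    """Per-key behavioral features over all events for that key."""
    groups = defaultdict(list)
    for e in events:
        groups[e[key]].append(e)
    feats = {}
    for k, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        # Floor the span at one minute so a burst of N attempts scores N/min.
        span_min = max((evs[-1]["ts"] - evs[0]["ts"]).total_seconds() / 60, 1.0)
        fails = sum(1 for e in evs if e["result"] == "fail")
        feats[k] = {
            "attempts": len(evs),
            "distinct_users": len({e["user"] for e in evs}),
            "velocity": len(evs) / span_min,  # attempts per minute
            "fail_ratio": fails / len(evs),
            "mean_entropy": sum(e["mouse_entropy"] for e in evs) / len(evs),
        }
    return feats


def risk_score(f):
    """Additive score; weights are assumed, tune them against your own traffic."""
    score = 0
    if f["distinct_users"] >= 3:   # many usernames from one device = list replay
        score += 40
    if f["velocity"] >= 3:         # faster than a human types credentials
        score += 20
    if f["fail_ratio"] >= 0.6:     # stuffing mostly fails
        score += 20
    if f["mean_entropy"] < 0.5:    # no real pointer movement before submit
        score += 20
    return score


def decide(score):
    """Risk-based policy: step-up MFA only when the signals warrant it."""
    if score >= 60:
        return "block"
    if score >= 30:
        return "challenge"   # require MFA / step-up for this session
    return "allow"


def classify(text, key="fp"):
    """Map each key to (score, action) for the events in `text`."""
    feats = session_features(parse_events(text), key)
    return {k: (risk_score(f), decide(risk_score(f))) for k, f in feats.items()}


if __name__ == "__main__":
    for k, (score, action) in classify(SAMPLE_LOG).items():
        print(f"{k}: score={score} action={action}")
```

            Run the same sample keyed on `ip` instead of `fp` and the bot's five proxy addresses each look like a single
            failed login, scoring at most "challenge" rather than "block"; that difference is why device fingerprinting
            belongs in the feature set next to velocity.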

            3. Adaptive Authentication

               •  Retire static, always-on MFA in favor of risk-based policies:





            Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.