RSA ADVANCED FRAUD INTELLIGENCE

Transcription

1 RSA ADVANCED FRAUD INTELLIGENCE Service Description AT A GLANCE RSA s Advanced Fraud Intelligence is a service that provides organizations with the actionable intelligence they need to better understand and counteract today s cyber-fraud threats. The service can help organizations: Identify Threat Clusters across phishing and malware attacks Identify Threat Vectors - potential weaknesses in processes and procedures that are leveraged by fraudsters in their attacks Identify the criminals behind the attacks Carry out Targeted Research by leveraging RSA s team of experienced threat researchers and investigators RSA FRAUDACTION Cybercrime, fraud, and online attacks are becoming increasingly sophisticated every day. What is your plan to best mitigate the threats they pose to your organization? RSA FraudAction is a proven suite of services geared toward preventing and mitigating online threats. RSA FraudAction enables organizations to minimize resource investment while deploying an efficient solution quickly. FraudAction offers fraud protection from phishing, Trojan, and mobile rogue app attacks, with its intelligence service being the advanced choice for financial institutions and large organizations that provide web-based services and are therefore exposed to fraud through the online channel. In 2014, FraudAction Services have: Detected nearly 500,000 phishing attacks globally (~1 attack/minute) Analyzed over 20 billion malware samples (~400k/week) Recovered over 10 million actionable intelligence findings from the deep web RSA ADVANCED FRAUD INTELLIGENCE The online channel has never before experienced such a sophisticated and globallyintegrated technological crime network as it faces today. Cybercriminals have new tools at their disposal, and are becoming more adaptive than ever. Phishing continues to be one of the fastest growing types of online fraud. Each month, there are tens of thousands of unique phishing attacks targeting organizations of all types and sizes. And while financial institutions have traditionally been the primary focus, fraudsters are now waging attacks in other industries such as government, healthcare, retail, insurance, and education. Given the many channels that fraudsters use to carry out their attacks, gaining a wide-angle perspective on the threat has become a necessity. To do this, organizations must collect, consolidate and correlate threat data from many different sources a task that could prove to be extremely resource intensive. RSA s Advanced Fraud Intelligence (AFI) is a service that provides organizations with actionable intelligence that they need to better understand and counteract today s advanced cyber-fraud threats. AFI can help organizations: Identify Threat Clusters across phishing and malware attacks Identify Threat Vectors: potential weaknesses in processes and procedures that are being leveraged by fraudsters in their attacks Identify the criminals or groups behind the attacks AFI Service Description H14126

2 The service leverages various sources of intelligence, including forensic data from hundreds of thousands of online attacks (SIGINT), and from human intelligence (HUMINT) operations monitoring online forums within the criminal underground. These venues serve fraudsters as platforms and/or hubs for exchanging and sharing their criminal tools, including phishing kits know-how, trade craft, selling fraud-related services, and trading compromised information such as payment card and bank account details. Leveraging highlyskilled expertise and nearly a decade of knowledge of the fraud underground environments, the dedicated RSA team is very adept at maintaining a longstanding and watchful presence in the different cybercrime communities it monitors. The vast quantities of data amassed is then consolidated and correlated by the dedicated RSA team to provide unique insight into the criminal activities and the methods used to commit fraud. These insights are translated into a monthly ThreatTracker report one of our many service deliverables that tracks the different aspects of attacks targeting your organization. OUR INTELLIGENCE OPERATION RSA s team monitors the fraud underground to gather intelligence and deliver it to your organization. A dedicated RSA team (whose members have military experience and are multilingual), monitors cyber-criminal web forums, IRC chat rooms, Twitter feeds, open source intelligence (OSINT), and other communication channels. Often, direct encounters with the fraudsters lead to uncovering specific methods of operation, and reveal emerging fraud trends. The RSA team works to: Report on a wide range of underground services that facilitate identity-theft and cybercrime, and recognize emerging threats and fraud trends Identify cashout and cross-channel exploits targeting your organization(s) worldwide Uncover mule accounts and item drops Reveal underground stores selling compromised online banking and payment card accounts Enable coordination of sting operations to reveal the fraudster s infrastructure (including insiders) Collaborate with law enforcement agencies worldwide to provide intelligence conducive to investigations, and indictments of fraud perpetrators and their accomplices Leveraging RSA highly-skilled expertise and nearly a decade of knowledge about fraud and the fraudsters underground involvement, the RSA Team is very adept at maintaining a longstanding and watchful presence in the different cybercrime communities it monitors. One of the benefits of choosing RSA is the ability to leverage other RSA products for deeper fraud investigations. The efraudnetwork, VBV/MCSC registrations and transactions, and the 24/7 Anti-Fraud Command Center (AFCC) data repository are only a few of the RSA resources leveraged by our intelligence operation to offer unparalleled quality of service. AFI SERVICE DELIVERABLES The following are the deliverables provided by the Advanced Fraud Intelligence: THE THREATTRACKER REPORT A monthly report that provides a holistic and insightful view into the threat your organization faces, including attack clusters, threat vectors, and the actors behind the attacks. TARGETED INTELLIGENCE As findings are made that relate directly to your organization(s), notifications are immediately sent out to alert you to the threat, providing as much info and actionable intelligence as possible.

3 TARGETED DATA FEEDS Machine-readable intelligence feeds providing intelligence that may be directly associated with your organization. TARGETED RESEARCH With the continued strain placed on security teams, the ability to carry out research requests and investigations is limited. Targeted Research provides you with the ability to request research and investigations into different indicators - on demand. THE THREATTRACKER REPORT The ThreatTracker report provides a holistic and insightful view into the threat your organization faces by consolidating data gathered from our Phishing, malware, and cybercrime intelligence operations. The data is correlated and contextualized to deliver insight into three key areas: Threat Clusters With Phishing and malware attack volumes constantly rising (in 2014 the AFCC detected nearly 500,000 attacks worldwide, signifying an 11% increase over the previous year), it becomes increasingly difficult to assess the risk associated with each attack. Does each Phishing attack carry the same level of risk? Is a specific Trojan attack considered a more significant threat than another? With the increase in attack volumes, more noise is generated in the system and assessing risk becomes challenging. RSA AFI takes a holistic approach to assessing the threat (or risk) level by gathering and correlating data points from across the different attacks, identifying commonalities, and connecting attacks together based on numerous similarities and advanced corrolation algorithms into a Threat Cluster. The Threat Cluster represents an attack campaign targeting your organization. By clustering attacks together, we can better understand the severity of a single attack and of the entire cluster. The ThreatTracker report will provides insight into specific clusters, as well as graphs showing cluster trends over time. Figure 1. THREAT CLUSTER MAP A Threat Cluster map showing the relationships between different attacks and the actor behind them.

4 Threat Vectors After identifying the Threat Clusters, we further analyze each attack, and the entire cluster itself, to better understand the method(s) by which the threat actor will attempt to defraud your organization. By analyzing the data elements requested in phishing and malware attacks, and correlating them with our underground intelligence, we are able to indicate the probable vector (online banking, telephone/call center, ATM, etc.) the attacker will leverage to complete his attack. The ThreatTracker is a powerful tool that can allow your organization, at a glance, to better understand the threats they face, assess them, and plan mitigation steps accordingly. Furthermore, Threat Vectors will alert you to anomalous data elements requested in attacks, which can provide insight into new attack tactics being tested by fraudsters. Figure 2. THREAT VECTORS Analysis of Threat Vectors over time Threat Actors Through our detailed analysis of attacks, and by leveraging our human intelligence operations, we work to identify the actors behind the attacks targeting your organization. As we piece the evidence together, we create actor profiles and attribute attacks to specific attackers. Once identified, we continue to track and monitor the actor s activity, and report on any new findings we come across. The ThreatTracker is a powerful tool that can allow organizations, at a glance, to better understand the threats they face, assess them, and plan mitigation steps accordingly.

5 TARGETED INTELLIGENCE Beyond correlating data points collected from phishing and malware attacks targeting your organization, the RSA team continuously monitors cybercriminal communication chatter for specific mention of your organization and/or brands. Once such chatter is identified, we send out an alert, and depending on its severity and credibility, investigate further to provide you with as much information as possible on the threat. The alerts will provide classification information including severity and credibility as well as the targeted channel, geography, and indicators when they are available. Figure 3. CYBERCRIME FORUM POST A forum post discussing a compromised account within a specific financial institution TARGETED DATA FEEDS Targeted data feeds are structured intelligence feeds that your organization can leverage to prevent future fraud attempts as well as confirm past fraud incidents. The following feeds are offered: CC Feed: A daily report of compromised Credit/Debit card numbers traced in the underground CC Preview Feed: Contains previews of automated Credit Card stores Mule Feed: The Mule Feed is a list comprised of mule accounts recovered by the Intelligence team IP Feed: A daily report comprised of IP-addresses of interest, including IP addresses of proxies/socks, RDPs, open source proxies, bad IPs, and fraudster IPs - mostly found in cybercrime and fraudster-published lists Feed: Contains hacked accounts, spam lists, and proprietary corporate s Item Drop Feed: Contains physical mailing addresses used for the receipt of fraudulently purchased merchandise

6 TARGETED RESEARCH Targeted Research provides you with the ability to request cybercrime research or investigations - on demand. Whether it is an IP address, an actor s handle, or a specific Anonymous op, our team of experienced researchers will leverage proprietary technology to search a variety of data sources for further intelligence. We can also maintain an active monitor that will send an alert whenever a finding is made. SUMMARY Today s landscape requires a much wider view of the threat facing your organization. Being able to collect and correlate data from different sources will be a key factor to successfully assessing risk and prioritizing response. Understanding the links between phishing and malware attacks and correlating that data with underground intelligence is exactly what RSA s Advanced Fraud Intelligence is designed to do. RSA Advanced Fraud Intelligence offers you a single external threat management service with proactive detection and mitigation of online threats such as phishing, Trojans and mobile rogue apps, and we continue to monitor and track threats and threat actors as long as it takes to make your business safe from intrusion. EMC 2, EMC, the EMC logo, RSA, the RSA logo, Advanced Fraud Intelligence, AFI, FraudAction, and ThreatTracker are registered trademarks or trademarks of EMC Corporation in the United States and other countries. VMware is a registered trademark or trademark of VMware, Inc., in the United States and other jurisdictions. Copyright 2015 EMC Corporation. All rights reserved. Published in the USA. 4/2015 AFI Service Description - H14126 RSA believes the information in this document is accurate as of its publication date. The information is subject to change without notice.