Prevent Malware attacks with F5 WebSafe and MobileSafe. Alfredo Vistola Security Solution Architect, EMEA

Transcription

1 Prevent Malware attacks with F5 WebSafe and MobileSafe Alfredo Vistola Security Solution Architect, EMEA

2 Malware Threat Landscape Growth and Targets % 25 Of real-world malware is caught by anti-virus Malware % 50 Of malware code is logic to bypass defenses % 79 Existing malware strains are Trojans % 82 Of Institutions learned about fraud incidents from their customers PandaLabs Q1 Report -q1-report-trojans-account-for-80-of-malwareinfections-set-new-record/ Data sources: Dark Reading, PandaLabs, & ISMG F5 Agility

3 Malware Threat Landscape Phishing by Number of Attacks Phishing Attacks by Industry Finance, Government, Shopping, Online Auctions, and Multiplayer Games. McAfee Threats Report United States Amazon Blizzard Entertainment ebay Internal Revenue Service J.P. Morgan Chase PayPal Wells Fargo United Kingdom Barclays HM Revenue & Customs HSBC Lloyds TSB Natwest Royal Bank of Scotland Brazil Banco Bradesco Banco do Brasil Banco Itau Italy Intesa Sanpaolo Posteitaliane UniCredit Australia ANZ (Australia and New Zealand Banking Group) Westpac Bank F5 Agility

4 F5 s Security Services and Solutions One Platform Network Firewall Traffic Management Application Security Access Control DDoS Protection SSL DNS Security Anti-Fraud, Anti-Malware, Anti-Phishing EAL2+ EAL4+ (in process) F5 Agility

5 Our unique solution Offers protection to cover the gaps with most security solutions Site Visit Site Log In User Navigation Transactions Transaction Execution Device Fingerprinting Geo-location Brute Force Detection Behavioral Analysis Behavioral and Click Analysis Abnormal Money Movement Analysis Customer Fraud Alerts Phishing Threats Credential Grabbing Malware Injections PII and CC Grabbing Automatic Transactions F5 Networks, Inc 5

6 F5 Web Fraud Protection Fraud, phishing & malware protection Simple deployment & supports any device Application level encryption Healthcare Device and behavioral analysis End-user and application transparency Retail Bank 24x7 SOC research, investigation & site take down The knowledge that our online users are protected from fraudsters, wherever they are and at any time, enables our team to focus on developing new products and services. Anti-Fraud Manager, Leumi Bank F5 Agility

7 WebSafe in Action

8 WebSafe Clientless and Transparent Anti-Fraud Solution Only fully transparent Anti-Fraud solution that reduces banking fraud loss Fraud Detection and Protection Detection of targeted malware, BOTs, MITM/B, form grabbing, Zero-day, Monitors and alerts when website is copied and uploaded to a spoofed domain (phishing) Clientless application-layer encryption of sensitive user data with sessioninitiated randomly rotating keys Transaction Protection Real-time transaction analysis for automated or human behavior Transaction integrity Comprehensive request analysis Security Operations Research Center 24X7 security reports and alerts Identifies and investigates attacks in real-time Researches and investigates new global fraud technology & schemes Provides detailed incident reports Optional site take-down F5 Agility

9 WebSafe Implementation Options A Online Customers Man-in-the- Browser Attacks Copied Pages and Phishing Local alert server and/or SIEM B Online Customers Web Fraud Protection Network Firewall Application C Account Amount Transfer Funds Online Customers F5 Security Operations Center Customer Scenarios A Malware Detection and Protection Automated Transactions and Transaction integrity Easily deployed Deploys with no change to applications Leverages existing F5 resources & knowledge Enables IT consolidation Integrated into BIG-IP GUI in 11.6 B C Anti-Phishing Transaction Analysis Strategic Point of Control F5 Agility

10 Advanced Phishing Attack Detection and Prevention Identifies phishing threats early-on and stops attacks before s are sent Alerts upon usage of copy site on local computer Alerts upon login and testing of phishing site Phished user names are sent to the SOC 4. Test spoofed site Web Application 1. Copy website F5 SOC shuts down identified phishing websites 2. Save image to computer Internet 3. Upload image to spoofed site Alerts at all stages of phishing site development F5 Networks, Inc 10

11 Generic and Targeted Malware Detection With real-time analysis and a variety of checks WebSafe identifies compromised sessions, malicious scripts, phishing attacks and malware including MITM/B, BOTs, fraudulent transactions Analyzes browser for traces of common malware (i.e., Zeus, citadel, Carberp, etc) Detects browser redressing Performs checks on domain and other components F5 Networks, Inc 11

12 Malware Detection Web Injection Examples F5 Agility

13 Malware Detection Web Injection Examples Targeted malware web injection F5 Agility

14 Malware Detection Web Injection Examples Targeted malware web injection F5 Agility

15 Malware Detection Web Injection Examples F5 Agility

16 Malware Detection Web Injection Examples F5 Agility

17 Clientless Application-Level Encryption WebSafe secures credentials and other valuable data submitted on web forms F5 Networks, Inc 17

18 Clientless Application-Layer Encryption WebSafe secures credentials and other valuable data submitted on web forms Any sensitive information can be encrypted at the message level User credentials & information is submitted & encrypted with public key Data is decrypted on BIG-IP WebSafe using the private key Intercepted information rendered useless to attacker F5 Networks, Inc 18

19 WebSafe BIG-IP GUI Integration

20 WebSafe : BIG-IP Integration 11.6 Easily turn on WebSafe anti-fraud protection from BIG-IP Define anti-fraud profile for each domain Configure alert server Enable and disable individual detection/protection modules o o o o Phishing detection Malware detection Application layer encryption Automated transaction protection F5 Networks, Inc 20

21 Anti-Fraud Profiles F5 Agility

22 Virtual Server Security Policy Configuration F5 Agility

23 MobileSafe In Action

24 Attack Mitigations (1 of 2) Man in the middle DNS spoofing The target domain is checked against a pre-loaded list of known IPs Certificate forging The target certificate is compared against a pre-loaded certificate Jailbreak / rooted devices Detection of a jailbreak and rooted device F5 Agility

25 Attack Mitigations (2 of 2) OS security Unpatched version with known vulnerabilities will raise the device risk score (sent when the app is loaded) App integrity Android - MobileSafe will check the application signature (Checksum) IOS this check is disabled Keyloggers virtual keyboard Network sniffing at the OS level (before the SSL) vcrypt F5 Agility

26 MobileSafe Architecture / Data Flow Download app F5 SOC (Cloud) User Device to application communication F5 Configuration Server F5 SOC Data Center Alerts BIG-IP (message encryption) servers F5 Agility

27 F5 Security Operations Center

28 F5 Security Operations Center Always on the watch 24x7x365 fraud analysis team that extends your security team Researches and investigates new global fraud technology & schemes Detailed incident reports Provides detailed threat analysis & incident reports Real-time alerts activated by phone, sms and Optional site take-down: Phishing sites F5 Networks, Inc 28

29 F5 SOC: Phishing Site Take-Down Service Quickly identify and shut down brand abuse websites Always available F5 monitoring and response team Complete attack assessment & postpartum attack report Leverage relationships with ISPs, anti-phishing groups and key international agencies Malicious site take-down in minimal time Recommendations for counter security measures F5 Networks, Inc 29

30 Real-Time Alerts Dashboard F5 Agility

31 F5 s Anti-Fraud Solutions Prevent Fraud Protect Online User On All Devices Full Transparency In Real Time Targeted malware, MITB, zero-days, MITM, phishing, automated transactions Clientless solution, enabling 100% coverage Desktop, tablets & mobile devices No software or user involvement required Alerts and customizable rules If I can be of further assistance please contact me: [email protected]

32 Demo

33 Demo of Clientless Application-Level Encryption Login Information Username + password Web application Infected PC Login Information Username + password Internet Dropzone and C&C on the server at the ISP F5 Agility

34 Questions? F5 Agility

35