Prevent Malware Attacks with F5 WebSafe and MobileSafe
Alfredo Vistola, Security Solution Architect, EMEA
Malware Threat Landscape: Growth and Targets
- 25% of real-world malware is caught by anti-virus
- 50% of malware code is logic to bypass defenses
- 79% of existing malware strains are Trojans
- 82% of institutions learned about fraud incidents from their customers
Source: PandaLabs Q1 Report, http://press.pandasecurity.com/usa/news/pandalabs-q1-report-trojans-account-for-80-of-malwareinfections-set-new-record/
Data sources: Dark Reading, PandaLabs, & ISMG
F5 Agility 2014
Malware Threat Landscape: Phishing by Number of Attacks
- Phishing attacks by industry: finance, government, shopping, online auctions, and multiplayer games
- Source: McAfee Threats Report 2013, http://www.mcafee.com/us/resources/reports/rpquarterly-threat-q1-2013.pdf
Phishing targets by country:
- United States: Amazon, Blizzard Entertainment, eBay, Internal Revenue Service, J.P. Morgan Chase, PayPal, Wells Fargo
- United Kingdom: Barclays, HM Revenue & Customs, HSBC, Lloyds TSB, NatWest, Royal Bank of Scotland
- Brazil: Banco Bradesco, Banco do Brasil, Banco Itaú
- Italy: Intesa Sanpaolo, Poste Italiane, UniCredit
- Australia: ANZ (Australia and New Zealand Banking Group), Westpac Bank
F5's Security Services and Solutions: One Platform
- Network Firewall
- Traffic Management
- Application Security
- Access Control
- DDoS Protection
- SSL
- DNS Security
- Anti-Fraud, Anti-Malware, Anti-Phishing
Certifications: EAL2+; EAL4+ (in process)
Our Unique Solution: Offers protection to cover the gaps in most security solutions
Stages of an online session: Site Visit, Site Log In, User Navigation, Transactions, Transaction Execution
Controls in common security solutions: Device Fingerprinting, Geo-location, Brute Force Detection, Behavioral Analysis, Behavioral and Click Analysis, Abnormal Money Movement Analysis, Customer Fraud Alerts
Threats that fall through the gaps: Phishing Threats, Credential Grabbing, Malware Injections, PII and CC Grabbing, Automatic Transactions
F5 Networks, Inc
F5 Web Fraud Protection
- Fraud, phishing & malware protection
- Simple deployment & supports any device
- Application-level encryption
- Device and behavioral analysis
- End-user and application transparency
- 24x7 SOC research, investigation & site take-down
Industries: Healthcare, Retail, Bank
"The knowledge that our online users are protected from fraudsters, wherever they are and at any time, enables our team to focus on developing new products and services." Anti-Fraud Manager, Leumi Bank
WebSafe in Action
WebSafe: Clientless and Transparent Anti-Fraud Solution
The only fully transparent anti-fraud solution that reduces banking fraud loss.
Fraud Detection and Protection:
- Detection of targeted malware, bots, MITM/MITB, form grabbing, zero-day
- Monitors and alerts when the website is copied and uploaded to a spoofed domain (phishing)
- Clientless application-layer encryption of sensitive user data with session-initiated, randomly rotating keys
Transaction Protection:
- Real-time transaction analysis for automated or human behavior
- Transaction integrity
- Comprehensive request analysis
Security Operations Research Center:
- 24x7 security reports and alerts
- Identifies and investigates attacks in real time
- Researches and investigates new global fraud technology & schemes
- Provides detailed incident reports
- Optional site take-down
WebSafe Implementation Options
Diagram: online customers (exposed to man-in-the-browser attacks, copied pages and phishing) reach the application through Web Fraud Protection deployed in front of the network firewall and application; alerts go to a local alert server and/or SIEM and to the F5 Security Operations Center; transaction fields (account, amount, transfer funds) are analyzed.
Customer scenarios:
- A: Malware detection and protection; automated transactions and transaction integrity
- B: Anti-phishing
- C: Transaction analysis
Strategic point of control. Easily deployed:
- Deploys with no change to applications
- Leverages existing F5 resources & knowledge
- Enables IT consolidation
- Integrated into the BIG-IP GUI in 11.6
Advanced Phishing Attack Detection and Prevention
Identifies phishing threats early on and stops attacks before emails are sent.
- Alerts upon usage of the copied site on a local computer
- Alerts upon login and testing of the phishing site
- Phished user names are sent to the SOC
- Alerts at all stages of phishing site development
- F5 SOC shuts down identified phishing websites
Diagram stages: 1. Copy website (from the web application); 2. Save image to computer; 3. Upload image to spoofed site (on the Internet); 4. Test spoofed site
Generic and Targeted Malware Detection
With real-time analysis and a variety of checks, WebSafe identifies compromised sessions, malicious scripts, phishing attacks and malware, including MITM/MITB, bots and fraudulent transactions.
- Analyzes the browser for traces of common malware (e.g., Zeus, Citadel, Carberp)
- Detects browser redressing
- Performs checks on the domain and other components
Malware Detection: Web Injection Examples
(Slides 12 to 16: screenshots of targeted malware web injections; no text content.)
Clientless Application-Level Encryption
WebSafe secures credentials and other valuable data submitted on web forms.
- Any sensitive information can be encrypted at the message level
- User credentials & information are submitted & encrypted with the public key
- Data is decrypted on BIG-IP WebSafe using the private key
- Intercepted information is rendered useless to the attacker
WebSafe BIG-IP GUI Integration
WebSafe: BIG-IP Integration (11.6)
- Easily turn on WebSafe anti-fraud protection from BIG-IP
- Define an anti-fraud profile for each domain
- Configure the alert server
- Enable and disable individual detection/protection modules:
  - Phishing detection
  - Malware detection
  - Application-layer encryption
  - Automated transaction protection
Anti-Fraud Profiles (screenshot)
Virtual Server Security Policy Configuration (screenshot)
MobileSafe In Action
Attack Mitigations (1 of 2)
- Man in the middle
  - DNS spoofing: the target domain is checked against a pre-loaded list of known IPs
  - Certificate forging: the target certificate is compared against a pre-loaded certificate
- Jailbroken / rooted devices: detection of jailbroken and rooted devices
Attack Mitigations (2 of 2)
- OS security: an unpatched version with known vulnerabilities raises the device risk score (sent when the app is loaded)
- App integrity: on Android, MobileSafe checks the application signature (checksum); on iOS this check is disabled
- Keyloggers: virtual keyboard
- Network sniffing at the OS level (before SSL): vcrypt
MobileSafe Architecture / Data Flow
Diagram: the user downloads the app; device-to-application communication passes through the data center, where BIG-IP performs message encryption in front of the application servers; the app receives its settings from the F5 Configuration Server; alerts flow to the F5 SOC (cloud).
F5 Security Operations Center
F5 Security Operations Center: Always on the watch
- 24x7x365 fraud analysis team that extends your security team
- Researches and investigates new global fraud technology & schemes
- Provides detailed threat analysis & incident reports
- Real-time alerts activated by phone, SMS and email
- Optional site take-down: phishing sites
F5 SOC: Phishing Site Take-Down Service
Quickly identify and shut down brand-abuse websites.
- Always-available F5 monitoring and response team
- Complete attack assessment & post-mortem attack report
- Leverages relationships with ISPs, anti-phishing groups and key international agencies
- Malicious site take-down in minimal time
- Recommendations for counter security measures
Real-Time Alerts Dashboard (screenshot)
F5's Anti-Fraud Solutions
- Prevent fraud: targeted malware, MITB, zero-days, MITM, phishing, automated transactions
- Protect online users on all devices: clientless solution enabling 100% coverage; desktop, tablets & mobile devices
- Full transparency: no software or user involvement required
- In real time: alerts and customizable rules
If I can be of further assistance please contact me: a.vistola@f5.com
Demo
Demo of Clientless Application-Level Encryption
Diagram: an infected PC submits login information (username + password) to the web application over the Internet; the malware on the PC sends a copy of the same login information to a dropzone and C&C on a server at the ISP.
Questions?