RSA Web Threat Detection

RSA Web Threat Detection
Online Threat Detection in Real Time
Matthew Joseff, Sr. Technology Evangelist, RSA

The Online Threat Environment

Web Threat Landscape

Session timeline: In the Wild > Begin Session > Login > Transaction > Logout

Pre-Authentication Threats (InfoSec):
- Phishing
- Site Scraping
- Vulnerability Probing
- Layer 7 DDoS Attacks
- Password Cracking/Guessing
- Parameter Injection
- New Account Registration Fraud
- Advanced Malware (e.g. Trojans)
- Promotion Abuse
- Man in the Middle/Browser

Post-Authentication Threats (Fraud):
- Account Takeover
- New Account Registration Fraud
- Unauthorized Account Activity
- Fraudulent Money Movement

Business & Customer Challenges: Security is a Balancing Act

Business Challenge:
- Information Sprawl
- Mobility of End Users
- More Threats
- More Regulations

Business Requirements:
- Protect Information
- Mitigate Emerging Threats
- Meet Regulations
- Secure Account Access and Use

End-User Requirements:
- Ease of Use
- Self-Service

Services for Customers / Opportunity for Criminals

Service for customers                  | What the criminal says
Next-day shipping                      | "My shipping mule will have it before your fraud team knows it's gone"
Express wire transfers                 | "I'll cash out before your customer calls about a weird transaction"
$10 for new accounts promotion         | "One sounds good; 6,000 sounds great"
Forgot my password link                | "If only there was a way to validate accounts"
Account locks after 5 failed logins    | "Good luck making money when I lock all of your user accounts"
View your statement online             | "Thanks for the identity theft one-stop shop!"

RSA Fraud & Risk Intelligence Solutions: Securing the Online User Life Cycle
- Fraud Action & CyberCrime Intelligence
- Adaptive Authentication
- SilverTail
- Transaction Monitoring
Session timeline (Web Threat Landscape): In the Wild > Begin Session > Login > Transaction > Logout

Web Threat Detection Overview: Distinguishing Customers from Criminals

How are Websites Protected Today?
- User: 2 Factor Authentication, Device ID
- Network: Firewall, IPS/IDS
- Application: WAF, Penetration Testing, Dynamic Scanning, Log Analysis/SIEM, Source Code Analysis

Lack of Visibility into Online User Behavior
What ARE users doing on your site? Are they browsing? Are they banking? Are they shopping? Are they being disruptive or criminal?
Copyright 2011 EMC Corporation. All rights reserved.

With Total Visibility into Online Behavior You Can:
- Reduce fraud losses and their additional associated costs
- Maintain a positive corporate reputation
- Keep a competitive edge: prevent competitors from accessing proprietary or other valuable information
- Significantly reduce the chance of site downtime resulting from a successful attack
- Avoid financial penalties and other negative consequences associated with failing to prevent access to credit card or other personal data
- Reduce financial and other negative consequences stemming from business logic abuse

Mitigating Online Threats with Real-Time Detection
What do you need to tell the difference between legitimate and disruptive or criminal use of your web site?
- Total visibility into web sessions
- Ability to identify behavioral patterns for crowds and individual users
- Ability to process this information and draw meaningful conclusions
- Ability to act on these conclusions
...and you need to be able to do all of this in real time.

Distinguishing Online Customers from Cyber Criminals Through Total Visibility into the Web Session
- Providing Continuous Monitoring for Total Visibility into Web Sessions
- Leveraging Big Data Analytics and Visualization
- Building Dynamic Behavioral Profiles for the Population and Individuals
- Calculating Real-time Threat Scores for Use in Rules

Stream Analytics: Threat Scores
- Velocity
- Behavior
- Parameter Injection
- Man in the Middle
- Man in the Browser

Anomalous Behavior Detection: Cyber Criminals Look Different than Online Customers
Dimensions compared: Velocity, Page Sequence, Origin, Contextual Information
Example page sequence (online bill payment): Sign-in > Homepage > My Account > View Checking Account > Bill Pay Home > Add Bill Payee > Select Bill Payee > Enter Pay Amount > Submit

A Typical Online Bank Transaction
Click sequence: Sign-In > Homepage > My Account > View Checking Account > Bill Pay Home > Add Bill Payee > Select Bill Payee > Enter Payment Amount > Submit

Behind the User Experience
Session determined

Behind the User Experience
1. Data is broken apart into several pieces under a lens.
2. Data is sessionized.

Behind the User Experience
Inspects all; scrubs data; data is compressed, indexed, and stored

Behind the User Experience
Web Session Traffic > Scoring Engine > Rules Engine > Send API / SysLog / Incident / Create email report > 3rd Party Systems

Clickstream presentation:
- Summary of clickstream
- Interactive clickstream
- Table display
- Human-readable click details

Web Threat Detection Workflow
- Inputs from each Page Request: Arguments (POST/GET), HTTP Headers, User ID, Cookie, IP
- Web Threat Detection: Sessionize and Visualize Click Stream; Threat Score 0-100 (Man in the Middle, Man in the Browser, Behavior, Velocity, Parameter)
- Web Threat Detection Rules Engine: Real Time Alerts and Hourly Alerts on IP, User, Page
- Web Threat Detection User Interface: Forensic Dashboard, One Click Investigation, Deep Inspection by IP, User, Page
- Web Threat Detection Action Server: outputs to SIEM, CM, Email, LB, WAF

Visibility into Third Party Sites: Monitoring Embedded Functionality

Web Session Blind Spot
- Third Party Embedded Applications leave organizations with a blind spot
- High risk transactions, and threats, are likely to occur in the blind spot
Session: Session Begins > Login > Home Page > Online Bill Pay > Logout

Before vs. With Third Party Visibility

Web Threat Detection Use Cases

Typical Use Cases
- Information Security Threats
- Fraud Threats
- Business Intelligence
- Infrastructure Utilisation

Information Security: Case examples

Site Scraping Overview: Example of the Web Scraping process (hypothetical example only!)
- Hotel reviews posted on customer site
- Bot pulls content from site within minutes of posting
- Potential traveller searches Google & clicks through to a travel review site (not TripAdvisor)
- Customer clicks link to hotel booking site
- Hotel booked & travel plans complete! Hotel chosen based on reviews from the original site without the customer actually visiting the original content website
Key impacts to the travel review website:
1. Missed web traffic equals missed advertising revenue
2. Travel booking referral to hotel based on original site content but claimed by third party review site
3. Increased market competition from competitors with minimal operational cost overheads

Information Security Example #1: Site scraping, Type #1, the Search + Scrape
- Hong Kong IP
- IP address only hitting 3 page types (1) (list here the 3 page types)
- Human-like click velocity, between 1 and 5 seconds

Information Security Example #1: Site scraping, Type #2, content cycling (the direct approach)
- Brisbane based IP
- 233 clicks in 1 hour, each click to a unique page content number URL
- 1746 clicks in 1 hour
- Human-like click velocity, between 1 and 5 seconds
- Identified via a Web Threat Detection site scraping rule alert

Information Security Example #2: Architecture probing. Scripted website probing attack against bank domain
Threat Summary:
- Customer typically has only ~150 unique URLs which are actively accessed by customers
- This attack targeted over four thousand URLs; the majority of the page requests were invalid but were still received by their web server
- Invalid page requests (e.g. 404 errors) are common when identifying website attacks which are looking to map the site or locate vulnerable pages
- 10945 clicks within 1 hour, to 4484 unique URLs, from a single US based IP
- 95% of clicks sub-0.5 seconds
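The deck describes sessionizing click data (the "Behind the User Experience" slides) and then separating a content-cycling scraper (human-like 1-5 s gaps, every click to a unique content URL) from a scripted architecture probe (sub-0.5 s gaps, thousands of unique URLs, mostly invalid requests). The following is an added example, not RSA's code or a product rule set: it sessionizes constructed log lines by (IP, cookie), derives click count, unique-URL spread, fast-click share and error ratio, and applies illustrative thresholds modelled on the two case descriptions. The log format, the 30-minute idle gap and all thresholds are assumptions.

```python
"""Sessionize constructed web-server log lines and derive the behavioural
features the deck relies on: click velocity, unique-URL spread and error ratio.
Thresholds are illustrative assumptions, not product settings."""
from collections import defaultdict
from datetime import datetime, timedelta

SESSION_GAP = timedelta(minutes=30)   # assumed idle gap that closes a session


def make_sample_log():
    """Constructed log lines: '<iso timestamp> <ip> <cookie> <path> <status>'."""
    base = datetime(2015, 6, 9, 9, 0, 0)
    lines = []
    t = base                                   # ordinary customer
    for path in ("/login", "/home", "/account", "/checking", "/billpay"):
        lines.append(f"{t.isoformat()} 203.0.113.10 c1 {path} 200")
        t += timedelta(seconds=4)
    t = base                                   # content-cycling scraper
    for i in range(60):
        lines.append(f"{t.isoformat()} 198.51.100.7 c2 /content/{1000 + i} 200")
        t += timedelta(seconds=(1, 3, 2, 5, 4)[i % 5])   # human-like 1-5 s gaps
    t = base                                   # scripted architecture probe
    for i in range(300):
        status = 200 if i % 10 == 0 else 404   # nine in ten requests are invalid
        lines.append(f"{t.isoformat()} 192.0.2.44 c3 /probe/{i} {status}")
        t += timedelta(milliseconds=200)
    return lines


def parse(line):
    ts, ip, cookie, path, status = line.split()
    return datetime.fromisoformat(ts), ip, cookie, path, int(status)


def sessionize(lines):
    """Group clicks by (ip, cookie) and split runs separated by SESSION_GAP."""
    by_key = defaultdict(list)
    for rec in sorted(map(parse, lines)):
        by_key[(rec[1], rec[2])].append(rec)
    sessions = []
    for key, clicks in by_key.items():
        current = [clicks[0]]
        for prev, cur in zip(clicks, clicks[1:]):
            if cur[0] - prev[0] > SESSION_GAP:
                sessions.append((key, current))
                current = []
            current.append(cur)
        sessions.append((key, current))
    return sessions


def features(clicks):
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(clicks, clicks[1:])]
    n = len(clicks)
    return {
        "clicks": n,
        "unique_urls": len({c[3] for c in clicks}),
        "fast_share": sum(g < 0.5 for g in gaps) / len(gaps) if gaps else 0.0,
        "error_ratio": sum(c[4] >= 400 for c in clicks) / n,
    }


def classify(f):
    """Illustrative rules modelled on the probing and scraping case descriptions."""
    if f["clicks"] >= 100 and f["fast_share"] >= 0.9 and f["error_ratio"] >= 0.5:
        return "architecture_probing"
    if f["clicks"] >= 50 and f["fast_share"] < 0.1 and f["unique_urls"] / f["clicks"] >= 0.9:
        return "site_scraping"
    return "normal"


def analyse(lines):
    """Return {ip: (verdict, features)} for every session in the log."""
    out = {}
    for (ip, _cookie), clicks in sessionize(lines):
        f = features(clicks)
        out[ip] = (classify(f), f)
    return out


if __name__ == "__main__":
    for ip, (verdict, f) in analyse(make_sample_log()).items():
        print(ip, verdict, f)
```

Both detections rest on the same per-session features, which is why the deck's "sessionize first, score second" ordering matters: the probe is only obvious once its 300 clicks are seen as one session rather than 300 isolated requests, and the scraper is only suspicious because every one of its human-paced clicks lands on a different content URL.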

Information Security Example #3: Password guessing. Attempted account takeover via scripted attacks
Do you have visibility of brute force attacks on your login pages?
RSA Web Threat Detection is very effective at both types of password guessing:
- Vertical: same user ID, guess the password
- Horizontal: same password, guess the user ID
Often banks & other online organisations allocate user IDs based on number. If you run a script with a common password (e.g. P@ssword1), then it is simply a matter of time until an account logon is compromised as the script cycles through sequential login numbers.
- Analysis of header data detects the Linux operating system, which is very common for scripted attacks
- Single user ID, multiple password attempts
Note: the password has one-way encryption, which still allows for value profiling

Information Security Example #4: Account aggregators. Third party aggregator sites (e.g. Mint, Yodlee) utilising disclosed login credentials to scrape sensitive customer data
Why is it important to know the aggregators?
- Customer data: do you know which third parties have your customer login data?
- Data breach: how would you manage if an aggregator had a data breach with thousands of your customer credentials?
- Liability for fraud cases may change given customers have disclosed their login credentials
- Customer terms and conditions: do you wish to update based on aggregator risk?
40 user details scraped by a single account aggregator IP in 1 hour

Fraud Threats: Case examples

Fraud Threats Example #5: Credential Testing. Account peeking: multiple test logins from a Nigerian IP address
Early Detection = Reduced impact: detection of account peeking via Web Threat Detection allows at-risk user accounts to be identified & treated before the customer or business is impacted
Account peeking is a very common behaviour by fraudsters as it allows them to:
1. Validate the login credentials
2. Identify higher value accounts
3. Understand the controls which must be defeated to complete future unauthorised transactions
- Single login test click for each account
- Multiple users from a single Nigerian IP within 1 hour
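Example #3 (vertical and horizontal password guessing) and Example #5 (account peeking) are all detectable from the same per-IP profile of login attempts, using the one-way-encrypted password value the deck mentions: vertical guessing is one user ID with many distinct password values, horizontal guessing is one password value across many user IDs, and peeking is many user IDs each tried exactly once with a different (already known) credential. This added example, which is not RSA's code, profiles constructed login events that way; the event layout, the SHA-256 digest standing in for the product's one-way encryption, the one-hour window and the threshold of 10 are all assumptions.

```python
"""Profile login attempts per source IP to spot the three scripted patterns
described in the deck: vertical guessing, horizontal guessing and account
peeking. Sample events are constructed; thresholds are illustrative."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumed analysis window
MIN_DISTINCT = 10             # assumed minimum distinct values before a pattern is flagged


def pw_digest(password):
    """One-way digest of the submitted password: the value can be compared
    (same/different) for profiling without retaining the clear text."""
    return hashlib.sha256(password.encode()).hexdigest()[:16]


def make_sample_events():
    """Constructed events: (timestamp, ip, user_id, password_digest, result)."""
    base = datetime(2015, 6, 9, 3, 0, 0)
    ev = []
    # vertical: one user ID, many different passwords from one IP
    for i in range(25):
        ev.append((base + timedelta(seconds=i), "192.0.2.10", "user4401",
                   pw_digest(f"guess{i}"), "fail"))
    # horizontal: one common password sprayed across sequential numeric IDs
    for i in range(40):
        ev.append((base + timedelta(seconds=i), "198.51.100.20", f"user{5000 + i}",
                   pw_digest("P@ssword1"), "fail"))
    # peeking: many accounts, one attempt each, each with its own credential
    for i in range(15):
        ev.append((base + timedelta(minutes=i), "203.0.113.30", f"user{7000 + i}",
                   pw_digest(f"real-pw-{i}"), "success"))
    # ordinary customer: one typo, then success
    ev.append((base, "203.0.113.99", "user1234", pw_digest("typo"), "fail"))
    ev.append((base + timedelta(seconds=20), "203.0.113.99", "user1234",
               pw_digest("correct"), "success"))
    return ev


def profile_ip(events):
    """Return the list of patterns seen in one IP's events within WINDOW."""
    events = sorted(events)
    first = events[0][0]
    events = [e for e in events if e[0] - first <= WINDOW]
    pws_by_user = defaultdict(set)    # user_id -> distinct password digests
    users_by_pw = defaultdict(set)    # password digest -> distinct user_ids
    attempts = defaultdict(int)       # user_id -> number of attempts
    for _ts, _ip, user, pw, _result in events:
        pws_by_user[user].add(pw)
        users_by_pw[pw].add(user)
        attempts[user] += 1
    findings = []
    if any(len(pws) >= MIN_DISTINCT for pws in pws_by_user.values()):
        findings.append("vertical_password_guessing")
    if any(len(users) >= MIN_DISTINCT for users in users_by_pw.values()):
        findings.append("horizontal_password_guessing")
    # peeking: every account tried once, and every attempt used a different value
    single_try = all(n == 1 for n in attempts.values())
    if len(attempts) >= MIN_DISTINCT and single_try and len(users_by_pw) == len(attempts):
        findings.append("account_peeking")
    return findings


def analyse(events):
    """Return {ip: [patterns]} across all source IPs."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e[1]].append(e)
    return {ip: profile_ip(evs) for ip, evs in by_ip.items()}


if __name__ == "__main__":
    for ip, findings in analyse(make_sample_events()).items():
        print(ip, findings or ["normal"])
```

The peeking rule is the one that needs the password digest rather than just a counter: forty single-attempt logins from one IP look the same as a spray until you can see whether the password value changed with each account.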

Fraud Threats Example #6: Account Takeover. Malware on customer's device attempting account takeover
- Malware driven password guessing against a single user ID
- 50% of clicks in sub-0.5 seconds
- The user agent for this particular IP contains SIMBAR. This is a characteristic of adware known to be used by malware for account takeover purposes

Fraud Threats Example #7: Fraudulent Payments. High frequency, high velocity spend by a single IP
- Web traffic spike to paycomplete page
- 30 transactions within 15 minutes to paycomplete page
- All transactions identical: item, value & payment type
- Individual transactions were all of a lower value to decrease the probability of detection

Business Logic Abuse: Case examples

Business Logic Abuse Example #8: Content Click Fraud. Inflation of page traffic via automated views
- Identified as High Risk Users by elevated Behaviour Score
- Repetitive page view behaviour
- Human-like click velocity

Business Logic Abuse Example #8: Content Click Fraud (continued)
- Single User Id = username@domain.com
- Single user cycling through 18 different IP addresses within 24 hours across multiple states/cities
- Repetitive clickstream behaviour: (1) Login (2) Search (3) View Page (4) Logout (5) Repeat above

Business Logic Abuse Example #9: User rating inflation. False sales between common parties to inflate user rating
- 10 identical orders (same buyer/seller) placed within 9 minutes
- 21 orders from a single user within 1 hour at 5am
- Each order value ~$1,000 USD

Business Logic Abuse Example #10: Coupon testing. Scripted attacks to find valid coupon codes
Impact of coupon abuse can include:
- Genuine customer impact due to unauthorised use of coupon offers
- Decreased revenue due to offer abuse
- Increased website overhead due to scripted attacks
- Site scraping by resellers or coupon aggregator sites
Single IP driving 95%+ of all coupon code page traffic

Business Intelligence: Case examples

Business Intelligence Example #11: Robotic Click Traffic. Google & Microsoft (Bing) driving a material % of site click traffic
- Microsoft IP: NN% to XYZ page
- 1746 clicks in 1 hour

Business Intelligence Example #11: Robotic Click Traffic (continued)
- User Agent = Microsoft bingbot

Business Intelligence Example #11: Robotic Click Traffic (continued)
- Traffic to content search URL
- Google, Microsoft or site scrapers generated 100% of traffic for the top 100 IPs to the content search page (early morning)

Business Intelligence Example #12: Page transition statistics. User behaviour intelligence from macro to micro level
- 68% of users click the search page again after the first search result

Business Intelligence Example #13: Decommissioned Pages. 1 million hits per month to a decommissioned RSS feed page
- RSS feed officially disabled; however, content is still being posted & the page is still receiving ~1 million hits per month
- Google bots requesting the RSS page 769 times in a single hour (typical), which is 64% of all requests to RSS pages

Account Takeover via Scripted Attack (Large Financial Institution)
The Threat: script attempting multiple log in attempts
How Web Threat Detection Identified the Threat:
- Anomalous click behavior: almost 4,000 clicks in just over 7 and a half minutes
- Excessive log in attempts for a single IP in a single session: over 2,600 login attempts
How We Used The Information:
- Redirect IP to Contact Customer Service page
- Send IP to SIEM for correlation
- Temporarily block IP

Account Takeover via Man-in-the-Middle (Large Financial Institution)
The Threat: a classic Man-in-the-Middle attack
How Web Threat Detection Identified the Threat:
- Anomalous web session activity: a second IP address from Africa had joined a session initiated by a US IP address associated with the account
- Ongoing anomalous behavior: over two weeks the IP from Africa had accessed 60 different user accounts
How We Used The Information:
- Force re-authentication
- Place IP associated with account on grey list

Robotic Money Movement: Behavior indicating robotic money movement
- Elevated behavior threat score
- Hits to the money movement page per session were outside of the norm (Average: 5; This Case: 52)
- Indicators of robotic navigation: IP hitting the page almost exactly one minute apart multiple times (20:22:02, 20:23:01, 20:24:03, 20:25:02, etc.)
- Session executed with Linux operating system (a favorite for running scripts against web sites)
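The robotic money movement case rests on two signals: volume against a population baseline (52 hits per session where the average is 5) and the metronomic timing of the hits (almost exactly one minute apart). This added example, not RSA's code, turns both into a check over a list of hit timestamps: it compares the hit count against the baseline and measures the spread of inter-hit gaps, so a script firing on a timer stands out from a person who revisits the page at irregular intervals. Only the four quoted timestamps come from the slide; the remaining timestamps, the page path, the 5x volume multiplier and the 3-second jitter bound are constructed assumptions.

```python
"""Flag robotic navigation from the timing regularity of page hits, using the
deck's money-movement example: a baseline of ~5 hits per session versus 52,
with hits landing almost exactly one minute apart. Timestamps beyond the four
quoted on the slide are constructed; thresholds are illustrative."""
from datetime import datetime, timedelta
from statistics import mean, pstdev

BASELINE_HITS_PER_SESSION = 5   # population average quoted on the slide
HIT_RATIO_THRESHOLD = 5         # assumed: flag at 5x the baseline
MAX_JITTER_SECONDS = 3.0        # assumed: gaps this regular look scripted
MIN_HITS_FOR_TIMING = 10        # assumed: too few gaps make the spread meaningless


def make_sample_hits():
    """Constructed: 52 hits to the money movement page from one session, roughly
    60 s apart, starting with the quoted 20:22:02 / 20:23:01 / 20:24:03 / 20:25:02."""
    t0 = datetime(2015, 6, 9, 20, 22, 2)
    offsets = [0, 59, 121, 180]              # the four quoted timestamps
    jitter = (0, -1, 1, 0)                   # a second or so either way, like the slide
    for i in range(4, 52):
        offsets.append(60 * i + jitter[i % 4])
    return [t0 + timedelta(seconds=o) for o in offsets]


def make_human_hits():
    """Constructed: a customer visiting the page a few times with irregular gaps."""
    t0 = datetime(2015, 6, 9, 20, 22, 2)
    return [t0 + timedelta(seconds=o) for o in (0, 47, 210, 222, 615)]


def timing_features(hits):
    """Hit count plus mean and population standard deviation of inter-hit gaps."""
    hits = sorted(hits)
    gaps = [(b - a).total_seconds() for a, b in zip(hits, hits[1:])]
    return {
        "hits": len(hits),
        "mean_gap": mean(gaps) if gaps else 0.0,
        "gap_stdev": pstdev(gaps) if gaps else 0.0,
    }


def is_robotic(hits):
    """True when the session is both far above the volume baseline and
    metronomic; returns (verdict, features) so the evidence can be logged."""
    f = timing_features(hits)
    volume_anomaly = f["hits"] >= HIT_RATIO_THRESHOLD * BASELINE_HITS_PER_SESSION
    metronomic = f["hits"] >= MIN_HITS_FOR_TIMING and f["gap_stdev"] <= MAX_JITTER_SECONDS
    return volume_anomaly and metronomic, f


if __name__ == "__main__":
    for label, hits in (("scripted", make_sample_hits()), ("customer", make_human_hits())):
        verdict, f = is_robotic(hits)
        print(label, "robotic" if verdict else "normal", f)
```

Requiring both signals keeps a single busy customer (high volume, irregular timing) and a short burst of two or three quick clicks (regular timing, low volume) from tripping the rule; the deck's case satisfies both, which is what made it worth an elevated behavior score.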

Distributed Denial of Service (DDoS) Attack: Behavior indicating the onset of a DDoS
- Web Threat Detection identified a single page being hit 1.6 million times over the course of one hour without the activity being blocked; normal peak traffic is 1.2 million hits
- IPs originating from high-risk countries
- Single IP executing 70,000 page requests in one hour
- 10 IPs executing 366,000 page requests in one hour
Mitigation: categorized the 10 IPs as a threat group and sent them to the firewall

Web Threat Detection and Adaptive Authentication: Intelligent, Risk-based Layered Security

Web Threat Detection: Complete Web Session Intelligence & Application Layer Threat Visibility
Adaptive Authentication & Transaction Monitoring: Risk-based Authentication & Transaction Monitoring
Session timeline: Beginning of Web Session > Login > Financial Transaction > Checkout and Logout
Threats covered across the session: Vulnerability Probing, DDoS Attacks, Site Scraping, New Account Registration Fraud, Promotion Abuse, Parameter Injection, Password Guessing, Man In The Browser, Access From High Risk Country, Account Takeover, Unauthorized Account Activity, Man In The Middle, High Risk Checkout

Adaptive Authentication and Web Threat Detection
AA/TM for AUTHENTICATION:
- Risk-based, multi-factor authentication
- Protects log-in and/or transactions
- Mitigates via step up authentication, incl. out of band
Web Threat Detection for ANOMALOUS BEHAVIOR DETECTION:
- Real-time online threat detection
- Protects across the online life cycle
- Mitigates via API to send to step up, WAF, SIEM, etc.
AA/TM are controls that kick in at single points in time to determine if the person attempting to log in or initiate a transaction is who he says he is. ST (SilverTail) offers continuous monitoring and analysis to determine if the person is behaving in a way that suggests he is up to no good and requires a closer look.

Web Threat Detection and Adaptive Authentication in Action: $150K Fraudulent Transfer stopped at a Large US Bank
- Adaptive Authentication raised an alert on a suspicious $150,000 transaction and triggered a step up authentication request
- Bank had deployed Challenge Questions as step up
- Fraudster had social engineered the answers and passed the challenge
- Web Threat Detection raised an alert on the IP initiating the transaction
- In response to high risk scores from both Adaptive Authentication and Web Threat Detection, the Bank stopped the wire transfer

RSA Web Threat Detection: Real-Time Online Threat Detection in Your Environment

Behavioral Analysis Detects Online Threats in Real Time
- No disruption to customer experience or site performance
- Self learning risk engine continuously adapts to recognize new threats
- Real time detection allows real time response
- Almost immediate time to benefit
- Rapid deployment
- Highly scalable