F5 Security: Web Fraud Detection
Keiron Shepherd, Security Systems Engineer
The 21st century application infrastructure (trends)
- Users are going to access applications from anywhere: mobile, VDI, XaaS, any OS
- Security goes beyond the perimeter
- Every application is a web application
- HTTP is the new TCP
F5 Networks, Inc
Who should deliver your Application Security?
- Clients, Infrastructure, Applications, Storage, Network
- Engineering services, Developers, DBA

Who can deliver your Application Security?
- Clients, Infrastructure, Applications, Storage
- Engineering services, Developers, DBA
- Network security
A Security Company?
Gartner, ADC 2013: Advanced Platform (real-time protocol manipulation)
F5 Security Products
- BIG-IQ Device, BIG-IQ Security, BIG-IQ Cloud
- BIG-IP Local Traffic Manager (LTM)
- BIG-IP Global Traffic Manager (GTM)
- BIG-IP Application Acceleration Manager (AAM)
- BIG-IP Application Security Manager (ASM)
- BIG-IP Advanced Firewall Manager (AFM)
- BIG-IP Access Policy Manager (APM)
- F5 IP Intelligence Services (IPI)
- F5 WebSafe and MobileSafe (WFD)
- F5 Secure Web Gateway (SWG)
- BIG-IP Carrier Grade NAT (CGNAT)
- BIG-IP Policy Enforcement Manager (PEM)
- Future modules
- iRules, iApps, iControl and iCall, all on TMOS
Application Delivery Security: bringing deep application fluency to security
One platform:
- Network Firewall
- Traffic Management
- Application Security
- Access Control
- DDoS Protection
- SSL Security
- DNS Security
- Web Fraud Protection
Evaluations and certifications: EAL2+; EAL4+ (in process); DC FW (in process); WAF (delivered); DDoS (pending)
Gartner Magic Quadrant: SSL-VPN (2011), Network Firewall (2014), WAF (2014)
Full Proxy Security
Full-proxy architecture: BIG-IP terminates the client connection and opens a separate connection to the server, so every layer of the stack exists twice (client side and server side) and an iRule can act at each layer on each side:
- TCP (Network Firewall): SYN flood, ICMP flood
- SSL: SSL renegotiation
- HTTP: data leakage
- WAF: Slowloris attack, XSS
F5 provides comprehensive application security
- Virtual patching
- Network DDoS protection
- Web Application Firewall
- Network access
- DNS DDoS protection
- Application access
- Network firewall
- SSL DDoS protection
- Application DDoS protection
- Web fraud protection
Web Fraud Protection
Securing against online fraud can be complex
- Ownership: customers expect the bank to secure against all forms of fraud, regardless of the device used or the action taken
- Browser is the weakest link: Trojans and man-in-the-browser (MitB) malware attack the client browser or device, where the bank has no security footprint
- Changing threats: attacks keep increasing in complexity, requiring full threat reconnaissance
- Compliance: ensuring compliance with regulations and FFIEC requirements
- Attack visibility: often the details needed to track and identify attacks and their source are lacking
- Endless customer devices: desktop, laptop, tablet, phone, internet café, game consoles, smart TVs
Online Anti-Fraud & Malware Protection
"The knowledge that our online users are protected from fraudsters, wherever they are and at any time, enables our team to focus on developing new products and services."
Executive Vice President, Leumi Bank
F5 Networks, Inc / 2013 Versafe Ltd. All rights reserved. Confidential Information
Anti-fraud solutions for web applications
Only fully transparent anti-fraud solution that reduces banking fraud loss
Fraud Detection
- Detection of targeted malware, bots, MITM/MITB, zero-day, credential grabbers, session hijacking and more
- Identifies extensive scans and searches
- Monitors and alerts when a copy of the site is loaded to a spoofed site
Transaction Protection
- Real-time transaction analysis
- Comprehensive request analysis
- Clientless layer 7 encryption
- Session-initiated, one-time encryption key
Security Operations Research Center
- 24x7 security reports and alerts
- Identifies and investigates attacks in real time
- Researches and investigates new global fraud technology and schemes
- Provides detailed incident reports
- Optional site take-down
WebSafe implementation
- Online users reach the web application over the Internet through the organization's DMZ; the WebSafe components are injected into the pages served from there
- Alerts go to the F5 SOC, either on-premise or in the cloud
- Hosted in the DMZ (no data visible to F5.com)
Malware Detection: Web Inject
Web application with the Malware Detection module:
(1) User submits a request for a web page
(2) The page is transmitted to the user with hidden, obfuscated code that detects any change to the HTML or the page
(3) Malware injects malicious code and additional fields into the page
(4) The page hash is checked, and URLs found in the page are checked against known malicious URLs
(5) A real-time alert is issued if any page modification or injection is detected
REAL-TIME ALERT - WebSafe Malware Detection: User John_Smith is infected with generic malware, Zeus 1.2
Malware Detection: Web Inject (targeted malware web injection)
Malware Detection: Targeted Malware
REAL-TIME ALERT - WebSafe Malware Detection: Malicious Script: https://www.hacker.com/autotransfer.js
Malware Detection: Web Inject to Bypass OTP or TAN
Automated malicious transaction: bypassing the one-time password
Malware Protection: Application-level Encryption
Web application with the Malware Protection encryption component:
(1) User sends a request for the login page
(2) WebSafe generates a public/private key pair
(3) The login HTML is returned with the one-time public key
(4) User submits credentials, which are encrypted using the one-time public key from the application
(5) Credentials are decrypted using the private key, available only to F5 and the organization
(6) Malware sends the encrypted credentials to its drop zone server, where they are useless
Transaction Protection: real-time transaction analysis
Signals collected: device ID, clicks, event stream, timing, positions, mouse, keyboard, browser, transaction process, and more
Example values shown on the slide: 819379, [0,0], $32,459
1. Highly suspect mouse position at the [0,0] pixel location
2. Automated stream detected in the Amount field
3. Transaction submitted without pressing the Make Transaction button
REAL-TIME ALERT - WebSafe Transaction Protection: user John_Smith, Transaction ID: 21394; 100% automated
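The three findings on this slide, as an added example and not WebSafe's analysis engine: a page-side collector reports mouse, keyboard and form events with timestamps, and the analysis flags the pointer parked at [0,0], an Amount value that appeared without plausible keystrokes, and a submission with no click on the Make Transaction button. The two event streams are constructed, and the event names, the 30 ms inter-key threshold and the percentage scoring are assumptions. Runs under Node.js.

```javascript
// Added example (not F5/WebSafe code): scoring a transaction's event stream
// for signs of automation (malware driving the form instead of the user).

// Constructed event streams; t is milliseconds since page load.
const HUMAN_SESSION = [
  { t: 100, type: 'mousemove', x: 412, y: 300 },
  { t: 350, type: 'click', x: 420, y: 310, target: 'amount' },
  { t: 520, type: 'keydown', target: 'amount', key: '3' },
  { t: 690, type: 'keydown', target: 'amount', key: '2' },
  { t: 840, type: 'keydown', target: 'amount', key: '0' },
  { t: 1500, type: 'mousemove', x: 500, y: 480 },
  { t: 1700, type: 'click', x: 505, y: 482, target: 'make_transaction' },
  { t: 1710, type: 'submit', fields: { amount: '320' } },
];

const AUTOMATED_SESSION = [
  { t: 5, type: 'mousemove', x: 0, y: 0 },
  { t: 6, type: 'change', target: 'amount', value: '32459' },
  { t: 7, type: 'submit', fields: { amount: '32459' } },
];

// A human cannot sustain key presses closer than this (assumed threshold).
const MIN_HUMAN_INTERKEY_MS = 30;
const HEURISTIC_COUNT = 3;

function analyzeTransaction(events) {
  const findings = [];

  // 1. Pointer reported at the [0,0] pixel: synthetic events often carry a
  //    zeroed position because no real cursor was moved.
  if (events.some((e) => e.type === 'mousemove' && e.x === 0 && e.y === 0)) {
    findings.push('highly suspect mouse position at [0,0]');
  }

  // 2. Amount submitted without keystrokes in the field, or with keystrokes
  //    spaced faster than a person can type.
  const submit = events.find((e) => e.type === 'submit');
  const amount = submit ? submit.fields.amount : undefined;
  if (amount !== undefined && amount !== '') {
    const keys = events.filter((e) => e.type === 'keydown' && e.target === 'amount');
    let automated = keys.length === 0;
    if (keys.length > 1) {
      const avgGap = (keys[keys.length - 1].t - keys[0].t) / (keys.length - 1);
      automated = avgGap < MIN_HUMAN_INTERKEY_MS;
    }
    if (automated) findings.push('automated stream detected in Amount field');
  }

  // 3. Form submitted although the Make Transaction button was never clicked
  //    (script called submit() directly).
  const clickedButton = events.some((e) => e.type === 'click' && e.target === 'make_transaction');
  if (submit && !clickedButton) {
    findings.push('transaction submitted without pressing Make Transaction');
  }

  const automationPercent = Math.round((100 * findings.length) / HEURISTIC_COUNT);
  return { findings, automationPercent };
}

// Alert text in the form shown on the slide.
function formatAlert(user, transactionId, result) {
  return `WebSafe Transaction Protection: user ${user}, Transaction ID: ${transactionId}; ${result.automationPercent}% automated`;
}

console.log(formatAlert('John_Smith', 21394, analyzeTransaction(AUTOMATED_SESSION)));
console.log(analyzeTransaction(HUMAN_SESSION));
```

Each heuristic on its own has benign explanations (a paste into the Amount field, a keyboard-only user pressing Enter), which is why the slide reports a combined score and sends it to analysts rather than blocking on any single signal; thresholds like the inter-key gap are tuned per site from real sessions.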
Advanced Phishing Detection: site copying, loading and attacker information
Definitive, pre-launch detection of impending phishing attacks:
- Detection of website copying and uploading
- Monitoring for spoofed domains and sites
Hidden, obfuscated code in the genuine site:
(1) Attacker downloads the genuine site
(2) The copy of the site is uploaded to a spoofed domain
(3) Identification of the attacker's IP address, drop zones, and any compromised credentials
REAL-TIME ALERT - WebSafe Advanced Phishing Detection: site copy loaded to www.demobankonline.com
F5 Security Operations Center: don't fight fraud alone!
- 24x7x365 Security Operations Center and Malware Analysis Team identifies and investigates attacks in real time
- Researches and investigates new global fraud technology and schemes
- Detailed incident reports
- Optional site take-down: phishing sites; malicious and brand-abuse sites
F5 vision: to offer fully transparent, advanced, real-time protection against online fraud for every user, every device, every browser