norse ipviking technical overview - dsl reports10ebb75b85df201fb... · 2014. 6. 25. · collects...



WHITE PAPER

Norse IPViking Technical Overview


Table of Contents

Introduction
Gathering Dark Intelligence
Global Coverage and Sample Rate
Strategically Located High Performance Infrastructure
Big Data and Big Context
Breadth and Depth of Data Collection
Integrating With Existing Security Infrastructure
Integration
IPViking API Response
The Norse Global High Speed Delivery Platform
Example IPViking Use Case: Account Takeover Fraud Prevention
The IPViking IPQ score
Calculating the IPQ Score
Norse GeoMatch™
Summary
IPViking Features and Benefits Summary
About Norse


Introduction

The Norse Live Threat Intelligence™ platform is a patent-pending infrastructure-based technology that continuously collects and analyzes vast amounts of live high-risk Internet traffic to identify compromised hosts, botnets, Advanced Persistent Threats (APTs), and other sources of cyber attack and online fraud. Using Norse’s proprietary big data analytics platform, over 1,500 different threat and risk factors are used to deliver a live risk score and deep contextual information providing visibility into the threat profile of any public IP address.

Delivered in milliseconds via Norse’s global high-speed delivery platform, Norse IPViking provides a proprietary IP address risk grading – the IPQ score – and detailed threat context that enable highly effective solutions for online fraud prevention and protection from cyber attacks including zero-day exploits and APTs. In this paper we examine the architecture and design considerations of the Norse platform and IPViking and how it enables the delivery of threat intelligence that is live, contextual, and actionable.

The Norse platform continuously collects and analyzes live high risk Internet traffic identifying the sources of cyber attacks and fraud.


Gathering Dark Intelligence

There are a growing number of threat intelligence vendors in the market, but most focus on traffic they see on their own and their customers’ networks. Norse, on the other hand, focuses on network traffic from places on the Internet where bad actors are found. TOR proxies, botnets, IRC chat rooms and many other areas are a haven for attackers with ill intentions, and it is from these sources that Norse gathers its most useful intelligence. IPViking uses big data analytics to provide context to the dark intelligence it aggregates, and delivers a simple, configurable score that enables organizations to make allow, block, or quarantine decisions at wire speeds.

Global Coverage and Sample Rate

Gaining live, contextual insight into the activity of bad actors across the full global IP space depends on broad Internet coverage and a high sample rate: how much geographically representative threat data the platform can collect, and how quickly it can process and analyze that data so it reaches customers as actionable intelligence. Norse achieves this with a large, globally distributed network infrastructure that continuously collects and analyzes tens of terabytes of live cyber attack and high-risk network traffic every day.

Figure: Where the Norse infrastructure sits relative to existing security vendors. Existing vendors see customer traffic, vendor traffic and "good" Internet traffic; the Norse infrastructure is positioned to collect the "bad" traffic: geo mismatches, compromised web servers, piracy, explicit content, compromised CCTVs/DVRs/servers, bogons, anonymous proxies and Tor, unidentified bots, bot C&C, P2P, Pastebin, IRC, pre-login credential hijack (Zeus), and fraudulent payments.


However, not all data is created equal. The types of data collected and sources from which it is collected can be the difference between relevant and irrelevant data. Simply analyzing large amounts of Internet data is not particularly valuable for providing threat intelligence. It is actually counter-productive if the data is largely “good.” Consequently the Norse platform was designed and architected to find, collect, and analyze the Internet’s “bad” and high-risk data and traffic.

Strategically Located High Performance Infrastructure

A portion of the Norse platform includes 16 core routers that sit on Tier 1 long-haul fiber network rings. Norse-owned infrastructure at more than 150 strategically chosen locations across more than 40 countries collects the widest possible breadth of high-risk data types and network traffic. This platform architecture achieves broad global coverage, including the places where much new malware is created and first detected.

The platform has access to approximately 16 million IP addresses spread across the IPv4 space to facilitate real-time collection of threat data. Threat data is fed to GPU calculation clusters in 40 global NOCs, enabling collection, analysis, and delivery of intelligence in approximately 5 seconds or less. The fast infrastructure and high sample rate allow the platform to re-sample and risk-assess the entire IP range every few minutes.

Big Data and Big Context

Threat intelligence that is truly actionable and valuable, and that minimizes the risk of false positives, requires rich contextual data about the threat profile of an IP address. This is achieved at scale via the collection and real-time analysis of large amounts of live high-risk Internet traffic, analysis of a wide variety of data types, and live monitoring of many different communications protocols and networks. The Norse platform was architected to enable the automated collection and analysis of all relevant types of threat data from a wide spectrum of sources. This breadth and depth of threat data collection enables Norse to provide enterprises with an accurate risk score and threat profile, with the contextual data organizations need to design more granular rules and policies than is possible from today’s IP blacklists and feeds.


Breadth and Depth of Data Collection

The following are some of the data types and collection methods used by the Norse platform to achieve its objectives.

Next Generation Honeypots. Norse Honeypots support the emulation of thousands of networks and applications that appear as desirable targets for malware, bots, and hackers. Supporting both low and high interaction, server and client based configurations, Norse honeypots are continually accessed and attacked by compromised hosts, networks, and network connected devices. Client-based honeypots emulate browser-based actions causing compromised websites to reveal their malware. Emulating many different types of network infrastructure, protocols, and services, the platform creates 6-7 million concurrent transactions at any given time.

IRC. Internet Relay Chat is a popular method for exchanging ideas and plans among bad actors. By participating in these chats, the Norse platform is able to quickly gain intelligence on new and modified attack vectors.

BGP-IANA. Border Gateway Protocol is the routing protocol of the Internet. The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources. By maintaining current copies of this information the Norse platform detects if an IP address is valid or bogus (bogon) or if a valid IP address has been hijacked or is being spoofed—all clear indicators of risk.

P2P. Peer-to-Peer connections are created without the need for a central server. P2P networks can be set up within the home, a business, or over the Internet. Participants who are interested in communicating without detection often set these up between interested parties. The Norse platform gains valuable information through its active participation in these P2P networks.


SEO. Search Engine Optimization is a technique for gaining high rankings for specific search criteria. Norse manages websites that rank highly for suspicious searches; visitors who arrive through such searches expose themselves to the Norse platform as likely bad actors.

Crawlers. Norse’s proprietary dark-net crawlers search for a wide range of clear text or documents that are indicators of potential malicious behavior or leaked confidential information including data indicating threat or compromise.

NetFlow. The NetFlow protocol enables the Norse platform to see who is talking to whom across a network. By scoring the risk of the IP addresses at both ends of the connection, it is possible to identify bad actors and compromised hosts.

Anonymous Proxies. Anonymous proxies are used to hide the identity of the participant. While originally designed to protect the innocent, networks like TOR are now widely used to launch and mask cyber attacks, fraud, and malware command and control traffic. Norse does real-time monitoring and detection of new un-published Tor exit nodes providing customers with comprehensive live protection against TOR based attacks.

Open source. By running popular open source applications within the Norse platform’s Honeypot network, it is possible to emulate applications that are used by many and secured by none. This attracts bad actors that end up divulging their tools and techniques. Also by offering free DNS services that do not log, the Norse platform is able to attract users who obviously do not want to be detected. When bad actors use these Norse hosted services, they add to our live intelligence.
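The BGP-IANA item above describes three routing checks on a source address: whether it is a bogon, whether it is routable, and whether the prefix it sits in has been hijacked. The following Python is an added example of how an integrator could reproduce those checks offline; it is not Norse code. The special-purpose table follows RFC 6890 and its successors. The two-prefix RIB and registry are constructed stand-ins for a live BGP feed and RPKI/IRR data: 8.8.8.0/24 (AS15169) and 1.1.1.0/24 (AS13335) are real public allocations, and the AS64496 origin for 1.1.1.0/24 is a fabricated hijack using a documentation ASN (RFC 5398).

```python
import ipaddress
from typing import Dict, Optional, Tuple

# IANA special-purpose IPv4 blocks (RFC 6890 and successors). A packet whose
# source lies in one of these should never arrive from the public Internet, so
# such a source is either a bogon or a spoofed address.
SPECIAL_PURPOSE_V4 = {
    "0.0.0.0/8": "this network (RFC 1122)",
    "10.0.0.0/8": "private use (RFC 1918)",
    "100.64.0.0/10": "shared address space for CGNAT (RFC 6598)",
    "127.0.0.0/8": "loopback (RFC 1122)",
    "169.254.0.0/16": "link local (RFC 3927)",
    "172.16.0.0/12": "private use (RFC 1918)",
    "192.0.0.0/24": "IETF protocol assignments (RFC 6890)",
    "192.0.2.0/24": "documentation TEST-NET-1 (RFC 5737)",
    "192.88.99.0/24": "deprecated 6to4 relay anycast (RFC 7526)",
    "192.168.0.0/16": "private use (RFC 1918)",
    "198.18.0.0/15": "benchmarking (RFC 2544)",
    "198.51.100.0/24": "documentation TEST-NET-2 (RFC 5737)",
    "203.0.113.0/24": "documentation TEST-NET-3 (RFC 5737)",
    "224.0.0.0/4": "multicast (RFC 5771)",
    "240.0.0.0/4": "reserved, includes limited broadcast (RFC 1112)",
}
_SPECIAL = [(ipaddress.ip_network(p), why) for p, why in SPECIAL_PURPOSE_V4.items()]

# Constructed stand-ins for a live BGP RIB (prefix -> observed origin ASN) and
# for registry data such as RPKI ROAs or IRR route objects (prefix -> expected
# origin ASN). The AS64496 origin for 1.1.1.0/24 is a fabricated hijack.
SAMPLE_RIB: Dict[str, int] = {"8.8.8.0/24": 15169, "1.1.1.0/24": 64496}
SAMPLE_REGISTRY: Dict[str, int] = {"8.8.8.0/24": 15169, "1.1.1.0/24": 13335}


def bogon_reason(ip: str) -> Optional[str]:
    """Return why the address is a bogon, or None if it lies in routable space."""
    addr = ipaddress.ip_address(ip)
    for net, why in _SPECIAL:
        if addr in net:
            return why
    return None


def longest_match(ip: str, table: Dict[str, int]):
    """Longest-prefix lookup of ip in a prefix -> ASN table. A linear scan is
    fine for a demo; a production check would use a radix tree."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best


def classify_source(ip: str, rib: Dict[str, int] = SAMPLE_RIB,
                    registry: Dict[str, int] = SAMPLE_REGISTRY) -> Tuple[str, str]:
    """Classify a source address as one of, in decreasing order of risk:
    bogon, origin-mismatch (possible hijack), unregistered, unrouted, ok."""
    why = bogon_reason(ip)
    if why is not None:
        return "bogon", why
    seen = longest_match(ip, rib)
    if seen is None:
        return "unrouted", "no covering prefix in the RIB"
    net, origin = seen
    expected = longest_match(ip, registry)
    if expected is None:
        return "unregistered", f"{net} announced by AS{origin} with no registry record"
    if expected[1] != origin:
        return "origin-mismatch", f"{net} announced by AS{origin} but registered to AS{expected[1]}"
    return "ok", f"{net} announced by AS{origin}"


if __name__ == "__main__":
    # 8.8.4.4 shows as unrouted only because the constructed RIB omits 8.8.4.0/24.
    for ip in ("10.1.2.3", "192.0.2.7", "8.8.8.8", "1.1.1.1", "8.8.4.4"):
        print(ip, *classify_source(ip))
```

The three verdicts above "ok" map onto the Routing/Registration factors described later in the paper (routability, spoofing, unregistered space, ownership changes); in a real deployment the RIB comes from a BGP collector or a looking glass and the registry from RPKI validated ROAs, refreshed on the same cadence as the score.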

Integrating With Existing Security Infrastructure

Integrating with the Norse platform is both simple and elegant. With just a few lines of code an enterprise or developer can begin to integrate IPViking’s live threat intelligence into their IT infrastructure, websites, account login forms, and business processes. The delivery method may vary, but IPViking can be delivered in most common forms: as an API, as a service, or via an appliance.

Integration

The deployment of the IPViking service is as simple as creating an API integration point in the existing customer application wherever a risk assessment of the connecting party’s IP address would let the application mitigate risk. These integration points could include the initial connection, a login page, or a payment/checkout page. Where other applications require extensive integration efforts, observed behavior for learning, or payload analysis, IPViking can score risk based solely on the source IP address. The API integration will also accept additional information related to geo-filtering and geo-matching of billing/shipping addresses with the IP’s geographical location, unique transaction identifiers, and other reference points such as a unique merchant ID or other reference number. These additional fields are contained within the API, so only one point of integration is necessary. It is up to the customer to determine what data is sent along with the IP address and date/time stamp.

IPViking API Response

The IPViking API response to a risk query is a dataset that provides both the risk value and the specific factors and context supporting the risk value returned. The IPQ score, or risk value returned, is a numeric value between 0 (No Risk) and 100 (Extreme Risk).

For straight-forward consumption and action, the risk value can be used to determine policy handling and action across a variety of integration points including the business application outward to perimeter devices. The supporting factors and context can be used by the customer to better understand the transactional activities being reviewed for risk, or in advanced scenarios can be used to optimize policies, e.g. IPs involved with any Explicit Content should be prevented from account creation regardless of overall risk score.


The Norse Global High Speed Delivery Platform

Designed to be integrated with high-volume network infrastructure and critical business processes such as routers, firewalls, load balancers, websites, customer login forms, and eCommerce systems, the Norse platform is architected with a highly redundant and scalable high-speed delivery infrastructure that ensures fast and reliable delivery of data; scores are computed ahead of time, so a query incurs no calculation latency. Response time against the Norse platform is measured in microseconds, with the ability to support hundreds of thousands of queries per second. Dynamic DNS ensures that customers connect to the geographically closest resource to minimize network latency.

A scalable high-speed delivery infrastructure ensures extremely fast and reliable delivery of data.


Example IPViking Use Case: Account Takeover Fraud Prevention

Using the power of malware-based botnets, cyber-criminals have refined techniques for discovering and exploiting network and application layer vulnerabilities through which they steal consumers’ usernames, passwords, and private information. Using the stolen credentials and supporting information, cyber criminals hijack email, social media, banking, and other financial accounts. Armed with such information, they are then able to launch their attacks anonymously through zombie computers from behind proxy networks including Tor – or even the customer’s own compromised computer. Because the access attempts use the correct username and password, include other valid account details that make the request seem legitimate, and appear to be coming from the right device, organizations are challenged in their ability to ensure the true party is accessing the account.

With Norse Live Threat Intelligence, organizations can instantly assess the risk level and threat profile of the IP address of the web visitor initiating an account login. Using the powerful Norse IPQ score, and multiple risk factors such as whether the IP address is being spoofed or hijacked, whether it is a human or botnet, and the geo-location among others, organizations can build sophisticated and granular policies and rules that accurately identify fraudulent and high-risk logon attempts and block account takeover fraud before it can impact the business.
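One way to turn the API response into the allow, step-up and block decisions described in the IPViking API Response section and in this use case. This is an added example, not Norse’s code. The paper states that the response carries the IPQ score (0 to 100) plus supporting factors and context but does not publish a schema, so the field names (ipq_score, categories, factors.spoofed, factors.bogon, factors.bot, factors.anonymizer, geo.country), the sample responses and the thresholds are all assumptions. The rules are ordered and the first match wins, which is what lets the "Explicit Content blocks account creation regardless of score" override from the API Response section be expressed alongside score thresholds.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

ACTIONS = frozenset({"signup", "login", "checkout"})

# Constructed responses in an assumed shape; the real IPViking schema is not
# given in the paper. Addresses are RFC 5737 documentation addresses.
SAMPLE_RESPONSES: Dict[str, dict] = {
    "tor_exit": {
        "ip": "198.51.100.23", "ipq_score": 92, "categories": ["TOR proxy"],
        "factors": {"spoofed": False, "bogon": False, "bot": False, "anonymizer": True},
        "geo": {"country": "NL"},
    },
    "explicit_low_score": {
        "ip": "203.0.113.40", "ipq_score": 18, "categories": ["Explicit Content"],
        "factors": {"spoofed": False, "bogon": False, "bot": False, "anonymizer": False},
        "geo": {"country": "US"},
    },
    "travelling_user": {
        "ip": "203.0.113.77", "ipq_score": 35, "categories": [],
        "factors": {"spoofed": False, "bogon": False, "bot": False, "anonymizer": False},
        "geo": {"country": "FR"},
    },
    "clean": {
        "ip": "203.0.113.5", "ipq_score": 4, "categories": [],
        "factors": {"spoofed": False, "bogon": False, "bot": False, "anonymizer": False},
        "geo": {"country": "US"},
    },
}


@dataclass(frozen=True)
class Rule:
    name: str
    actions: FrozenSet[str]                 # integration points the rule applies to
    matches: Callable[[dict, dict], bool]   # (response, transaction context) -> bool
    decision: str                           # "allow", "step_up" or "block"


# Ordered policy; the first matching rule decides. Thresholds are assumptions.
POLICY: List[Rule] = [
    Rule("explicit-content-no-signup", frozenset({"signup"}),
         lambda r, c: "Explicit Content" in r["categories"], "block"),
    Rule("spoofed-or-bogon", ACTIONS,
         lambda r, c: r["factors"]["spoofed"] or r["factors"]["bogon"], "block"),
    Rule("extreme-risk", ACTIONS, lambda r, c: r["ipq_score"] >= 80, "block"),
    Rule("anonymizer", frozenset({"login", "checkout"}),
         lambda r, c: r["factors"]["anonymizer"], "step_up"),
    Rule("bot", ACTIONS, lambda r, c: r["factors"]["bot"], "step_up"),
    Rule("geo-mismatch", frozenset({"login", "checkout"}),
         lambda r, c: c.get("account_country") is not None
         and r["geo"]["country"] != c["account_country"] and r["ipq_score"] >= 30, "step_up"),
    Rule("elevated-risk", ACTIONS, lambda r, c: r["ipq_score"] >= 50, "step_up"),
]

# What to do when the intelligence service cannot be reached. Failing closed
# turns an API outage into a login outage; failing open lets an attacker who can
# degrade the query bypass it. Stepping up authentication is the usual
# compromise for login and checkout; signup can proceed and be reviewed later.
UNAVAILABLE_DECISION = {"signup": "allow", "login": "step_up", "checkout": "step_up"}


def decide(response: Optional[dict], context: dict, action: str) -> Tuple[str, str]:
    """Return (decision, rule name) for one transaction at one integration point."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if response is None:
        return UNAVAILABLE_DECISION[action], "intel-unavailable"
    for rule in POLICY:
        if action in rule.actions and rule.matches(response, context):
            return rule.decision, rule.name
    return "allow", "default"


if __name__ == "__main__":
    for name, resp in SAMPLE_RESPONSES.items():
        print(name, decide(resp, {"account_country": "US"}, "login"))
```

Keeping the policy as ordered data rather than nested conditionals makes it reviewable and lets the category and factor overrides the paper recommends sit above the score thresholds; logging the matched rule name with every decision is what later lets an analyst explain a false positive.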


The IPViking IPQ score

The score returned by the IPViking API, called the IPQ score, is the aggregate level of risk associated with the IP address at the time of the query. The IPQ score is the value assigned by IPViking to reflect the actual observed behavior of the IP address. The IPQ score ranges from 0 (no or low risk) to 100 (extreme risk).

Calculating the IPQ Score

The foundation of the IPQ score is the more than 1,500 factors used to evaluate the IP address at the time of query. These factors roll up into several categories, which are described below. The following screenshot shows the IPViking IP search interface, which can be used to manually investigate an IP or group of IPs, and shows the main components of the IPQ score.

The IPViking search interface returns detailed information about an IP or group of IPs.


1—The IPQ score is listed here and represents the risk level of a particular IP address.

2—IPViking’s over 1,500 factors roll up into the fifteen categories listed above, which can further be grouped into the meta-categories in the chart below. The fifteen categories in the screenshot above are each assigned a score by IPViking, and the sum of those scores yields the IPQ score (1).

3—The context rationale is pulled directly from the IPViking Category Factor, which is based on the activity directly associated with a particular IP, such as a bot, bogon, TOR proxy/IP anonymizer, etc. This activity is a significant indicator to the risk score, and remediation rules should focus on the value of this factor.

The six meta-categories and what moves each of them:

Geography. The number of hosts from a particular country or region participating in attacks at any given time will impact the score, as will the percentage of the country or region’s hosts that are attacking.

Routing/Registration. ASN to BGP ownership changes, the number of attacks within the ASN, IP spoofing, routability of the IP, and unregistered IP addresses will affect the score.

IP Resolution. Assessment of the current and historical DNS reverse lookup for the IP address influences the score. If the IP won’t resolve correctly or consistently, resolves to a blacklisted IP, or the timeline indicates it is resolving to different domains too often, the score will be adversely affected.

Search Volume. Search volume is a reflection of how often information about this IP is requested through the IPViking API. A high volume of requests in a short period of time can indicate fraud and will adversely affect the score.

Data Age Factor. This factor is determined by how recently and how frequently bad activity occurs on a particular IP. Risk declines over time if additional malicious activity does not occur. See the risk timeline figure below for additional detail.

IPViking Category Factor. This factor is based on the activity directly associated with a particular IP, such as a bot, bogon, TOR proxy/IP anonymizer, etc.


Norse GeoMatch™

In response to the growing need of businesses that engage in eCommerce and Internet-based transactions and communications to accurately determine the real-time geo-location and associated risk of an IP address, Norse developed GeoMatch, an algorithmic solution for real-time computation of the distance between two points in a high-volume environment with global reach.

Norse GeoMatch uses the last published US census data and equivalents from countries around the world. The data is loaded into SQL databases using polygons and spatial indexing for maximum efficiency and performance. The second source of reference points is a real-time IPv4 database in which each record reflects the actual address of the IP device’s location, often with accuracy to within tens of feet.

When a transaction is submitted to Norse IPViking containing both the consumer-provided billing address and the remote IP address used to conduct the transaction, Norse calculates the distance in miles between the two data points with the derived value being the distance between the billing address and the device used on the internet. This provides the computational component of the analysis. The calculated distance and other parameters are used to derive a risk factor that partially drives the IP address risk score.

Risk score is chronologically dynamic and fluctuates with numerous factors. Within several days, risk can decay dramatically. However, repeated behavior, the type of malevolent activity detected, and the severity of the activity can keep scores elevated over time.

Figure: Risk timeline. Risk decay for a single observation is plotted at 24h, 36h, 72h, 1 week, 2 weeks and 4 weeks, falling from the 90-100 band through 80-90 to 50-60. The timeline algorithm weighs events by severity and recidivism.
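The Data Age Factor and the risk timeline figure describe a score that decays unless activity recurs, but the paper gives only the shape of the curve (roughly 90-100 after a day, 80-90 after three days, 50-60 after four weeks) and the inputs (events, severity, recidivism). The following Python is an added example of one model with that shape; it is not Norse’s algorithm, and the half-life, recidivism bonus and window are assumptions chosen to reproduce the bands in the figure.

```python
from dataclasses import dataclass
from typing import Iterable, List

HALF_LIFE_DAYS = 35.5    # assumed: a single severity-95 event lands in the 50-60 band after 28 days
RECIDIVISM_BONUS = 0.25  # assumed: each further event inside the window raises the aggregate by 25%
WINDOW_DAYS = 90.0       # assumed: observations older than this stop contributing


@dataclass(frozen=True)
class Observation:
    day: float       # when the activity was seen, in days on a common clock
    severity: float  # 0-100 weight for the activity type, e.g. 95 for bot C&C, 40 for scanning


def risk_at(observations: Iterable[Observation], now: float) -> float:
    """Aggregate risk of one IP at time `now` (same day units as the observations).

    Each observation contributes its severity halved every HALF_LIFE_DAYS; the
    sum is then multiplied by a recidivism factor so repeat offenders stay
    elevated, and the result is capped at 100 like the IPQ score.
    """
    live = [o for o in observations if 0.0 <= now - o.day <= WINDOW_DAYS]
    if not live:
        return 0.0
    decayed = sum(o.severity * 0.5 ** ((now - o.day) / HALF_LIFE_DAYS) for o in live)
    recidivism = 1.0 + RECIDIVISM_BONUS * (len(live) - 1)
    return min(100.0, decayed * recidivism)


def timeline(observations: List[Observation], checkpoints_days: Iterable[float]) -> List[float]:
    """Risk at each checkpoint, rounded for display."""
    return [round(risk_at(observations, t), 1) for t in checkpoints_days]


CHECKPOINTS = [1.0, 1.5, 3.0, 7.0, 14.0, 28.0]  # 24h, 36h, 72h, 1 wk, 2 wk, 4 wk as in the figure

if __name__ == "__main__":
    single = [Observation(day=0.0, severity=95.0)]
    repeat = single + [Observation(day=27.0, severity=95.0)]
    print("single event:   ", timeline(single, CHECKPOINTS))
    print("repeat offender:", timeline(repeat, CHECKPOINTS))
```

With these constants a single severe observation scores about 93 after a day, 90 after three days, 83 after a week and 55 after four weeks; a second observation on day 27 pushes the day-28 score back to the cap, which is the "recidivism keeps scores elevated" behaviour the figure describes.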


Additional enrichment of IP location data, unique to GeoMatch, comes from identifying location types such as hotels, airports, train stations, and other public or known locations. This data is factored into the evaluation of risk for a transaction outside a user’s typical IP location pattern, to compensate for known factors such as travel.

For more information on Norse GeoMatch, please see the detailed white paper available on our website.
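The distance computation at the heart of GeoMatch, as an added example rather than Norse’s implementation (which the paper says runs over census polygons with spatial indexing in SQL): great-circle distance in miles between the geocoded billing address and the geolocated IP, turned into a risk factor that is discounted for the public location types mentioned above. The ZIP centroid table is a constructed approximation standing in for the census data, and the distance bands and travel discount are assumptions.

```python
import math
from typing import Tuple

EARTH_RADIUS_MILES = 3958.8

# Constructed approximations of ZIP-code centroids standing in for the census
# polygon data the paper describes; a real deployment geocodes the full address.
ZIP_CENTROIDS = {
    "94402": (37.5630, -122.3255),  # San Mateo, CA
    "94301": (37.4443, -122.1498),  # Palo Alto, CA
    "10001": (40.7484, -73.9967),   # Manhattan, NY
}

# Location types the GeoMatch section says are used to compensate for travel.
# The discount values are assumptions for this example.
TRAVEL_LOCATION_DISCOUNT = {"airport": 0.5, "hotel": 0.5, "train station": 0.5}

# Distance bands in miles -> factor contribution; assumed values.
DISTANCE_BANDS = [(25.0, 0.0), (100.0, 10.0), (500.0, 30.0), (math.inf, 60.0)]


def haversine_miles(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points in statute miles."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def distance_band_factor(distance: float) -> float:
    """Map a billing-to-IP distance onto the assumed risk bands."""
    return next(factor for limit, factor in DISTANCE_BANDS if distance <= limit)


def geomatch_factor(billing: Tuple[float, float], ip_location: Tuple[float, float],
                    location_type: str = "residential") -> Tuple[float, float]:
    """Return (distance_miles, risk_factor) for one transaction."""
    distance = haversine_miles(*billing, *ip_location)
    factor = distance_band_factor(distance)
    factor *= 1.0 - TRAVEL_LOCATION_DISCOUNT.get(location_type, 0.0)
    return distance, factor


def score_transaction(billing_zip: str, ip_location: Tuple[float, float],
                      location_type: str = "residential") -> Tuple[float, float]:
    """Geocode the billing ZIP from the constructed table, then score it."""
    if billing_zip not in ZIP_CENTROIDS:
        raise ValueError(f"no geocode for ZIP {billing_zip}")
    return geomatch_factor(ZIP_CENTROIDS[billing_zip], ip_location, location_type)


if __name__ == "__main__":
    print("local purchase:  ", score_transaction("94402", ZIP_CENTROIDS["94301"]))
    print("cross-country:   ", score_transaction("94402", ZIP_CENTROIDS["10001"]))
    print("from an airport: ", score_transaction("94402", ZIP_CENTROIDS["10001"], "airport"))
```

The factor feeds the overall IPQ score alongside the other categories, as the GeoMatch section says; a practitioner should treat the "tens of feet" accuracy claim as an upper bound and keep the inner band wide enough that mobile and CGNAT geolocation error does not generate step-ups for every local customer.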


Summary

Despite the many available solutions, the fundamental architectures of traditional signature- and policy-based security products lack the intelligence and adaptability needed to protect against today’s advanced attacks, APTs, and zero-day exploits. While some promising intelligence-based security offerings have started to emerge, the complexity of today’s attacks and the ability of cybercriminals to rapidly change the IP addresses from which their attacks are launched call for intelligence-based security with big context rather than merely big data, and with truly live data rather than the dubious “real-time” claims of many vendors.

Norse Live Threat Intelligence enables organizations to transition to an intelligence-based strategy incrementally, prioritizing resources and effort according to the organization’s specific risk profile and attack surface. Using flexible REST APIs, organizations can quickly and cost-effectively integrate live, actionable threat intelligence at virtually any point in their IT infrastructure and web-based business processes, raising their overall security posture and lowering business risk.

IPViking Features and Benefits Summary

IPViking Features

IPQ Score provides a simple, weighted risk scoring system
GeoMatch scores transactions and connections based on IP address geolocation, often with accuracy to within tens of feet
Powerful security analytics provide rich contextual reporting
Custom API Fields allow enterprises to customize API scores using factors specific to their business
API response within milliseconds
Simple, flexible REST API

IPViking Benefits

Immediately effective: requires no machine learning, building of rules engines, or establishing of statistical baselines
Reduces risk of security breaches, website hacks, and the associated loss of reputation and revenue
Prevents account takeover fraud due to stolen credentials
Reduces fraud and chargeback related costs
Protects your brand and improves user experience when integrated into sign-up and login screens
Provides security analysts with contextual threat intelligence for improved forensics and investigations
Supports FFIEC compliance requirements for layered security


Norse Corporation, 1825 S Grant St Ste 400, San Mateo, CA 94402

www.norse-corp.com [email protected] +1-650-513-2881

About Norse

Norse is the leading innovator in the live threat intelligence security market. With the goal of transforming the traditionally reactive IT security industry, Norse offers proactive, intelligence-based security solutions that enable organizations to identify and defend against the advanced cyber threats of today and tomorrow. Norse’s synchronous, global platform is a patent-pending infrastructure-based technology that continuously collects and analyzes real-time, high risk Internet traffic to identify the sources of cyber attacks and fraud. Norse is the only provider of live, actionable, cyber threat intelligence that enables organizations to prevent financial fraud and proactively defend against today’s most advanced cyber threats including zero day and advanced persistent threats. Norse has offices in Silicon Valley, St. Louis, and Atlanta. Visit us online at norse-corp.com.

© 2013 Norse Corporation. All Rights Reserved Worldwide.