RSA Web Threat Detection - Dell EMC
Web Threat Landscape
• Password Cracking/Guessing
• Parameter Injection
• New Account Registration Fraud
• Advanced Malware (e.g. Trojans)
• Promotion Abuse
• Man in the Middle/Browser
• Account Takeover
• Unauthorized Account Activity
• Fraudulent Money Movement
• Phishing
• Site Scraping
• Vulnerability Probing
• Layer 7 DDoS Attacks
Fraud: Post-Authentication Threats
InfoSec: Pre-Authentication Threats
Lifecycle stages: In the Wild, Begin Session, Login, Transaction, Logout
Presenter
Presentation Notes
The web threat landscape spans the entire online user lifecycle: from out in the wild, through login and transaction, to logout. Different threats occur at different points of this lifecycle, and these threats correspond to the use cases that Web Threat Detection protects against. Some of these threats, like vulnerability probing and parameter injection, are pre-authentication threats that may be precursors to fraud, but they are often threats that the InfoSec team is going to care about, not necessarily the fraud team. Post-authentication threats, or threats that occur at the point of authentication, like new account registration fraud, account takeover and fraudulent money movement, are attempts at fraud and will be important for fraud teams to understand. Ultimately, Web Threat Detection is NOT just a fraud solution; the value spans the entire web session lifecycle.
Despite existing security measures, fraud threats and tactics continue to increase in number and evolve in sophistication and complexity. According to survey results from the Financial Services Information Sharing and Analysis Center, the total number of account takeover attempts reported by financial institutions has more than tripled since 2009. In order to reach these accounts, cyber criminals often target different segments of the online user life cycle. Employing a range of diverse tactics, they eventually arrive at stolen credentials, identified vulnerabilities on a targeted website, access to their victim’s accounts and, in some cases, the ability to drain funds from the online account. One recent example is the use of a DDoS attack as a smokescreen: while the security team addresses the DDoS attack, cyber criminals go after their intended target and drain assets. This attack is typically leveraged at financial institutions. In addition to new and more sophisticated tactics, the attack surface of the online channel has expanded to encompass web, mobile and ecommerce.
Security needs to be layered and span all these entry points. By deploying the appropriate monitoring, detection and prevention tools in the wild, throughout the web session and at the point of authentication and transaction, RSA can span this extended attack surface and protect the entire online user life cycle.
Business & Customer Challenges: Security is a Balancing Act
Business Challenge: Information Sprawl; Mobility of End Users; More Threats; More Regulations
Business Requirements: Meet Regulations; Mitigate Emerging Threats; Protect Information
End-User Requirements: Self-Service; Secure Account Access and Use; Ease of Use
Presentation Notes
Now let’s look at the business and customer environment. The Business Challenges: Businesses face challenges today ranging from identity and information sprawl to managing the growing mobile workforce, while at the same time protecting against emerging threats and remaining compliant. The Business Requirements: Technical requirements may vary from organization to organization, but there are common themes that both the security and management teams are concerned with, namely a solution that helps to protect information such as intellectual property (IP), financial data, and personally identifiable information (PII); mitigate the ever-evolving threat landscape; and address new regulations. The End-User Requirements: Additionally, consumers, employees, partners, and contractors demand secure, convenient, self-service options. Organizations have migrated their services to remote channels such as the Internet and call center. How is it that an organization balances the business challenges, requirements, and end-user preferences/demands? RSA Adaptive Authentication can help organizations address this balancing act.
Services for Customers | Opportunity for Criminals
“Forgot my password” link | If only there was a way to validate accounts…
Next-day shipping | My shipping mule will have it before your fraud team knows it’s gone
Express wire transfers | I’ll cash out before your customer calls about a weird transaction
$10 for new accounts promotion | One sounds good; 6,000 sounds great
Account locks after 5 failed logins | Good luck making money when I lock all of your user accounts.
View your statement online | Thanks for the identity theft one-stop shop!
Presentation Notes
Here we have a list of basic business logic abuse examples; it’s by no means exhaustive, but it gives you an idea of what we’re talking about. Picking on just a few of these: consider the account lockout feature many sites have. If someone tries to log in to your account more than 3 or 4 times, your account may be locked to prevent someone from guessing your password. But what if the attacker isn’t interested in accessing your account, and instead just wants to keep the site from doing business? In this case, the attacker may deliberately fail multiple logins across multiple accounts. Imagine you’re running a banking site: what would the impact be if no one could get past your login page? There are many forms of business logic abuse out there; some use malware loaded on a customer’s device, some exploit vulnerabilities on the site, but they all have the same impact: increased cost of doing business for the customer at best, and likely hard dollar fraud losses.
RSA Fraud & Risk Intelligence Solutions: Securing the Online User Life Cycle
Lifecycle stages: In the Wild, Begin Session, Login, Transaction, Logout
Solutions across the lifecycle: FraudAction & CyberCrime Intelligence; SilverTail; Transaction Monitoring; Adaptive Authentication; Web Threat Landscape
Presentation Notes
RSA Fraud and Risk Intelligence solutions span the online user lifecycle with external threat intelligence services, risk-based and dynamic knowledge-based authentication, transaction protection and monitoring, and continuous online behavioral monitoring and analysis. Adaptive Authentication is, as its name implies, an authentication solution: Adaptive Authentication and Transaction Monitoring protect login and transactions, respectively, by trying to ensure that the individual seeking access to an account or a transaction is the person to whom credentials were issued. These solutions are one of the best lines of defense against fraud there is. Web Threat Detection identifies anomalous online behavior suggestive of disruptive activities; it protects against a wide range of attack types far beyond fraud. Web Threat Detection’s continuous monitoring and analysis reveals things such as DDoS attacks, password guessing, vulnerability or architecture probing, site scraping, and business logic abuse such as exploiting shopping cart vulnerabilities or excessive account registration; in short, any online threat. Authentication and anomalous behavior detection together offer a deep, layered defense. This defense identifies fraud and its behavioral precursors as well as a host of other disruptive behaviors that cost customers money and damage their reputation. A layered defense allows you to deploy different security controls at different points throughout the entire customer life cycle based on your organizational risk tolerance, policy and customer segmentation.
So how are we responding to this onslaught of attacks? There are three points of interaction that can be protected:
• User level: making sure users are who they say they are by looking at the device ID and requiring two-factor authentication
• Network level: trying to protect against access by disruptive users or devices by leveraging
• Application level: employing physical safeguards like the WAF as well as proactive (pen testing), real-time (dynamic scanning) and reactive (log/SIEM and source code analysis) measures
So which is most effective?
BULLETS
Customer problem: you do not know what people are doing on your website, leaving you open to all kinds of threats. Many of these attacks are difficult to detect:
• Account Takeover
• Man-in-the-Middle
• Man-in-the-Browser
• Password guessing
• Stolen credentials
• New Account Registration Fraud
• DDoS
• Information scraping
• Reconnaissance
• Exploitation of architectural or other vulnerabilities
Below is some color on some of the threats:
DDoS: Criminals are increasingly targeting the application layer (approximately 25% of DDoS attacks are application layer) rather than the network layer. Recent attacks include Reddit, Mt Gox (virtual currency, based in Tokyo), a “large gaming site” (brought down by the pingback feature of WordPress) and WordPress itself (by a botnet).
New Account Registration Fraud: to collect benefits or increase chances of winning sweepstakes for new account registrations.
Password guessing: vertical, trying multiple passwords for a single user ID; horizontal, trying a single password for multiple user IDs (“admin” is always popular).
Man in the Middle or Man in the Browser attacks: steal credit cards or account credentials.
Information scraping: financial or customer account information; data from government websites; prices or other competitive information gathered by competitors (corporate espionage).
Reconnaissance: by insiders looking to harm the enterprise or government; testing out stolen credit card numbers; probing of website architecture to identify vulnerabilities that can be exploited in a future attack.
Parameter injection: injecting code into a program or query to execute remote commands that can change data on a website.
Exploiting architectural or other vulnerabilities: business logic abuse; robotic sweepstakes entries; hacktivism; accessing stored credit card or other valuable data.
Account Takeover: directing money to mule or other accounts; other unauthorized account activity.
Mitigating Online Threats with Real-Time Detection
What do you need to tell the difference between legitimate and disruptive or criminal use of your web site?
• Total visibility into web sessions
• Ability to identify behavioral patterns for crowds and individual users
• Ability to process this information and draw meaningful conclusions
• Ability to act on these conclusions
… and you need to be able to do this in real time
Presentation Notes
Visibility into web sessions: What exactly ARE people doing on your website? What pages are they looking at? For how long? Where are they coming from?
Ability to identify behavioral patterns for crowds and individual users: Do people typically go to particular pages before others? How long do people typically stay on particular pages? Does this individual user typically view the same pages in the same order? Or log in from the same geographic area?
Ability to process this information and draw meaningful conclusions: What does it mean if a user doesn’t navigate pages in the typical order? What if an individual user spends significantly more time on a web page than he usually does? And crowd behavior changes; is there a way to make sure that behaviors that would have been anomalous two weeks ago aren’t flagged? Is there a way to score these behaviors so that you aren’t focusing on red herrings?
Ability to act on these conclusions: Is there a way to alert the fraud or IT teams to potentially disruptive behavior? To limit or deny access to online assets based on a threat score or other rule?
Through Total Visibility into the Web Session
• Providing Continuous Monitoring for Total Visibility into Web Sessions
• Leveraging Big Data Analytics and Visualization
• Building Dynamic Behavioral Profiles for the Population and Individuals
• Calculating Real-time Threat Scores for Use in Rules
Presentation Notes
BULLET POINTS
• Customers vs criminals via behavioral analysis, looking for anomalies
• Calculates a threat score for each click for: Velocity, Behavior, Parameter, Profile, Man in the Middle, Man in the Browser
• This allows disruptive behavior to expose itself
SCRIPT
Web Threat Detection helps organizations tell the difference between legitimate and disruptive or criminal use of a website through behavioral analysis. Web Threat Detection looks for behavioral anomalies indicative of fraud or other disruptive use of a website. Web Threat Detection captures each and every click for each and every web session and calculates a threat score in real time for each. Real time threat scoring empowers you to respond to identified threats in real time; these scores can be consumed by the rules engine so that you can determine how to respond to different levels and types of threats. The threat scores reflect how anomalous the user’s behavior is across a range of variables including:
• Velocity: how quickly the user transitions from one web page to another. Unusually high velocity is typically indicative of a robotic attack.
• Behavior: how closely the user conforms to the navigation sequence of the rest of the web sessions for that site.
• Parameter: how rare a given parameter submitted through POST or GET is. Those that are typically not present are scored higher.
• Profile: how closely the individual user’s current behavior matches his past behavior.
• Man in the Middle
• Man in the Browser
This approach enables potentially fraudulent or disruptive behavior to expose itself. After all, what constitutes legitimate use may look slightly different depending on the individual site.
Threat Scores: Velocity, Behavior, Parameter Injection, Man in the Middle, Man in the Browser
Stream Analytics
Presentation Notes
BULLET POINTS
• Forensic approach allows anomalous behavior to stand out
• Different than the traditional approach, where you create a static picture of bad behavior and compare against it
• Allows Web Threat Detection to keep up with the evolving threat landscape
SCRIPT
The forensic approach to analyzing all of this data is what allows anomalous behaviors, such as navigating pages in an atypical manner or attempting to access non-indexed, unvisited pages, to stand out. This is totally different from the usual approach to identifying potentially disruptive or fraudulent activities: rather than comparing current online behavior to a rules-based, predefined and static profile (for example, if the user goes to this page on the site he is obviously up to no good), the self learning engine creates and maintains a dynamic profile of how legitimate users are using your site right now! This allows Web Threat Detection to keep up with the evolving threat landscape; population behavior changes over time in response to any number of factors (some of which are totally out of your control). The self learning risk engine means not having to rely on constant manual recalibration of what constitutes disruptive behavior.
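To make the per-click scoring and the self-learning population profile concrete, here is an added Python illustration (not RSA's code, and not how the product computes its scores). It learns page transitions, parameter names and inter-click intervals from constructed legitimate sessions and then scores the velocity, behavior and parameter components for the "third user" who skips Bill Pay Home. The page names, the sample sessions, the linear velocity ramp, and the rule that the combined score is the maximum component are assumptions; the 0.05-second robotic threshold is the figure cited later in the deck's architecture notes.

```python
from collections import Counter
from statistics import median

START = "<start>"    # virtual predecessor of the first click in a session
ROBOT_GAP = 0.05     # seconds; the notes cite clicks under .05 s as typically robotic


class PopulationProfile:
    """Counts learned from the site's own traffic; keeps learning as sessions stream in."""

    def __init__(self):
        self.transitions = Counter()  # (previous page, page) -> times seen
        self.from_page = Counter()    # previous page -> all transitions out of it
        self.params = Counter()       # (page, parameter name) -> times seen
        self.page_hits = Counter()    # page -> times requested
        self.gaps = []                # inter-click intervals in seconds

    def learn(self, session):
        prev, prev_t = START, None
        for page, params, t in session:
            self.transitions[(prev, page)] += 1
            self.from_page[prev] += 1
            self.page_hits[page] += 1
            for name in params:
                self.params[(page, name)] += 1
            if prev_t is not None:
                self.gaps.append(t - prev_t)
            prev, prev_t = page, t

    def typical_gap(self):
        return median(self.gaps) if self.gaps else 1.0


def rarity(count, total):
    """0 when every observation did this, 100 when it was never seen."""
    return 100 if total == 0 else round(100 * (1 - count / total))


def score_session(profile, session):
    """Score each click of a session against the profile; returns one dict per click."""
    typical = profile.typical_gap()
    results, prev, prev_t = [], START, None
    for page, params, t in session:
        # Behavior: how rare is this page transition for the population?
        behavior = rarity(profile.transitions[(prev, page)], profile.from_page[prev])
        # Velocity: 100 below the robotic threshold, then a ramp down to 0 at half
        # the population's typical interval (ramp shape is an assumption)
        if prev_t is None:
            velocity = 0
        elif t - prev_t < ROBOT_GAP:
            velocity = 100
        else:
            velocity = max(0, round(100 * (1 - 2 * (t - prev_t) / typical)))
        # Parameter: the rarest parameter name submitted on this page decides the score
        parameter = max((rarity(profile.params[(page, n)], profile.page_hits[page])
                         for n in params), default=0)
        results.append({"page": page, "behavior": behavior, "velocity": velocity,
                        "parameter": parameter,
                        "threat": max(behavior, velocity, parameter)})  # combination rule assumed
        prev, prev_t = page, t
    return results


# Constructed training traffic: the two legitimate paths from the slide, repeated.
_VIEW_CHECK = [("home", {}, 0.0), ("signin", {"user": 1}, 5.0), ("myaccount", {}, 10.0),
               ("checking", {}, 16.0), ("viewcheck", {"id": 1}, 22.0)]
_PAY_BILL = [("home", {}, 0.0), ("signin", {"user": 1}, 5.0), ("myaccount", {}, 11.0),
             ("billpay", {}, 17.0), ("addpayee", {"name": 1}, 24.0),
             ("selectpayee", {"payee": 1}, 30.0), ("enteramount", {"amount": 1}, 36.0),
             ("submit", {"amount": 1, "payee": 1}, 41.0)]
PROFILE = PopulationProfile()
for _s in [_VIEW_CHECK] * 3 + [_PAY_BILL] * 3:
    PROFILE.learn(_s)

# The third user from the slide: skips Bill Pay Home, moves at robotic speed, and
# submits an extra parameter the population never sends (constructed).
SUSPECT = [("home", {}, 0.0), ("signin", {"user": 1}, 4.0), ("myaccount", {}, 9.0),
           ("addpayee", {"name": 1}, 9.01), ("enteramount", {"amount": 1}, 15.0),
           ("submit", {"amount": 1, "payee": 1, "debug": 1}, 15.02)]

if __name__ == "__main__":
    for click in score_session(PROFILE, SUSPECT):
        print(click)
```

Because the profile is rebuilt from counts, retraining on the next batch of sessions is the same `learn` call, which is the "self learning" property the notes describe.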
Anomalous Behavior Detection: Cyber Criminals Look Different than Online Customers
Pages in the example banking site navigation: Sign-in, Homepage, My Account, Bill Pay Home, Add Bill Payee, Enter Pay Amount, Select Bill Payee, Submit, Checking Account, View Checking
• Velocity
• Page Sequence
• Origin
• Contextual Information
Presentation Notes
BULLET POINTS
• Criminals behave differently than legitimate users
• Becomes apparent when you look at velocity, navigation sequence, geo location and contextual info (e.g., user agent or referrer changes mid session)
• Example on slide: page navigation
SCRIPT
Web Threat Detection’s approach to identifying potentially fraudulent or disruptive use of a website using behavioral analysis works because criminals do in fact behave differently than legitimate site users. That becomes apparent when you compare how quickly they move through the site, where they access your site from, even how they navigate through the site. For example, any user that comes to this particular banking site will land on the home page, sign in and then land on the My Account page. From here though, a legitimate user may proceed to their checking account and then view a check. Another legitimate user, after landing on the My Account page, may proceed to the bill pay home page, add a bill payee, select that bill payee, enter the payment amount and submit the bill. Now a third user enters the site and, after landing on the My Account page, skips over the bill pay home page and proceeds right to the add bill payee page. Then he goes on to enter the pay amount and submits. Does this mean that moving straight to the add bill payee page is in and of itself indicative of fraudulent behavior? Or that not accessing the checking account before selecting the bill payee is? Perhaps not in and of itself; it is only because it is so unusual for the population that uses this site that it is flagged as suspicious. Of course there are other factors that in combination with this anomaly suggest fraud or misuse and contribute to a higher threat score. This is just an example of how Web Threat Detection processes the end user’s interaction with your site.
Architecture diagram labels: Click Stream -> Page Request -> Web Threat Detection Threat Score (0-100, for Man in the Middle, Man in the Browser, Behavior, Velocity, Parameter) -> Real Time Alerts and Hourly Alerts -> Web Threat Detection User Interface (Forensic Dashboard, One Click Investigation, Deep Inspection, Sessionize and Visualize) -> Web Threat Detection Action Server
Presentation Notes
So how does Web Threat Detection actually work?
1. The page request, arguments and HTTP header data are fed into the threat engine and a threat score is calculated on a scale from 0 to 100. Note that a threat score is calculated for each click.
2. The threat score can be consumed by Web Threat Detection’s rules engine, meaning that you can determine how to respond to different levels and types of threats. So, for example, you could create a rule that asks the end user to re-authenticate if the Man-in-the-Middle score for a click or series of consecutive clicks exceeds a particular threshold. Or you could create a rule that sends the session to a web application firewall (WAF) if the velocity score for a click or series of clicks is high; clicks that are executed less than .05 seconds after the preceding click are often indicative of robotic activity. Rules based on criteria other than the threat score can also be defined. For example, a real-time alert could be raised if an end user visits the add bill payee page, followed by the transfer money to new payee page, and then proceeds to the delete payee page.
3. If a click meets the criteria defined in a rule (for example, the threat score exceeds a defined threshold or a particular navigation sequence occurs), a real-time alert is generated and an incident is created on the Web Threat Detection dashboard. The alert includes the rule that fired the alert (and therefore the type of threat) as well as all of the information necessary to investigate the incident. Incidents in the dashboard are prioritized based on how you have prioritized the rule that was fired. In addition to real-time alerts, Web Threat Detection generates hourly alerts which also populate the user interface. Top scores for Man in the Middle, Man in the Browser, Behavior, Velocity and Parameter are posted for IPs, users and pages. This feature is a boon to your threat analysts, who can track trends over time or drill down into individual IPs, users and pages.
4. The alerts are consumed by the Web Threat Detection Action Server, which actually carries out the action defined in the rule. The Action Server can export details to a SIEM, case management system or load balancer, generate an email, and/or send the IP or user to a WAF.
5. Now that we have seen how Web Threat Detection generates alerts so that you can define responses to different threat types and levels, let’s look at how Web Threat Detection provides even more context for your threat investigations by providing total visibility into the web session. The same page requests, arguments and HTTP header data that are fed into the risk engine to be scored are combined with the User ID, session cookie and IP address and “sessionized.” What we mean by sessionizing is taking all of these click stream details (details that get posted to web server logs in chronological order) and categorizing them by individual web session. Therefore my interaction with a web site (my web session) can be investigated separately from your interaction with the web site (your web session). Web Threat Detection allows you to drill down into these individual web sessions and see exactly what transpired, click by click and in real time. It is hard to overstate the power that this visibility confers. When you can see each click in real time, you can act on what you see in real time.
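The sessionizing step and the three kinds of rule described above (a threat-score threshold, a velocity test, and a navigation sequence), as an added Python example that is not RSA's code: constructed chronological log lines are regrouped into sessions by user ID, session cookie and IP, each rule returns the clicks that are its evidence, and alerts come out ordered by the priority an operator would assign to the rule. Page names, the Man-in-the-Middle score column, thresholds and action names are assumptions.

```python
from collections import defaultdict, namedtuple

# One click as it appears in the (constructed) feed: time in seconds, client IP,
# session cookie, user ID, page, and a Man-in-the-Middle score from the scoring engine.
Click = namedtuple("Click", "t ip cookie user page mitm")

LOG = """\
0.00 203.0.113.7 c1 alice myaccount 5
0.50 198.51.100.9 c2 bob catalog 2
0.52 198.51.100.9 c2 bob catalog 2
0.53 198.51.100.9 c2 bob catalog 1
3.00 192.0.2.44 c3 carol signin 88
4.00 192.0.2.44 c3 carol myaccount 12
6.00 203.0.113.7 c1 alice addpayee 4
12.00 203.0.113.7 c1 alice transfernew 6
19.00 203.0.113.7 c1 alice deletepayee 5
"""


def parse(log):
    clicks = []
    for line in log.strip().splitlines():
        t, ip, cookie, user, page, mitm = line.split()
        clicks.append(Click(float(t), ip, cookie, user, page, int(mitm)))
    return clicks


def sessionize(log):
    """Regroup the chronological click stream into per-session lists keyed by user, cookie and IP."""
    sessions = defaultdict(list)
    for c in parse(log):
        sessions[(c.user, c.cookie, c.ip)].append(c)
    return dict(sessions)


# Each rule returns the clicks that are its evidence; an empty list means it did not fire.
def rule_mitm(clicks, threshold=70):
    """Threat-score rule: any click whose Man-in-the-Middle score exceeds the threshold."""
    return [c for c in clicks if c.mitm > threshold]


def rule_velocity(clicks, min_gap=0.05):
    """Velocity rule: clicks issued less than min_gap seconds after the previous one."""
    return [b for a, b in zip(clicks, clicks[1:]) if b.t - a.t < min_gap]


def rule_payee_churn(clicks, pattern=("addpayee", "transfernew", "deletepayee")):
    """Navigation-sequence rule: add payee, then transfer to new payee, then delete payee."""
    pages = [c.page for c in clicks]
    n = len(pattern)
    for i in range(len(pages) - n + 1):
        if tuple(pages[i:i + n]) == pattern:
            return clicks[i:i + n]
    return []


# (rule name, operator-assigned priority, action for the Action Server, rule function)
RULES = [
    ("mitm-reauth", 1, "step-up authentication", rule_mitm),
    ("payee-churn", 1, "real-time alert to fraud team", rule_payee_churn),
    ("robotic-velocity", 2, "send IP to WAF", rule_velocity),
]


def evaluate(sessions):
    """Run every rule over every session; alerts come back ordered by priority, then user."""
    alerts = []
    for (user, cookie, ip), clicks in sessions.items():
        for name, priority, action, fn in RULES:
            evidence = fn(clicks)
            if evidence:
                alerts.append({"rule": name, "priority": priority, "action": action,
                               "user": user, "ip": ip, "cookie": cookie,
                               "evidence": [c.page for c in evidence]})
    return sorted(alerts, key=lambda a: (a["priority"], a["user"]))


if __name__ == "__main__":
    for alert in evaluate(sessionize(LOG)):
        print(alert)
```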
Today, many organizations outsource at least some web-enabled functionality to third party providers. From online bill payment to promotions to hosted log-ins or search, there are a number of use cases for embedded third party applications. Although outsourcing these functionalities brings efficiency and cost savings, it also increases exposure to online threats. Embedded third party applications are a blind spot – once the end user enters the embedded application, visibility is lost and not regained until he re-enters the main site. This leaves the site vulnerable to an attack or malware launched by cyber criminals from that application. In addition to both direct and indirect costs associated with loss of assets, brand damage and mitigating the attack, regulatory requirements around vendor management are intensifying across verticals. Whether you are in healthcare, government, the financial services industry or retail, you are increasingly being expected to proactively identify potential security risks, verify regulatory compliance and monitor changes for third party providers. In order to reduce exposure to online threats from embedded third party applications you need total visibility into the entire web session, not just the segment of the web session transacted on your site. RSA Web Threat Detection supports visibility into embedded applications so that you can reduce risk associated with exposing your web site and your customers’ information and assets to third party providers. The traffic from the embedded application will be monitored, analyzed and visualized alongside traffic from your website – without disrupting the end user experience or degrading site response time.
Site Scraping – Overview: Example of the Web Scraping process
1. Hotel reviews posted on customer site
2. Bot pulls content from site within minutes of posting
3. Potential traveller searches Google & clicks to travel review site (not TripAdvisor)
4. Travel hotel chosen based on reviews from the original site, without the customer actually visiting the original content website
5. Customer clicks link to hotel booking site
6. Hotel booked & travel plans complete!
Key impacts to the travel review website?
1. Missed web traffic equals missed advertising revenue
2. Travel booking referral to hotel based on original site content but claimed by third party review site
3. Increased market competition, from competitors with minimal operational cost overheads
Information Security: Example #3 – Password guessing
Attempted account takeover via scripted attacks
Single user ID, multiple password attempts. Note: the password has one-way encryption, which still allows for value profiling.
Analysis of header data detects the Linux operating system, which is very common for scripted attacks.
Do you have visibility of brute force attacks on your login pages?
• RSA Web Threat Detection is very effective at both types of password guessing:
  • Vertical: same user ID, guess the password
  • Horizontal: same password, guess the user ID
• Often banks & other online organisations allocate user IDs based on number. If you run a script with a common password (e.g. P@ssword1), then it is simply a matter of time until an account logon is compromised as the script cycles through sequential login numbers.
Fraud Threats: Example #5 – Credential Testing
Account ‘peeking’: multiple test logins from a Nigerian IP address
Multiple users from a single Nigerian IP within 1 hour
Single login test click for each account
Early Detection = Reduced Impact
• Detection of account ‘peeking’ via Web Threat Detection allows for ‘at-risk’ user accounts to be identified & treated before the customer or business is impacted
• Account peeking is a very common behaviour by fraudsters as it allows them to:
  1. Validate the login credentials
  2. Identify higher value accounts
  3. Understand the controls which must be defeated to complete future unauthorised transactions
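Added Python example (not RSA's code) covering both the password guessing patterns of Example #3 and the account peeking of Example #5. Login attempts are profiled on a one-way value of the password rather than the cleartext, which is enough to tell vertical guessing (one user ID, many values), horizontal guessing (one value, many user IDs, here walking sequential numeric IDs) and peeking (one IP, one click per account within an hour, each with a different credential) apart. IPs, user IDs, thresholds and the fixed hourly bucketing are constructed assumptions; geolocation of the source IP is left out.

```python
import hashlib
from collections import Counter, defaultdict, namedtuple

# A login click as the web log shows it; the pw_value column holds a one-way value,
# never the cleartext (constructed data throughout).
Attempt = namedtuple("Attempt", "t ip user pw_value")


def pw_value(password):
    """One-way value for profiling: equal passwords give equal values, nothing is reversible."""
    return hashlib.sha256(password.encode()).hexdigest()[:16]


def sequential(ids):
    """True when all IDs are numeric and form one unbroken ascending run."""
    if not all(i.isdigit() for i in ids):
        return False
    nums = sorted(int(i) for i in ids)
    return nums == list(range(nums[0], nums[0] + len(nums)))


def detect(attempts, window=3600, vertical_min=5, horizontal_min=5, peek_min=5):
    """Return findings for vertical and horizontal guessing and for account peeking."""
    by_user, by_value, by_ip_hour = defaultdict(list), defaultdict(list), defaultdict(list)
    for a in attempts:
        by_user[a.user].append(a)
        by_value[a.pw_value].append(a)
        by_ip_hour[(a.ip, int(a.t // window))].append(a)  # fixed hourly buckets (assumption)
    findings = []
    # Vertical: one user ID tried with many different password values
    for user, items in by_user.items():
        values = {a.pw_value for a in items}
        if len(values) >= vertical_min:
            findings.append({"kind": "vertical", "subject": user, "count": len(values)})
    # Horizontal: one password value tried against many user IDs
    for value, items in by_value.items():
        users = sorted({a.user for a in items})
        if len(users) >= horizontal_min:
            findings.append({"kind": "horizontal", "subject": value, "count": len(users)})
            if sequential(users):  # the script is walking numbered login IDs
                findings.append({"kind": "sequential-ids", "count": len(users),
                                 "subject": f"{users[0]}-{users[-1]}"})
    # Peeking: one IP, many accounts in an hour, a single click per account, each with its
    # own credential (a shared value would be guessing, not testing of stolen credentials)
    for (ip, _hour), items in by_ip_hour.items():
        per_user = Counter(a.user for a in items)
        single = [u for u, n in per_user.items() if n == 1]
        distinct_values = len({a.pw_value for a in items if per_user[a.user] == 1})
        if len(single) >= peek_min and distinct_values >= peek_min:
            findings.append({"kind": "peeking", "subject": ip, "count": len(single)})
    return findings


ATTEMPTS = (
    # vertical: six different values against one account from one IP
    [Attempt(10 + i, "198.51.100.20", "alice", pw_value(f"guess{i}")) for i in range(6)]
    # horizontal: the same common value against eight consecutive numeric login IDs
    + [Attempt(100 + i, "203.0.113.5", str(100001 + i), pw_value("P@ssword1")) for i in range(8)]
    # peeking: one IP, six accounts, one click each, a different credential per account
    + [Attempt(200 + i, "192.0.2.77", u, pw_value(u + "-own-password"))
       for i, u in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"])]
    # an ordinary single login that should not be flagged
    + [Attempt(300, "198.51.100.30", "heidi", pw_value("heidi-own-password"))]
)

if __name__ == "__main__":
    for finding in detect(ATTEMPTS):
        print(finding)
```

The peeking finding is what lets the affected accounts be marked ‘at-risk’ before any transaction is attempted, which is the early-detection point the slide makes.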
Fraud Threats: Example #7 – Fraudulent Payments
High frequency, high velocity spend by single IP
Web traffic spike to ‘paycomplete’ page
• 30 transactions within 15 minutes to ‘paycomplete’ page
• All transactions identical: item, value & payment type
• Individual transactions were all of a lower value to

• Web Threat Detection identified a single page being hit 1.6 million times over the course of one hour without the activity being blocked; normal peak traffic is 1.2 million hits
• IPs originating from high-risk countries
• Single IP executing 70,000 page requests in one hour
• 10 IPs executing 366,000 page requests in one hour
Mitigation
• Categorized 10 IPs as a threat group and sent to firewall
Presentation Notes
Web Threat Detection detected a DDoS attack in an online payment provider
BULLET POINTS
• ST + AA = intelligent, risk-based threat detection throughout the entire web session
• Behavioral analysis + authentication casts a wider net on criminal activity
• Adaptive Auth asks the question “Are you the person to whom we’ve issued credentials?”
• Web Threat Detection asks the question “Are you doing anything that requires us to take a closer look at you?”
• Risk based and layered approach to detecting online threats: detection of click stream anomalies indicative of fraud or misuse; detection of anomalous user behavior; device identification; comparison of login and transaction details to known fraudulent IPs, mule accounts and device IDs
• Account Takeover example: Web Threat Detection monitors end user behavior before log in to identify anomalous behavior indicative of fraudulent or disruptive use. At login, AA ensures that the person attempting to log in is the one to whom the bank has issued credentials. As soon as the end user passes through this control, Web Threat Detection continues monitoring end user behavior until a transaction is initiated. At transaction, TM ensures that the person attempting to initiate the transaction is the one to whom the bank has issued credentials. As soon as the end user passes through this control, Web Threat Detection continues monitoring end user behavior.
• By punctuating Web Threat Detection’s continuous monitoring and analysis with Adaptive Authentication’s authentication and transaction monitoring controls, RSA provides intelligent, risk-based threat detection throughout the entire online user lifecycle.
SCRIPT
Together, Web Threat Detection and Adaptive Authentication provide intelligent, risk-based threat detection throughout the entire online user lifecycle, from initiation of the web session through site navigation to authentication and transaction through session end. Combining Web Threat Detection with Adaptive Authentication and Transaction Monitoring casts a wider net on criminal activity that may otherwise go undetected.
Together these applications combine industry leading behavior, velocity, and threat analytics with proven authentication and fraud detection technology to help thwart attacks as they happen. Web Threat Detection and Adaptive Authentication work together to identify threats throughout the entire web session through the detection of click stream anomalies indicative of fraud or misuse, detection of anomalous user behavior and device identification, as well as through comparison of login and transaction details to known fraudulent IPs, mule accounts and device IDs. The risk-based, layered approach to threat detection afforded by the deployment of Web Threat Detection and Adaptive Authentication enables organizations to understand the level of risk at each and every point in the online user lifecycle and respond accordingly based on those risk levels.
How Web Threat Detection and Adaptive Authentication Together Address Account Takeover
The online user lifecycle begins, and therefore the threat window opens, before an end user ever attempts to log in. This means that the moment a web session is initiated a customer’s site is vulnerable not only to account takeover but to a host of other threats including DDoS and site scraping or defacement. Web Threat Detection continuously monitors end user behavior before log in to identify anomalous behavior indicative of fraudulent or disruptive use. Once the end user attempts to access the account, a control is needed to ensure that the person attempting to log in is the one to whom the bank has issued credentials. Adaptive Authentication is that control. RSA Adaptive Authentication defends against some of the most malicious and costly Trojans that enable proxy attacks, HTML injections, and automatic scripting of payee and transfer fields leading to account takeover.
If an anomaly is detected at login or at the transaction, and a Trojan is suspected, the session can be blocked outright, or an additional authentication method request can be triggered. By combining intelligence, context and risk assessment data, organizations can thwart even the most advanced account takeover attempts. As soon as the end user passes through this control, Web Threat Detection continues monitoring end user behavior until a transaction is initiated. At this point another control is needed to ensure that the person attempting to initiate that transaction is the one to whom the bank issued credentials. This control is Transaction Monitoring. This layered approach enables organizations to understand the level of risk for each post-login transaction and increase the level of authentication needed dependent on those risk levels. When RSA Transaction Monitoring suspects a Trojan creating a fraudulent transaction to a mule account, out-of-band authentication with transaction verification can be automatically deployed to thwart the malicious attempt before damage is done. As soon as the end user passes through the transaction control, Web Threat Detection continues monitoring end user behavior until the web session ends. By punctuating Web Threat Detection’s continuous monitoring and analysis with Adaptive Authentication’s authentication and transaction monitoring controls, RSA provides intelligent, risk-based threat detection throughout the entire online user lifecycle.
• Mitigates via step up authentication incl. out of band
Web Threat Detection for ANOMALOUS BEHAVIOR DETECTION
• Real-time online threat detection
• Protects across online life cycle
• Mitigates via API to send to step up, WAF, SIEM, etc.
AA/TM are controls that kick in at single points in time to determine if the person attempting to log in or initiate a transaction is who he says he is.
ST offers continuous monitoring and analysis to determine if the person is behaving in a way that suggests he is up to no good and requires a closer look.
Behavioral Analysis Detects Online Threats in Real Time
• No disruption to customer experience or site performance
• Self learning risk engine continuously adapts to recognize new threats
• Real time detection allows real time response
• Almost immediate time to benefit
• Rapid deployment
• Highly scalable
Presentation Notes
No disruption of customer experience or site performance: STS uses port mirroring; all of the data collected is directed in real time to a dedicated server for analysis. Web Threat Detection can send alerts to firewalls, SIEMs and authentication tools so that these tools can take immediate action; alerts are sent within 2 milliseconds.
Self learning risk engine continuously adapts to recognize new threats: Profiles are continuously updated according to the site’s traffic patterns.
Real time detection allows real time response: Customizable to individual businesses and specific security needs. Mitigator, STS’s rules engine, is highly configurable.
Almost immediate time to benefit: Because STS analyzes every click it can begin building profiles almost immediately.
Rapid deployment: Typically less than a day.
Highly scalable: STS handles over 330,000 SSL handshakes per second!