Shape Technology & Deployment Overview 2020 Jamie Lockhart, Solutions Engineer, EMEA


Post on 24-Jun-2020


Page 1:

Shape Technology & Deployment Overview

2020

Jamie Lockhart, Solutions Engineer, EMEA

Page 2:

Confidential / / Part of F5

Agenda

1. Shape Overview
2. How does Shape work?
3. Architecture
4. Taking Action
5. Proof of Concept

Page 3:

Shape Overview

Page 4:

What does Shape do?

Security-as-a-Service (SaaS) solution that protects websites from unwanted automated traffic that exploits the user interface of web applications without introducing friction for users.

Access
● Credential Stuffing
● Account Verification
● Account Takeover
● Man-in-the-Browser

Misuse
● Content/Price Scraping
● Application DDoS
● Skewing
● Promo Abuse

Interaction
● Account Creation
● Credit Building
● Cashing Out
● Carding
● Rewards/Gift Card Fraud

Detect, Monitor, Mitigate

Page 5:

Challenge: criminals use apps as you intended

User: logs in with username & password

Attacker: logs in with username & password

Criminals, armed with widely-available tools, can evade almost all defenses

Vulnerabilities Abuse

Page 6:

What does Shape do?

Automated Fraud Attempts
● Credential Stuffing
● Account Takeover
● Fake Account Create

[Diagram labels: Monitoring Tools; Scraping / API abuse; App Layer DDoS; Good Automation; Legitimate customers; Successful login]

Page 7:

Evolution of Attacks

Disrupt the economics for motivated attackers

[Chart: Attack Cost (Low to High) against Attack Complexity (Low to High)]

● Browser Imitation: Execute JavaScript like real browser. PhantomJS, Headless Chrome
● User Imitation: Fake mouse tracks, fake keystrokes, Selenium, Sikuli, Humans
● Network Requests: HTTP requests. Sentry MBA, Wget and cURL
● Custom Attack Platforms: Target specific, custom developed, purpose built for attack target

Page 8:

Attacker ecosystems

Breaches, Malware, Tools, APIs

Page 9:

Major US Mobile Operator

What They Saw

[Chart: POST/HR]

Total POSTs: 68.6M
Human: ?
Automated: ?
Automated: ?

Page 10:

Shape

What We Saw

[Chart: POST/HR. Labels: 5 Attackers, Tools, Human. Annotations: "This is attack traffic", "This orange is ok"]

Total POSTs: 68.6M
Human: 4.1M
Automated: 64.5M
Automated: 94%

Page 11:

When Shape Mitigates

Green = Human | Yellow = Automation | Red = Mitigated Automation

[Chart: Web & Mobile Login Activity. Annotations: Mitigation Enabled; Attackers Recon & Retool]

Page 12:

EU Telco

Automation sophistication and evolution

Page 13:

How does Shape work?

Page 14:

How it works: Protected Flows

Shape has a concept of a protected flow:

● Entry point:
○ The page where a user submits information we want to protect (e.g. login form)
○ Shape JS is deployed to collect signals which are evaluated to determine whether the protected URL end point request is made from an illegitimate (automated) source or a legitimate source.
<head><script type="text/javascript" src="/assets/common.js"></script>...</head>
○ Shape has mechanisms to protect against reverse engineering and signal spoofing

● End point:
○ The URL where the user’s information is submitted to (e.g. auth API POST).
○ Routed to a Shape cluster for evaluation and for real time mitigation.

Page 15:

How it works: Shape Protected Flows == Use cases

● Login: Entrypoint, Endpoint
● Forgot Password: Entrypoint, Endpoint
● Create Account: Entrypoint, Endpoint

Signal Collection

Page 16:

An example of an entry and end point pair

[Screenshot labels: Entry point page - Login form; Protected endpoint]

Page 17:

Shape System Overview

Technology, Analytics, Process

Modes
● Non-Blocking (Observation)
● Blocking (Mitigation)

Stage I
● Advanced Signals Analysis
● Real-time Mitigation
○ Allow
○ Flag & Allow
○ Throttle
○ Block
○ Custom Response
○ Redirect / Forward

Stage II
● Artificial Intelligence
● Machine Learning
● Data Scientists
● Investigative Analysts
● 24x7 Threat Mitigation Center

Protection is based on signals not IPs or User Agents.

Page 18:

Shape Signal Analysis

Network, Environment, Behavior

Page 19:

All JavaScript is generated on the fly. This allows Shape to adapt to attackers with its 120+ composable signal modules.

Active and passive modules deliver different signals back to Shape.

Each module serves a different purpose. Proofs of hardware, proofs of environment, deception, user behavior collection, and much more.

Page 20:

Frustrating Sophisticated Attackers with our JS

Solution: Virtualization + Randomness in the Shape JavaScript

● Prevent Google Dorks: Avoid obvious naming schemes for the JS file

● Avoid Clear Text: We convert readable JavaScript

→ ["runFonts", "pixelDepth", "-1,2,-94,-122,", "\\"", "dm_en", "psub", "cta", "tact", "fpcf", "doNotTrack", …

=> Into computer-readable, unstructured machine code: →

● Insert Randomness: Our code changes many times per minute, and is different each time it is distributed

Page 21:

Emojis render differently on different platforms/apps

Page 22:

Really big numbers convert differently on different platforms

0xFFFFFFFFFFFFFBFF =

● 18,446,744,073,709,552,000
● 18,446,744,073,709,550,000
● 18,446,744,073,709,550,591
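Why one 64-bit value can surface as the three decimal strings on this slide, as an added example that is not Shape's code. The hex value and the three strings are from the slide; the `nearestDouble` and `conversions` helpers are hypothetical, and the single-precision path is an assumption chosen to show one way a runtime lands on the 552,000 form.

```javascript
// Added example (not from the deck). The value sits 1 below the midpoint
// between two adjacent doubles, so the printed form depends on whether the
// runtime keeps 64-bit integers, rounds correctly to a double, or passes
// through a narrower float on the way.
const EXACT = 0xFFFFFFFFFFFFFBFFn; // BigInt literal keeps all 64 bits

// Correctly rounded IEEE-754 double (round-half-to-even) for a positive
// BigInt, using integer arithmetic only so it is independent of the runtime.
function nearestDouble(n) {
  const bits = n.toString(2).length;
  if (bits <= 53) return { value: n, lower: n, upper: n };
  const ulp = 1n << BigInt(bits - 53); // gap between adjacent doubles here
  const lower = (n / ulp) * ulp;       // representable neighbour below
  const upper = lower + ulp;           // representable neighbour above
  const rem = n - lower;
  const half = ulp / 2n;
  let value;
  if (rem < half) value = lower;
  else if (rem > half) value = upper;
  else value = (lower / ulp) % 2n === 0n ? lower : upper; // tie: even mantissa
  return { value, lower, upper };
}

// Insert thousands separators into a string of decimal digits.
const group = (s) => s.replace(/\B(?=(\d{3})+$)/g, ",");

function conversions(n) {
  const ieee = nearestDouble(n);
  const asDouble = Number(n); // what this runtime stores for the value
  return {
    exactInteger: group(n.toString()),                 // 64-bit integer path
    storedDouble: group(BigInt(asDouble).toString()),  // bits actually held
    matchesIEEE: BigInt(asDouble) === ieee.value,      // runtime rounds correctly
    belowTieBy: ((ieee.lower + ieee.upper) / 2n - n).toString(),
    shortestPrint: group(String(asDouble)),            // shortest round-trip digits
    viaFloat32: group(String(Math.fround(asDouble))),  // assumed float32 hop
  };
}

console.log(conversions(EXACT));
```

A server that knows which string each claimed platform should produce can compare the reported value with the platform claimed in the User-Agent header.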

Page 23:

Browser ID

[Diagram labels: Browser; Plugins; Fonts; Screen Size; Additional Signals]

Page 24:

Header Pattern

Header

Page 25:

Shape Signal Set - User Behaviour Analysis

Legend:
● Blue Bar: Key-down.
● Orange Bar: Key-up.
● Red Circle: Mouse-click.
● Green Tick: Captured mouse event.
● Dashed Line: High speed movement between two points.
● Brown Square: Long pause.
● Grey Line: Transition from non-mouse event to mouse event.

[Chart rows: U1, U2, U3. Panels: Key-down, key-up events; Mouse events & Mouse click]

Page 26:

Shape Signal Set - User Behaviour Analysis

11 keystrokes < 30 ms

[Chart row: U1]
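A keystroke-timing check of the kind this slide illustrates, as an added example that is not Shape's detection logic. The event shape (`type`, `key`, `t` in milliseconds), the function names and the default thresholds are assumptions; both sample timelines are constructed.

```javascript
// Added example (not from the deck): profile key-down/key-up timing and flag
// bursts such as the "11 keystrokes < 30 ms" case shown on the slide.

function median(xs) {
  if (xs.length === 0) return null;
  const s = [...xs].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

function keystrokeProfile(events, windowMs = 30) {
  const ordered = [...events].sort((a, b) => a.t - b.t);
  const downs = ordered.filter((e) => e.type === "keydown").map((e) => e.t);

  // Largest number of key-downs inside any window shorter than windowMs.
  let maxBurst = 0;
  let start = 0;
  for (let end = 0; end < downs.length; end++) {
    while (downs[end] - downs[start] >= windowMs) start++;
    maxBurst = Math.max(maxBurst, end - start + 1);
  }

  // Dwell time: key-down to the matching key-up of the same key.
  const pending = new Map();
  const dwells = [];
  for (const e of ordered) {
    if (e.type === "keydown") pending.set(e.key, e.t);
    else if (e.type === "keyup" && pending.has(e.key)) {
      dwells.push(e.t - pending.get(e.key));
      pending.delete(e.key);
    }
  }

  const gaps = downs.slice(1).map((t, i) => t - downs[i]);
  return {
    keydowns: downs.length,
    maxBurst,
    medianGapMs: median(gaps),
    medianDwellMs: median(dwells),
  };
}

// Assumed policy: a burst of burstLimit keys in one window, or keys that are
// released in the same millisecond they were pressed, is treated as inorganic.
function isInorganic(profile, burstLimit = 3) {
  return profile.maxBurst >= burstLimit || profile.medianDwellMs === 0;
}

// Constructed samples: a person typing six characters, and a script that
// emits eleven key-down/key-up pairs 2 ms apart.
const humanEvents = [0, 140, 310, 455, 590, 760].flatMap((t, i) => [
  { type: "keydown", key: "k" + i, t },
  { type: "keyup", key: "k" + i, t: t + 85 },
]);
const scriptedEvents = Array.from({ length: 11 }, (_, i) => i * 2).flatMap((t, i) => [
  { type: "keydown", key: "k" + i, t },
  { type: "keyup", key: "k" + i, t },
]);

console.log(keystrokeProfile(humanEvents), keystrokeProfile(scriptedEvents));
```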

Page 27:

Timing Analysis

[Chart: Time to Complete Form. Regions: Inorganic (Manual Fraud); Organic (Human); Inorganic (Automation)]

Page 28:

Source (IP/ASN) Analysis

[Two charts: Number of Transactions by Top Source IP’s]

Page 29:

Shape Telemetry Example

Shape Signals: An example of signals on a protected POST

Shape Telemetry
● Resulting from the Shape JS execution on an entry point page.
● Typically included as X- form parameters in the POST request payload.
● These are stripped when the request passes through the SSE.

Page 30:

Signal Inspection

Inference process evaluates the request for attack causes

1. Token Missing
2. Token Expired
3. Token Replay Exceeded
4. Token Blacklisted
5. AI Payload Missing
6. AI Payload Invalid
7. UUBID Blacklisted
8. Attack Inference

Description: the Shape signals are indicative of automation (that is, automation is “inferred”).
Category: Tool
Category: Scraping
Category: Monitor
….

Causes: an attacker used an automated tool such as Selenium, iMacros, or PhantomJS; or there were other indications of automation such as a mismatch between the UA specified in the HTTP header and the DOM.

Page 31:

Mobile Environment Signals (Native Mobile Apps)

Gathered via Shape Mobile SDK Telemetry

● Operating System
● Device Information
● App Versioning
● Battery Information
● Processor
● Localization Information
● Physical Sensor Data
● Epoch Timestamp
● WebView Data
● Emulator Detection
● Rooted Device Detection

[Callouts: Altitude, Orientation, Gyroscope; Temperature, Capacity, Technology; Screen resolution, Screen brightness, Hardware]

Shape’s Mobile SDK is deployed on >200M mobile devices worldwide

Page 32:

Identifying Automation

Detection Formula

B U ASN H

To find fraudulent transactions, we use one or more data points:
- Signals (custom if required)
- Browser identifier based on unique interrogation
- User interaction pattern
- HTTP Header indicators
- Timing analysis (keystrokes and interaction)
- Traffic source analysis (Autonomous Systems)
- Rules

Page 33:

Signals can reveal contrived entropy

Motivated actors continue seeking ways to avoid detection

[Figure with numbered callouts 1 to 5]

Page 34:

Disclaimer Page: POST Differences Heat Map

[Heat maps: Automated and Human; Mouse Move and Mouse Click]

Page 35:

Disclaimer Page: POST Differences Heat Map

[Heat maps: Automated and Human; Mouse Move and Mouse Click]

Page 36:

Defeating the most sophisticated attacks

“Fullz”

Page 37:

Defeating the most sophisticated attacks

First Name Last Name

Page 38:

Defeating the most sophisticated attacks

Page 39:

Defeating the most sophisticated attacks

Page 40:

Defeating the most sophisticated attacks

300px

Page 41:

Defeating the most sophisticated attacks

Page 42:

Capture The Potential of Shape’s DeviceID

DeviceID provides insight into your customer base

Identifying devices used for malicious and abusive transactions

OR

Allows you to create device to account association

OR

Simplifying login experience for returning users

Page 43:

Shape Device ID

An ID of the device

● A mechanism to enable device identification and activity
○ A data feed your systems can use for risk profiling

● A digital ID to identify devices* visiting enterprises’ web pages
○ A 64 char string - e.g., 74b174532bc7b1daeb914d2bf5ca0b75cf4ad8b8f357c9ad277c3cf9ea66be5c

● An optional feature of Shape Enterprise Defense
○ Available for web and mobile
○ Device IDs generated from a selection of signals captured by Shape JS and SDKs
○ Enabled by a simple policy change
○ Device IDs generated and delivered on the fly

* Browser or mobile app, to be precise

Page 44:

Shape Protection Manager (SPM)

Reporting, Analysis and Management Portal

Page 45:

Architecture

Page 46:

Deployment Options

Options to Fit Your Business

● Hosted: Shape proxy is located in a Shape managed colocation facility.
● Cloud: Shape proxy is located in a cloud provider and managed by Shape.
● On-Premise: Shape proxy is located inside the customer data center.

Page 47:

Deployment Options

● Inline

○ Cloud / Hosted / On-premise

○ Integration at CDN / Load balancer / Nginx / Apache ….

● API

○ Cloud / Hosted / On-premise

For Shape to provide real time mitigation the deployment needs to be inline

Page 48:

Cloud Integration

[Diagram labels: Website end-users; Internet; Enterprise Boundary; Load Balancer; Web app servers; Mobile API servers; Shape SSEs; Shape Javascript; Shape Protection Manager (SPM) receives transaction metadata]

[Traffic legend: General Traffic; Shape Processed Traffic; Shape JS and Protected Traffic]

Examples:
/signin
/forgotpassword
/accountCreate

Page 49:

Cloud Integration

[Diagram labels: Website end-users; CDN; Enterprise Boundary; Load Balancer; Web app servers; Mobile API servers; Shape SSEs; Shape Javascript; Shape Protection Manager (SPM) receives transaction metadata]

[Traffic legend: General Traffic; Shape Processed Traffic; Shape JS and Protected Traffic]

Examples:
/signin
/forgotpassword
/accountCreate

Page 50:

On-premise Integration

[Diagram labels: Website end-users; Internet; Enterprise Boundary; Load Balancer; Web app servers; Mobile API servers; Shape SSEs; Shape Javascript; Shape Protection Manager (SPM) receives transaction metadata]

[Traffic legend: General Traffic; Shape Processed Traffic; Shape JS and Protected Traffic]

Examples:
/signin
/forgotpassword
/accountCreate

Page 51:

API Integration*

[Diagram labels: Website end-users; Internet; Enterprise Boundary; Load Balancer; Web app servers; Mobile API servers; Shape SSEs; Shape JS; Shape Javascript; Shape Protection Manager (SPM) receives transaction metadata]

Example:
/assets/script.js

GET: Webpage with Shape JS
POST: Form Data + Shape telemetry
← Shape Telemetry & Request Details
Automation Decision →

* No real time mitigation by Shape

Page 52:

Taking Action

Page 53:

Blocking is not always the right solution

Types of Traffic
● Good humans
● Bad humans
● Good bots
● Bad bots
● Semi-trusted bots
● Aggregators
● Scrapers
● Password tools
● Application DDoS

Custom Action
● Block - Stop processing the request
● Redirect - Redirect the user browser to a specified URL
● Respond - Respond with configured HTTP response
● Deceive - Provide misdirection to attackers
● Read-only - Limit access to transactions
● Rate limit - Limit system resource impact

Page 54:

Proof of Concept

Page 55:

Preliminary Technical Discovery

1. Do you use a CDN?

2. What is the target site?

3. What are the areas of the site/workflows that receive automated traffic (e.g. login, create account, forgot password, search etc)?

4. What are the peak and average transactions per second for each workflow?

5. What load balancer do you use?

6. Is the load balancer capable of doing HTTP path based routing?

7. Where is your origin hosted geographically?

8. How many data centres do you have? If multiple, what is the DR model?

9. Do you have an internet facing test environment? What is the domain?

10. Where are your users located?

Page 56:

Typical POC Project Timeline

Timeline markers: Day 1, ~Day 14, ~Day 21, ~Day 30

Phases:
● Project Startup & Policy Development
● Pre-Production Monitoring Mode
● Production Monitoring Mode
● Production Analysis and Threat Report

Page 57:

POC Implementation: High Level Steps

Step [Who]

1. Discovery - define protected paths (entry and end points) and gather technical information [Customer/Shape]
2. Create SSE clusters and policies [Shape]
3. Add <script> tag to entry point page(s) for Shape JS [Customer]
4. Add traffic routing rules to CDN / load balancer for Shape JS and end point URL(s) [Customer]
5. Test in QA / Staging environment [Customer/Shape]
6. Promote to production environment (incl. Cookie wall) [Customer]
7. Test in production [Customer/Shape]
8. Remove cookie wall [Customer]
9. LIVE TRAFFIC IN MONITORING MODE [Customer/Shape]
10. Threat Briefing [Shape]

Page 58:

Shape Passive Detection Tool (SPDT)

Detect and report bots in a simple integration

● A tool to detect & report bot threats in a simple integration
○ Threat reports for any HTTP traffic - web, mobile, API
■ Tool can scan whole sites and show where (URLs) attacks are appearing
○ No need to deploy Shape JS, mobile SDKs, or SSE
○ Tool scans traffic passively on a monitoring port. No latency nor UX impact

● Self-contained & run within customer’s premises
○ No data leaves customer premises (datacenter, VPC)

● Only for PoV (Proof of Value) project. Not for production
○ It only does Reporting. No mitigation
○ Limited set of signals since Shape JS is not deployed

Page 59:

SPDT integration

Works on mirrored traffic

● SPDT ingests mirrored HTTP traffic (Big-IP clone pool, AWS VPC mirroring, log files, etc)

● SPDT runs on
○ VMWare ESXi - 8 core CPUs, 32GB RAM, 500GB SSD or above
○ AWS AMI - c4.4xlarge instance or above
○ SSE 3200 appliance - in a later release

[Diagram labels: Within customer datacenter/VPC; Traffic mirroring; Shape Passive Detection Tool (SPDT); Origin server]

Page 60:

SPDT Threat Reports

Rich set of reports exhibiting threats

● Traffic overview - bot vs. human

● # and % of bots appeared for each URL

● Overview & detailed view of top bot campaigns

● Bot campaign signatures clustering graph

● Bots & traffic distribution per country

Page 61:

Questions

Page 62:

THANK YOU

shapesecurity.com