Automation is changing the modern world. DevOps, Infrastructure Automation, Process Automation



By the numbers, as cited on the slide:
$2.3 billion in account-takeover losses.
50% of Internet traffic comes from bots.
30% of automated bot traffic is malicious.
77% of web app attacks start from botnets.
Typical automated activity: vulnerability scanning, web scraping, denial-of-service, business logic attacks, click fraud.

OAT-001: Carding
In short: Multiple payment authorization attempts used to verify the validity of bulk stolen payment card data.
Description: Lists of full credit and/or debit card data are tested against a merchant's payment processes to identify valid card details. The quality of stolen data is often unknown, and Carding is used to identify good data of higher value. Payment cardholder data may have been stolen from another application, stolen from a different payment channel, or acquired from a criminal marketplace.
Examples: Card verification

OAT-002: Token Cracking
In short: Mass enumeration of coupon numbers, voucher codes, discount tokens, etc.
Description: Identification of valid token codes providing some form of user benefit within the application. The benefit may be a cash alternative, a non-cash credit, a discount, or an opportunity such as access to a limited offer.
Examples: Coupon guessing; voucher, gift card, and discount enumeration

OAT-003: Ad Fraud
In short: False clicks and fraudulent display of web-placed advertisements.
Description: Falsification of the number of times an item such as an advert is clicked on, or the number of times an advertisement is displayed. Performed by owners of websites displaying ads, competitors, and vandals.
Examples: Click bot; pay-per-click advertising abuse

OAT-004: Fingerprinting
In short: Elicit information about the supporting software and framework types and versions.
Description: Specific requests are sent to the application eliciting information in order to profile the application. Fingerprinting is often reliant on information leakage, and this profiling may also reveal some network architecture/topology. Fingerprinting seeks to identify application components.
Examples: Target scanning; reconnaissance

OAT-005: Scalping
In short: Obtain limited-availability and/or preferred goods/services by unfair methods.
Description: Mass acquisition of goods or services using the application in a manner that a normal user would be unable to undertake manually. Scalping includes the additional concept of limited availability of sought-after goods or services, and is most well-known in the ticketing business, where the tickets acquired are then resold later at a profit by the scalpers/touts. This can also lead to a type of user denial-of-service, since the goods or services become unavailable rapidly.
Examples: Restaurant table/hotel room reservation speed-booking; purchase bot; ticket resales

OAT-006: Expediting
In short: Perform actions to hasten progress of usually slow, tedious, or time-consuming actions.
Description: Using speed to violate explicit or implicit assumptions about the application's normal use to achieve unfair individual gain, often associated with deceit and loss to some other party.
Examples: Automated stock trading; betting automation; game automation; gaming bot; gold farming

OAT-007: Credential Cracking
In short: Identify valid login credentials by trying different values for usernames and/or passwords.
Description: Brute force, dictionary, and guessing attacks used against authentication processes of the application to identify valid account credentials.
Examples: Brute-force attacks

OAT-008: Credential Stuffing
In short: Mass log-in attempts used to verify the validity of stolen username/password pairs.
Description: Lists of authentication credentials stolen from elsewhere are tested against the application's authentication mechanisms to identify whether users have re-used the same login credentials. The stolen username (often an email address) and password pairs could have been sourced directly from another application by the attacker, purchased in a criminal marketplace, or obtained from publicly available breach data dumps.
Examples: Account take-over; use of stolen credentials
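The two entries above differ mainly in shape: cracking is many attempts against one username, stuffing is roughly one attempt against each of many usernames, with the rare success being a real takeover. The detector below applies that distinction to constructed authentication log lines. It is an added example, not part of the original slides and not F5 code; the log format `<ts> <src_ip> <username> <OK|FAIL>` and the thresholds are assumptions.

```python
"""Separate credential cracking (OAT-007) from credential stuffing (OAT-008)
in an authentication log.

Added example; not from the original slides and not F5 code. The log line
format `<ts> <src_ip> <username> <OK|FAIL>` and all thresholds are assumptions.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (OK|FAIL)$")


def constructed_log():
    """Constructed sample log, not real traffic."""
    lines = []
    # OAT-007 shape: one source hammers one username with many passwords.
    for i in range(12):
        lines.append(f"{1000 + i} 203.0.113.5 alice FAIL")
    # OAT-008 shape: one source tries many usernames once each; a few of the
    # leaked pairs still work because those users re-used their password.
    for i in range(20):
        result = "OK" if i in (3, 11) else "FAIL"
        lines.append(f"{2000 + i} 198.51.100.9 user{i:02d}@example.com {result}")
    # Benign shape: one user mistypes twice, then logs in.
    lines += ["3000 192.0.2.7 bob FAIL", "3005 192.0.2.7 bob FAIL", "3010 192.0.2.7 bob OK"]
    return "\n".join(lines)


def classify_sources(log_text, crack_min_per_user=8, stuff_min_users=10, min_fail_ratio=0.8):
    """Return ({src_ip: verdict}, {usernames that logged in from a stuffing source}).

    Cracking: many attempts per username from one source, almost all failing.
    Stuffing: many distinct usernames, about one attempt each, almost all
    failing; the rare successes are the account takeovers to act on.
    """
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "ok_users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _ts, ip, user, result = m.groups()
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "FAIL":
            s["fails"] += 1
        else:
            s["ok_users"].add(user)

    verdicts, takeovers = {}, set()
    for ip, s in stats.items():
        per_user = s["attempts"] / len(s["users"])
        fail_ratio = s["fails"] / s["attempts"]
        if per_user >= crack_min_per_user and fail_ratio >= min_fail_ratio:
            verdicts[ip] = "credential-cracking"
        elif len(s["users"]) >= stuff_min_users and per_user < 2 and fail_ratio >= min_fail_ratio:
            verdicts[ip] = "credential-stuffing"
            takeovers |= s["ok_users"]  # valid re-used credentials: takeovers in progress
        else:
            verdicts[ip] = "benign"
    return verdicts, takeovers


if __name__ == "__main__":
    v, t = classify_sources(constructed_log())
    for ip, verdict in v.items():
        print(f"{ip:15} {verdict}")
    print("accounts to re-credential:", sorted(t))
```

A successful login from a source classified as stuffing is an account takeover in progress, which is why the function returns those usernames separately. Note the tension with OAT-015 below: answering a stuffing source by locking every targeted account hands the attacker an account-lockout denial of service, so the response belongs on the source (bot challenge, step-up authentication, rate limit) rather than on the usernames.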

OAT-009: CAPTCHA Bypass
In short: Solve anti-automation tests.
Description: Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) challenges are used to distinguish normal users from bots. Automation is used in an attempt to analyse and determine the answer to visual and/or aural CAPTCHA tests and related puzzles. The process that determines the answer may utilise tools to perform optical character recognition, or match against a prepared database of pre-generated images, or use other machine reading, or human farms.
Examples: CAPTCHA solver

OAT-010: Card Cracking
In short: Identify missing start/expiry dates and security codes for stolen payment card data by trying different values.
Description: Brute-force attack against application payment card processes to identify the missing values for start date, expiry date and/or card security code (CSC). When these values are known as well as the Primary Account Number (PAN), OAT-001 Carding is used to validate the details, and OAT-012 Cashing Out to obtain goods or cash.
Examples: Brute-forcing credit card information

OAT-011: Scraping
In short: Collect application content and/or other data for use elsewhere.
Description: Collecting accessible data and/or processed output from the application. Some scraping may use fake or compromised accounts, or the information may be accessible without authentication. The scraper may attempt to read all accessible paths and parameter values for web pages and APIs, collecting the responses and extracting data from them.
Examples: Comparative shopping; data aggregation; database scraping

OAT-012: Cashing Out
In short: Buy goods or obtain cash utilising validated stolen payment card or other user account data.
Description: Obtaining currency or higher-value merchandise via the application using stolen, previously validated payment cards or other account login credentials. Cashing Out sometimes may be undertaken in conjunction with product return fraud. For financial transactions, this is usually a transfer of funds to a mule's account. For payment cards, this activity may occur following OAT-001 Carding of bulk stolen data, or OAT-010 Card Cracking, and the goods are dropped at a reshipper's address.
Examples: Online payment card fraud

OAT-013: Sniping
In short: Last-minute bid or offer for goods or services.
Description: The defining characteristic of Sniping is an action undertaken at the latest opportunity to achieve a particular objective, leaving insufficient time for another user to bid/offer. Sniping normally leads to some disbenefit for other users, and sometimes that might be considered a form of denial-of-service. In contrast, OAT-005 Scalping is the acquisition of limited availability of sought-after goods or services, and OAT-006 Expediting is the general hastening of progress.
Examples: Last-minute bet; auction sniping

OAT-014: Vulnerability Scanning
In short: Crawl and fuzz application to identify weaknesses and possible vulnerabilities.
Description: Systematic enumeration and examination of identifiable, guessable, and unknown content locations, paths, file names, parameters, in order to find weaknesses and points where a security vulnerability might exist. Vulnerability Scanning includes both malicious scanning and friendly scanning by an authorised vulnerability scanning engine. It differs from OAT-011 Scraping in that its aim is to identify potential vulnerabilities.
Examples: Active/passive scanning; known vulnerability scanning

OAT-015: Denial of Service
In short: Target resources of the application and database servers, or individual user accounts, to achieve denial of service (DoS).
Description: Usage may resemble legitimate application usage, but leads to exhaustion of resources such as file system, memory, processes, threads, CPU, and human or financial resources. The resources might be related to web, application, or database servers or other services supporting the application, such as third-party APIs, included third-party hosted content, or content delivery networks (CDNs). The application may be affected as a whole, or the attack may be against individual users such as account lockout.
Examples: Account lockout; DDoS via business logic

OAT-016: Skewing
In short: Repeated link clicks, page requests, or form submissions intended to alter some metric.
Description: Automated repeated clicking or requesting or submitting content, affecting application-based metrics such as counts and measures of frequency and/or rate. The metric or measurement may be visible to users (e.g. betting odds, likes, market pricing, visitor count, poll results, reviews) or hidden (e.g. application usage statistics, business performance indicators). Metrics may affect individuals as well as the application owner (e.g. user reputation, influence others, gain fame, or undermine someone else's reputation).
Examples: Boosting friends, visitors, and likes; poll fraud; market distortion

OAT-017: Spamming
In short: Malicious or questionable information addition that appears in public or private content, databases, or user messages.
Description: Malicious content can include malware, IFRAME distribution, photographs and videos, advertisements, referrer spam, and tracking/surveillance code. The content might be less overtly malicious but be an attempt to cause mischief, undertake search engine optimisation (SEO), or dilute/hide other posts.
Examples: Blog spam; forum spam; wiki spam

OAT-018: Footprinting
In short: Probe and explore application to identify its constituents and properties.
Description: Information gathering with the objective of learning as much as possible about the composition, configuration, and security mechanisms of the application. Unlike Scraping, Footprinting is an enumeration of the application itself, rather than the data. It is used to identify all the URL paths, parameters and values, and process sequences (i.e., to determine entry points, also collectively called the attack surface). As the application is explored, additional paths will be identified which in turn need to be examined.
Examples: Application enumeration; crawling

OAT-019: Account Creation
In short: Create multiple accounts for subsequent misuse.
Description: Bulk account creation, and sometimes profile population, by using the application's account sign-up processes. The accounts are subsequently misused for generating content spam, laundering cash and goods, spreading malware, affecting reputation, causing mischief, and skewing search engine optimisation (SEO), reviews, and surveys.
Examples: Fake account; massive account registration

OAT-020: Account Aggregation
In short: Use by an intermediary application that collects together multiple accounts and interacts on their behalf.
Description: Compilation of credentials and information from multiple application accounts into another system. This aggregation application may be used by a single user to merge information from multiple applications, or alternatively to merge information of many users of a single application. Commonly used for aggregating social media accounts, email accounts, and financial accounts in order to obtain a consolidated overview.
Examples: Data aggregation; aggregator

OAT-021: Denial of Inventory
In short: Selection and holding of items from a limited inventory or stock, but which are never actually bought, paid for, or confirmed, such that other users are unable to buy/pay/confirm the items themselves.
Description: Denial of Inventory is most commonly thought of as taking e-commerce items out of circulation by adding many of them to a cart/basket; the attacker never actually proceeds to checkout to buy them but contributes to a possible stock-out condition. A variation of this automated threat event is making reservations (e.g. hotel rooms, restaurant tables, holiday bookings, flight seats), and/or click-and-collect without payment.
Examples: Denial-of-service; scalping; sniping

Controlling advanced application security threats can be challenging: these are difficult and complex problems to solve reliably.

WAF capability stack: basic signatures; OWASP Top 10; proactive bot defense; SSL/TLS inspection; credential protection; positive and negative security; app-layer DoS protection.

F5 Advanced WAF, sitting between users, mobile clients, attackers and bots on one side and the application on the other:
Defend against bots: proactive bot defense, anti-bot mobile SDK, client and server monitoring.
Prevent account takeover: app-level encryption, mobile app tamper protection, brute-force attack protection.
Protect apps from DoS: auto-tuning, behavioral analytics, dynamic signatures.

Controlling Automated Threats

CONTROLLING AUTOMATED THREATS WHO ARE YOU? WHAT ARE YOU DOING?


Escalating attacker tooling on the slide, with the control that catches each tier:
Simple bots (no JavaScript engine): JavaScript challenge.
Headless browsers and automated real browsers: CAPTCHA challenge.
CAPTCHA defeated by optical image recognition or human solvers: anomaly counters keyed on IP address and device ID.
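The first tier of that ladder, the JavaScript challenge, works because simple bots do not run a JavaScript engine. The exchange below is an added example, not the slides' code and not how F5's Proactive Bot Defense is implemented: the server issues a signed, time-limited proof-of-work puzzle bound to a client key (assumed here to be the client IP address), the page's script solves it, and the server verifies the answer. The token layout, the 60-second lifetime and the 12-bit difficulty are assumptions.

```python
"""JavaScript-challenge tier: a signed, time-limited proof-of-work puzzle.

Added example; not from the slides and not how F5's Proactive Bot Defense is
implemented. The token layout, the 60-second lifetime and the 12-bit
difficulty are assumptions.
"""
import hashlib
import hmac
import os

SERVER_SECRET = os.urandom(32)   # assumption: one per deployment, never sent to clients
LIFETIME_S = 60


def _leading_zero_bits_ok(digest: bytes, bits: int) -> bool:
    """True when the top `bits` bits of the digest are all zero."""
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - bits) == 0


def _mac(client_key: str, body: str) -> str:
    """HMAC binding the token to one client key (assumed: the client IP)."""
    return hmac.new(SERVER_SECRET, f"{client_key}|{body}".encode(), hashlib.sha256).hexdigest()


def issue_challenge(client_key: str, now: int, bits: int = 12) -> str:
    """Server side: token 'exp:bits:nonce:mac' embedded in the page for its script to solve."""
    body = f"{now + LIFETIME_S}:{bits}:{os.urandom(8).hex()}"
    return f"{body}:{_mac(client_key, body)}"


def solve_challenge(challenge: str) -> int:
    """Client side (in the real page this runs in the browser's JavaScript):
    find a counter whose hash with the nonce has `bits` leading zero bits."""
    _exp, bits, nonce, _mac_hex = challenge.split(":")
    counter = 0
    while not _leading_zero_bits_ok(hashlib.sha256(f"{nonce}:{counter}".encode()).digest(), int(bits)):
        counter += 1
    return counter


def verify_solution(client_key: str, challenge: str, counter: int, now: int) -> bool:
    """Server side: accept only an untampered, unexpired token bound to this
    client, carrying a correct answer."""
    try:
        exp, bits, nonce, mac_hex = challenge.split(":")
    except ValueError:
        return False
    if not hmac.compare_digest(_mac(client_key, f"{exp}:{bits}:{nonce}"), mac_hex):
        return False      # forged or tampered token (e.g. difficulty lowered)
    if now > int(exp):
        return False      # expired: stops replay of an old solved token
    return _leading_zero_bits_ok(hashlib.sha256(f"{nonce}:{counter}".encode()).digest(), int(bits))


if __name__ == "__main__":
    token = issue_challenge("203.0.113.5", now=1_000)
    answer = solve_challenge(token)
    print("accepted:", verify_solution("203.0.113.5", token, answer, now=1_030))
    print("replayed after expiry:", verify_solution("203.0.113.5", token, answer, now=1_100))
```

A headless browser runs the script and solves this just as a real browser does, which is exactly why the slide places the CAPTCHA challenge and then anomaly counters behind it. Binding the MAC to the client key and expiring the token limits sharing one solved token across a botnet, and `hmac.compare_digest` keeps the MAC check constant-time.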

Mobile: target of the same automated attacks; lack of app-specific security controls; need for integrated security.

Mitigate bots with the F5 Anti-Bot Mobile SDK (about 30 seconds via Appdome):
Upload your iOS or Android app, built in any environment.
Select the F5 SDK on Appdome.
Click "Fuse My App".
Publish anywhere.

Controlling Credential Attacks


Account Takeover Protection
Problem: Criminals are performing account takeover by stealing account credentials via malware.
Solution: app-level credential encryption; anti-bot mobile SDK; credential stuffing protection; brute-force attack protection.
Benefits: prevent the use of dumped credential databases; prevent the theft of user credentials; protect mobile apps.

Credentials from previous breaches: healthcare data, credit card data, financial data, passport data, intellectual property.

Goes beyond TLS/SSL
With TLS alone the browser still submits the form fields in clear (User = user, Password = 12345): TLS protects the connection, not the field in the page, so malware or a malicious extension in the browser reads the credential before it is encrypted for transport. With application-layer encryption the field names are obfuscated and the values encrypted in the page itself, so the same submission looks like 088373be1 = lsdkwe9, 0x8xb28 = pei57; stolen credentials are encrypted and cannot be re-used.
Application layer encryption; obfuscation and evasion detection; comprehensive brute-force mitigation.
DataSafe Encryption: field name obfuscation, field value encryption, AJAX/JSON support, no app updates required.

Application Layer Denial-of-Service

Characteristics of application-layer DoS:
Traffic typically looks like normal, legitimate traffic.
No advance warning or threat from the attackers.
May not affect ISP bandwidth utilization.
Troubleshooting root cause during the outage is difficult.
Mitigation may require significant investment.

Attack types by layer:
Layer 7 (application): Slowloris, Slow POST/Slow Read, HTTP GET/POST floods.
Layers 6-5 (session: SSL/TLS, DNS, NTP): SSL floods, SSL renegotiation, DNS UDP floods, DNS query floods, DNS NXDOMAIN floods.
Layers 4-2 (network): SYN/UDP/connection floods, PUSH and ACK floods, ICMP/ping floods, Teardrop, Smurf attacks.

Use Case: DoS Attacks (DoS Managed Services)
Problem: DoS attacks are growing, but your resources are not. Mitigation time is slow due to manual initiation and difficult policy tuning.
Solution: Silverline Always On protection with on-premises hardware (DDoS Hybrid Defender for layer 3 DDoS protection, Advanced WAF for layer 7 DoS protection), with signaling between the on-premises devices and the cloud when under attack. Mitigation with a layered defense strategy and cloud services. F5 SOC monitoring with portal. Protection against all attacks with granular control.
Benefits: On-premises hardware acts immediately and automatically. Silverline cloud-based services minimize the risk of larger attacks.

Layer 7 DoS detection:
Detect GET flood attacks against heavy URIs.
Identify non-human surfing patterns.
Fingerprint to identify clients beyond the IP address.
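Those three detection steps over constructed access-log lines, as an added example that is not code from the slides or from F5: heavy URIs are found from mean server latency, each client is keyed on IP address plus User-Agent so a bot behind the same NAT as a real user is separated from it, and a client is flagged either for a burst of heavy-URI requests in a sliding window or for machine-regular request timing with no page assets fetched. The log format `<ts> <ip> "<user-agent>" <uri> <status> <latency_ms>`, the fingerprint recipe and the thresholds are assumptions.

```python
"""Layer 7 DoS detection over an access log: heavy URIs, per-client burst
rate, machine-regular timing, and a client key beyond the IP address.

Added example, not from the slides and not F5 code. The log format
`<ts> <ip> "<user-agent>" <uri> <status> <latency_ms>`, the fingerprint
recipe and every threshold are assumptions.
"""
import hashlib
import re
import statistics
from collections import defaultdict, namedtuple

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\d{3}) (\d+)$')
Rec = namedtuple("Rec", "ts ip ua uri latency")
ASSET_EXT = (".css", ".js", ".png", ".jpg", ".ico", ".woff2")


def constructed_log():
    """Constructed sample, not real traffic: a scripted client and a real user
    share one NAT address, plus one other browser elsewhere."""
    lines = []
    bot_ua = "python-requests/2.31"
    for i in range(30):   # 30 expensive searches, exactly 200 ms apart
        lines.append(f'{100 + i * 0.2:.1f} 203.0.113.5 "{bot_ua}" /search?q=item{i} 200 900')
    human_ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
    for ts, uri, lat in [(100.0, "/", 40), (100.3, "/app.css", 5), (100.4, "/app.js", 6),
                         (104.5, "/search?q=shoes", 700), (104.8, "/logo.png", 4)]:
        lines.append(f'{ts:.1f} 203.0.113.5 "{human_ua}" {uri} 200 {lat}')
    lines.append(f'101.0 198.51.100.7 "{human_ua}" / 200 38')
    lines.append(f'101.2 198.51.100.7 "{human_ua}" /app.css 200 5')
    return "\n".join(lines)


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # line does not match the assumed format
    ts, ip, ua, uri, _status, lat = m.groups()
    return Rec(float(ts), ip, ua, uri, int(lat))


def fingerprint(ip, ua):
    """Key on more than the IP: two clients behind one NAT get different keys."""
    return hashlib.sha256(f"{ip}|{ua}".encode()).hexdigest()[:16]


def _peak_in_window(times, window):
    """Largest number of (sorted) timestamps falling inside any `window` seconds."""
    peak, lo = 0, 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return peak


def analyze(log_text, window_s=10.0, heavy_ms=500, heavy_hits=20, min_reqs=8, jitter_s=0.05):
    """Return (set of heavy URI paths, {(ip, ua): {"fingerprint": ..., "reasons": [...]}})."""
    recs = [r for r in map(parse, log_text.splitlines()) if r]
    latency = defaultdict(list)
    for r in recs:
        latency[r.uri.split("?", 1)[0]].append(r.latency)
    heavy = {p for p, v in latency.items() if statistics.mean(v) >= heavy_ms}

    by_client = defaultdict(list)
    for r in recs:
        by_client[(r.ip, r.ua)].append(r)

    verdicts = {}
    for key, rs in by_client.items():
        rs.sort(key=lambda r: r.ts)
        reasons = []
        heavy_ts = [r.ts for r in rs if r.uri.split("?", 1)[0] in heavy]
        peak = _peak_in_window(heavy_ts, window_s)
        if peak >= heavy_hits:
            reasons.append(f"{peak} heavy-URI requests within {window_s:g}s")
        gaps = [b.ts - a.ts for a, b in zip(rs, rs[1:])]
        regular = len(rs) >= min_reqs and statistics.pstdev(gaps) <= jitter_s
        no_assets = not any(r.uri.split("?", 1)[0].endswith(ASSET_EXT) for r in rs)
        if regular and no_assets:
            reasons.append("machine-regular timing and no page assets fetched")
        verdicts[key] = {"fingerprint": fingerprint(*key), "reasons": reasons}
    return heavy, verdicts


if __name__ == "__main__":
    heavy, verdicts = analyze(constructed_log())
    print("heavy URIs:", sorted(heavy))
    for (ip, ua), v in verdicts.items():
        print(f"{v['fingerprint']} {ip} {ua[:24]:24} {v['reasons'] or 'ok'}")
```

Keying on IP plus User-Agent is the minimal version of "fingerprint beyond IP"; a production key also takes other request attributes (TLS client hello, header order), and thresholds are tuned per URI from baseline traffic rather than fixed. The real user on 203.0.113.5 made one expensive search and is not flagged, whereas a plain per-IP rate limit would have throttled both clients behind that NAT.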

THE CHANGING DYNAMICS OF APPLICATION SECURITY: maximizing value from your WAF
Threat and the matching capability:
Vulnerabilities & exploits: Web Application Firewall.
Automated attacks: Proactive Bot Defense.
Mobile applications: Anti-Bot Mobile SDK.
Credential & data theft: DataSafe Encryption.
Low & slow DDoS: Behavioral Analytics.
API vulnerabilities: API Protocol Security.
Credential stuffing and threat campaigns: Threat Intelligence Feeds, Device Identification.