RSA Web Threat Detection: Online Threat Detection in Real Time
Alaa Abdulnabi, CISSP, CIRM, RSA Pre-Sales Manager, TEAM Region
Web Threat Landscape
Session timeline: In the Wild > Begin Session > Login > Transaction > Logout
Pre-Authentication Threats (InfoSec): Phishing, Site Scraping, Vulnerability Probing, Layer 7 DDoS Attacks, Password Cracking/Guessing, Parameter Injection, New Account Registration Fraud, Advanced Malware (e.g. Trojans)
Post-Authentication Threats (Fraud): Promotion Abuse, Man in the Middle/Browser, Account Takeover, New Account Registration Fraud, Unauthorized Account Activity, Fraudulent Money Movement
How are Websites Protected Today?
- User: 2 Factor Authentication, Device ID
- Network: Firewall, IPS/IDS
- Application: WAF, Penetration Testing, Dynamic Scanning, Log Analysis/SIEM, Source Code Analysis
Intelligent Risk-Based Fraud Prevention
Control layers: Shared Threat Intelligence; Anti-Phishing/-Trojan/-Rogue Apps; Behavioral Analysis; Risk Based Authentication; Transaction Monitoring
Session timeline (web and mobile channels): In the Wild > Beginning of Session > Login > Transaction > Logout
Pre-Authentication Threats: Site Scraping, Trojan Attacks, Rogue Mobile Apps, Vulnerability Probing, DDOS Attacks, New Account Registration Fraud, Phishing Attacks, Promotion Abuse, Parameter Injection, Password Guessing, Access From High Risk Country
Post-Authentication Threats: Man In The Browser, Unauthorized Account Activity, Man In The Middle, Account Takeover, High Risk Checkout, Fraudulent Money Movement
Stream Analytics
Threat Scores: Velocity, Behavior, Parameter Injection, Man in the Middle, Man in the Browser
Copyright 2011 EMC Corporation. All rights reserved.
Web Threat Detection: Behind the User Experience
Sample clickstream of one determined session: Homepage > Sign-In > My Account > Checking Account View > Bill Pay Home > Select Bill Payee > Add Bill Payee > Enter Payment Amount > Submit
Behind the User Experience (continued)
1. Data is broken apart into several pieces under a lens.
2. Data is sessionized.
Behind the User Experience (continued)
- Inspects all data and scrubs it
- Data is compressed, indexed, and stored
Behind the User Experience (continued)
Web session traffic > Scoring Engine / Rules Engine > Incident
Incident outputs: Send API, SysLog, Create email report, 3rd Party Systems
Clickstream views: Summary of clickstream; Interactive clickstream; Table display; Human-readable click details
Typical Use Cases
- Information Security Threats
- Fraud Threats
- Business Intelligence
- Infrastructure Utilisation
Information Security Case Examples
Site Scraping Overview
Example of the web scraping process (hypothetical example only!):
1. Hotel reviews are posted on the customer's site.
2. A bot pulls the content from the site within minutes of posting.
3. A potential traveller searches Google and clicks through to the (third-party) travel review site.
4. The customer clicks a link to the hotel booking site.
5. Hotel booked and travel plans complete! The hotel was chosen based on reviews from the original site without the customer ever visiting the original content website.
Key impacts to the travel review website:
1. Missed web traffic equals missed advertising revenue.
2. The travel booking referral to the hotel was based on original site content but is claimed by the third-party review site.
3. Increased market competition from competitors with minimal operational cost overheads.
Information Security: Site scraping
Content cycling, the direct approach
- Brisbane-based IP: 233 clicks in 1 hour, each click to a unique page content number URL
- 1746 clicks in 1 hour
- Human-like click velocity, between 1 and 5 seconds
- Identified via a Web Threat Detection site scraping rule alert
Information Security: Architecture probing
Scripted website probing attack against a bank domain
Threat summary:
- The customer typically has only ~150 unique URLs which are actively accessed by customers.
- This attack targeted over four thousand URLs; the majority of the page requests were invalid but were still received by their web server.
- Invalid page requests (e.g. 404 errors) are common when identifying website attacks which are looking to map the site or locate vulnerable pages.
- 10945 clicks within 1 hour, to 4484 unique URLs, from a single US-based IP
- 95% of clicks sub-0.5 seconds
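The two case examples above (content cycling and architecture probing) both reduce to features of a sessionized clickstream: clicks per source, unique-URL spread, share of 404s, and the gap between consecutive clicks. The following is an added example, not RSA product code; the log lines are constructed, and the thresholds (a ~150-URL site, 95% sub-0.5 s clicks) are assumptions mirroring the slides rather than product defaults.

```python
from datetime import datetime, timedelta

def make_log():
    """Constructed clickstream (illustrative, not real traffic): 'timestamp ip url status'."""
    t0, lines = datetime(2011, 6, 1, 10, 0, 0), []
    for i in range(12):   # scraper: every hit a new content page, 3 s apart, all 200
        lines.append(f"{(t0 + timedelta(seconds=3 * i)).isoformat()} 203.0.113.10 /reviews/hotel/{1000 + i} 200")
    for i in range(40):   # prober: guessed paths, 0.2 s apart, mostly 404
        status = 200 if i % 10 == 0 else 404
        lines.append(f"{(t0 + timedelta(milliseconds=200 * i)).isoformat()} 198.51.100.7 /admin/{i}.php {status}")
    for i, path in enumerate(["/", "/login", "/account", "/billpay", "/logout"]):  # ordinary user
        lines.append(f"{(t0 + timedelta(seconds=40 * i)).isoformat()} 192.0.2.5 {path} 200")
    return lines

def sessionize(lines):
    """Group clicks by source IP in time order (the deck's 'sessionized' data)."""
    by_ip = {}
    for line in lines:
        ts, ip, url, status = line.split()
        by_ip.setdefault(ip, []).append((datetime.fromisoformat(ts), url, int(status)))
    for clicks in by_ip.values():
        clicks.sort()
    return by_ip

def profile(clicks):
    """Per-IP features the case examples rely on: volume, URL spread, 404 share, click speed."""
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(clicks, clicks[1:])]
    return {
        "clicks": len(clicks),
        "unique_urls": len({c[1] for c in clicks}),
        "not_found_ratio": sum(c[2] == 404 for c in clicks) / len(clicks),
        "fast_ratio": sum(g < 0.5 for g in gaps) / len(gaps) if gaps else 0.0,
    }

def classify(p, site_urls=150):
    """Thresholds are assumptions mirroring the slides (~150 live URLs, 95% sub-0.5 s clicks)."""
    if p["unique_urls"] > 0.2 * site_urls and p["not_found_ratio"] > 0.5 and p["fast_ratio"] > 0.9:
        return "architecture probing"
    if p["clicks"] >= 10 and p["unique_urls"] == p["clicks"] and p["fast_ratio"] == 0.0:
        return "site scraping"
    return "normal"

def scan(lines):
    """Map each source IP in the log to a verdict."""
    return {ip: classify(profile(clicks)) for ip, clicks in sessionize(lines).items()}
```

In production the same features would be computed per rolling hour rather than over the whole log, and the verdicts fed to the rules engine described later in the deck.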
Information Security: Password guessing
Attempted account takeover via scripted attacks
Do you have visibility of brute force attacks on your login pages?
RSA Web Threat Detection is very effective at both types of password guessing:
- Vertical: same user ID, guess the password
- Horizontal: same password, guess the user ID
Often banks and other online organisations allocate user IDs based on a number. If you run a script with a common password (e.g. P@ssword1), then it is simply a matter of time until an account logon is compromised as the script cycles through sequential login numbers.
- Analysis of header data detects the Linux operating system, which is very common for scripted attacks.
- Single user ID, multiple password attempts.
- Note: the password is stored only as a one-way hash, which still allows for value profiling.
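Vertical versus horizontal guessing, and the one-way transform of the password that still allows value profiling, as an added example that is not RSA's own code: the login events are constructed, and the keyed SHA-256 digest and the profiling key are assumptions (the product's actual transform is not described on the slide).

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed login events (illustrative): (second offset, source ip, user id, password, outcome).
# Only a one-way digest of the password is kept for value profiling; the keyed SHA-256
# and the key below are assumptions, not the product's own method.
PROFILING_KEY = b"per-deployment-secret-rotate-me"

def password_digest(password):
    """Keyed one-way transform: equal passwords give equal digests, nothing is recoverable."""
    return hmac.new(PROFILING_KEY, password.encode(), hashlib.sha256).hexdigest()[:16]

def make_events():
    ev = [(i, "198.51.100.7", "10023456", f"guess{i}", "fail") for i in range(12)]   # vertical
    ev += [(i, "203.0.113.10", str(10000000 + i), "P@ssword1", "fail") for i in range(15)]  # horizontal
    ev += [(0, "192.0.2.5", "10099001", "hunter3", "fail"), (5, "192.0.2.5", "10099001", "hunter2", "ok")]
    return ev

def detect_guessing(events, threshold=5):
    """Return {ip: finding} for source IPs matching vertical or horizontal password guessing."""
    per_ip = defaultdict(list)
    for _t, ip, uid, pw, _outcome in events:
        per_ip[ip].append((uid, password_digest(pw)))
    findings = {}
    for ip, attempts in per_ip.items():
        by_user, by_digest = defaultdict(set), defaultdict(set)
        for uid, d in attempts:
            by_user[uid].add(d)       # distinct passwords tried per user ID
            by_digest[d].add(uid)     # distinct user IDs tried per password
        for uid, digests in by_user.items():
            if len(digests) >= threshold:
                findings[ip] = f"vertical: {len(digests)} passwords tried against user {uid}"
        for users in by_digest.values():
            if len(users) >= threshold:
                ids = sorted(int(u) for u in users if u.isdigit())
                seq = len(ids) == len(users) and ids == list(range(ids[0], ids[0] + len(ids)))
                findings[ip] = f"horizontal: one password against {len(users)} user IDs" + (" (sequential)" if seq else "")
    return findings
```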
Distributed Denial of Service (DDoS) Attack
Behavior indicating the onset of a DDoS
- Web Threat Detection identified a single page being hit 1.6 million times over the course of one hour without the activity being blocked (normal peak traffic is 1.2 million hits).
- IPs originating from high-risk countries
- Single IP executing 70,000 page requests in one hour
- 10 IPs executing 366,000 page requests in one hour
Mitigation: categorized the 10 IPs as a threat group and sent them to the firewall.
Fraud Threat Case Examples
Fraud Threats: Credential Testing
Account peeking: multiple test logins from a Nigerian IP address
Early detection = reduced impact. Detection of account peeking via Web Threat Detection allows at-risk user accounts to be identified and treated before the customer or business is impacted.
Account peeking is a very common behaviour by fraudsters as it allows them to:
1. Validate the login credentials
2. Identify higher value accounts
3. Understand the controls which must be defeated to complete future unauthorised transactions
Observed: a single login test click for each account; multiple users from a single Nigerian IP within 1 hour.
Man in the Middle (MITM)
- One account accessed by 2 or more IP addresses in different geographies
- First attack vector used against online banking targets
Detecting Zeus Variants
Flow: client infected with a Zeus variant > accesses banking site > production web app / transactional systems
Telltale signs detected by rules in real time, e.g. USER AGENT CONTAINS: Zeus 54361 WebsterPro V2.9
Dynamic Detection of Man in the Browser / Mobile Malware
TARGET: Top 5 Financial Services
Legitimate flow (user initiates): Sign-in > Account Overview > Pay Bill Overview > Pay Bill > Pay Bill Complete
Attack flow: Add External Account > Transfer Funds > Transfer Funds Complete
PATTERNS: Multiple Flows
ATTACK: Man in the Browser
DAMAGE: Funds transferred from victim account
Fraud Threats: Account Takeover
Malware on the customer's device attempting account takeover
- Malware-driven password guessing against a single user ID
- 50% of clicks in sub-0.5 seconds
- The user agent for this particular IP contains SIMBAR. This is a characteristic of adware known to be used by malware for account takeover purposes.
Business Logic Abuse Case Examples
Business Logic Abuse: Content Click Fraud
Inflation of page traffic via automated views
- Single user ID = username@domain.com
- Single user cycling through 18 different IP addresses within 24 hours across multiple states/cities
- Repetitive clickstream behaviour: (1) Login (2) Search (3) View Page (4) Logout (5) Repeat the above
Business Logic Abuse: User rating inflation
False sales between common parties to inflate user rating
- 10 identical orders (same buyer/seller) placed within 9 minutes
- 21 orders from a single user within 1 hour at 5am
- Each order value ~$1,000 USD
Business Logic Abuse: Coupon testing
Scripted attacks to find valid coupon codes
Impact of coupon abuse can include:
- Genuine customer impact due to unauthorised use of coupon offers
- Decreased revenue due to offer abuse
- Increased website overhead due to scripted attacks
- Site scraping by resellers or coupon aggregator sites
Observed: a single IP driving 95%+ of all coupon code page traffic.
Platform Architecture
- Inputs: Network Switch/TAP, Span Port, Silver Tap; Intelligence Data; External Data Source API
- Core: Risk Engines, Profile Analyzer, Mitigator, Forensics, Action Server
- Outputs: Case Management, SIEM, Automated Response
RSA Web Threat Detection
- Real-Time Visibility
- Industry Leading Accuracy
- Understand Customers vs. Criminals
- Almost Immediate Time To Benefit
- No Impact To Users or Web App
- Self Learning