RSA Web Threat Detection
Amy Blackshaw, CISSP
Web Threat Landscape

Session timeline: Begin Session → In the Wild → Login → Transaction → Logout

Pre-Authentication Threats (InfoSec)
• Phishing
• Site Scraping
• Vulnerability Probing
• Layer 7 DDoS Attacks

Post-Authentication Threats (InfoSec)
• Password Cracking/Guessing
• Parameter Injection
• New Account Registration Fraud
• Advanced Malware (e.g. Trojans)
• Promotion Abuse

Post-Authentication Threats (Fraud)
• Man in the Middle/Browser
• Account Takeover
• New Account Registration Fraud
• Unauthorized Account Activity
• Fraudulent Money Movement

RSA CONFIDENTIAL—INTERNAL USE ONLY
How are Websites Protected Today?

User
• 2 Factor Authentication
• Device ID

Network
• Firewall
• IPS/IDS

Application
• WAF
• Penetration Testing
• Dynamic Scanning
• Log Analysis/SIEM
• Source Code Analysis

© Copyright 2015 EMC Corporation. All rights reserved.
Lack of Visibility into Online User Behavior

What ARE users doing on your site?

"Great!? New online service."
"Just added you as a new payee, transfer the money & log-out."

Legitimate? Disruptive? Criminal?
Distinguishing Customers from Cyber Criminals

Example click stream: Homepage → Sign-In → My Account → Bill Pay Home → Add Bill Payee → Select Bill Payee → Enter Payment Amount → Submit
Flagged: Abnormal Web Session!

Visibility
• Providing Continuous Monitoring for Total Visibility into Web Sessions
Analysis
• Building Dynamic Behavioral Profiles for the Population and Individuals
Action
• Calculating Real-time Threat Scores for Use in Rules for Integration
Web Threat Detection GUI
• User/IP Sessions' Summary (no time boundaries)
• Quickly determine malicious user/IP via Risk Indicators
• Score Generated by Analytics Engine
• Direct Navigation
Typical Use Cases
• Information Security Threats
• Fraud Threats
• Business Logic Abuse
Account 'peeking'
Single IP rapidly checking status & balance of a list of accounts
• IP attempts to log into multiple user accounts
• Criminals have a list of compromised accounts and are trying to validate them and check balances
• 23 different user and password combinations
• Low number of clicks (~2-3 per user)
Horizontal attack at an APAC bank
• What were they doing?
  – 145,000 user accounts attacked
  – 434 compromised
  – The same password (PW1) tried against User 1, User 2, User 3, ... (one password, many accounts)
• How did we detect it?
  – Elevated velocity and behavior scores
• Now we can leverage the API to:
  – Temporarily redirect logins to customer support
  – Send attacking IP to SIEM for correlation
  – Add users to watch list for future activity
Site scraping - Aggregators/Competitors
Script systematically cycling through and scraping all website URLs
• Brisbane-based IP
  – 233 clicks in 1 hour, each click to a unique page content number URL
  – 1,746 clicks in 1 hour
  – 'Human-like' click velocity of 1 to 5 seconds between clicks
  – Identified via a Web Threat Detection site scraping rule alert
• Business impact of site scraping
  – Reduced revenue due to competitor intelligence
  – Site performance
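The three scenarios above (account peeking, the horizontal password attack, and site scraping) are all per-IP aggregates over a click stream. The following Python is an added example, not RSA Web Threat Detection code or anything from the slides: it sessionizes constructed sample traffic by source IP, derives velocity and behavior features, and fires simple rules whose thresholds (10 accounts, 200 clicks an hour, a 0.9 unique-URL ratio, and so on) are assumptions chosen to match the numbers on the slides; the IPs, usernames and paths are constructed too.

```python
"""Per-IP click-stream rules for account peeking, horizontal (password-spraying)
attacks and site scraping.  Added example, not RSA Web Threat Detection code;
every threshold is an assumption chosen to match the numbers on the slides."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
import random


@dataclass
class Click:
    ts: float          # epoch seconds
    ip: str
    user: str | None   # username presented at /login or bound to the session; None if anonymous
    page: str          # request path
    status: int        # HTTP response status


def build_sample_clickstream() -> list[Click]:
    """Constructed sample traffic (not real logs): a normal customer, an account-peeking
    IP, a password-spraying IP and a content scraper, all within one hour."""
    rng, t0, clicks = random.Random(7), 1_700_000_000.0, []
    # Normal customer: one account, a handful of clicks, pages revisited.
    for i, page in enumerate(["/", "/login", "/account", "/billpay", "/account",
                              "/billpay", "/billpay/payee", "/account", "/logout"]):
        clicks.append(Click(t0 + 20 * i, "10.0.0.5", "alice" if i else None, page, 200))
    # Account peeking: 23 compromised accounts validated from one IP, 2-3 clicks each.
    for n in range(23):
        base = t0 + 30 * n
        clicks.append(Click(base, "198.51.100.7", f"victim{n}", "/login", 200))
        clicks.append(Click(base + 4, "198.51.100.7", f"victim{n}", "/account/balance", 200))
        if n % 2:
            clicks.append(Click(base + 7, "198.51.100.7", f"victim{n}", "/logout", 200))
    # Horizontal attack: one password tried against 40 users; two happen to succeed.
    for n in range(40):
        status = 200 if n in (11, 29) else 401
        clicks.append(Click(t0 + 5 * n, "203.0.113.9", f"user{n}", "/login", status))
    # Scraper: 233 requests, each to a unique content id, 'human-like' 1-5 s gaps.
    t = t0
    for n in range(233):
        t += rng.uniform(1, 5)
        clicks.append(Click(t, "192.0.2.44", None, f"/content/{n}", 200))
    return clicks


def ip_features(clicks: list[Click]) -> dict[str, dict]:
    """Sessionize by source IP and compute the velocity/behavior features the rules use."""
    by_ip: dict[str, list[Click]] = defaultdict(list)
    for c in clicks:
        by_ip[c.ip].append(c)
    feats = {}
    for ip, cs in by_ip.items():
        cs.sort(key=lambda c: c.ts)
        last_hour = [c for c in cs if c.ts >= cs[-1].ts - 3600]
        users = {c.user for c in cs if c.user}
        logins = [c for c in cs if c.page == "/login"]
        gaps = [b.ts - a.ts for a, b in zip(cs, cs[1:])]
        feats[ip] = {
            "clicks_last_hour": len(last_hour),
            "distinct_users": len(users),
            "clicks_per_user": len(cs) / max(len(users), 1),
            "login_attempts": len(logins),
            "login_fail_ratio": sum(c.status >= 400 for c in logins) / max(len(logins), 1),
            "unique_url_ratio": len({c.page for c in cs}) / len(cs),
            "median_gap_s": median(gaps) if gaps else 0.0,
        }
    return feats


# Rule name -> (predicate over the feature dict, score contribution).  Thresholds are assumed.
RULES = {
    # many accounts, logins mostly succeed (the list is already compromised), 2-3 clicks each
    "account_peeking": (lambda f: f["distinct_users"] >= 10 and f["clicks_per_user"] <= 3
                        and f["login_fail_ratio"] < 0.5, 40),
    # many accounts tried, almost every login fails
    "password_spraying": (lambda f: f["login_attempts"] >= 20 and f["login_fail_ratio"] >= 0.8, 50),
    # click velocity is human-like; the tell is that nearly every click is a new URL
    "site_scraping": (lambda f: f["clicks_last_hour"] >= 200 and f["unique_url_ratio"] >= 0.9, 45),
}


def score_ip(f: dict) -> tuple[int, list[str]]:
    """Return a 0-100 threat score and the risk indicators (rules) that fired."""
    fired = [name for name, (pred, _) in RULES.items() if pred(f)]
    return min(100, sum(RULES[n][1] for n in fired)), fired


def actions_for(ip: str, score: int, fired: list[str]) -> list[str]:
    """Integration hooks modeled on the slide: forward to the SIEM, redirect logins."""
    acts = []
    if score >= 40:
        acts.append(f"siem: forward ip={ip} indicators={','.join(fired)}")
    if {"account_peeking", "password_spraying"} & set(fired):
        acts.append(f"login: redirect ip={ip} to customer support")
    return acts


if __name__ == "__main__":
    for ip, f in ip_features(build_sample_clickstream()).items():
        score, fired = score_ip(f)
        print(ip, score, fired, actions_for(ip, score, fired))
```

The scraper passes a pure velocity check (1-5 s between clicks is human speed); what separates it from a customer is that nearly every request is a new URL. Likewise, what separates peeking from spraying is whether the logins succeed: a criminal validating an already-compromised list logs in cleanly and leaves after two or three clicks.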
Man-in-the-Browser
Two paths from the victim's device:
• Victim: Login → Landing Page → Check Balance → View Check Image
• MitB Malware: Login → Add a Payee → Create Wire Transfer

1.) Valid user login immediately followed by malware login.
2.) The malware session attempts multiple wire transfers.
3.) A real-time alert is sent for risky behavior on a money movement page.
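Added example (not RSA code) of the detection the slide describes: stream the hits in time order, remember each login per user and session, and alert the moment a money-movement page is requested in a session whose login landed within a short window of another login for the same user. The page names, the 60-second window and the sample sessions are assumptions.

```python
"""Man-in-the-Browser pattern from the slide: a valid login immediately followed by a
second login for the same user, whose session goes straight to money-movement pages.
Added example, not RSA code; page names, the 60 s window and the sample hits are assumed."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

MONEY_MOVEMENT = {"/payee/add", "/wire/create", "/wire/submit"}   # assumed page names
LOGIN_GAP_S = 60.0   # a second login within this many seconds counts as 'immediate' (assumed)


@dataclass
class Hit:
    ts: float      # epoch seconds
    user: str
    session: str   # session cookie id
    page: str


def build_sample_hits() -> list[Hit]:
    """Constructed traffic, not real logs.  bob's browser (S1) browses normally while the
    injected malware opens S2 three seconds later and fires repeated wire transfers.
    carol makes a legitimate wire in a single session."""
    t = 1_700_000_000.0
    victim = ["/login", "/landing", "/balance", "/checks/view"]
    malware = ["/login", "/payee/add", "/wire/create", "/wire/submit",
               "/wire/create", "/wire/submit", "/wire/create"]
    carol = ["/login", "/landing", "/payee/add", "/wire/create", "/wire/submit"]
    hits = [Hit(t + 15 * i, "bob", "S1", p) for i, p in enumerate(victim)]
    hits += [Hit(t + 3 + 0.8 * i, "bob", "S2", p) for i, p in enumerate(malware)]
    hits += [Hit(t + 600 + 20 * i, "carol", "S3", p) for i, p in enumerate(carol)]
    return hits


def detect_mitb(hits: list[Hit], login_gap_s: float = LOGIN_GAP_S) -> list[dict]:
    """Stream the hits in time order and raise a real-time alert the moment a
    money-movement page is requested in a session whose login came within
    login_gap_s of another login for the same user (concurrent sessions)."""
    login_at: dict[str, dict[str, float]] = defaultdict(dict)   # user -> session -> login ts
    alerts = []
    for h in sorted(hits, key=lambda h: h.ts):
        if h.page == "/login":
            login_at[h.user][h.session] = h.ts
            continue
        if h.page not in MONEY_MOVEMENT:
            continue
        mine = login_at[h.user].get(h.session)
        if mine is None:
            continue   # money movement with no login in this session belongs to a separate rule
        twins = [s for s, ts in login_at[h.user].items()
                 if s != h.session and abs(ts - mine) <= login_gap_s]
        if twins:
            alerts.append({"ts": h.ts, "user": h.user, "session": h.session,
                           "page": h.page, "concurrent_with": twins})
    return alerts


def wire_attempts(alerts: list[dict]) -> dict[str, int]:
    """Count wire-creation attempts per alerted session (the slide's 'multiple wire transfers')."""
    counts: dict[str, int] = defaultdict(int)
    for a in alerts:
        if a["page"] == "/wire/create":
            counts[a["session"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect_mitb(build_sample_hits())
    for a in found:
        print(a)
    print(wire_attempts(found))
```

The rule alerts on either of the two concurrent sessions, whichever touches money movement first; here that is the malware's S2, while the victim's S1 never leaves the balance and check-image pages. carol's single-session wire produces no alert, which is the point: the signal is concurrency plus money movement, not money movement alone.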
Refinement and Persistence - Finance

Wire Creation Logic: high value transfers automatically trigger MFA...
  "...but if I create a lot of low value transfers, they'll fly below the radar."  ($78.00 transfer)

Wire Edit Logic: high value wire creation demands MFA, but there's no restriction on wire editing!
  ($78.00 transfer edited up to a $7,800.00 transfer)

Varied amounts + template approach = $200,000+ fraud
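The flaw on this slide is that the MFA decision is made once, at creation, on a single wire's amount. The Python below is an added example (not RSA's or any bank's code) that puts the vulnerable logic beside a hardened version which re-evaluates the policy on the effective amount after an edit and on the account's aggregate of unverified wires. The $1,000 threshold, the $2,500 aggregate cap and the account ids are assumptions; the $78 / $7,800 amounts come from the slide.

```python
"""Wire-transfer step-up logic for the 'Refinement and Persistence - Finance' slide.
VulnerableWireService reproduces the flaw described there (MFA only on creation,
judged on one wire's amount, edits unrestricted); HardenedWireService evaluates the
policy on the effective state of every path.  Added example, not RSA or any bank's
code; thresholds, account ids and the attack amounts are assumptions/slide values."""
from __future__ import annotations
from dataclasses import dataclass

MFA_THRESHOLD = 1_000.00    # assumed: a single wire at/above this needs step-up MFA
UNVERIFIED_CAP = 2_500.00   # assumed: aggregate of non-MFA'd wires per account before step-up


class StepUpRequired(Exception):
    """Raised when the caller must complete MFA before the operation is accepted."""


@dataclass
class Wire:
    wire_id: int
    account: str
    amount: float
    mfa_verified: bool = False


class VulnerableWireService:
    def __init__(self) -> None:
        self.wires: dict[int, Wire] = {}
        self._next = 1

    def create(self, account: str, amount: float, mfa_ok: bool = False) -> Wire:
        if amount >= MFA_THRESHOLD and not mfa_ok:
            raise StepUpRequired("high-value wire creation requires MFA")
        w = Wire(self._next, account, amount, mfa_ok)
        self.wires[w.wire_id] = w
        self._next += 1
        return w

    def edit_amount(self, wire_id: int, amount: float, mfa_ok: bool = False) -> Wire:
        w = self.wires[wire_id]
        w.amount = amount          # the flaw: the new amount is never re-evaluated
        return w


class HardenedWireService(VulnerableWireService):
    def _check(self, account: str, amount: float, mfa_ok: bool, exclude: int | None = None) -> None:
        if mfa_ok:
            return
        pending = sum(w.amount for w in self.wires.values()
                      if w.account == account and not w.mfa_verified and w.wire_id != exclude)
        if amount >= MFA_THRESHOLD:
            raise StepUpRequired("effective wire amount at/above MFA threshold")
        if pending + amount > UNVERIFIED_CAP:
            raise StepUpRequired("aggregate of unverified wires exceeds cap")

    def create(self, account: str, amount: float, mfa_ok: bool = False) -> Wire:
        self._check(account, amount, mfa_ok)
        return super().create(account, amount, mfa_ok)

    def edit_amount(self, wire_id: int, amount: float, mfa_ok: bool = False) -> Wire:
        w = self.wires[wire_id]
        self._check(w.account, amount, mfa_ok, exclude=wire_id)   # judge the post-edit amount
        w.amount = amount
        w.mfa_verified = w.mfa_verified or mfa_ok
        return w


def run_edit_attack(service: VulnerableWireService, wires: int = 30) -> float:
    """Slide pattern: create many $78 wires, then edit each one up to $7,800.
    Returns the total moved without ever completing MFA."""
    moved = 0.0
    for _ in range(wires):
        try:
            w = service.create("acct-1", 78.00)
            service.edit_amount(w.wire_id, 7_800.00)
        except StepUpRequired:
            break
        moved += w.amount
    return moved


def count_low_value_wires(service: VulnerableWireService, amount: float = 78.00, limit: int = 100) -> int:
    """Slide pattern: how many sub-threshold wires can be created before step-up is demanded."""
    created = 0
    for _ in range(limit):
        try:
            service.create("acct-2", amount)
        except StepUpRequired:
            break
        created += 1
    return created


if __name__ == "__main__":
    print("vulnerable, edit attack:", run_edit_attack(VulnerableWireService()))
    print("hardened,   edit attack:", run_edit_attack(HardenedWireService()))
    print("vulnerable, $78 wires before MFA:", count_low_value_wires(VulnerableWireService()))
    print("hardened,   $78 wires before MFA:", count_low_value_wires(HardenedWireService()))
```

Against the vulnerable service thirty $78 wires edited to $7,800 move $234,000 with no step-up, the slide's "$200,000+" outcome; the hardened service stops the first edit and also caps the "many low-value transfers" variant at 32 unverified wires. An edit made with MFA completed still succeeds, so the control costs legitimate users nothing they were not already asked for at creation.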
Let's attract new customers!
• Have a loss-leading sale on a few items
• Limit folks to two items per customer
• Value of new customers > Cost of promotion

Promotion orders: 76 User Names, 47 Unique IPs, 1 Unique Device

Success!
• We made more sales, and did it faster than we thought we would.
Failure!
• 18% made from 1 device
• 75% made from 30 devices
• Nearly all sales traced back to a reseller
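The promotion limit was keyed on the username, so 76 usernames could buy 152 items from one device. Added example, not RSA or the retailer's code: a union-find links usernames that share a device fingerprint and the two-item limit is enforced per linked identity instead of per username. The orders, IPs and device id are constructed to reproduce the slide's 76 / 47 / 1 figures, and the device fingerprint field is an assumption about what the site captures.

```python
"""Per-customer purchase limits for the 'Let's attract new customers!' slide.  The slide's
promotion limited each *username* to two items; 76 usernames over 47 IPs came from one
device.  This added example (not RSA or the retailer's code) links usernames that share a
device fingerprint with a union-find and enforces the limit per linked identity.
Usernames, IPs and the device id are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Order:
    order_id: int
    username: str
    ip: str
    device_id: str   # client-side device fingerprint as captured by the site (assumed field)
    qty: int


def build_sample_orders() -> list[Order]:
    """Constructed: a reseller with 76 accounts across 47 IPs on one device, plus two real customers."""
    orders = [Order(n, f"promo_user{n:02d}", f"203.0.113.{n % 47}", "dev-reseller-01", 2)
              for n in range(76)]
    orders.append(Order(100, "alice", "198.51.100.1", "dev-alice", 2))
    orders.append(Order(101, "bob", "198.51.100.2", "dev-bob", 1))
    return orders


def summarize(orders: list[Order]) -> tuple[int, int, int]:
    """(distinct usernames, distinct IPs, distinct devices): the slide's 76 / 47 / 1 view."""
    return (len({o.username for o in orders}), len({o.ip for o in orders}),
            len({o.device_id for o in orders}))


class UnionFind:
    def __init__(self) -> None:
        self.parent: dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_identities(orders: list[Order]) -> dict[str, str]:
    """Map each username to a cluster id; usernames sharing a device land in one cluster."""
    uf = UnionFind()
    for o in orders:
        uf.union(f"user:{o.username}", f"device:{o.device_id}")
    return {o.username: uf.find(f"user:{o.username}") for o in orders}


def enforce_limit(orders: list[Order], limit: int = 2, per: str = "username") -> list[Order]:
    """Accept orders in arrival order until the limit is reached for the chosen identity key.
    per='username' is the slide's original (abusable) rule; per='cluster' uses linked identities."""
    clusters = link_identities(orders) if per == "cluster" else None
    bought: dict[str, int] = {}
    accepted = []
    for o in sorted(orders, key=lambda o: o.order_id):
        key = clusters[o.username] if clusters else o.username
        if bought.get(key, 0) + o.qty <= limit:
            bought[key] = bought.get(key, 0) + o.qty
            accepted.append(o)
    return accepted


if __name__ == "__main__":
    orders = build_sample_orders()
    print("usernames/IPs/devices:", summarize(orders))
    print("accepted per username:", len(enforce_limit(orders)))
    print("accepted per linked identity:", len(enforce_limit(orders, per="cluster")))
```

Adding payment instrument or shipping address as further union edges strengthens the clustering; a device fingerprint on its own is spoofable, and the slide's reseller was caught only because nobody bothered to vary it. The rule also needs a tolerance for genuinely shared devices (a household PC), which is why the limit should apply to the cluster rather than reject it outright.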
Brand Reputation
Email my Cart
• Let's add an "email my cart" feature
  – Reduce cart abandonment
  – Drive sales
  – Spread brand / sale awareness
• This is awesome!
  – Users can add their comments on our products
  – Emails will be branded with our name and logo
  – People love this feature - the page gets tons of hits.
• Normal users don't email their carts 12x per minute
  – 3,500+ spam emails being sent each week
  – Using carriage returns to bury the product
• Multiple Impacts
  – Brand degradation
  – Email filters flag our feature as spam
  – "We'd heard reports of spam, but figured someone was spoofing us."

Form mock-ups on the slide:
  Your email: [email protected]
  Recipient email: [email protected]
  Comments (legitimate): "Hello friend, check out this fancy item, is this the one you wanted for Xmas?"
  Comments (spam): "Hello friend I'm having big money time sales on Rolecks brand watches! Click Here!"
  1 item in cart: Fancy Item: SKU 40593785, $45.99
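Two controls would have contained this: a per-sender rate limit (normal users do not email their cart 12 times a minute) and a comment field that cannot be padded with carriage returns or carry links. Added example, not RSA or the retailer's code; the limits, the link check, the field names and the sample requests (reusing the Rolecks text from the slide) are assumptions.

```python
"""Hardening for the 'Email my Cart' feature on the Brand Reputation slide: a per-sender
sliding-window rate limit and comment normalization that defeats the carriage-return
trick used to push the product out of view.  Added example, not RSA or the retailer's
code; the limits, the field names and the sample requests are assumptions."""
from __future__ import annotations
from collections import defaultdict, deque
import re

MAX_PER_MINUTE = 3          # assumed: sends allowed per (account, IP) per 60 s window
MAX_COMMENT_CHARS = 280     # assumed
URL_RE = re.compile(r"(https?://|www\.)", re.I)


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window_s` seconds for each key."""
    def __init__(self, limit: int = MAX_PER_MINUTE, window_s: float = 60.0) -> None:
        self.limit, self.window_s = limit, window_s
        self._events: dict[str, deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def normalize_comment(text: str) -> str | None:
    """Collapse all whitespace runs (including the CR/LF padding), cap the length and
    refuse comments that carry links; returns None when the comment must be rejected."""
    flat = " ".join(text.split())
    if URL_RE.search(flat):
        return None
    return flat[:MAX_COMMENT_CHARS]


def render_email(cart_lines: list[str], comment: str, brand: str = "ExampleShop") -> str:
    """Product first, comment last, so nothing the sender types can bury the cart."""
    body = [f"{brand}: a friend shared a cart with you", *cart_lines, "", f"Their note: {comment}"]
    return "\n".join(body)


def handle_email_cart(req: dict, limiter: SlidingWindowLimiter) -> tuple[bool, str]:
    """Returns (sent, reason_or_body).  The attempt is counted before the content check."""
    key = f"{req['account']}|{req['ip']}"
    if not limiter.allow(key, req["ts"]):
        return False, "rate_limited"
    comment = normalize_comment(req["comment"])
    if comment is None:
        return False, "comment_rejected"
    return True, render_email(req["cart"], comment)


def build_sample_requests() -> list[dict]:
    """Constructed: one spammer firing 12 sends in a minute, padding with CRs; one real user."""
    cart = ["Fancy Item: SKU 40593785  $45.99"]
    spam_comment = ("Hello friend I'm having big money time sales on Rolecks brand watches!"
                    + "\r\n" * 40 + "Click Here! http://rolecks.example")
    spam = [{"ts": 1_700_000_000.0 + 5 * i, "account": "spammer", "ip": "203.0.113.5",
             "comment": spam_comment, "cart": cart} for i in range(12)]
    real = [{"ts": 1_700_000_100.0, "account": "alice", "ip": "198.51.100.1",
             "comment": "Hello friend,\r\nis this the one you wanted for Xmas?", "cart": cart}]
    return spam + real


def process(requests: list[dict]) -> dict[str, int]:
    """Run the sample through the feature and tally outcomes."""
    limiter = SlidingWindowLimiter()
    tally: dict[str, int] = defaultdict(int)
    for r in sorted(requests, key=lambda r: r["ts"]):
        sent, why = handle_email_cart(r, limiter)
        tally["sent" if sent else why] += 1
    return dict(tally)


if __name__ == "__main__":
    print(process(build_sample_requests()))
```

The spammer's first three attempts get through the limiter and are then dropped for the link; the remaining nine never reach the content check. Counting the attempt before inspecting the content matters, otherwise a sender can probe the filter for free. The template fix is the cheapest of the three: if the product block always renders above the comment, forty carriage returns achieve nothing.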
Refinement and Persistence - Retail

Coupon Code Logic: "Some affinity portals let me double-dip coupon codes."
Price Floor Logic: "But price floors keep me from checking out with my double-dipped price... but not every item has a price floor!"

Base Price          $1375
- 50% off coupon    $687
- 15% off coupon    $584
- $100 off coupon   $484
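Added example (not RSA or any retailer's code) that reproduces the slide's coupon ladder in integer cents and contrasts the abusable logic (every coupon stacks, a floor only if the item happens to have one) with a hardened version (one exclusive coupon, a floor on every item with a default when none is recorded). The coupon values are from the slide; the stackable flags and the 50% default floor are assumptions.

```python
"""Coupon and price-floor logic for the 'Refinement and Persistence - Retail' slide.
The vulnerable path stacks every coupon and only honours a floor when the item has one;
the hardened path allows one non-stackable coupon, then applies a floor to every item,
falling back to a default when none is recorded.  Added example, not RSA or any
retailer's code; prices are integer cents, the coupons are from the slide, the
stackable flags and the default floor are assumptions."""
from __future__ import annotations
from dataclasses import dataclass

DEFAULT_FLOOR_PCT = 50   # assumed: items without a recorded floor may not drop below 50% of base


@dataclass(frozen=True)
class Coupon:
    code: str
    kind: str        # "pct" or "abs"
    value: int       # percent for "pct", cents for "abs"
    stackable: bool = False

    def apply(self, cents: int) -> int:
        if self.kind == "pct":
            return cents * (100 - self.value) // 100
        return max(cents - self.value, 0)


SLIDE_COUPONS = [Coupon("HALF", "pct", 50), Coupon("EXTRA15", "pct", 15), Coupon("TAKE100", "abs", 100_00)]


def price_vulnerable(base_cents: int, coupons: list[Coupon], floor_cents: int | None) -> int:
    """Double-dipping as on the slide: every coupon stacks, the floor applies only if present."""
    price = base_cents
    for c in coupons:
        price = c.apply(price)
    return max(price, floor_cents) if floor_cents is not None else price


def price_hardened(base_cents: int, coupons: list[Coupon], floor_cents: int | None) -> int:
    """At most one non-stackable coupon (the best one for the customer), any stackable ones,
    and a floor on every item (the recorded floor or the default)."""
    floor = floor_cents if floor_cents is not None else base_cents * DEFAULT_FLOOR_PCT // 100
    exclusive = [c for c in coupons if not c.stackable]
    price = base_cents
    if exclusive:
        price = min(c.apply(price) for c in exclusive)
    for c in coupons:
        if c.stackable:
            price = c.apply(price)
    return max(price, floor)


def walk_slide_example() -> list[int]:
    """Reproduce the slide's $1375 -> $687 -> $584 -> $484 ladder (integer cents)."""
    steps, price = [], 1375_00
    for c in SLIDE_COUPONS:
        price = c.apply(price)
        steps.append(price)
    return steps


if __name__ == "__main__":
    print("ladder:", walk_slide_example())
    print("vulnerable, no floor:", price_vulnerable(1375_00, SLIDE_COUPONS, None))
    print("hardened,   no floor:", price_hardened(1375_00, SLIDE_COUPONS, None))
```

The hardened function treats a missing floor as a policy gap to be filled by a default, not as permission to sell at any price; that is the "not every item has a price floor" lesson in one line. Keeping prices in integer cents avoids the rounding drift that lets stacked percentage coupons shave extra cents off.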
Web Threat Detection Workflow

Page Request: HTTP Headers, POST/GET Arguments, Cookie, IP
  → Sessionize and Visualize the Click Stream
  → Web Threat Detection Threat Score (0-100): User ID, Man in the Middle, Man in the Browser, Behavior, Velocity, Parameter
  → Web Threat Detection Rules Engine (IP, User, Page) → Real Time Alerts, Hourly Alerts
  → Web Threat Detection Action Server → SIEM, CM, Email, LB, WAF

Web Threat Detection User Interface: Forensic Dashboard, One Click Investigation, Deep Inspection (IP, User, Page)

© Copyright 2013 EMC Corporation. All rights reserved.