Stop Account Takeover Attacks, Right in their Tracks
•Als PPTX, PDF herunterladen•
4 gefällt mir•2,947 views
During every hour of every day, cyber criminals silently bypass traditional perimeter controls. They use millions of stolen user credentials to takeover Web application accounts, access sensitive applications, steal confidential data, and conduct fraudulent transactions. According to the latest Verizon DBIR report, over 50% of Web application attacks launched by organized crime in 2014 involved stolen credentials. View this presentation to learn why real-time threat intelligence is the key to preventing Web account takeover attacks.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Andere mochten auch
Andere mochten auch (20)
Ähnlich wie Stop Account Takeover Attacks, Right in their Tracks
Ähnlich wie Stop Account Takeover Attacks, Right in their Tracks (20)
Mehr von Imperva
Mehr von Imperva (19)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Stop Account Takeover Attacks, Right in their Tracks
- 1. © 2015 Imperva, Inc. All rights reserved. Stop Account Takeover Attacks, Right in Their Tracks Narayan Makaram Director, Product Marketing, Application Security September 22, 2015
- 2. © 2015 Imperva, Inc. All rights reserved. Speaker 2 Narayan Makaram Dir., Product Marketing, Imperva
- 3. © 2015 Imperva, Inc. All rights reserved. Agenda • Account Takeover – A Real Problem • Anatomy of Account Takeover Attack • Best Practices – Protecting Web Applications – Real-time Threat Intelligence • Account Takeover Protection – Credential and Device Intelligence – Customer Use-Case • Questions? 3
- 4. © 2015 Imperva, Inc. All rights reserved. Web Account Takeover A Real Problem 1 4
- 5. © 2015 Imperva, Inc. All rights reserved.5 Adobe 36,000,000 Target 70,000,000 EBAY 145,000,000 Anthem 80,000,000 Home Depot 56,000,000 JPMC 76,000,000 US OPM 21,000,000 201520142013 Evernote 50,000,000 Primera 11,000,000 Ashley Madison 39,000,000 Majority of Security Breaches Caused by Web App Attacks • 75% of cyber-attacks target web applications1 • 79 average number of serious vulnerabilities / website2 • 1 in 5 vulnerabilities on websites allowed attackers access to sensitive data3 $ 5.85M in 2014 average cost of a data breach in US alone, up from $5.4M in 20134 1. Gartner Research 2. WhiteHat Website Security Statistics Report, 12th Edition 3. 2015 Internet Security Threat Report 4. 2014 Ponemon Cost of Breach Report
- 6. © 2015 Imperva, Inc. All rights reserved. Majority of Web Attacks Involve Account Takeover 6 Cyber criminals are using stolen credentials to login as genuine customers and perform unauthorized transactions without the victim’s knowledge Source: Verizon 2015 DBIR Report 50% of web attacks are using stolen credentials
- 7. © 2015 Imperva, Inc. All rights reserved. Anatomy of Account Takeover Attack 7 HARVEST CREDENTIALS Hacker Stolen credentials TEST CREDENTIALS Botnet Control Server Joe Mary Elvis xxxxx xxxxx xxxxx GAIN ACCESS Web Servers new MITB/ Phishing STEAL ASSETS Assets Medical Records Intellectual Property Banking Financial
- 8. © 2015 Imperva, Inc. All rights reserved. Web Server TR Database Server NG Firewall Perimeter Defenses Are Not Enough Non-HTTP Attacks IPS IDS HTTP/HTTPS Traffic Attacks Perimeter Defenses DO NOT Prevent: • SQL Injection • Cross-Site Scripts • Direct Object Ref. • Session Hijacking • Exploit Known Vulns. • Site-Scraping • Comment Spam • DDoS Attacks • Account Takeovers • Transactional Fraud 60% of web attacks pass through perimeter defenses 8
- 9. © 2015 Imperva, Inc. All rights reserved. Web Account Takeover Best Practices for - Protecting Web Applications - Crowd-sourced Threat Intelligence 2 9
- 10. © 2015 Imperva, Inc. All rights reserved. Web Server TR Database Server NG Firewall SecureSphere WAF: Prevents Web Application Attacks Non Web Attacks IPS IDS Web App Attacks including Account Takeover HTTP/HTTPS Traffic Crowd-Sourced Threat Intelligence • Reputation Service • Bot & DDoS Protection • Account Takeover Protection 10 SecureSphere Web App Firewall new
- 11. © 2015 Imperva, Inc. All rights reserved. ThreatRadar: Crowd-sourced Threat Intelligence 11 Reputation Service Phishing URLs Anonymous proxies TOR networks Bad IP Geo-locations Malicious IP addresses Comment Spammers Prevents Bad Sources (IP’s) Bot & DDoS Protection Classifies Bots or Humans Good or Bad Bots App (Layer 7) DDoS Attacks Eliminates 30% of Unwanted Bot Traffic Account Takeover ProtectionPrevents Credential Reconnaissance Credential Stuffing Attacks Brute-force Dictionary Attacks Privileged Account Attacks Detects Suspicious Device Behavior Device Reputation Device Evasion Techniques Device-Account Associations Device detection/mitigation policies
- 12. © 2015 Imperva, Inc. All rights reserved. WAF Correlation: Improves Efficiency and Productivity 12 SecureSphere WAF Correlation Engine ProtocolValidation AttackSignatures ApplicationProfiling TRReputationDetection TRBot/DDoSProtection Increases Accuracy Improves SOC Efficiency Removes Unwanted Traffic Reduces Threats TRATOProtection NEW Improve User Protection/Experience
- 13. © 2015 Imperva, Inc. All rights reserved. Web Account Takeover Account Takeover Protection - Credential Intelligence - Device Intelligence 3 13
- 14. © 2015 Imperva, Inc. All rights reserved. Detecting Account Takeover Using Credential Intelligence www.bank.com Test credentialsAttacker uses bots to test • Stolen credentials • Weak passwords • Privileged accounts Suspicious Activity • Attacker uses bots to test stolen credentials • Repeated login failures triggers checks against ThreatRadar Cloud • Successful match confirms stolen/weak credentials were used • Sources are are automatically blocked Check failed credentials Stolen credentials Weak passwords Privileged Accounts ThreatRadar Login failures Med-Risk (ALERT) = (Failed Logins to Multiple Accounts) + (Brute-Force attack Weak Passwords) High-Risk (BLOCK) = (Failed Logins to Multiple Accounts) + (Evidence of Stolen Credentials) + (TR Bot Protection detected known bot client) WAF Mitigation Rules 14
- 15. © 2015 Imperva, Inc. All rights reserved. Detecting Account Takeover Using Device Intelligence www.webstore.com ThreatRadar Med-Risk (ALERT) = Device (w/ prior fraud) + Device (associated multiple accounts) High-Risk (BLOCK) = Device (w/ prior fraud) + Device (associated w/ multiple accounts) + (TR known bot client) WAF MITIGATION RULES: Device Profiling1 identification1 Device Risk Evaluation Returns device Risk-Score 2 Device Risk Score = Low/Medium/High reputation association evasion 2 3 WAF Mitigation Rules Correlates device Risk-Score with other TR services to Alert or Block 3 15
- 16. © 2015 Imperva, Inc. All rights reserved. Account Takeover – Reports Identifies Compromised Accounts 16 Account 1 Account 2 Account 3 compromised Device with BAD- reputation with access to accounts compromised compromised Account 1 Account 2 Account 3 compromised Device exhibiting risky behavior – access to multiple accounts, but with NO bad-reputation compromised compromised Attackers use evasion techniques having access to accounts TOR Emulators Geo mismatch Account 1 Account 2 compromised compromised Compromised Accounts Report
- 17. © 2015 Imperva, Inc. All rights reserved. Account Takeover: Banking Customer Example 17 PROBLEMS • Bot, DDoS, MITB, and Phishing attacks on the rise • Brute-force attacks using stolen credentials • Denial-of-service - automated account lockouts • Security Ops and Fraud Team overwhelmed with manual analysis of alerts/logs (reactive approach) BENEFITS OF IMPERVA SOLUTION • Proactive detection BEFORE fraud is committed • Improved frictionless user experience • Reduced workload for Security Ops • Actionable device intelligence usable for Fraud IR SOLUTION NEEDS • Detect ATO based on known user/device activity • Visibility to humans versus bot traffic • Visibility into compromised user accounts • Reduce (friction) need for step-up authentication • Device threat intelligence that can be used by backend fraud investigation teams • One of the largest banks • Losing $500K / month in ATO and/or fraud • 20% of on-line payments need investigation
- 18. © 2015 Imperva, Inc. All rights reserved. Known Attackers Anonymous Proxies TOR Networks, Bots OWASP Top-10 Web Attacks Undesirable Geo-locations Web Fraud App DDoS Scrapers Phishing Sites Comment Spammers Web App Vulnerabilities Web Apps Web App Firewall Complete Protection Against Web Threats Suspicious Devices Credential Stuffing 18
- 19. © 2015 Imperva, Inc. All rights reserved. Gartner “Magic Quadrant for Web Application Firewalls” by Jeremy D'Hoinne, Adam Hils, Greg Young, Nicole Papadopoulos, 15 June 2015. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Imperva. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. THE ONLY LEADER TWO CONSECUTIVE YEARS Gartner Magic Quadrant for Web Application Firewalls
- 20. © 2015 Imperva, Inc. All rights reserved. Web Account Takeover Questions? 4 20
- 21. © 2015 Imperva, Inc. All rights reserved. Imperva Technical Deep Dive Demo Series Upcoming Demos: • September 29: Imperva Incapsula DDoS Protection • October 6: Imperva Skyfence • October 13: Imperva SecureSphere Web Application Firewall • October 20: Imperva SecureSphere Database Activity Monitor Register Now: www.imperva.com/Resources/Videos 4 21
Hinweis der Redaktion
- Large scale data breaches continue to occur in spite of the money companies are spending on security defenses. Cyber criminals have stolen millions of records including user credentials, credit cards, SSN numbers, medical records and intellectual property. 75% of the cyber-attacks target web-applications according to Gartner Research, because they are easily accessible from the internet, and they provide lucrative entry points to valuable data. Web attacks are common because most websites today contain vulnerabilities. An average of 79 serious vulnerabilities exist per web-site according to WhiteHat website security stats. 1 in 5 vulnerabilities discovered on legitimate websites were considered critical – allow attackers to access sensitive data, alter websites content, compromise visitors computers As a result, data breaches due to web application attacks have been increasing. $5.85 M is the average cost per data breach accoring to the latest Ponemon Report
- PROBLEM: Over 50% of web application attacks in 2014 involved stolen credentials according to the latest Verizon DBIR report, followed by other types of attacks – backdoor to CnC, SQLi, Remote File Inclusions, etc. An Account Takeover attack is where, a cyber criminal uses stolen credentials to login as a genuine customer, perform unauthorized transactions without the victims knowledge, and in some cases commit fraud. This is a real problem that is impacting many banks and e-commerce sites today.
- Here is anatomy of a typical Account Takeover Attack: Harvest Credentials: Hackers purchase harvested credentials from various data breaches, and use launch account takeover attacks. Test Credentials: They test various credentials using bot networks that may be hiding behind TOR networks and proxy servers. Gain access: They bypass next generation firewalls and perimeter controls to launch web-based attacks that appear as legitimate traffic Steal Assets: Once they are in, they perform fraudulent transactions transferring money, stealing medical records or intellectual property. Alternatively, a hacker can grab user credentials from a Man-In-The-Browser attack or Phishing attack, and take over a user account on the web-site entirely skipping the TEST CREDENTIALS step.
- Present day perimeter defenses like – IPS/IDS or NG Firewalls are unable to stop web-based threats. According to the Verizon 2014 Report, 60% of the web application attacks by-pass current perimeter defenses. <click> Even-though NG-Firewalls are increasingly becoming application aware, they cannot detect the following types of OWASP Top-10 technical attacks, business logic attacks, include account takeover and fraud.
- Web Application Firewall protect in-coming HTTP traffic against web-based attacks that easily by-pass NG Firewalls, such as SQL-Injection, Cross Site Scripting, and those in the OWASP top-10. WAF customers can subscribe to the following Threat Radar services: Reputation: Insights based on reputation of source IP address Bot Protections: distinguishes threats coming from humans and bot networks Account Takeover protection: Protects website user accounts from attack and takeover – This a new subscription service is part of the latest SecureSpehere 11.5 release.
- ThreatRadar is Imperva’s crowd-sourced threat intelligence that arms the SecureSphere WAF with security policies and signatures that help detect web app attacks with incredible accuracy. This threat intel is gathered from leading threat researchers in Imperva’s Application Defense Center (ADC), combined with live attack information gathered from the community of SecureSphere WAF customers (who have opted in to share information). ThreatRadar feed is key to improving the detection accuracy of web app attacks and improve the signal to noise ratio of web traffic. We offer 3 types of subscription feeds. Reputation Service: Blocks web traffic from IP address with Bad-Reputation, such as malicious sites, bad geo-locations, sites sitting behind TOR networks/proxies, phishing sites, etc. Bot & DDoS Protection: Eliminates 30% of unwanted traffic coming from botnets and sites launching DDoS attacks. We get DDoS attack information from Imperva Incapsula, which offers Cloud-based DDoS protection. Account Takeover Protection service is new: Here we provide 2 types of threat intelligence to protect web user accounts from takeover attempts. Credential Intelligence – to prevent credential reconnaissance, which is a first stage in launching ATO attacks Device Intelligence – where we detect suspicious device behavior based on previous knowledge of devices with bad reputation, that have exhibited suspicious behavior such using evasion techniques, associated with multiple accounts. We use device detection/mitigation policies to determine whether to allow/deny login.
- SecureSphere WAF correlates the outputs of several detection engines to improve the signal to noise ratio of web traffic, before the traffic hits the web-server. The overall benefits correlating the results are – Removes unwanted traffic and reduces threats (e.g. Bot and DDoS traffic) Increases detection accuracy and improves efficiency of SOC by reducing alerts (e.g. Reputation) Improves User Protection and User Experience – no need for step-up authentication (e.g. ATO) Some of these engines are available by default in the WAF to perform. But not ALL of the engines have to be sued sequentially for protection. - Protocol Validation: checks if HTTP traffic complies with RFC standards. Attack signatures: Over 8000 attack signatures are used to check against known web attack vectors Application Profiling: is used to dynamically discovers application interfaces (URLs) and base-line acceptable user behavior. It eliminates the need for for manually updating checks as the application changes. ThreatRadar engines: are optional subscription services that provide threat intelligence feeds, which improve the attack detection accuracy Reputation sevrice, Bot/DDoS protection service, and ATO Protection which is the new service in the 11.5 release. WAF policies can use a combination of these threat feeds to determine the RISK level of a specific attack. We will see some examples of policies in the next few slides
- The SecureSphere WAF invokes ThreatRadar API calls after certain policy thresholds are met, such as Repeated login failures checked against a repository of stolen credentials, weak password, or privileged accounts/passwords Identifies repeated failures from same device (IP addr) to multiple accounts Mitigation Policies running on the WAF evaluates the results returned by ThreatRadar. Policy 1: Generate ALERT, when (X failed logins to multiple accounts are initiated from same IP) AND (a Brute-force attack is detected using Weak Passwords) Policy 2: BLOCK login, when ((X failed logins to multiple accounts are initiated from same IP) AND (TR returns evidence of Stolen Creds in use) AND (TR Bot Protection detects that the IP addr is a previously known Bot client)
- Now, let us look at how the WAF detects account takeover and takes policy-based mitigation action. Device Profiling: WAF injects java script to every device that attempts to log into the web application. The java script profiles the device and identifies if it is a new or returning devices accessing the web application. Risk Rules Evaluation: After every user successfully logs into WAF, the WAF invokes the ThreatRadar API that evaluates the risk rule using correlation of device reputation, evasion, and association. The rule determines the legitimacy of every user that logs in, and returns a risk score of low/medium/high. Mitigation Rules: The Risk score returned from ThreatRadar is correlated with other feeds in the WAF to determine the mitigation action performed on a specific web-login attempt. The results of this WAF Mitigation rule determines the mitigation action – Audit, Alert or Block.
- SecureSphere WAF has an ability to identify compromised users, based on mitigation action taken for each of the login attempts. It also enables the administrator to get a report of all compromised accounts, so he/she can schedule a password reset or lock-out the compromised accounts.
- Currently a very large bank is considering/evaluating the ATO ThreatRadar subscription service for their WAF installation. They are currently losing about $500K/month in ATO and/or Fraud. 20% of their online payments needs investigation for possible fraud. Here is a brief overview of the PROBLEM they are facing, their SOLUTION NEEDS, and how SecureSphere WAF is helping them. PROBLEM: The bank is seeing a significant increase in automated attacks such as Bots, MITB, DDoS and Phishing attacks They are also seeing bots using brute-force mechanisms to login to user accounts using stolen credentials These brute-force attacks result in account lockout, when several logins fail. Impacts banks business and reputation. Both Sec-Ops and Fraud teams are overwhelmed in manual analysis of logs records and attending to alerts. SOLUTION NEEDS: Bank want to proactively detect, what percentage of these attacks are via ATO, using known user/device behavior Need visibility into Bot vs human traffic, and visibility into compromised accounts with better accuracy - whose passwords have to be quickly reset Need additional threat intelligence related to the accounts and the device used to login, so the Fraud teams at the backend can improve IR processes SecureSphere WAF with ATO subscription is enabling them to: Proactively detect ATO attempts BEFORE fraud can be committed. Identify what percentage of fraudulent transactions are as result of ATO, versus legitimate users committing fraud. Enables them to detect automated attacks without step-up authentication which hurts user experience. Sec-Ops does not have to fight fires on a daily basis, since the noisy bots generating brute-force attacks have been addressed The Device Risk Score returned by ThreatRadar includes the reason why a specific Login attempt was flagged as HIGH-RSIK, which can be captured in reports that the Fraud Team can use in IR processes. Overall, Proactive ATO detection BEFORE fraud is committed, reduced work load on Sec-Ops and Fraud teams, and policy based mitigation actions have helped the bank save costs and improve ROI.
- In summary, the SecureSphere Web Application Firewall helps protect businesses against all types of Web application threats including Web attacks like SQL injection, bots, known malicious sources, and requests from prohibited or undesirable countries. It also stops business logic attacks like site scraping, comment spam in forums and message boards, phishing attacks and application DDoS attacks. SecureSphere can prevent Web fraud and man-in-the-browser attacks through its fraud prevention capabilities. It can also virtually patch vulnerabilities by integrating with application scanners and through its own inherent application security defenses. Overall, SecureSphere offers the most accurate and complete Web application security available and Imperva continually researches emerging Web threats to ensure that it will fully protect Web applications today and in the future. This, coupled with its scalable centralized management and its flexible and transparent deployment, is why SecureSphere is the most trusted Web application firewall in the world.
- Gartner Magic Quadrant Imperva has consistently innovated and led the market for data security, as the Gartner Magic Quadrant for Web Application Firewalls shows. If you’re not familiar with Web Application Firewalls, or WAFs as we call them, Gartner describes them by saying they provide “protection for custom Web applications that would otherwise go unprotected by other technologies.” In other words, the applications that drive business for organizations are exposed without a WAF. We are the Leader in this Magic Quadrant, which demonstrates our ability to deliver value to customers and outpace not just the competition, but more importantly, the hackers. What Gartner says about Leaders is that “In addition to providing technology that is a good match to current customer requirements, Leaders also show evidence of superior vision and execution for anticipated requirements.” You can see that every other vendor finds themselves falling short on the Vision dimension. Challengers are typically selling a WAF as a bolt-on afterthought to their main product line. And Niche Players are focused on a regional market or narrow use cases. What that means in practical terms is that the other vendors here are not focused on data center security. We are unique in our vision and our ability to deliver on that vision. Credit: Gartner, Magic Quadrant for Web Application Firewalls, Jeremy D'Hoinne, Adam Hils, Greg Young, Joseph Feiman, 17 June 2014
- https://www.imperva.com/ld/technical_deep_dive.asp