During every hour of every day, cyber criminals silently bypass traditional perimeter controls. They use millions of stolen user credentials to take over Web application accounts, access sensitive applications, steal confidential data, and conduct fraudulent transactions. According to the latest Verizon DBIR report, over 50% of Web application attacks launched by organized crime in 2014 involved stolen credentials.
View this presentation to learn why real-time threat intelligence is the key to preventing Web account takeover attacks.
Large scale data breaches continue to occur in spite of the money companies are spending on security defenses. Cyber criminals have stolen millions of records including user credentials, credit cards, SSN numbers, medical records and intellectual property.
75% of cyber-attacks target web applications according to Gartner Research, because they are easily accessible from the internet and provide lucrative entry points to valuable data.
Web attacks are common because most websites today contain vulnerabilities. An average of 79 serious vulnerabilities exist per website according to WhiteHat website security stats.
1 in 5 vulnerabilities discovered on legitimate websites were considered critical: they allow attackers to access sensitive data, alter website content, or compromise visitors' computers.
As a result, data breaches due to web application attacks have been increasing. $5.85 M is the average cost per data breach according to the latest Ponemon Report.
PROBLEM: Over 50% of web application attacks in 2014 involved stolen credentials according to the latest Verizon DBIR report, followed by other types of attacks such as backdoor to CnC, SQLi, Remote File Inclusion, etc.
An Account Takeover attack is one in which a cyber criminal uses stolen credentials to log in as a genuine customer, perform unauthorized transactions without the victim's knowledge, and in some cases commit fraud.
This is a real problem that is impacting many banks and e-commerce sites today.
Here is the anatomy of a typical Account Takeover Attack:
Harvest Credentials: Hackers purchase harvested credentials from various data breaches and use them to launch account takeover attacks.
Test Credentials: They test the credentials using bot networks that may be hiding behind TOR networks and proxy servers.
Gain Access: They bypass next generation firewalls and perimeter controls to launch web-based attacks that appear as legitimate traffic.
Steal Assets: Once they are in, they perform fraudulent transactions: transferring money, stealing medical records or intellectual property.
Alternatively, a hacker can grab user credentials through a Man-In-The-Browser attack or a Phishing attack and take over a user account on the website, entirely skipping the TEST CREDENTIALS step.
Present-day perimeter defenses like IPS/IDS or NG Firewalls are unable to stop web-based threats. According to the Verizon 2014 Report, 60% of web application attacks bypass current perimeter defenses.
Even though NG Firewalls are increasingly becoming application aware, they cannot detect the following types of attacks: OWASP Top-10 technical attacks and business logic attacks, including account takeover and fraud.
A Web Application Firewall protects incoming HTTP traffic against web-based attacks that easily bypass NG Firewalls, such as SQL Injection, Cross Site Scripting, and the rest of the OWASP Top-10.
WAF customers can subscribe to the following Threat Radar services:
Reputation: insights based on the reputation of the source IP address
Bot Protection: distinguishes threats coming from humans and bot networks
Account Takeover Protection: protects website user accounts from attack and takeover. This new subscription service is part of the latest SecureSphere 11.5 release.
ThreatRadar is Imperva’s crowd-sourced threat intelligence that arms the SecureSphere WAF with security policies and signatures that help detect web app attacks with incredible accuracy. This threat intel is gathered from leading threat researchers in Imperva’s Application Defense Center (ADC), combined with live attack information gathered from the community of SecureSphere WAF customers (who have opted in to share information). The ThreatRadar feed is key to improving the detection accuracy of web app attacks and improving the signal to noise ratio of web traffic.
We offer 3 types of subscription feeds.
Reputation Service: blocks web traffic from IP addresses with a bad reputation, such as malicious sites, bad geo-locations, sites sitting behind TOR networks/proxies, phishing sites, etc.
Bot & DDoS Protection: Eliminates 30% of unwanted traffic coming from botnets and sites launching DDoS attacks. We get DDoS attack information from Imperva Incapsula, which offers Cloud-based DDoS protection.
Account Takeover Protection service is new: here we provide 2 types of threat intelligence to protect web user accounts from takeover attempts.
Credential Intelligence: prevents credential reconnaissance, which is the first stage in launching ATO attacks.
Device Intelligence: detects suspicious device behavior based on previous knowledge of devices with a bad reputation that have exhibited suspicious behavior, such as using evasion techniques or being associated with multiple accounts. We use device detection/mitigation policies to determine whether to allow or deny the login.
SecureSphere WAF correlates the outputs of several detection engines to improve the signal to noise ratio of web traffic, before the traffic hits the web-server.
The overall benefits of correlating the results are:
Removes unwanted traffic and reduces threats (e.g. Bot and DDoS traffic)
Increases detection accuracy and improves efficiency of SOC by reducing alerts (e.g. Reputation)
Improves User Protection and User Experience – no need for step-up authentication (e.g. ATO)
Some of these engines are available in the WAF by default, but not ALL of the engines have to be used sequentially for protection.
Protocol Validation: checks whether HTTP traffic complies with RFC standards.
Attack Signatures: over 8000 attack signatures are used to check against known web attack vectors.
Application Profiling: dynamically discovers application interfaces (URLs) and baselines acceptable user behavior. It eliminates the need for manually updating checks as the application changes.
ThreatRadar engines: optional subscription services that provide threat intelligence feeds, which improve attack detection accuracy: the Reputation service, the Bot/DDoS protection service, and ATO Protection, which is the new service in the 11.5 release.
WAF policies can use a combination of these threat feeds to determine the RISK level of a specific attack.
We will see some examples of policies in the next few slides.
The SecureSphere WAF invokes ThreatRadar API calls after certain policy thresholds are met, such as:
Repeated login failures, checked against a repository of stolen credentials, weak passwords, or privileged accounts/passwords
Repeated failures from the same device (IP address) to multiple accounts
Mitigation Policies running on the WAF evaluate the results returned by ThreatRadar.
Policy 1: Generate ALERT when (X failed logins to multiple accounts are initiated from the same IP) AND (a brute-force attack is detected using weak passwords)
Policy 2: BLOCK login when (X failed logins to multiple accounts are initiated from the same IP) AND (TR returns evidence of stolen credentials in use) AND (TR Bot Protection detects that the IP address is a previously known bot client)
Now, let us look at how the WAF detects account takeover and takes policy-based mitigation action.
Device Profiling: the WAF injects JavaScript into every device that attempts to log into the web application. The JavaScript profiles the device and identifies whether it is a new or a returning device accessing the web application.
Risk Rules Evaluation: after every user successfully logs in through the WAF, the WAF invokes the ThreatRadar API, which evaluates the risk rule by correlating device reputation, evasion, and association. The rule determines the legitimacy of every user that logs in and returns a risk score of low/medium/high.
Mitigation Rules: the risk score returned from ThreatRadar is correlated with other feeds in the WAF to determine the mitigation action performed on a specific web login attempt. The result of this WAF mitigation rule determines the mitigation action: Audit, Alert or Block.
SecureSphere WAF has the ability to identify compromised users based on the mitigation action taken for each login attempt. It also enables the administrator to get a report of all compromised accounts, so they can schedule a password reset or lock out the compromised accounts.
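The two login policies above (Policy 1 alerting on weak-password brute force, Policy 2 blocking when stolen credentials and a known bot IP coincide) and the device-risk mitigation rules that follow them are easiest to understand as one correlation step over a stream of login events. The following is an added example written for this page, not Imperva or SecureSphere code. The feed data (stolen-credential hashes, weak-password hashes, known bot IPs, device risk scores), the threshold X, the risk-score-to-action mapping and the "most severe action wins" escalation are all constructed assumptions standing in for ThreatRadar API results; the event sample is constructed too. Only hashes of attempted passwords are kept, never the plaintext.

```python
"""Toy correlation of WAF login events with threat-intelligence feeds.

Added example, not Imperva's code. Every feed below is a constructed
stand-in for a ThreatRadar lookup, and the threshold and the
risk-score-to-action mapping are assumptions rather than product values.
"""
from collections import defaultdict
from dataclasses import dataclass
import hashlib

FAIL_THRESHOLD = 3  # the page's "X failed logins"; 3 is an assumed value


def pw_hash(password: str) -> str:
    """Hash a password so neither events nor feeds hold plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed feed data (hypothetical values, not real intelligence).
STOLEN_CRED_HASHES = {pw_hash("Winter2014!"), pw_hash("letmein123")}
WEAK_PASSWORD_HASHES = {pw_hash("password"), pw_hash("123456")}
KNOWN_BOT_IPS = {"203.0.113.7"}
DEVICE_RISK = {"dev-a1": "low", "dev-b2": "medium", "dev-c3": "high"}
RISK_TO_ACTION = {"low": "Audit", "medium": "Alert", "high": "Block"}  # assumed mapping
SEVERITY = {"Audit": 0, "Alert": 1, "Block": 2}


@dataclass(frozen=True)
class LoginEvent:
    ip: str
    account: str
    pw: str          # hash of the attempted password
    success: bool
    device_id: str   # identifier produced by device profiling


def ips_failing_multiple_accounts(events, threshold=FAIL_THRESHOLD):
    """Source IPs with >= threshold failed logins spread over more than one account."""
    fails = defaultdict(list)
    for e in events:
        if not e.success:
            fails[e.ip].append(e.account)
    return {ip for ip, accts in fails.items()
            if len(accts) >= threshold and len(set(accts)) > 1}


def evaluate_ip_policies(events):
    """Policy 1 (Alert) and Policy 2 (Block) per suspicious source IP."""
    verdicts = {}
    for ip in ips_failing_multiple_accounts(events):
        tried = {e.pw for e in events if e.ip == ip}
        stolen = bool(tried & STOLEN_CRED_HASHES)   # credential intelligence
        weak = bool(tried & WEAK_PASSWORD_HASHES)   # weak-password repository
        bot = ip in KNOWN_BOT_IPS                   # bot protection feed
        if stolen and bot:
            verdicts[ip] = "Block"   # Policy 2
        elif weak:
            verdicts[ip] = "Alert"   # Policy 1
        else:
            verdicts[ip] = "Audit"   # threshold met, no corroborating feed
    return verdicts


def mitigate(event, ip_verdicts):
    """Mitigation rule: device risk score correlated with the IP verdict;
    the more severe action wins (escalation rule is an assumption)."""
    device_action = RISK_TO_ACTION[DEVICE_RISK.get(event.device_id, "medium")]
    ip_action = ip_verdicts.get(event.ip, "Audit")
    return max(device_action, ip_action, key=SEVERITY.__getitem__)


def compromised_accounts(events):
    """Accounts that were successfully logged into under a Block decision:
    candidates for a password reset or lock-out."""
    verdicts = evaluate_ip_policies(events)
    return sorted({e.account for e in events
                   if e.success and mitigate(e, verdicts) == "Block"})


# Constructed sample of login events as the WAF would see them.
EVENTS = [
    LoginEvent("203.0.113.7", "alice", pw_hash("Winter2014!"), False, "dev-b2"),
    LoginEvent("203.0.113.7", "bob", pw_hash("Winter2014!"), False, "dev-b2"),
    LoginEvent("203.0.113.7", "carol", pw_hash("letmein123"), False, "dev-b2"),
    LoginEvent("203.0.113.7", "carol", pw_hash("Winter2014!"), True, "dev-b2"),
    LoginEvent("198.51.100.4", "dave", pw_hash("password"), False, "dev-b2"),
    LoginEvent("198.51.100.4", "erin", pw_hash("password"), False, "dev-b2"),
    LoginEvent("198.51.100.4", "frank", pw_hash("123456"), False, "dev-b2"),
    LoginEvent("192.0.2.10", "alice", pw_hash("s3cret-ok"), True, "dev-a1"),
    LoginEvent("192.0.2.11", "bob", pw_hash("s3cret-ok"), True, "dev-c3"),
]

if __name__ == "__main__":
    verdicts = evaluate_ip_policies(EVENTS)
    print("IP verdicts:", verdicts)
    for ev in EVENTS:
        print(ev.ip, ev.account, "->", mitigate(ev, verdicts))
    print("compromised accounts:", compromised_accounts(EVENTS))
```

With the sample above, the bot IP 203.0.113.7 trips Policy 2 (Block), the weak-password sprayer 198.51.100.4 trips Policy 1 (Alert), and the compromised-account report lists carol (successful login from the blocked IP) and bob (successful login from a high-risk device), which is the list an administrator would feed into a password-reset or lock-out job.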
Currently a very large bank is considering/evaluating the ATO ThreatRadar subscription service for their WAF installation. They are currently losing about $500K/month in ATO and/or Fraud. 20% of their online payments need investigation for possible fraud. Here is a brief overview of the PROBLEM they are facing, their SOLUTION NEEDS, and how SecureSphere WAF is helping them.
PROBLEM:
The bank is seeing a significant increase in automated attacks such as bots, MITB, DDoS and phishing attacks.
They are also seeing bots using brute-force mechanisms to log in to user accounts using stolen credentials.
These brute-force attacks result in account lockout when several logins fail, which impacts the bank's business and reputation.
Both the Sec-Ops and Fraud teams are overwhelmed with manual analysis of log records and attending to alerts.
SOLUTION NEEDS:
The bank wants to proactively detect what percentage of these attacks are via ATO, using known user/device behavior.
They need visibility into bot vs. human traffic, and more accurate visibility into compromised accounts whose passwords have to be quickly reset.
They need additional threat intelligence related to the accounts and the devices used to log in, so the Fraud teams at the backend can improve IR processes.
SecureSphere WAF with ATO subscription is enabling them to:
Proactively detect ATO attempts BEFORE fraud can be committed, and identify what percentage of fraudulent transactions are a result of ATO versus legitimate users committing fraud.
Detect automated attacks without step-up authentication, which hurts user experience.
Relieve Sec-Ops of fighting fires on a daily basis, since the noisy bots generating brute-force attacks have been addressed.
The Device Risk Score returned by ThreatRadar includes the reason why a specific login attempt was flagged as HIGH-RISK, which can be captured in reports that the Fraud Team can use in IR processes.
Overall, proactive ATO detection BEFORE fraud is committed, reduced workload on the Sec-Ops and Fraud teams, and policy-based mitigation actions have helped the bank save costs and improve ROI.
In summary, the SecureSphere Web Application Firewall helps protect businesses against all types of Web application threats including Web attacks like SQL injection, bots, known malicious sources, and requests from prohibited or undesirable countries.
It also stops business logic attacks like site scraping, comment spam in forums and message boards, phishing attacks and application DDoS attacks.
SecureSphere can prevent Web fraud and man-in-the-browser attacks through its fraud prevention capabilities. It can also virtually patch vulnerabilities by integrating with application scanners and through its own inherent application security defenses.
Overall, SecureSphere offers the most accurate and complete Web application security available and Imperva continually researches emerging Web threats to ensure that it will fully protect Web applications today and in the future. This, coupled with its scalable centralized management and its flexible and transparent deployment, is why SecureSphere is the most trusted Web application firewall in the world.
Gartner Magic Quadrant
Imperva has consistently innovated and led the market for data security, as the Gartner Magic Quadrant for Web Application Firewalls shows.
If you’re not familiar with Web Application Firewalls, or WAFs as we call them, Gartner describes them by saying they provide “protection for custom Web applications that would otherwise go unprotected by other technologies.” In other words, the applications that drive business for organizations are exposed without a WAF.
We are the Leader in this Magic Quadrant, which demonstrates our ability to deliver value to customers and outpace not just the competition, but more importantly, the hackers.
What Gartner says about Leaders is that “In addition to providing technology that is a good match to current customer requirements, Leaders also show evidence of superior vision and execution for anticipated requirements.”
You can see that every other vendor finds itself falling short on the Vision dimension. Challengers are typically selling a WAF as a bolt-on afterthought to their main product line, and Niche Players are focused on a regional market or narrow use cases.
What that means in practical terms is that the other vendors here are not focused on data center security. We are unique in our vision and our ability to deliver on that vision.
Credit: Gartner, Magic Quadrant for Web Application Firewalls, Jeremy D'Hoinne, Adam Hils, Greg Young, Joseph Feiman, 17 June 2014