stop account takeover attacks, right in their tracks
TRANSCRIPT
© 2015 Imperva, Inc. All rights reserved.
Stop Account Takeover Attacks, Right in Their Tracks
Narayan Makaram, Director, Product Marketing, Application Security
September 22, 2015
Speaker
Narayan Makaram, Dir., Product Marketing, Imperva
Agenda
• Account Takeover – A Real Problem
• Anatomy of Account Takeover Attack
• Best Practices
  – Protecting Web Applications
  – Real-time Threat Intelligence
• Account Takeover Protection
  – Credential and Device Intelligence
  – Customer Use-Case
• Questions?
Web Account Takeover
1. A Real Problem
[Figure: major breaches on a 2013–2015 timeline, with the number of records exposed]
Adobe: 36,000,000
Target: 70,000,000
eBay: 145,000,000
Anthem: 80,000,000
Home Depot: 56,000,000
JPMC: 76,000,000
US OPM: 21,000,000
Evernote: 50,000,000
Primera: 11,000,000
Ashley Madison: 39,000,000
Majority of Security Breaches Caused by Web App Attacks
• 75% of cyber-attacks target web applications [1]
• 79: average number of serious vulnerabilities per website [2]
• 1 in 5 vulnerabilities on websites allowed attackers access to sensitive data [3]
• $5.85M: average cost of a data breach in 2014 in the US alone, up from $5.4M in 2013 [4]
Sources: 1. Gartner Research; 2. WhiteHat Website Security Statistics Report, 12th Edition; 3. 2015 Internet Security Threat Report; 4. 2014 Ponemon Cost of Breach Report
Majority of Web Attacks Involve Account Takeover
Cyber criminals are using stolen credentials to log in as genuine customers and perform unauthorized transactions without the victim's knowledge.
50% of web attacks are using stolen credentials (Source: Verizon 2015 DBIR Report)
Anatomy of Account Takeover Attack
[Diagram: the four stages of an account takeover attack]
1. HARVEST CREDENTIALS: the hacker obtains stolen credentials (MITB/phishing)
2. TEST CREDENTIALS: a botnet, driven from a control server, tries the harvested username/password pairs (Joe, Mary, Elvis / xxxxx)
3. GAIN ACCESS: successful logins against the web servers
4. STEAL ASSETS: medical records, intellectual property, banking/financial assets
Perimeter Defenses Are Not Enough
[Diagram: NG firewall and IPS/IDS in front of the web server and database server; non-HTTP attacks are stopped, while HTTP/HTTPS traffic and the attacks inside it pass through]
Perimeter Defenses DO NOT Prevent:
• SQL Injection
• Cross-Site Scripting
• Direct Object Ref.
• Session Hijacking
• Exploit Known Vulns.
• Site-Scraping
• Comment Spam
• DDoS Attacks
• Account Takeovers
• Transactional Fraud
60% of web attacks pass through perimeter defenses
Web Account Takeover
2. Best Practices for
- Protecting Web Applications
- Crowd-sourced Threat Intelligence
SecureSphere WAF: Prevents Web Application Attacks
[Diagram: NG firewall and IPS/IDS block non-web attacks; the SecureSphere Web App Firewall, fed by ThreatRadar, inspects HTTP/HTTPS traffic and blocks web app attacks including account takeover before they reach the web server and database server]
Crowd-Sourced Threat Intelligence:
• Reputation Service
• Bot & DDoS Protection
• Account Takeover Protection (new)
ThreatRadar: Crowd-sourced Threat Intelligence
Reputation Service – Prevents Bad Sources (IPs)
• Phishing URLs
• Anonymous proxies
• TOR networks
• Bad IP geo-locations
• Malicious IP addresses
• Comment spammers
Bot & DDoS Protection – Classifies Bots or Humans
• Good or bad bots
• App (Layer 7) DDoS attacks
• Eliminates 30% of unwanted bot traffic
Account Takeover Protection – Prevents Credential Reconnaissance
• Credential stuffing attacks
• Brute-force dictionary attacks
• Privileged account attacks
Detects Suspicious Device Behavior
• Device reputation
• Device evasion techniques
• Device-account associations
• Device detection/mitigation policies
WAF Correlation: Improves Efficiency and Productivity
SecureSphere WAF Correlation Engine combines:
• Protocol Validation
• Attack Signatures
• Application Profiling
• TR Reputation Detection
• TR Bot/DDoS Protection
• TR ATO Protection (NEW)
Benefits:
• Increases Accuracy
• Improves SOC Efficiency
• Removes Unwanted Traffic
• Reduces Threats
• Improves User Protection/Experience
Web Account Takeover
3. Account Takeover Protection
- Credential Intelligence
- Device Intelligence
Detecting Account Takeover Using Credential Intelligence
[Diagram: bots attack www.bank.com; the WAF forwards failed credentials to the ThreatRadar cloud, which checks them against known stolen credentials, weak passwords and privileged accounts]
Test credentials: attacker uses bots to test
• Stolen credentials
• Weak passwords
• Privileged accounts
Suspicious Activity
• Attacker uses bots to test stolen credentials
• Repeated login failures trigger checks against ThreatRadar Cloud
• Successful match confirms stolen/weak credentials were used
• Sources are automatically blocked
WAF Mitigation Rules
Med-Risk (ALERT) = (Failed Logins to Multiple Accounts) + (Brute-Force attack Weak Passwords)
High-Risk (BLOCK) = (Failed Logins to Multiple Accounts) + (Evidence of Stolen Credentials) + (TR Bot Protection detected known bot client)
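The credential-intelligence rules above, applied to constructed failed-login events as an added example (not Imperva's code). The weak-password list, the known-stolen set, the known-bot source set and the multi-account threshold are hypothetical stand-ins for the ThreatRadar cloud lookups the slide describes.

```python
# Hypothetical stand-ins for the ThreatRadar lookups (constructed data).
WEAK_PASSWORDS = {"password", "123456", "welcome1"}
KNOWN_STOLEN = {("joe", "S3cretJoe!"), ("mary", "hunter2x")}  # (user, pw) seen in a dump
KNOWN_BOT_SOURCES = {"203.0.113.9"}  # sources flagged by bot protection
MULTI_ACCOUNT_MIN = 3  # assumption: the slide gives no threshold

# Constructed login events: (source_ip, username, password_tried, success).
# Only failed attempts are checked against the cloud, as on the slide.
SAMPLE_EVENTS = [
    ("203.0.113.9", "joe", "S3cretJoe!", False),
    ("203.0.113.9", "mary", "hunter2x", False),
    ("203.0.113.9", "elvis", "password", False),
    ("198.51.100.4", "joe", "123456", False),
    ("198.51.100.4", "mary", "welcome1", False),
    ("198.51.100.4", "elvis", "password", False),
    ("192.0.2.7", "joe", "wrongtypo", False),   # a real user mistyping once
    ("192.0.2.7", "joe", "JoesRealPw#", True),
]


def classify_source(events, src_ip):
    """Return 'BLOCK', 'ALERT' or 'OK' for one source IP using the slide's rules."""
    failed = [e for e in events if e[0] == src_ip and not e[3]]
    multi_account = len({user for _, user, _, _ in failed}) >= MULTI_ACCOUNT_MIN
    weak_tried = any(pw in WEAK_PASSWORDS for _, _, pw, _ in failed)
    stolen_tried = any((user, pw) in KNOWN_STOLEN for _, user, pw, _ in failed)
    known_bot = src_ip in KNOWN_BOT_SOURCES
    # High-Risk (BLOCK): failed logins to multiple accounts + evidence of
    # stolen credentials + TR Bot Protection detected a known bot client.
    if multi_account and stolen_tried and known_bot:
        return "BLOCK"
    # Med-Risk (ALERT): failed logins to multiple accounts + brute force with
    # weak passwords. Stolen credentials without a bot match are treated the
    # same way here (assumption; the slide does not spell that case out).
    if multi_account and (weak_tried or stolen_tried):
        return "ALERT"
    return "OK"


def evaluate(events):
    """Classify every source seen in the events: {source_ip: action}."""
    return {ip: classify_source(events, ip) for ip in {e[0] for e in events}}
```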
Detecting Account Takeover Using Device Intelligence
[Diagram: a device accessing www.webstore.com is profiled, scored by ThreatRadar and evaluated by the WAF mitigation rules]
1. Device Profiling: device identification
2. Device Risk Evaluation: ThreatRadar returns a device Risk-Score (Low/Medium/High) based on reputation, association and evasion
3. WAF Mitigation Rules: correlates the device Risk-Score with other TR services to Alert or Block
WAF MITIGATION RULES:
Med-Risk (ALERT) = Device (w/ prior fraud) + Device (associated w/ multiple accounts)
High-Risk (BLOCK) = Device (w/ prior fraud) + Device (associated w/ multiple accounts) + (TR known bot client)
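Device risk scoring and the device-intelligence mitigation rules above, plus the compromised-accounts view from the reports slide, over constructed device profiles as an added example (not Imperva's code). The field names, the one-point-per-factor scoring and the multi-account threshold are assumptions.

```python
from dataclasses import dataclass, field

MULTI_ACCOUNT_MIN = 3  # assumption: "associated with multiple accounts"


@dataclass
class DeviceProfile:
    device_id: str
    prior_fraud: bool                             # reputation: seen in earlier fraud
    accounts: set = field(default_factory=set)    # association: accounts it touched
    evasion: set = field(default_factory=set)     # e.g. {"tor", "emulator", "geo_mismatch"}
    known_bot_client: bool = False                # from TR Bot Protection


def device_risk_score(dev):
    """Reputation, association and evasion each add one point: Low/Medium/High."""
    points = int(dev.prior_fraud)
    points += int(len(dev.accounts) >= MULTI_ACCOUNT_MIN)
    points += int(bool(dev.evasion))
    return {0: "Low", 1: "Medium"}.get(points, "High")


def mitigation_action(dev):
    """Apply the slide's WAF mitigation rules to one device profile."""
    multi = len(dev.accounts) >= MULTI_ACCOUNT_MIN
    # High-Risk (BLOCK): prior fraud + multiple accounts + TR known bot client.
    if dev.prior_fraud and multi and dev.known_bot_client:
        return "BLOCK"
    # Med-Risk (ALERT): prior fraud + multiple accounts.
    if dev.prior_fraud and multi:
        return "ALERT"
    return "ALLOW"


def compromised_accounts(devices):
    """Accounts reached by bad-reputation, multi-account or evasive devices."""
    flagged = set()
    for dev in devices:
        if dev.prior_fraud or len(dev.accounts) >= MULTI_ACCOUNT_MIN or dev.evasion:
            flagged |= dev.accounts
    return sorted(flagged)


# Constructed profiles: the three report scenarios plus one clean device.
SAMPLE_DEVICES = [
    DeviceProfile("dev-A", True, {"acct1", "acct2", "acct3"}, set(), True),
    DeviceProfile("dev-B", False, {"acct4", "acct5", "acct6"}),
    DeviceProfile("dev-C", False, {"acct7", "acct8"}, {"tor", "geo_mismatch"}),
    DeviceProfile("dev-D", False, {"acct9"}),
]
```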
Account Takeover – Reports: Identifies Compromised Accounts
[Figure: Compromised Accounts Report, three scenarios]
• Device with BAD-reputation with access to accounts: Account 1, Account 2, Account 3 compromised
• Device exhibiting risky behavior – access to multiple accounts, but with NO bad-reputation: Account 1, Account 2, Account 3 compromised
• Attackers use evasion techniques (TOR, emulators, geo mismatch) having access to accounts: Account 1, Account 2 compromised
Account Takeover: Banking Customer Example
• One of the largest banks
• Losing $500K / month in ATO and/or fraud
• 20% of on-line payments need investigation
PROBLEMS
• Bot, DDoS, MITB, and Phishing attacks on the rise
• Brute-force attacks using stolen credentials
• Denial-of-service - automated account lockouts
• Security Ops and Fraud Team overwhelmed with manual analysis of alerts/logs (reactive approach)
SOLUTION NEEDS
• Detect ATO based on known user/device activity
• Visibility to humans versus bot traffic
• Visibility into compromised user accounts
• Reduce (friction) need for step-up authentication
• Device threat intelligence that can be used by backend fraud investigation teams
BENEFITS OF IMPERVA SOLUTION
• Proactive detection BEFORE fraud is committed
• Improved frictionless user experience
• Reduced workload for Security Ops
• Actionable device intelligence usable for Fraud IR
Complete Protection Against Web Threats
[Diagram: Web App Firewall in front of the web apps, blocking the following threats]
• Known Attackers
• Anonymous Proxies, TOR Networks, Bots
• OWASP Top-10 Web Attacks
• Undesirable Geo-locations
• Web Fraud
• App DDoS
• Scrapers
• Phishing Sites
• Comment Spammers
• Web App Vulnerabilities
• Suspicious Devices
• Credential Stuffing
THE ONLY LEADER TWO CONSECUTIVE YEARS
Gartner Magic Quadrant for Web Application Firewalls
Gartner "Magic Quadrant for Web Application Firewalls" by Jeremy D'Hoinne, Adam Hils, Greg Young, Nicole Papadopoulos, 15 June 2015.
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Imperva. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Web Account Takeover
4. Questions?
Imperva Technical Deep Dive Demo Series
Upcoming Demos:
• September 29: Imperva Incapsula DDoS Protection
• October 6: Imperva Skyfence
• October 13: Imperva SecureSphere Web Application Firewall
• October 20: Imperva SecureSphere Database Activity Monitor
Register Now: www.imperva.com/Resources/Videos