Stop Account Takeover Attacks, Right in Their Tracks
© 2015 Imperva, Inc. All rights reserved. Stop Account Takeover Attacks, Right in Their Tracks. Narayan Makaram, Director, Product Marketing, Application Security. September 22, 2015


Page 1: Stop Account Takeover Attacks, Right in their Tracks

Narayan Makaram, Director, Product Marketing, Application Security
September 22, 2015

Page 2: Stop Account Takeover Attacks, Right in their Tracks

Speaker

Narayan Makaram, Dir., Product Marketing, Imperva

Page 3: Stop Account Takeover Attacks, Right in their Tracks

Agenda

• Account Takeover – A Real Problem
• Anatomy of Account Takeover Attack
• Best Practices
  – Protecting Web Applications
  – Real-time Threat Intelligence
• Account Takeover Protection
  – Credential and Device Intelligence
  – Customer Use-Case
• Questions?

Page 4: Stop Account Takeover Attacks, Right in their Tracks

Web Account Takeover

1. A Real Problem

Page 5: Stop Account Takeover Attacks, Right in their Tracks

Majority of Security Breaches Caused by Web App Attacks

Breach timeline 2013–2015 (records exposed): Adobe 36,000,000; Target 70,000,000; eBay 145,000,000; Anthem 80,000,000; Home Depot 56,000,000; JPMC 76,000,000; US OPM 21,000,000; Evernote 50,000,000; Primera 11,000,000; Ashley Madison 39,000,000

• 75% of cyber-attacks target web applications (1)
• 79 serious vulnerabilities per website on average (2)
• 1 in 5 vulnerabilities on websites allowed attackers access to sensitive data (3)
• $5.85M average cost of a data breach in the US alone in 2014, up from $5.4M in 2013 (4)

1. Gartner Research
2. WhiteHat Website Security Statistics Report, 12th Edition
3. 2015 Internet Security Threat Report
4. 2014 Ponemon Cost of Breach Report

Page 6: Stop Account Takeover Attacks, Right in their Tracks

Majority of Web Attacks Involve Account Takeover

Cyber criminals are using stolen credentials to log in as genuine customers and perform unauthorized transactions without the victim's knowledge.

50% of web attacks are using stolen credentials (Source: Verizon 2015 DBIR Report)

Page 7: Stop Account Takeover Attacks, Right in their Tracks

Anatomy of Account Takeover Attack

1. HARVEST CREDENTIALS – Hacker; stolen credentials (Joe / xxxxx, Mary / xxxxx, Elvis / xxxxx)
2. TEST CREDENTIALS – Botnet driven by a control server
3. GAIN ACCESS – Web servers; MITB/Phishing (new)
4. STEAL ASSETS – Medical records, intellectual property, banking/financial

Page 8: Stop Account Takeover Attacks, Right in their Tracks

Perimeter Defenses Are Not Enough

Diagram: NG Firewall and IPS/IDS at the perimeter stop non-HTTP attacks, while HTTP/HTTPS traffic, attacks included, passes through to the web server and database server.

Perimeter Defenses DO NOT Prevent:
• SQL Injection
• Cross-Site Scripting
• Direct Object Ref.
• Session Hijacking
• Exploit Known Vulns.
• Site-Scraping
• Comment Spam
• DDoS Attacks
• Account Takeovers
• Transactional Fraud

60% of web attacks pass through perimeter defenses

Page 9: Stop Account Takeover Attacks, Right in their Tracks

Web Account Takeover

2. Best Practices for
– Protecting Web Applications
– Crowd-sourced Threat Intelligence

Page 10: Stop Account Takeover Attacks, Right in their Tracks

SecureSphere WAF: Prevents Web Application Attacks

Diagram: NG Firewall and IPS/IDS at the perimeter handle non-web attacks; the SecureSphere Web App Firewall sits in front of the web server and database server and stops web app attacks, including account takeover, in the HTTP/HTTPS traffic.

Crowd-Sourced Threat Intelligence
• Reputation Service
• Bot & DDoS Protection
• Account Takeover Protection (new)

Page 11: Stop Account Takeover Attacks, Right in their Tracks

ThreatRadar: Crowd-sourced Threat Intelligence

Reputation Service – prevents bad sources (IPs):
• Phishing URLs
• Anonymous proxies
• TOR networks
• Bad IP geo-locations
• Malicious IP addresses
• Comment spammers

Bot & DDoS Protection – classifies bots or humans; eliminates 30% of unwanted bot traffic:
• Good or bad bots
• App (Layer 7) DDoS attacks

Account Takeover Protection – prevents credential reconnaissance:
• Credential stuffing attacks
• Brute-force dictionary attacks
• Privileged account attacks

Detects suspicious device behavior:
• Device reputation
• Device evasion techniques
• Device-account associations
• Device detection/mitigation policies

Page 12: Stop Account Takeover Attacks, Right in their Tracks

WAF Correlation: Improves Efficiency and Productivity

SecureSphere WAF Correlation Engine correlates:
• Protocol Validation
• Attack Signatures
• Application Profiling
• TR Reputation Detection
• TR Bot/DDoS Protection
• TR ATO Protection (NEW)

Benefits: increases accuracy, improves SOC efficiency, removes unwanted traffic, reduces threats, improves user protection/experience.

Page 13: Stop Account Takeover Attacks, Right in their Tracks

Web Account Takeover

3. Account Takeover Protection
– Credential Intelligence
– Device Intelligence

Page 14: Stop Account Takeover Attacks, Right in their Tracks

Detecting Account Takeover Using Credential Intelligence

Scenario (www.bank.com): the attacker uses bots to test credentials against the login page:
• Stolen credentials
• Weak passwords
• Privileged accounts

Suspicious Activity
• Attacker uses bots to test stolen credentials
• Repeated login failures trigger checks of the failed credentials against the ThreatRadar cloud (stolen credentials, weak passwords, privileged accounts)
• A successful match confirms stolen/weak credentials were used
• Sources are automatically blocked

WAF Mitigation Rules
• Med-Risk (ALERT) = (Failed Logins to Multiple Accounts) + (Brute-Force Attack with Weak Passwords)
• High-Risk (BLOCK) = (Failed Logins to Multiple Accounts) + (Evidence of Stolen Credentials) + (TR Bot Protection detected known bot client)

Page 15: Stop Account Takeover Attacks, Right in their Tracks

Detecting Account Takeover Using Device Intelligence

Scenario (www.webstore.com), with ThreatRadar:
1. Device Profiling – device identification
2. Device Risk Evaluation – returns a device Risk-Score (Low/Medium/High) based on reputation, association and evasion
3. WAF Mitigation Rules – correlates the device Risk-Score with other TR services to alert or block

WAF MITIGATION RULES:
• Med-Risk (ALERT) = Device (w/ prior fraud) + Device (associated w/ multiple accounts)
• High-Risk (BLOCK) = Device (w/ prior fraud) + Device (associated w/ multiple accounts) + (TR known bot client)
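As an added example (not Imperva's code or ThreatRadar's actual logic), the credential-intelligence rules from Page 14 and the device-intelligence rules above, applied to constructed login events grouped by source; the stolen/weak-credential feeds, the prior-fraud device list, the account thresholds and the reading of the slides' "+" as AND are all assumptions made here.

```python
import hashlib
from collections import defaultdict, namedtuple

# source: client IP or device id (grouping key); pw_hash: SHA-256 of the attempted
# password, so plaintext is never kept; known_bot: verdict from a bot classifier.
LoginEvent = namedtuple("LoginEvent", "source account success pw_hash known_bot")

def pw_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed threat-intel feeds standing in for the ThreatRadar cloud lookups.
STOLEN_CREDENTIALS = {("mary", pw_hash("Summer2014!"))}  # leaked (account, hash) pairs
WEAK_PASSWORD_HASHES = {pw_hash(p) for p in ("123456", "password", "qwerty")}
DEVICES_WITH_PRIOR_FRAUD = {"dev-7f3a"}

def credential_risk(events, min_accounts=3):
    # Page 14 rule; its '+' is read as AND (an assumption) and the threshold is constructed.
    failed = [e for e in events if not e.success]
    multi = len({e.account for e in failed}) >= min_accounts
    weak = any(e.pw_hash in WEAK_PASSWORD_HASHES for e in failed)
    stolen = any((e.account, e.pw_hash) in STOLEN_CREDENTIALS for e in failed)
    bot = any(e.known_bot for e in events)
    return "BLOCK" if multi and stolen and bot else "ALERT" if multi and weak else "NONE"

def device_risk(events, min_accounts=2):
    # Page 15 rule; successful logins count too, the signal is account association.
    flagged = any(e.source in DEVICES_WITH_PRIOR_FRAUD for e in events)
    multi = len({e.account for e in events}) >= min_accounts
    bot = any(e.known_bot for e in events)
    return "BLOCK" if flagged and multi and bot else "ALERT" if flagged and multi else "NONE"

def score_sources(events):
    # Group by source and keep the more severe of the two verdicts for each source.
    by_source = defaultdict(list)
    for e in events:
        by_source[e.source].append(e)
    rank = ["NONE", "ALERT", "BLOCK"].index
    return {s: max(credential_risk(ev), device_risk(ev), key=rank) for s, ev in by_source.items()}

SAMPLE_EVENTS = [LoginEvent(*f) for f in [  # constructed: TEST-NET addresses, made-up device id
    ("198.51.100.7", "joe", False, pw_hash("Winter2013"), True),    # bot spraying accounts;
    ("198.51.100.7", "mary", False, pw_hash("Summer2014!"), True),  # this try is mary's leaked pw
    ("198.51.100.7", "elvis", False, pw_hash("hunter2x"), True),
    ("203.0.113.5", "joe", False, pw_hash("123456"), False),        # dictionary attack, no bot verdict
    ("203.0.113.5", "mary", False, pw_hash("password"), False),
    ("203.0.113.5", "elvis", False, pw_hash("qwerty"), False),
    ("dev-7f3a", "joe", True, pw_hash("c0rrect-horse"), False),     # flagged device on two accounts
    ("dev-7f3a", "mary", True, pw_hash("battery-staple"), False),
    ("192.0.2.9", "joe", False, pw_hash("123456"), False),          # one user mistyping: no verdict
]]
```

Running `score_sources(SAMPLE_EVENTS)` yields BLOCK for the bot source that tried the leaked password, ALERT for the dictionary attack and for the flagged device, and NONE for the lone mistyped login.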

Page 16: Stop Account Takeover Attacks, Right in their Tracks

Account Takeover – Reports: Identifies Compromised Accounts

Compromised Accounts Report, three patterns:
• Device with BAD reputation with access to accounts – Account 1, Account 2, Account 3: all compromised
• Device exhibiting risky behavior – access to multiple accounts, but with NO bad reputation – Account 1, Account 2, Account 3: all compromised
• Attackers use evasion techniques (TOR, emulators, geo mismatch) having access to accounts – Account 1, Account 2: compromised

Page 17: Stop Account Takeover Attacks, Right in their Tracks

Account Takeover: Banking Customer Example

• One of the largest banks
• Losing $500K / month in ATO and/or fraud
• 20% of on-line payments need investigation

PROBLEMS
• Bot, DDoS, MITB, and Phishing attacks on the rise
• Brute-force attacks using stolen credentials
• Denial-of-service – automated account lockouts
• Security Ops and Fraud Team overwhelmed with manual analysis of alerts/logs (reactive approach)

SOLUTION NEEDS
• Detect ATO based on known user/device activity
• Visibility into humans versus bot traffic
• Visibility into compromised user accounts
• Reduce (friction) need for step-up authentication
• Device threat intelligence that can be used by backend fraud investigation teams

BENEFITS OF IMPERVA SOLUTION
• Proactive detection BEFORE fraud is committed
• Improved frictionless user experience
• Reduced workload for Security Ops
• Actionable device intelligence usable for Fraud IR

Page 18: Stop Account Takeover Attacks, Right in their Tracks

Complete Protection Against Web Threats

Diagram: the Web App Firewall in front of the web apps, covering:
• Known Attackers
• Anonymous Proxies, TOR Networks, Bots
• OWASP Top-10 Web Attacks
• Undesirable Geo-locations
• Web Fraud
• App DDoS
• Scrapers
• Phishing Sites
• Comment Spammers
• Web App Vulnerabilities
• Suspicious Devices
• Credential Stuffing

Page 19: Stop Account Takeover Attacks, Right in their Tracks


Gartner “Magic Quadrant for Web Application Firewalls” by Jeremy D'Hoinne, Adam Hils, Greg Young, Nicole Papadopoulos, 15 June 2015.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Imperva. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

THE ONLY LEADER, TWO CONSECUTIVE YEARS: Gartner Magic Quadrant for Web Application Firewalls

Page 20: Stop Account Takeover Attacks, Right in their Tracks

Web Account Takeover

4. Questions?

Page 21: Stop Account Takeover Attacks, Right in their Tracks

Imperva Technical Deep Dive Demo Series

Upcoming Demos:
• September 29: Imperva Incapsula DDoS Protection
• October 6: Imperva Skyfence
• October 13: Imperva SecureSphere Web Application Firewall
• October 20: Imperva SecureSphere Database Activity Monitor

Register Now: www.imperva.com/Resources/Videos

Page 22: Stop Account Takeover Attacks, Right in their Tracks