CUSTOMERS & CRIMINALS: USE WEB SESSION INTELLIGENCE TO DETECT ‘WHO IS WHO’ ONLINE
Transcript of CUSTOMERS & CRIMINALS: USE WEB SESSION INTELLIGENCE TO DETECT ‘WHO IS WHO’ ONLINE
Page 1
CUSTOMERS & CRIMINALS: USE WEB SESSION INTELLIGENCE TO DETECT ‘WHO IS WHO’ ONLINE
Jason Sloderbeck, Silver Tail Systems, Part of RSA
Session ID: SPO1-W22
Session Classification: General Track
Page 2
Question: Do criminals in a retail store behave differently from typical customers?
Page 3
Retail Circa 2013
Security guard – stop shoplifters
Cashier – protect & ensure sales
Security camera – capture events
Shoplifter – taking items
Price tag swapper – misrepresenting prices
Page 4
Question: Do criminals on your web site behave differently from typical customers?
Page 5
The Web Has Evolved
Web Transaction vs Web Interaction
Page 6
Big Data Meets Web Sessions
Full Session Data
• Click-by-click visibility
• Entire HTTP request insight
• Understand behavior
Just Logs
• Limited transaction visibility
• No traceability into behavior
• Disconnected story
Page 7
Behavioral Analytics
Page 8
Population-based Behavior
Page 9
Criminals Look Different than Customers
• Velocity
• Page Sequence
• Origin
• Contextual Information
Man-in-the-Browser Attack
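Slides 6 to 9 describe what full-session data adds over plain logs and the four dimensions on which criminal sessions look different from customers. The Python below is an added illustration, not code from the presentation or from Silver Tail Systems/RSA: it rebuilds click-by-click sessions from a constructed, simplified access-log format, builds a population baseline of page-to-page transitions, and scores each session on velocity, page sequence, origin and context. The log format, the sample lines, the addresses and user-agent strings, and the scoring weights and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed, simplified log format (an assumption, not any real server's format):
#   <epoch_seconds> <client_ip> <session_cookie> "<METHOD> <path>" <status> "<user_agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\d+(?:\.\d+)?) (?P<ip>\S+) (?P<sid>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample: four shopper sessions (s1-s4) and one scripted session (s9).
SAMPLE_LOG = """\
1700000000 203.0.113.10 s1 "GET /" 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
1700000007 203.0.113.10 s1 "GET /products" 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
1700000021 203.0.113.10 s1 "GET /products/42" 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
1700000040 203.0.113.10 s1 "POST /cart" 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
1700000100 198.51.100.7 s2 "GET /" 200 "Mozilla/5.0 (Macintosh) Safari/605.1.15"
1700000112 198.51.100.7 s2 "GET /products" 200 "Mozilla/5.0 (Macintosh) Safari/605.1.15"
1700000130 198.51.100.7 s2 "GET /products/17" 200 "Mozilla/5.0 (Macintosh) Safari/605.1.15"
1700000200 192.0.2.33 s3 "GET /" 200 "Mozilla/5.0 (X11; Linux) Chrome/117.0"
1700000209 192.0.2.33 s3 "GET /products" 200 "Mozilla/5.0 (X11; Linux) Chrome/117.0"
1700000230 192.0.2.33 s3 "GET /products/42" 200 "Mozilla/5.0 (X11; Linux) Chrome/117.0"
1700000251 192.0.2.33 s3 "POST /cart" 200 "Mozilla/5.0 (X11; Linux) Chrome/117.0"
1700000300 203.0.113.99 s9 "GET /" 200 "python-requests/2.31"
1700000300.3 203.0.113.99 s9 "GET /.git/config" 404 "python-requests/2.31"
1700000300.6 203.0.113.99 s9 "GET /admin" 404 "python-requests/2.31"
1700000300.9 203.0.113.99 s9 "GET /backup.zip" 404 "python-requests/2.31"
1700000301.2 203.0.113.99 s9 "GET /products" 200 "python-requests/2.31"
1700000400 198.51.100.20 s4 "GET /" 200 "Mozilla/5.0 (iPhone) Mobile/15E148 Safari/604.1"
1700000406 198.51.100.20 s4 "GET /products" 200 "Mozilla/5.0 (iPhone) Mobile/15E148 Safari/604.1"
1700000425 198.51.100.20 s4 "GET /products/17" 200 "Mozilla/5.0 (iPhone) Mobile/15E148 Safari/604.1"
1700000450 198.51.100.20 s4 "POST /cart" 200 "Mozilla/5.0 (iPhone) Mobile/15E148 Safari/604.1"
"""

def parse_line(line):
    """One log line -> dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = float(req["ts"])
    req["status"] = int(req["status"])
    return req

def build_sessions(log_text):
    """Rebuild click-by-click sessions: group requests by cookie, order by time."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        req = parse_line(line)
        if req:
            sessions[req["sid"]].append(req)
    for reqs in sessions.values():
        reqs.sort(key=lambda r: r["ts"])
    return dict(sessions)

def transitions(reqs):
    return [(a["path"], b["path"]) for a, b in zip(reqs, reqs[1:])]

def population_model(sessions):
    """Baseline: for each page transition, the set of sessions that made it."""
    seen_by = defaultdict(set)
    for sid, reqs in sessions.items():
        for t in transitions(reqs):
            seen_by[t].add(sid)
    return seen_by

def session_features(sid, reqs, seen_by):
    gaps = sorted(b["ts"] - a["ts"] for a, b in zip(reqs, reqs[1:]))
    trans = transitions(reqs)
    # Leave-one-out: a transition is novel if no *other* session in the population made it.
    novel = sum(1 for t in trans if not (seen_by[t] - {sid}))
    return {
        "clicks": len(reqs),
        "median_gap_s": gaps[len(gaps) // 2] if gaps else None,      # velocity
        "novel_transition_ratio": novel / len(trans) if trans else 0.0,  # page sequence
        "distinct_ips": len({r["ip"] for r in reqs}),               # origin
        "distinct_uas": len({r["ua"] for r in reqs}),               # origin
        "error_ratio": sum(r["status"] >= 400 for r in reqs) / len(reqs),  # context
    }

def behavior_score(f):
    """Toy additive score; the weights and thresholds are assumptions, not the product's model."""
    score = 0
    if f["median_gap_s"] is not None and f["median_gap_s"] < 1.0:
        score += 30                                      # faster than a person reads a page
    score += int(40 * f["novel_transition_ratio"])       # walks paths the population never walks
    score += 15 * (f["distinct_ips"] > 1) + 15 * (f["distinct_uas"] > 1)
    if f["error_ratio"] >= 0.5:
        score += 20                                      # mostly errors: guessing, not browsing
    return score

def score_log(log_text):
    sessions = build_sessions(log_text)
    seen_by = population_model(sessions)
    return {sid: behavior_score(session_features(sid, reqs, seen_by))
            for sid, reqs in sessions.items()}

if __name__ == "__main__":
    for sid, score in sorted(score_log(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{sid}: {score}")
```

Scoring against the population rather than against fixed rules is what lets the same code flag a scripted crawl on one site and an unusual checkout path on another; a real deployment would rebuild the baseline continuously and tune the weights on labelled sessions.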
Page 10
Business Logic Abuse
Page 11
What is Business Logic Abuse?
► “Business logic abuse results … when a criminal uses the legitimate pages of the website to perpetrate cyber attacks, hacks or fraud.”
Source: Ponemon Institute ‘The Risk of Business Logic Abuse: U.S. Study’ (September 2012)
Page 12
Scope of Business Logic Abuse
► Site Scraping
► Account Hijacking
► Password Guessing
► Pay-per-click Fraud
► Testing Stolen Credit Cards
► Denial of Service
► eCoupons
► eWallet Abuse
► App Store Abuse
► Mass Registration
► Fraudulent Money Movement
► Vulnerability Probing
Page 13
Survey of US IT Executives
► 90% report lost revenue due to business logic abuse
► 74% can’t tell if a web session is a customer or a criminal
► 64% have no clear visibility into their web session traffic
► 1/3 do not know who is responsible for addressing business logic abuse
Page 14
Real-world Examples
Page 15
Vulnerability Probing
What were they doing?
► Jiggling doorknobs
► Probing for vulnerabilities
► Site reconnaissance
What looked suspicious?
► Sub-second clicks
► Modified user-agent strings
► Alphabetical page requests
► Multiple password reset attempts
► Requests for non-existent pages
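Each of the indicators listed for the vulnerability-probing case can be expressed as a check over one session's clickstream. The Python below is an added example, not the presentation's or Silver Tail's code, that runs those checks over two constructed clickstreams (one shopper, one scanner); the tuple layout, the password-reset path, the scanner token list and the thresholds are assumptions.

```python
# Constructed clickstreams: (ts_seconds, method, path, status, user_agent), time-ordered.
UA_BROWSER = "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
UA_TOOL = "sqlmap/1.7 (https://sqlmap.org)"

NORMAL_SESSION = [
    (0.0, "GET", "/", 200, UA_BROWSER),
    (6.0, "GET", "/products", 200, UA_BROWSER),
    (21.0, "GET", "/products/42", 200, UA_BROWSER),
    (35.0, "GET", "/cart", 200, UA_BROWSER),
    (52.0, "GET", "/checkout", 200, UA_BROWSER),
]

PROBING_SESSION = [           # wordlist walk in alphabetical order, then reset-form abuse
    (0.0, "GET", "/", 200, UA_TOOL),
    (0.2, "GET", "/.env", 404, UA_TOOL),
    (0.4, "GET", "/admin", 404, UA_TOOL),
    (0.6, "GET", "/backup", 404, UA_TOOL),
    (0.8, "GET", "/config", 404, UA_TOOL),
    (1.0, "GET", "/phpmyadmin", 404, UA_TOOL),
    (1.3, "POST", "/password/reset", 200, UA_TOOL),
    (1.5, "POST", "/password/reset", 200, UA_TOOL),
    (1.7, "POST", "/password/reset", 200, UA_TOOL),
]

# Tokens found in the default user-agents of common scanners and HTTP libraries
# (assumed starter list; extend it from your own traffic).
TOOL_TOKENS = ("sqlmap", "nikto", "nmap", "python-requests", "curl/", "go-http-client")

def longest_sorted_run(paths):
    """Length of the longest run of consecutive requests in increasing lexical order.
    Wordlist-driven scanners walk paths alphabetically; people do not."""
    best = run = 1 if paths else 0
    for prev, cur in zip(paths, paths[1:]):
        run = run + 1 if cur > prev else 1
        best = max(best, run)
    return best

def probing_indicators(clicks, reset_path="/password/reset"):
    gaps = [b[0] - a[0] for a, b in zip(clicks, clicks[1:])]
    uas = {c[4] for c in clicks}
    return {
        "sub_second_clicks": sum(g < 1.0 for g in gaps),
        # "Modified" UA: either it changes mid-session or it names a tool outright.
        "suspicious_ua": len(uas) > 1 or any(t in ua.lower() for ua in uas for t in TOOL_TOKENS),
        "alphabetical_run": longest_sorted_run([c[2] for c in clicks]),
        "password_reset_attempts": sum(c[1] == "POST" and c[2] == reset_path for c in clicks),
        "not_found": sum(c[3] == 404 for c in clicks),
    }

def probing_reasons(ind):
    """Thresholds are assumptions for the demo; tune them against your own traffic."""
    checks = [
        (ind["sub_second_clicks"] >= 3, "sub-second clicks"),
        (ind["suspicious_ua"], "modified or tooling user-agent string"),
        (ind["alphabetical_run"] >= 5, "alphabetical page requests"),
        (ind["password_reset_attempts"] >= 2, "multiple password reset attempts"),
        (ind["not_found"] >= 3, "requests for non-existent pages"),
    ]
    return [reason for hit, reason in checks if hit]

if __name__ == "__main__":
    for name, clicks in (("normal", NORMAL_SESSION), ("probing", PROBING_SESSION)):
        print(name, probing_reasons(probing_indicators(clicks)))
```

No single indicator is conclusive (a fast tabbed reader produces sub-second clicks, a mistyped URL produces a 404); the point of session intelligence is that the scanner trips several of them in one clickstream while the shopper trips none.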
Page 16
Horizontal Password Guessing
What was happening?
► Testing a common password (e.g. Faceb00k!) across many accounts
What looked suspicious?
► Spike in login page hits
► Multiple login attempts with one password
► Scripted variability
► Elevated behavior scores for sessions driving the spike
Page 17
Mobile Account Penetration
What were they doing?
► Stealing credentials on public WiFi from a low-security mobile application
► Spoofing mobile user agents
What looked suspicious?
► A cluster of IPs generated a high behavior score
► Clickstream showed the same cookie being used by two devices
Same Cookie, Different UA Strings
Page 18
Fraudulent Money Movement
What were they doing?
► Compromising accounts with malware
► Creating a virtual account number (VAN)
► Receiving a new line of credit
► Maxing the credit limit with fraudulent purchases
What looked suspicious?
► High Man-in-the-Middle score
► Fast clicks
► Multiple IP addresses in one session
► IPs traced to disparate geographies
► User-agent variation
Clickstream shows different IPs, UA strings and activities intermingled
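The mobile account penetration case (same cookie, different UA strings) and the fraudulent money movement case (multiple IPs, disparate geographies, UA variation, activities intermingled) are both failures of session consistency: one cookie, more than one actor. The Python below is one added example serving both cases, not the presentation's or Silver Tail's code. The clickstreams, addresses and user-agent strings are constructed, and the prefix-to-country table is a stand-in for a real GeoIP lookup.

```python
# Constructed stand-in for a GeoIP lookup (prefix -> country). Real code queries a GeoIP database.
GEO_PREFIXES = {"198.51.100.": "US", "192.0.2.": "US", "203.0.113.": "RO"}

def country_of(ip):
    return next((cc for prefix, cc in GEO_PREFIXES.items() if ip.startswith(prefix)), "??")

def session_consistency(reqs):
    """reqs: time-ordered (ts, ip, user_agent, path) tuples that all carried ONE session cookie."""
    ips = [r[1] for r in reqs]
    uas = [r[2] for r in reqs]
    gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
    return {
        "distinct_ips": len(set(ips)),
        "distinct_uas": len(set(uas)),
        "countries": sorted({country_of(ip) for ip in ips}),
        # A phone moving from WiFi to cellular switches IP once; two actors sharing a
        # cookie switch back and forth, so count the switches, not just distinct IPs.
        "ip_switches": sum(1 for a, b in zip(ips, ips[1:]) if a != b),
        "fast_clicks": sum(g < 1.0 for g in gaps),
    }

def consistency_flags(s):
    checks = [
        (s["distinct_uas"] > 1, "same cookie, different UA strings"),
        (s["distinct_ips"] > 1, "multiple IP addresses in one session"),
        (len(s["countries"]) > 1, "IPs traced to disparate geographies"),
        (s["ip_switches"] >= 3, "IPs and activities intermingled, not a single handoff"),
        (s["fast_clicks"] >= 3, "fast clicks"),
    ]
    return [reason for hit, reason in checks if hit]

UA_IOS = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) Mobile/15E148"
UA_IOS_SPOOF = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_1 like Mac OS X) Mobile/15E148"
UA_CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"
UA_FIREFOX = "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"

# Constructed clickstreams, one per session cookie.
WIFI_TO_CELL = [   # legitimate: one device, one IP change mid-session
    (0.0, "198.51.100.5", UA_IOS, "/m/login"), (30.0, "198.51.100.5", UA_IOS, "/m/balance"),
    (60.0, "198.51.100.9", UA_IOS, "/m/transfer"), (90.0, "198.51.100.9", UA_IOS, "/m/logout"),
]
MOBILE_HIJACK = [  # cookie sniffed on public WiFi; attacker replays it with a spoofed mobile UA
    (0.0, "198.51.100.5", UA_IOS, "/m/login"), (15.0, "192.0.2.77", UA_IOS_SPOOF, "/m/balance"),
    (22.0, "198.51.100.5", UA_IOS, "/m/balance"), (30.0, "192.0.2.77", UA_IOS_SPOOF, "/m/transfer"),
    (45.0, "198.51.100.5", UA_IOS, "/m/logout"),
]
MONEY_MOVEMENT = [  # malware-driven: two origins, two browsers, two countries, sub-second clicks
    (0.0, "192.0.2.10", UA_CHROME, "/login"), (0.4, "203.0.113.200", UA_FIREFOX, "/accounts"),
    (0.8, "192.0.2.10", UA_CHROME, "/van/create"), (1.1, "203.0.113.200", UA_FIREFOX, "/credit/increase"),
    (1.5, "192.0.2.10", UA_CHROME, "/pay"),
]

if __name__ == "__main__":
    for name, reqs in (("wifi-to-cell", WIFI_TO_CELL), ("mobile-hijack", MOBILE_HIJACK),
                       ("money-movement", MONEY_MOVEMENT)):
        print(name, consistency_flags(session_consistency(reqs)))
```

The legitimate handoff session still trips "multiple IP addresses", which is why that flag alone should raise a score rather than block: the intermingling count and the UA change are what separate a phone changing networks from a cookie in two hands. Binding the session to the client (re-authenticating on a UA or network change for sensitive actions) is the preventive counterpart of this detection.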
Page 19
E-Commerce Fraud
The customer knew the “what”…
► Omniture reported a revenue drop for affiliate orders
Behavior exposed the “how” in minutes…
► Users added a sale item to their cart
► The sale price persisted in the cart after the sale ended
► Users stacked the next promotion in their cart
► Inconsistent price floors were exploited
► Accepted orders were sub-floor or negative value
New Seasonal Promotion
Cart Logic Flaw
Staring at a six-figure loss in an afternoon
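The cart logic flaw in the e-commerce case (a sale price persisting after the sale, stacked promotions, no consistent price floor, negative orders accepted) can be shown beside its fix. The Python below is an added example, not the retailer's or Silver Tail's code: a cart that reproduces the flaw, a hardened checkout that re-prices from the live catalog, applies only the single best promotion and enforces the floor, and an audit that finds sub-floor or negative accepted orders. The catalog, prices and floors are constructed.

```python
# Constructed catalog: sku -> (current_list_price, floor_price). The floor is the lowest
# price the business will accept for the item, whatever promotions apply.
CATALOG = {"jacket": (120.00, 60.00), "scarf": (30.00, 15.00)}

class VulnerableCart:
    """The flaw on the slide: the price is captured when the item is added (so a sale price
    outlives the sale), promotions stack, and checkout accepts any total, even a negative one."""
    def __init__(self):
        self.lines = []     # (sku, unit price at the moment it was added)
        self.promos = []    # ("flat", 50.0) = 50 off, ("pct", 0.5) = 50% off

    def add(self, sku, price_now):
        self.lines.append((sku, price_now))

    def apply_promo(self, promo):
        self.promos.append(promo)           # nothing replaces the previous promotion

    def checkout(self):
        total = sum(price for _, price in self.lines)
        for kind, value in self.promos:
            total = total * (1 - value) if kind == "pct" else total - value
        return round(total, 2)              # no floor check, no sign check

def exploit_scenario():
    cart = VulnerableCart()
    cart.add("jacket", 40.00)             # added during a sale at the sale price
    # ... the sale ends and the catalog price returns to 120, but the cart still says 40
    cart.apply_promo(("flat", 50.0))      # next seasonal promotion: 50 off
    cart.apply_promo(("pct", 0.5))        # and a 50% coupon stacked on top
    return cart.checkout()                # -5.0, and the order is accepted

def price_order(skus, promos, catalog=CATALOG):
    """Hardened checkout: re-price from the live catalog, apply only the single best
    promotion, and refuse totals below the floor (which also rules out zero or negative)."""
    subtotal = sum(catalog[sku][0] for sku in skus)
    floor = sum(catalog[sku][1] for sku in skus)
    best = subtotal
    for kind, value in promos:
        candidate = subtotal * (1 - value) if kind == "pct" else subtotal - value
        best = min(best, candidate)
    total = round(best, 2)
    if total < floor:
        return {"accepted": False, "total": total, "reason": f"below floor {floor:.2f}"}
    return {"accepted": True, "total": total, "reason": ""}

def audit_accepted_orders(orders, catalog=CATALOG):
    """Detection side: scan accepted orders (order_id, skus, total) for sub-floor or
    negative values, the signal the slide says exposed the loss."""
    flagged = []
    for order_id, skus, total in orders:
        floor = sum(catalog[sku][1] for sku in skus)
        if total <= 0 or total < floor:
            flagged.append((order_id, total, floor))
    return flagged

if __name__ == "__main__":
    print("vulnerable cart accepted:", exploit_scenario())
    print("hardened:", price_order(["jacket"], [("flat", 50.0), ("pct", 0.5)]))
```

The fix has two halves that the flaw shows are both needed: price state must be recomputed at the moment money changes hands, not carried in the cart, and a floor must be enforced at checkout regardless of which promotions the front end allowed. The audit is cheap to run on every accepted order and catches the next variant of the same mistake before an analytics tool reports the revenue drop.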
Page 20
Session DDoS
What were they doing?
► Application resource exhaustion
► Botnets sending Search, Login, New Account and Purchase queries
What looked suspicious?
► Device ID / User-Agent randomization
► Thousands of IP addresses were acting in concert
► Identical activity on a specific set of pages
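The session DDoS case is identified not by bandwidth but by many sources doing the same application-level thing. The Python below is an added example, not the presentation's or Silver Tail's code, that groups the source IPs in one time window by the exact page sequence they requested and checks whether each IP's user-agent changes on every request; the window, the bot and shopper traffic, the addresses and the thresholds are constructed.

```python
import statistics
from collections import defaultdict

def find_concerted_clusters(reqs, min_ips=50, ua_random_ratio=0.8):
    """reqs: (ts, ip, user_agent, path) for ONE time window. Groups source IPs by the exact
    page sequence they requested; many IPs walking an identical sequence is the 'acting in
    concert' signal, and a fresh UA on every request from one IP is the randomization signal."""
    by_ip = defaultdict(list)
    for r in reqs:
        by_ip[r[1]].append(r)
    groups = defaultdict(list)
    for ip, rs in by_ip.items():
        sequence = tuple(r[3] for r in sorted(rs, key=lambda r: r[0]))
        groups[sequence].append(ip)
    clusters = []
    for sequence, ips in groups.items():
        if len(ips) < min_ips:
            continue
        ua_ratio = statistics.mean(len({r[2] for r in by_ip[ip]}) / len(by_ip[ip]) for ip in ips)
        hits = sum(len(by_ip[ip]) for ip in ips)
        clusters.append({
            "sequence": sequence, "ips": len(ips), "requests": hits,
            "share_of_window": round(hits / len(reqs), 3),
            "ua_randomized": ua_ratio >= ua_random_ratio,
        })
    return sorted(clusters, key=lambda c: -c["ips"])

def constructed_window():
    """Constructed one-minute window: 30 real shoppers plus 200 bot IPs that each run
    Search -> Login -> New Account -> Purchase with a different UA string on every request."""
    reqs = []
    browser = "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
    for i in range(30):
        for k, path in enumerate(["/", "/products", f"/products/{i}"]):
            reqs.append((1000.0 + i * 1.7 + k * 6.0, f"198.51.100.{i + 1}", browser, path))
    bot_pages = ["/search", "/login", "/account/new", "/purchase"]
    for i in range(200):
        for k, path in enumerate(bot_pages):
            reqs.append((1000.0 + i * 0.01 + k * 0.05, f"203.0.113.{i}",
                         f"Mozilla/5.0 (rnd-{i}-{k})", path))
    return reqs

if __name__ == "__main__":
    for c in find_concerted_clusters(constructed_window()):
        print(c)
```

Per-IP rate limits do not see this traffic: each bot sends four requests, well under any sane threshold. The cluster is only visible when sessions are compared with each other, which is also what makes it actionable: the shared sequence and the pages it targets are the key for a temporary challenge or block, while the 30 shoppers, whose sequences are all different, are untouched.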
Page 21
Spectrum of Threats (plotted along the session timeline: beginning of web session, login, transaction and logout)
► New Account Registration Fraud
► Account Takeover
► Password Guessing
► Parameter Injection
► Man In The Browser
► Man In The Middle
► Fraudulent Money Movement
► Unauthorized Account Activity
► Promotion Abuse
► High Risk Checkout
► Site Scraping
► Vulnerability Probing
► DDOS Attacks