Protecting Against Online Fraud F5 SIT Forum

Presentation transcript:

Protecting Against Online Fraud F5 SIT Forum Laurent BOUTET FSE France

Everything Evolves
- Application Security
- Anti-Fraud, Anti-Malware, Anti-Phishing
- Network Firewall
- Access Control
- DDoS Protection
- SSL
- DNS Security
Speaker notes: evolves, SSL Heartbleed; user interacts with application: ASM; DNS security, digging into the DNS protocol and vulnerabilities; MitM and spoofing could be exploited by malware?; malware infiltrates the user.

Fraud and Malware Remains a Challenge

Malware/Fraud Statistics
- 15% increase in malware (McAfee threat report 2013)
- 196 million unique malware samples in 2013
- 70% of malware targeting financial services companies

Phishing Attacks
- 37.3 million users around the world were subjected to phishing attacks, 2012-2013
- 72,758 unique phishing attacks recorded in 1st half 2013 (worldwide)

Mobile Malware
- 22,750 new modifications of malicious programs target mobile devices throughout the year
- 99% of newly discovered mobile malware attacks target Android devices

Speaker notes:
- Reason: money, customer accounts, but more and more corporations doing corporate transactions.
- Phishing: cheap and easy to do.
- 1,000,000 U.S. computers hit by banking trojan malware (Symantec report, "The State of Financial Trojans: 2013").
- "In 2012, more than 40 million Windows systems were infected with malware" (Microsoft, from Five Habits Of Highly Successful Malware: http://www.darkreading.com/advanced-threats/five-habits-of-highly-successful-malware/240154057).
- Scanners only detect up to 25% of real-world malware, and only caught 40% of malicious downloads (Google, from Five Habits Of Highly Successful Malware: http://www.darkreading.com/advanced-threats/five-habits-of-highly-successful-malware/240154057).
- Symantec State of financial Trojan landscape, December 2013.
- Sources for phishing attack stats: http://media.kaspersky.com/pdf/Kaspersky_Lab_KSN_report_The_Evolution_of_Phishing_Attacks_2011-2013.pdf and http://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_1H2013.pdf
- Pace of mobile malware increasing: 22,750 new modifications of malicious programs targeting mobile devices detected by Kaspersky Lab.
- 99% of newly discovered mobile malware attacks Android devices (Kaspersky Security Bulletin 2012).
- 33% increase in Android malware samples during the second half of 2013 (McAfee).
- 0.9% of total online revenue is lost to fraud (Cybersource, 2012).
- 2%-6% of banking customers are infected with financial malware (Gartner, MQ for web a.fraud, May 2012).
- Data sources include Symantec, Microsoft, Kaspersky, McAfee, DarkReading, Gartner, and Cybersource.

Malware Threat Landscape – Growth and Targets
[Chart: Total Malware Samples in the McAfee Labs Database]
- 25% of real-world malware is caught by anti-virus
- 50% of malware code is logic to bypass defenses
- 79% of existing malware strains are Trojans
- 82% of institutions learned about fraud incidents from their customers
Data sources: Dark Reading, PandaLabs, and ISMG

Speaker notes:
- Reinventing themselves: polymorphism.
- 1) Only 25% of real-world malware is caught by anti-viruses. Google Research (from Five Habits Of Highly Successful Malware: http://www.darkreading.com/advanced-threats/five-habits-of-highly-successful-malware/240154057)
- 2) More than half of malware code is to bypass defenses and evade detection. Palo Alto Analyst (from Five Habits Of Highly Successful Malware: http://www.darkreading.com/advanced-threats/five-habits-of-highly-successful-malware/240154057)
- 3) 79% of all malware sampled are Trojans. PandaLabs Q1 Report (http://press.pandasecurity.com/usa/news/pandalabs-q1-report-trojans-account-for-80-of-malware-infections-set-new-record/)
- 4) 82% of malware is reported to an institution by a customer. ISMG's 2012 Fraud Survey (https://hive.f5.com/docs/DOC-15262)
- Monetization of malware: sale of source code, banking trojans, web exploit kits.

The Increasing Complexity of Securing Users to Apps
Speaker notes:
- Issue: complexity, need for user interaction, apps hosted everywhere: SaaS, cloud, SDN, SaaS apps (Salesforce, Concur).
- Complexity: how applications interact with each other and the application itself.
- Technology evolving: WebSockets, HTTP 2.0 (November).
- Security illusion with SSL.
- Cross-origin resource sharing: CORS.
- Multiprotocol TCP.

(Complexity of apps) Cloud, SDN, SaaS apps (Salesforce, Concur): the way we as a business extend our applications to customers.

(Complexity of securing users to apps)
- Botnets and server malware
- Hackers and hacktivism
- State sponsored espionage
- Blended attacks
Traditional network devices are failing under load…

Traditional Malware Solutions Focus on the Enterprise
[Diagram. Rising security threats/attacks: copied pages and phishing, malware, hacktivism, state sponsored attacks, attacker. Enterprise: enterprise anti-malware, firewall, DMZ applications, DMZ database. Internet side marked "Unprotected"; enterprise side marked "Some protection".]

Securing Against Banking Fraud Can Be Complex
- Ownership: Customers expect the banks to secure against all forms of fraud regardless of devices used or actions taken
- Browser the weakest link: Trojans, MitB attack the client browser or device where the bank has no security footprint
- Changing threats: Increasing in complexity requiring full threat reconnaissance
- Attack visibility: Often lacking details to truly track and identify attacks and their source
- Endless customer devices: Desktop, laptop, tablet, phone, internet café, game consoles, smart TVs
- Compliance: Ensuring compliance with regulations and FFIEC requirements
Speaker notes:
- As well as the technical challenges, we have to consider the business requirements.
- These challenges are prevalent in but not exclusive to banking; they increasingly affect all verticals, not only banking: e-commerce applications, transactions.
- The human is the weakest link, using HTTP/HTTPS.
- How do we implement our protection as close as possible to the user/browser?

Web Fraud Protection

Protecting Against Fraud, Phishing, and Malware
Transaction phases: Site Visit, Site Log In, User Navigation, Transactions, Transaction Execution
Protections:
- Device ID
- Generic malware detection
- Phishing and MitM detection
- Credential protection
- Targeted malware (injections)
- Behavioral and click analysis
- Automatic transaction
- Transaction integrity checks
- Customer fraud alerts
Threats: Phishing Threats, Credential Grabbing, Malware Injections, Transaction Manipulation, Automatic Transactions
Speaker notes: Current protection (typical) in organizations we speak with provides security in each phase of a transaction process. (CLICK) Protections are focused on these areas. (CLICK) With WebSafe and MobileSafe you can fill in the gaps where attackers target with malware. Transition to Mark/Scot for handoff on Implementation slide & demo.

Anti-Fraud, Anti-Phishing, Anti-Malware
Best practices for anti-fraud, -phishing, and -malware services
Prevent Fraud | Protect Online User | On All Devices | Full Transparency | In Real Time | Security Operations Center
- Targeted malware, MitB, zero-days, MitM, phishing, automated transactions
- Clientless solution, enabling 100% coverage
- Application level encryption
- Desktop, tablets, and mobile devices
- No software or user involvement required
- Alerts and customisable rules
- 24x7 research, investigation, and site take-down
…specifically securing online users against advanced fraud that may threaten accounts, transactions and funds in real time

Generic and Targeted Malware Detection
Identify compromised sessions, malicious scripts, phishing attacks, and malware, including MitM, MitB, bots, and fraudulent transactions, with real-time analysis
- Analyse browser for traces of common malware (Zeus, Citadel, Carberp, etc.)
- Detect browser redressing
- Perform checks on domain and other components
Speaker notes:
- We have code that stimulates the malware to send us signals and identify itself.
- Identifies changes to the way the page should have been displayed to the user (for example injections, pop-ups or new windows).
- We don't want to load/download and install anything (best practice); we want something clientless, sent as part of the app.
- Redressing: clickjacking.
- Signature is not enough: behaviour.

Advanced Application-Layer Encryption
Secure the credentials and other valuable data submitted on web forms
- Encrypt any sensitive information at the message level
- Encrypt, then submit, user credentials and information
- Decrypt data using web fraud protection solution
- Render intercepted information useless to MitM attacker
Speaker notes: silent malware, in the browser, using the browser API. Once again, we want something clientless, sent as part of the app.

Automatic Transaction Detection
- Analyse the way users interact with browser
- Analyse the way users interact with website
- Conduct track site navigation
- Trigger alerts upon detecting non-human behavior
[Diagram: My Bank.com]
- Gather client details related to the transaction
- Run a series of checks to identify suspicious activity
- Assign risk score to transaction
- Send alert based on score
- Apply L7 encryption to all communications between client and server
Speaker notes: Visualization of a user interacting with the browser and a bot (typing). Simulate detecting both cases.
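The flow on this slide (gather client details, run a series of checks, assign a risk score, alert on the score), as an added example that is not F5's code. The telemetry field names, check weights and alert threshold are assumptions chosen for illustration, and the sessions are constructed samples covering a human, a human using autofill, and two kinds of automation.

```javascript
'use strict';

// Coefficient of variation of the gaps between key presses.
// Human typing is uneven; replayed or scripted typing is close to uniform.
function cadenceVariation(keyTimesMs) {
  if (keyTimesMs.length < 3) return 0;
  const gaps = keyTimesMs.slice(1).map((t, i) => t - keyTimesMs[i]);
  const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
  if (mean <= 0) return 0;
  const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
  return Math.sqrt(variance) / mean;
}

// Each check returns true when the session looks automated.
// Weights are assumptions; no single weak signal reaches the threshold alone.
const CHECKS = [
  { name: 'fields_filled_without_keystrokes', weight: 40,
    test: s => s.filledChars > 0 && s.keyTimesMs.length === 0 },
  { name: 'uniform_typing_cadence', weight: 35,
    test: s => s.keyTimesMs.length >= 3 && cadenceVariation(s.keyTimesMs) < 0.1 },
  { name: 'no_pointer_or_touch_activity', weight: 15,
    test: s => s.pointerEvents === 0 },
  { name: 'submitted_faster_than_reading', weight: 20,
    test: s => s.submitMs - s.loadMs < 1500 },
];

const ALERT_THRESHOLD = 50; // assumed cut-off for raising an alert

// Run every check, sum the weights of those that fired, decide on an alert.
function scoreTransaction(session) {
  const fired = CHECKS.filter(c => c.test(session));
  const score = fired.reduce((sum, c) => sum + c.weight, 0);
  return { score, reasons: fired.map(c => c.name), alert: score >= ALERT_THRESHOLD };
}

// Constructed sample sessions (times in ms since page load).
const humanSession = { loadMs: 0, submitMs: 18400, pointerEvents: 57, filledChars: 8,
  keyTimesMs: [5200, 5390, 5510, 5890, 6010, 6320, 6405, 6900] };
// A person whose password manager filled the form: one signal, no alert.
const autofillSession = { loadMs: 0, submitMs: 6000, pointerEvents: 30, filledChars: 8,
  keyTimesMs: [] };
// Script that sets field values directly and submits at once.
const injectedSession = { loadMs: 0, submitMs: 420, pointerEvents: 0, filledChars: 8,
  keyTimesMs: [] };
// Script that synthesises key events at a fixed 50 ms interval.
const scriptedTypingSession = { loadMs: 0, submitMs: 9000, pointerEvents: 0, filledChars: 8,
  keyTimesMs: [1000, 1050, 1100, 1150, 1200, 1250, 1300, 1350] };

for (const [label, s] of Object.entries({ humanSession, autofillSession,
  injectedSession, scriptedTypingSession })) {
  console.log(label, JSON.stringify(scoreTransaction(s)));
}
```

The autofill case shows why the score combines several signals: a legitimate user can trip one check, so an alert needs corroboration.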

Advanced Phishing Attack Detection and Prevention
Identify phishing threats early on and stop attacks before emails are sent
- Alert of extensive site copying or scanning
- Alert on uploads to a hosting server or company
- Alert upon login and testing of phishing site
- Shut down identified phishing server sites during testing
[Diagram: Web Application, Internet. 1. Copy website; 2. Save copy to computer; 3. Upload copy to spoofed site; 4. Test spoofed site; Capture user credentials]
Speaker notes:
- Key part of our strategy.
- Animate the attack: copy a website, put it somewhere else, test it, send an email blast, user starts using it.
- Alert on download of image.
- Alert on upload to a hosting company.
- User logs in to the phishing website: we get an alert with details.
- Shut down phishing proxy before email is sent to victims. The minute the hacker starts to test, we shut it down.
- Alert at each stage of phishing site development.

Key Features of a Web Fraud Protection Solution
- Provide transparent anti-fraud solution
- Simplify product rollout
- Protect users' data in use
- Protect all customers on all devices
- Clientless: we inject code as reverse proxy
- Ensures Regulatory Compliance: Satisfies PCI-DSS Requirement 1.3.7 GLB ACT
- Consolidates infrastructure and maintenance costs: Single integrated solution (BIG-IP, VIPRION, VE) vs. multi-box solutions; total cost of ownership savings between 29% - 72%, depending on service option selected, subscription length, and number of users
- Combine fraud detection and protection
- Ensure compliance
- Prevent phishing attacks

Security Operations Center fraud analysis team

Security Operations Center (SOC)
Leverage a 24x7x365 fraud analysis team that extends your security team
- Research and investigate new global fraud technology and schemes
- Provide detailed incident reports
- Offer continuous web fraud component checks
- Send real-time alerts by phone, SMS, and email
- Take down phishing sites and brand abuse sites

Cyber Intelligence
Always-on cyber research and analysis
- Source information from a variety of resources
- Analyse malware files and research drop zones
- Provide quarterly dedicated reports
- Deliver the right information
- Identify attackers, command & control, drop zones, mule accounts, compromised users
- Identify social network scheming, sophisticated online fraud and brand abuse

Phishing Site Take-Down Service
Quickly identify and shut down brand abuse websites
- monitoring and response team
- Complete attack assessment and post-partum attack report
- Leverage relationships with ISPs, anti-phishing groups, and key international agencies
- Offer malicious site take-down in minimal time
- Provide recommendations for counter security measures

Key Benefits of Using a Security Operations Center
- Provide 24x7 expert security watch
- Integrate with SIEM and risk management systems
- Turn on services immediately
- Only web gateway to secure against inbound and outbound malware
- Maps and tracks user identity to network addresses
- Fully tracks activity by user identity and their device
- Links user identity with endpoint integrity, assuring endpoint health prior to and after Web access
- One-stop for all access policy, inbound and outbound
- Reduces chances of human error
- Strengthens policies
- Reduces overhead
- Increases security posture
- Delivers consolidated policy views, both inbound and outbound
- Ensures Regulatory Compliance: Satisfies PCI-DSS Requirement 1.3.7 GLB ACT
- Consolidates infrastructure and maintenance costs: Single integrated solution (BIG-IP, VIPRION, VE) vs. multi-box solutions; total cost of ownership savings between 29% - 72%, depending on service option selected, subscription length, and number of users
- Offer immediate phishing site shutdown
- Provide up-to-date threat intelligence
- Reduce fraud loss

Example Architecture

Example of a Web Fraud Protection Architecture
[Architecture diagram. Components: Online Customers, Network Firewall, Web Fraud Protection, Application, Local alert server and/or SIEM, Security Operations Center. Threats shown: Man-in-the-Browser Attacks, Copied Pages and Phishing, Automated Transactions and Transaction integrity. Form shown: Account, Amount, Transfer Funds.]
Customer Scenarios:
- A: Malware detection and protection
- B: Anti-phishing
- C: Transaction analysis
Speaker notes: Highlight the multi-tenancy of the F5 SOC, web GUI, reports,… Reference architecture. Fraud detection and protection components are stored and configured on BIG-IP.

Anti-Fraud, Anti-Phishing, Anti-Malware
Prevent Fraud | Protect Online User | On All Devices | Full Transparency | In Real Time | Security Operations Center

Solutions for an Application World.