When Identity Matters Most
Lastwall: The Power of the Identity Firewall
Executive Summary
80% of all breaches, representing more than $320Bn per year,
could be prevented if we knew who was behind these blind credentials*
The proliferation of high level attacks over the last few years has produced
an environment where it is no longer safe to assume that just because a
user enters the correct credentials, it is the correct user. With over a billion
usernames and passwords available for sale through grey and black
markets, many new hacking attempts are focusing on attacking end user
accounts, often by simply purchasing username and password lists, and
using bots, scripts or low cost labor to attempt to access hundreds or
thousands of popular web services or fraudulently creating new accounts
that circumvent existing detection systems.
This credential problem is significantly compounded by the rise of advanced
persistent bots, simulated behavior bots and a new generation of advanced
AI bots designed to mimic human cognitive and behavioral patterns. While
many of the elements of these bots have been developed by nation state
actors and are primarily aimed at highly targeted attacks, their release into
the wild has significantly contributed to a new class of malware and bot
design with a much higher level of sophistication. These bots not only wreak
havoc in applications secured by traditional authentication systems but also
have forced deployments of two factor authentication solutions, which
increase customer support costs and come at the expense of end user
convenience.
The Lastwall Identity Firewall approach focuses on positively identifying a
real user from a fraudster or a bot through the use of advanced behavioral
and cognitive biometrics in conjunction with machine profiling, network
analysis and advanced bot detection techniques. This approach ensures
that only the correct users get in, while bots and malicious users do not, all
without any change to the end user experience.
*Source: Verizon Data Breach Investigations Report
Lastwall: The Power of the Identity Firewall
3 Proprietary & Confidential ©Lastwall Networks Inc. 2016
Table of Contents
The Evolution of Web Threats .......................................................................................... 4
Credential Theft, Mules, and Automated Credential Attacks ....................................................... 5
Why These Attacks Work .......................................................................................................... 5
Step 1: Get the credentials ........................................................................................................ 5
Step 2: Check the credentials .................................................................................................... 7
Step 3: Profit ............................................................................................................................. 7
New Fraudulent Account Creation ............................................................................................ 9
The Identity Firewall ......................................................................................................... 10
What is an Identity Firewall .................................................................................................... 10
The Lastwall Platform ....................................................................................................... 12
RISC is Easy to Integrate ......................................................................................................... 14
Coordinating Action with SAVE ............................................................................................... 14
The Evolution of Web Threats
Cybercrime is a growth industry.
The returns are great, and the risks are low.
We estimate that the likely annual cost to the global economy from cybercrime is more than $400 billion. A conservative estimate would be $375 billion in
losses, while the maximum could be as much as $575 billion.
Intel Security: Net Losses: Estimating the Global Cost of Cybercrime
As the web continues to change and grow, so too do the attack
vectors that are actively deployed by malicious users and fraudsters.
In the last decade, the field of hacking has rapidly organized and
advanced exponentially from what could have previously been
characterized as a cottage industry of miscreants into a sophisticated,
organized global economic system, primarily due to the huge profits
available at low risk. Malware production as an example has moved
from individualized production to staged environments with organized
group development, often sold with 24x7 support agreements. Hacks
are now rarely perpetrated by a single party, and are often highly
coordinated using advanced cloud infrastructure. Understanding how
these attacks are perpetrated is a first step to understanding how to
prevent them.
Credential Theft, Mules, and Automated Credential Attacks
Why These Attacks Work
On average a typical web user has 25 accounts, but only 3-5
passwords. Users are exhausted, and the more stringent password
requirements become, the more likely users are to re-use passwords
across accounts. In conjunction with many systems using email
addresses as a default username, there is inherent value to
credentials from any site, as there is a high statistical probability that
the same credentials will grant access to a variety of other sites. This
type of credential redeployment capability across services has
reduced the skill required to attack a service, and thereby
significantly broadened the attack base.
Step 1: Get the credentials
The first step for an attacker to execute a credential attack is to
procure a list of credentials.
Circa 2016, the easiest and least skilled way to procure credentials is
to purchase them. With the aforementioned sophistication of the
attacker ecosystem there are dozens of well-known marketplaces
around the dark web where it is possible to purchase stolen
credentials. In the current market there are over one billion user
names and passwords for sale, with prices ranging from $0.01 per
1000 accounts for older credentials to $5 per account for “freshly
harvested” credentials which have been tested to work on particular
services.
A second but more difficult way to procure credentials is to breach a
service with a credential repository, or to outsource the breach of a
credential repository to a hired hacker team. The low hanging fruit
for this fresh credential harvesting process is often smaller social or
other boutique sites that require login, typically with a user base of
hundreds of thousands to a few million users. These sites are
routinely attacked, often successfully, because their smaller revenue
figures result in a lower security budget and therefore less stringent
protection. In addition, newer and fast growing sites often have a
somewhat haphazard production process, which produces lower levels
of security sophistication, making them easier targets.
A third way to procure credentials is to steal them directly from
users. This can come in the form of targeted or opportunistic theft.
There are thousands of pieces of malware that opportunistically steal
usernames and passwords from target systems. These credentials
can then be re-used on a target system or sold on in the
marketplace. However for a targeted attack, a common approach is
to prey on the naivety of a user base and to directly run spear
phishing campaigns, where users are presented with a login that
seems similar to the target site, often by using cloned sites with
similar URLs.
Step 2: Check the credentials
Once a hacker has procured the credentials, they then need to test
the credentials to see where they work. This typically involves using
the credentials to attempt to login to hundreds or thousands of
popular or valuable web services, such as banks, social media sites
and e-commerce portals. Most often this is done through the use of
an account checking program, which is designed to automate this
process, however it is becoming increasingly common in the case of
fresh, high value credentials, that this checking is done by a network
of human mules who will evade automated bot detection systems.
Research shows that between 1% and 2% of automated login attempts are
successful; however, in situations where mules are used in
conjunction with distributed, authentic IPv6 nodes, this rate is often
close to 100%, as they are able to evade almost all current systems.
After testing and finding valid accounts, the attacker then steals
whatever data is in an account. While the most common actions are
the theft of monetary information and the draining of accounts, it is
worth noting that this could also be the theft of personally identifiable
information (PII), intellectual property or other valuable information.
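The checking phase described above leaves a characteristic trace in an authentication log: one source address cycling through many distinct usernames with a success rate in the low single digits. The following is an added example (not Lastwall's code and not from the original paper) of a detection rule over that pattern, run against a constructed sample log; the log format, the field names and the thresholds (20 attempts, 10 distinct users, 5% success rate, 5-minute window) are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def build_sample_log():
    """Constructed sample authentication log (not from the page).

    203.0.113.5 cycles through 50 distinct usernames with one success (2%),
    matching the account-checking pattern; 198.51.100.7 is an ordinary user
    who mistypes a password once and then logs in normally.
    """
    base = datetime(2016, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(50):
        ts = (base + timedelta(seconds=3 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        result = "success" if i == 17 else "fail"
        lines.append(f"{ts} ip=203.0.113.5 user=user{i:03d} result={result}")
    for i, result in enumerate(["fail", "success", "success"]):
        ts = (base + timedelta(minutes=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} ip=198.51.100.7 user=alice result={result}")
    return lines


def parse_line(line):
    """Parse 'TIMESTAMP key=value key=value ...' into a dict; 'ts' is a datetime."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return rec


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_attempts=20, min_distinct_users=10,
                               max_success_rate=0.05):
    """Flag source IPs that, within any sliding `window`, make at least
    `min_attempts` login attempts spread over at least `min_distinct_users`
    usernames with a success rate at or below `max_success_rate`.

    Returns {ip: {"attempts", "distinct_users", "success_rate"}} for the
    first window in which each flagged IP met the rule.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        end = 0  # two-pointer sliding window over the sorted records
        for start in range(len(recs)):
            while end < len(recs) and recs[end]["ts"] - recs[start]["ts"] <= window:
                end += 1
            chunk = recs[start:end]
            attempts = len(chunk)
            if attempts < min_attempts:
                continue
            users = {r["user"] for r in chunk}
            successes = sum(r["result"] == "success" for r in chunk)
            rate = successes / attempts
            if len(users) >= min_distinct_users and rate <= max_success_rate:
                flagged[ip] = {"attempts": attempts,
                               "distinct_users": len(users),
                               "success_rate": round(rate, 3)}
                break
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(build_sample_log()).items():
        print(f"credential stuffing suspected from {ip}: {stats}")
```

The rule keys on the ratio of distinct usernames to successes rather than on failures alone, so a single user who forgets a password is not flagged; the paper's observation that mule-driven checking from many authentic addresses approaches 100% success is exactly the case this per-IP rule does not catch, which is the gap the behavioural profiling in the following sections is aimed at.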
Step 3: Profit
Finally the attacker monetizes the stolen information again through
the dark markets. This could be in the form of the sale of verified
account credentials for others to misuse, the sale of the stolen
information, such as credit card information or PII, or the direct use
of the stolen information, such as the purchase of gift cards or other
fungible digital commodities such as virtual goods in the gaming
markets.
Sometimes with the direct use of stolen information, it is more
profitable to purchase physical goods via online or even local retailers
and resell at a steep discount either online through secondary
legitimate sites such as e-Bay or directly via local crime syndicates.
This offline collaboration with traditional organized crime networks
has increased the profitability of the seemingly legitimate purchase of
physical goods via stolen financial data.
The theft of personally identifiable information can often be much
more damaging to the end user than the theft of their current
financial data. Harvested PII can then be used for further and often
devastating identity theft crimes, where new accounts are created
without the authentic user’s knowledge. These new credit card or
other consumer debt accounts are fraudulently issued with all funds
being promptly withdrawn by the attackers before the user realises or
has time to respond. In many jurisdictions this can be covered by
private sector or government backed insurance programs, however
these cases can often be difficult to prove and can take years to
resolve.
In addition, there can also be real risks to the user in the cases of
some specific PII attacks, as with cases of stolen healthcare data,
where real users have been blackmailed, have had their health
savings accounts drained, or their data has been used to gain access
to valuable prescription drugs that can be illegally resold on the dark
web.
New Fraudulent Account Creation
New account signup has been a popular fraud vector for a number of
years. It has been a particularly intense “cat and mouse” security
scenario, as new accounts are particularly prized for a variety of
reasons, including for their ability to avoid many types of money
transfer restrictions. New accounts also often confer promotional
offers that are designed for legitimate new users, which can be very
lucrative for a hacker if they can resell these benefits in some other
form.
As companies have realised the problems presented by hackers and
have deployed counter technologies such as bot detection systems
and web application firewalls in an attempt to reduce fraudulent
activities, the hacking ecosystem has adapted and developed novel
approaches to circumventing anti-fraud systems. The attacker
community regularly coordinates efforts to circumvent technologies
that prevent fraudulent account creation. Tools such as captchas that
were once very effective are being bypassed using novel techniques
such as offshore low cost mule networks. These networks work in
conjunction with new account creation bots, and often have
reasonably high speed API services, where teams of low paid,
unskilled workers are employed to solve captcha puzzles in parallel,
allowing thousands of new fraudulent accounts to be created per
hour. This type of pseudo-automated account signup has left
many companies unable to tell which users are real and which
have been created by the mule networks.
The Identity Firewall
The Lastwall Platform focuses on shutting down these types of credential
stuffing, account take over and new fraudulent account creation attempts.
Most systems tend to focus on keeping bots and bad actors out, but the
problem with this approach is that identification of the bad actors is
becoming increasingly difficult as their sophistication level rises. As the
saying goes, you don’t know what you don’t know, and that applies to users in
this cyber-attack-oriented age.
What is an Identity Firewall?
The Lastwall Identity Firewall approach, as highlighted in the figure below,
focuses on understanding the authentic user, and only letting a positively
identified user into the account. In the same way that next generation
network firewalls transitioned from simply blacklisting bad ports to blocking
all ports and whitelisting and opening actively used ports when they need to
be used, the Lastwall Identity Firewall approach blocks all access attempts
by default, and only lets the correct user in. It does this by using new
cognitive biometric, behavioral biometric and behavioral analysis techniques
in conjunction with machine, network and usage pattern identification, to
create a unique profile of all the behavior and patterns associated with how
the correct user legitimately accesses their account. This whitelisting
approach is much more effective than traditional bot detection or malicious
actor detection approaches, which focus on keeping known malicious
behavior out. This is because the Identity Firewall whitelisting approach
catches all the things that aren’t a user, which means it catches things that
are not known in conjunction with catching the known types of threats.
In addition to profiling and whitelisting authentic users, Lastwall uses the
identity firewall data in aggregate to create new models of how authentic
users interact with their devices and the web, and uses this data to create
new types of dynamic filters using advanced machine learning techniques,
which can stop suspicious or bot based activity before it even begins to
cause damage. This dynamic filtering approach is highly adept at catching
fraudulent new account creation and by using cognitive behavioral biometric
profiling can even catch human mules that are using stolen data to create
fraudulent accounts. The Lastwall Identity Firewall approach provides a first
line of defence for application security and can be layered on top of the vast
majority of existing systems and authentication schemes to reduce risk and
deter fraud, all without changing the user experience for the 99% of users
who are authentic consumers.
The Lastwall Platform
Overview
The Lastwall Platform is a cloud based Identity Firewall system, which
focuses on delivering end-user risk based access control and anti-fraud
capabilities through a powerful but lightweight set of cloud based APIs. The
primary function of the system is to provide an easy to integrate flexible
platform that uses a variety of proprietary behavioral biometric and
cognitive biometric scoring techniques, combined with advanced network
detection and device fingerprinting to provide a comprehensive view of end
user activity. This next generation platform provides detection and
prevention capabilities, primarily targeted to use cases that span across
web based new user account fraud, advanced bot based fraud, and
compromised credential based account take over.
The Lastwall Platform comprises two primary components, the Real Time
Risk Identification and Scoring Capability (RISC) subsystem and the
Secondary Authentication and Verification Engine (SAVE) subsystem. While
each of these systems can be used separately, they provide maximum
benefit when used in tandem.
The primary function of RISC as shown in the image above is to detect real
time risk at the moment of user login or registration. While it is possible to
call the RISC API at other times, the vast majority of use cases revolve
around the login and account creation processes. In its default
configuration, the RISC API is called immediately after the user submits
their credentials (such as username and password, or token) in a standard
login process or on completion of a new account application. After
analysing the captured data, the API returns a heuristic risk score, which
can then be used to perform a variety of actions based on RISC’s
configuration.
RISC is Easy to Integrate
RISC does not require deep integration that would mandate making
significant changes to all pages. This approach was based on strong
customer preferences, which indicated that ease of deployment was of
paramount importance. The single page quick snapshot approach that
Lastwall uses is in stark contrast to other systems that deploy technologies
that track users through all the pages of a site, or change the data on every
page served, which often introduces tremendous amounts of work and can
be very time consuming to deploy. In most circumstances Lastwall can be
implemented in a very short time, making sure even the busiest of security
teams can fit it into their schedule.
Coordinating Action with SAVE
In a standalone configuration RISC can form the basis of further in-house
authentication decisions, such as denying access or calling a client hosted
secondary authentication solution on a sufficiently high-risk score that
would indicate a malicious actor or bot.
However, in its most secure form, RISC can be configured to call Lastwall’s
Secondary Authentication and Verification Engine (SAVE) via API. SAVE is
the Lastwall companion authentication subsystem that can use either a third
party service (such as an RFC 6238 OTP service like Google Authenticator), a client in-
house service, or a Lastwall pre-built 2-step verification service, called
at configurable risk thresholds.
This makes the Lastwall Platform well suited to clients who wish to be able
to rapidly deploy and live test new end user authentication technologies,
such as mobile device based biometric solutions or password-less
authentication schemes. Instead of directly integrating the new test
technology, a client can configure Lastwall to trigger the new test
technology on certain risk scores. For example if a client wishes to test a
new password-less program to see if it quantitatively increases sales,
Lastwall can be configured to direct the users to the password-less system
on very low risk scores, deliver the standard service on normal risk scores,
and force a 2-step break if there is elevated risk. After testing these
technologies live with users, if a client wishes to remove them, as they do
not find the technology appropriate, these technologies can be easily
removed from the platform and replaced with other technologies. As such,
Lastwall enables rapid deployment of new test technologies by drastically
reducing the time required to deploy, which decreases the exposure risks of
deploying new authentication solutions.
SAVE can also be configured to escalate through increasingly strong
verification methods on increasing risk levels, which is useful when there
are multiple active risks. For example, SAVE could be configured to trigger
a client system to send an email or text message to a registered account or
device on a medium-low risk threshold, to trigger calling a user’s mobile
phone and requiring keyed input to verify on a medium risk threshold, and
to trigger a voice or video call to a call-centre on a high risk threshold. This
can also help reduce costs by decreasing the amount of expensive 2-step
processes that are deployed. Lastwall also has a high-end proprietary
relationship based authentication system that can solve what Google calls
the “Achilles heel” of 2FA, where the seed device is stolen, damaged, or
compromised. This solution allows for strong identity recertification, and
closes the door on social engineering attacks during authentication and
authorization processes.
To find out more about the Lastwall Platform or schedule a demo,
please contact your account representative, or email [email protected]