When Identity Matters Most Lastwall: The Power of the Identity Firewall

Post on 30-Sep-2020



Executive Summary

80% of all breaches, representing more than $320Bn per year, could be prevented if we knew who was behind these blind credentials*

The proliferation of high level attacks over the last few years has produced an environment where it is no longer safe to assume that just because a user enters the correct credentials, it is the correct user. With over a billion usernames and passwords available for sale through grey and black markets, many new hacking attempts are focusing on attacking end user accounts, often by simply purchasing username and password lists, and using bots, scripts or low cost labor to attempt to access hundreds or thousands of popular web services or fraudulently creating new accounts that circumvent existing detection systems.

This credential problem is significantly compounded by the rise of advanced persistent bots, simulated behavior bots and a new generation of advanced AI bots designed to mimic human cognitive and behavioral patterns. While many of the elements of these bots have been developed by nation state actors and are primarily aimed at highly targeted attacks, their release into the wild has significantly contributed to a new class of malware and bot design with a much higher level of sophistication. These bots not only wreak havoc in applications secured by traditional authentication systems but also have forced deployments of two factor authentication solutions, which increase customer support costs and come at the expense of end user convenience.

The Lastwall Identity Firewall approach focuses on positively identifying a real user from a fraudster or a bot through the use of advanced behavioral and cognitive biometrics in conjunction with machine profiling, network analysis and advanced bot detection techniques. This approach ensures that only the correct users get in, while bots and malicious users do not, all without any change to the end user experience.

*Source: Verizon Data Breach Investigations Report


Lastwall: The Power of the Identity Firewall

Proprietary & Confidential ©Lastwall Networks Inc. 2016

Table of Contents

The Evolution of Web Threats .......... 4
Credential Theft, Mules, and Automated Credential Attacks .......... 5
Why These Attacks Work .......... 5
Step 1: Get the credentials .......... 5
Step 2: Check the credentials .......... 7
Step 3: Profit .......... 7
New Fraudulent Account Creation .......... 9
The Identity Firewall .......... 10
What is an Identity Firewall .......... 10
The Lastwall Platform .......... 12
RISC is Easy to Integrate .......... 14
Coordinating Action with SAVE .......... 14


The Evolution of Web Threats

“Cybercrime is a growth industry. The returns are great, and the risks are low. We estimate that the likely annual cost to the global economy from cybercrime is more than $400 billion. A conservative estimate would be $375 billion in losses, while the maximum could be as much as $575 billion.”

Intel Security: Net Losses: Estimating the Global Cost of Cybercrime

As the web continues to change and grow, so too do the attack vectors that are actively deployed by malicious users and fraudsters. In the last decade, the field of hacking has rapidly organized and advanced exponentially from what could have previously been characterized as a cottage industry of miscreants into a sophisticated, organized global economic system, primarily due to the huge profits available at low risk. Malware production as an example has moved from individualized production to staged environments with organized group development, often sold with 24x7 support agreements. Hacks are now rarely perpetrated by a single party, and are often highly coordinated using advanced cloud infrastructure. Understanding how these attacks are perpetrated is a first step to understanding how to prevent them.


Credential Theft, Mules, and Automated Credential Attacks

Why These Attacks Work

On average a typical web user has 25 accounts, but only 3-5 passwords. Users are exhausted, and the more stringent password requirements become, the more likely users are to re-use passwords across accounts. In conjunction with many systems using email addresses as a default username, there is inherent value to credentials from any site, as there is a high statistical probability that the same credentials will grant access to a variety of other sites. This type of credential redeployment capability across services has reduced the skill required to attack a service, and thereby significantly broadened the attack base.

Step 1: Get the credentials

The first step for an attacker to execute a credential attack is to procure a list of credentials.

Circa 2016, the easiest and least skilled way to procure credentials is to purchase them. With the aforementioned sophistication of the attacker ecosystem there are dozens of well-known marketplaces around the dark web where it is possible to purchase stolen credentials. In the current market there are over one billion user names and passwords for sale, with prices ranging from $0.01 per 1000 accounts for older credentials to $5 per account for “freshly harvested” credentials which have been tested to work on particular services.

A second but more difficult way to procure credentials is to breach a service with a credential repository, or to outsource the breach of a credential repository to a hired hacker team. The low hanging fruit for this fresh credential harvesting process is often smaller social or other boutique sites that require login, typically with a user base of hundreds of thousands to a few million users. These sites are routinely attacked, often successfully, because their smaller revenue figures result in a lower security budget and therefore less stringent protection. In addition, newer and fast growing sites often have a somewhat haphazard production process, which produces lower levels of security sophistication, making them easier targets.

A third way to procure credentials is to steal them directly from users. This can come in the form of targeted or opportunistic theft. There are thousands of pieces of malware that opportunistically steal usernames and passwords from target systems. These credentials can then be re-used on a target system or sold on in the marketplace. However, for a targeted attack, a common approach is to prey on the naivety of a user base and to directly run spear phishing campaigns, where users are presented with a login that seems similar to the target site, often by using cloned sites with similar URLs.


Step 2: Check the credentials

Once a hacker has procured the credentials, they then need to test the credentials to see where they work. This typically involves using the credentials to attempt to log in to hundreds or thousands of popular or valuable web services, such as banks, social media sites and e-commerce portals. Most often this is done through the use of an account checking program, which is designed to automate this process; however, in the case of fresh, high value credentials, it is becoming increasingly common for this checking to be done by a network of human mules who will evade automated bot detection systems. Research shows that between 1% and 2% of automated login attempts are successful; however, in situations where mules are used in conjunction with distributed authentic IPv6 nodes, this rate is often close to 100% as they are able to evade almost all current systems.

After testing and finding valid accounts, the attacker then steals whatever data is in an account. While the most common actions are the theft of monetary information and the draining of accounts, it is worth noting that this could also be the theft of personally identifiable information (PII), intellectual property or other valuable information.
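A defender-side counterpart to the account-checking traffic described in Step 2, added here as an example and not taken from the Lastwall paper: it scores per-source login traffic by the number of distinct usernames tried and the success rate, rather than by raw failure counts, and reports which accounts the flagged source actually got into. The log format, thresholds and sample lines are all constructed for this example.

```python
"""Credential-stuffing detector over constructed auth log lines.

Added example, not part of the Lastwall paper. The log format, thresholds and
sample values are all constructed here.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.7 sprays one attempt per account and lands one hit (the low
# single-digit success profile the paper describes for automated checking);
# the other two sources are ordinary users retrying their own account.
SAMPLE_LOG = """\
2016-06-01T10:00:01Z 203.0.113.7 alice FAIL
2016-06-01T10:00:02Z 203.0.113.7 bob FAIL
2016-06-01T10:00:02Z 203.0.113.7 carol FAIL
2016-06-01T10:00:03Z 203.0.113.7 dave FAIL
2016-06-01T10:00:03Z 203.0.113.7 erin OK
2016-06-01T10:00:04Z 203.0.113.7 frank FAIL
2016-06-01T10:00:04Z 203.0.113.7 grace FAIL
2016-06-01T10:00:05Z 203.0.113.7 heidi FAIL
2016-06-01T10:00:05Z 203.0.113.7 ivan FAIL
2016-06-01T10:00:06Z 203.0.113.7 judy FAIL
2016-06-01T10:00:06Z 203.0.113.7 ken FAIL
2016-06-01T10:00:07Z 203.0.113.7 leo FAIL
2016-06-01T10:05:00Z 198.51.100.4 alice FAIL
2016-06-01T10:05:30Z 198.51.100.4 alice OK
2016-06-01T10:06:00Z 198.51.100.9 mallory FAIL
2016-06-01T10:06:05Z 198.51.100.9 mallory FAIL
2016-06-01T10:06:10Z 198.51.100.9 mallory OK
"""


def parse_line(line):
    """Return (epoch seconds, ip, user, success) for one constructed log line."""
    ts, ip, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when.timestamp(), ip, user, result == "OK"


def detect_stuffing(log_text, window_s=300, min_users=10, max_success_rate=0.10):
    """Flag sources whose traffic in a fixed time bucket looks like account checking.

    An account checker tries many *different* usernames from one source and
    succeeds on only a small fraction of them; a legitimate user retries a
    *single* account, so distinct-user count, not failure count, is the signal.
    Returns (flagged, hit_accounts): per-source stats for the flagged bucket
    (later buckets overwrite earlier ones) and the set of accounts the flagged
    sources logged into, which are the ones to step up or lock for verification.
    """
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            t, ip, user, ok = parse_line(line)
            buckets[(ip, int(t // window_s))].append((user, ok))

    flagged, hit_accounts = {}, set()
    for (ip, _bucket), attempts in buckets.items():
        users = {u for u, _ in attempts}
        successes = [u for u, ok in attempts if ok]
        rate = len(successes) / len(attempts)
        if len(users) >= min_users and rate <= max_success_rate:
            flagged[ip] = {
                "attempts": len(attempts),
                "distinct_users": len(users),
                "success_rate": round(rate, 3),
            }
            hit_accounts.update(successes)
    return flagged, hit_accounts


if __name__ == "__main__":
    sources, accounts = detect_stuffing(SAMPLE_LOG)
    for ip, stats in sources.items():
        print(f"credential stuffing from {ip}: {stats}")
    print("accounts to step up / reset:", sorted(accounts))
```

As the paper notes, checking spread across many authentic IP addresses by human mules will not trip a per-source heuristic like this one, which is the gap the identity-based approach in the later sections is meant to close.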

Step 3: Profit

Finally the attacker monetizes the stolen information again through the dark markets. This could be in the form of the sale of verified account credentials for others to misuse, the sale of the stolen information, such as credit card information or PII, or the direct use of the stolen information, such as the purchase of gift cards or other fungible digital commodities such as virtual goods in the gaming markets.

Sometimes with the direct use of stolen information, it is more profitable to purchase physical goods via online or even local retailers and resell at a steep discount either online through secondary legitimate sites such as e-Bay or directly via local crime syndicates. This offline collaboration with traditional organized crime networks has increased the profitability of the seemingly legitimate purchase of physical goods via stolen financial data.

The theft of personally identifiable information can often be much more damaging to the end user than the theft of their current financial data. Harvested PII can then be used for further and often devastating identity theft crimes, where new accounts are created without the authentic user’s knowledge. These new credit card or other consumer debt accounts are fraudulently issued with all funds being promptly withdrawn by the attackers before the user realises or has time to respond. In many jurisdictions this can be covered by private sector or government backed insurance programs, however these cases can often be difficult to prove and can take years to resolve.

In addition, there can also be real risks to the user in the cases of some specific PII attacks, as with cases of stolen healthcare data, where real users have been blackmailed, have had their health savings accounts drained, or their data has been used to gain access to valuable prescription drugs that can be illegally resold on the dark web.


New Fraudulent Account Creation

New account signup has been a popular fraud vector for a number of

years. It has been a particularly intense “cat and mouse” security

scenario, as new accounts are particularly prized for a variety of

reasons, including for their ability to avoid many types of money

transfer restrictions. New accounts also often confer promotional

offers that are designed for legitimate new users, which can be very

lucrative for a hacker if they can resell these benefits in some other

form.

As companies have realised the problems presented by hackers and

have deployed counter technologies such as bot detection systems

and web application firewalls in an attempt to reduce fraudulent

activities, the hacking eco-system has adapted and developed novel

new approaches to circumventing anti-fraud systems. The attacker

community regularly coordinate efforts to circumvent technologies

that prevent fraudulent account creation. Tools such as captchas that

were once very effective are being bypassed using novel techniques

such as offshore low cost mule networks. These networks work in

conjunction with new account creation bots, and often have

reasonably high speed API services, where teams of low paid

unskilled workers are employed to solve captcha puzzles in parallel,

allowing for thousands of new fraudulent accounts to be created per

hour. This type of pseudo-automated account signup has resulted in

many companies not knowing which users are real users, and which

have been created by the mule networks.


The Identity Firewall

The Lastwall Platform focuses on shutting down these types of credential stuffing, account take over and new fraudulent account creation attempts. Most systems tend to focus on keeping bots and bad actors out, but the problem with this approach is that identification of the bad actors is becoming increasingly difficult as their sophistication level rises. As the saying goes, you don’t know what you don’t know, and that goes for users in this cyber-attack-oriented age.

What is an Identity Firewall?

The Lastwall Identity Firewall approach, as highlighted in the figure below, focuses on understanding the authentic user, and only letting a positively identified user into the account. In the same way that next generation network firewalls transitioned from simply blacklisting bad ports to blocking all ports and whitelisting and opening actively used ports when they need to be used, the Lastwall Identity Firewall approach blocks all access attempts by default, and only lets the correct user in. It does this by using new cognitive biometric, behavioral biometric and behavioral analysis techniques in conjunction with machine, network and usage pattern identification, to create a unique profile of all the behavior and patterns associated with how the correct user legitimately accesses their account. This whitelisting approach is much more effective than traditional bot detection or malicious actor detection approaches, which focus on keeping known malicious behavior out. This is because the Identity Firewall whitelisting approach catches all the things that aren’t the user, which means it catches unknown threats in addition to the known types of threats.


In addition to profiling and whitelisting authentic users, Lastwall uses the identity firewall data in aggregate to create new models of how authentic users interact with their devices and the web, and uses this data to create new types of dynamic filters using advanced machine learning techniques, which can stop suspicious or bot based activity before it even begins to cause damage. This dynamic filtering approach is highly adept at catching fraudulent new account creation and by using cognitive behavioral biometric profiling can even catch human mules that are using stolen data to create fraudulent accounts. The Lastwall Identity Firewall approach provides a first line of defence for application security and can be layered on top of the vast majority of existing systems and authentication schemes to reduce risk and deter fraud, all without changing the user experience for the 99% of users who are authentic consumers.


The Lastwall Platform

Overview

The Lastwall Platform is a cloud based Identity Firewall system, which focuses on delivering end-user risk based access control and anti-fraud capabilities through a powerful but lightweight set of cloud based APIs. The primary function of the system is to provide an easy to integrate flexible platform that uses a variety of proprietary behavioral biometric and cognitive biometric scoring techniques, combined with advanced network detection and device fingerprinting to provide a comprehensive view of end user activity. This next generation platform provides detection and prevention capabilities, primarily targeted to use cases that span across web based new user account fraud, advanced bot based fraud, and compromised credential based account take over.


The Lastwall Platform comprises two primary components, the Real Time Risk Identification and Scoring Capability (RISC) subsystem and the Secondary Authentication and Verification Engine (SAVE) subsystem. While each of these systems can be used separately, they provide maximum benefit when used in tandem.

The primary function of RISC, as shown in the image above, is to detect real time risk at the moment of user login or registration. While it is possible to call the RISC API at other times, the vast majority of use cases revolve around the login and account creation processes. In its default configuration, the RISC API is called immediately after the user submits their credentials (such as username and password, or token) in a standard login process, or on completion of a new account application. After analysing the captured data, the API returns a heuristic risk score, which can then be used to perform a variety of actions based on RISC’s configuration.


RISC is Easy to Integrate

RISC does not require deep integration that would mandate making significant changes to all pages. This approach was based on strong customer preferences, which indicated that ease of deployment was of paramount importance. The single page quick snapshot approach that Lastwall uses is in stark contrast to other systems that deploy technologies that track users through all the pages of a site, or change the data on every page served, which often introduces tremendous amounts of work and can be very time consuming to deploy. In most circumstances Lastwall can be implemented in a very short time, making sure even the busiest of security teams can fit it into their schedule.

Coordinating Action with SAVE

In a standalone configuration RISC can form the basis of further in-house authentication decisions, such as denying access or calling a client hosted secondary authentication solution on a sufficiently high-risk score that would indicate a malicious actor or bot.

However, in its most secure form, RISC can be configured to call Lastwall’s Secondary Authentication and Verification Engine (SAVE) via API. SAVE is the Lastwall companion authentication subsystem that can use either a third party service (such as an RFC 6238 OTP service like Google Authenticator), a client in-house service, or a Lastwall pre-built 2-step verification service, called at configurable risk thresholds.

This makes the Lastwall Platform well suited to clients who wish to be able to rapidly deploy and live test new end user authentication technologies, such as mobile device based biometric solutions or password-less authentication schemes. Instead of directly integrating the new test technology, a client can configure Lastwall to trigger the new test technology on certain risk scores. For example, if a client wishes to test a new password-less program to see if it quantitatively increases sales, Lastwall can be configured to direct the users to the password-less system on very low risk scores, deliver the standard service on normal risk scores, and force a 2-step break if there is elevated risk. After testing these technologies live with users, if a client wishes to remove them because they do not find the technology appropriate, these technologies can be easily removed from the platform and replaced with other technologies. As such, Lastwall enables rapid deployment of new test technologies by drastically reducing the time required to deploy, which decreases the exposure risks of deploying new authentication solutions.

SAVE can also be configured to escalate through increasingly strong verification methods on increasing risk levels, which is useful when there are multiple active risks. For example, SAVE could be configured to trigger a client system to send an email or text message to a registered account or device on a medium-low risk threshold, to trigger calling a user’s mobile phone and requiring keyed input to verify on a medium risk threshold, and to trigger a voice or video call to a call-centre on a high risk threshold. This can also help reduce costs by decreasing the amount of expensive 2-step processes that are deployed. Lastwall also has a high-end proprietary relationship based authentication system that can solve what Google calls the “Achilles heel” of 2FA, where the seed device is stolen, damaged, or compromised. This solution allows for strong identity recertification, and closes the door on social engineering attacks during authentication and authorization processes.
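The score-to-action flow of the RISC and SAVE subsystems described above, together with the escalation ladder in this section, as an added example that is not Lastwall code: a small policy engine that maps a risk score to a verification tier, escalates one rung on each failed challenge, checks at load time that the configured ladder only ever gets stronger, and fails closed when no score is available. The 0-100 score scale, the threshold values, the action names and the `challenge` callback are all assumptions; Lastwall's actual API and scoring are proprietary and not represented here.

```python
"""Risk-threshold step-up policy in the shape of the RISC -> SAVE flow.

Added example, not Lastwall code. Scores are assumed to be 0-100 with higher
meaning riskier; the ladder thresholds and action names are constructed,
since the paper only names the tiers qualitatively.
"""

# Each rung: (minimum score, verification action). Mirrors the paper's tiers:
# very low -> password-less trial, normal -> standard service, medium-low ->
# email/SMS, medium -> phone call with keyed input, high -> live call centre.
LADDER = [
    (0, "passwordless"),
    (20, "allow"),
    (40, "email_or_sms"),
    (60, "phone_keyed"),
    (80, "call_centre"),
]
DENY_AT = 95  # constructed: scores at or above this are refused, not stepped up
TERMINAL = {"passwordless", "allow", "deny"}  # outcomes that end the flow


def validate_ladder(ladder):
    """Reject a ladder in which a higher score could map to a weaker method."""
    if not ladder or ladder[0][0] != 0:
        raise ValueError("ladder must start at score 0")
    for (lo, _), (hi, _) in zip(ladder, ladder[1:]):
        if hi <= lo:
            raise ValueError("thresholds must strictly increase")
    return True


def required_action(score, ladder=LADDER, deny_at=DENY_AT):
    """Map a RISC-style score to the SAVE-style action for this attempt.

    A missing score (risk API unreachable) fails closed, matching the paper's
    default-deny stance, rather than silently degrading to password-only.
    """
    if score is None:
        return "deny"
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    if score >= deny_at:
        return "deny"
    action = ladder[0][1]
    for threshold, candidate in ladder:  # last rung whose threshold is met wins
        if score >= threshold:
            action = candidate
    return action


def next_rung(action, ladder=LADDER):
    """After a failed challenge, escalate to the next stronger method, or deny."""
    names = [a for _, a in ladder]
    idx = names.index(action)
    return names[idx + 1] if idx + 1 < len(names) else "deny"


def handle_login(password_ok, score, challenge, ladder=LADDER):
    """Run the post-credential flow and return the final outcome.

    `challenge(action)` is a hypothetical callback that performs the named
    verification (email/SMS, phone, call centre) and returns True on success.
    """
    if not password_ok:
        return "deny"  # RISC is only consulted once the credentials check out
    action = required_action(score, ladder)
    while action not in TERMINAL:
        if challenge(action):
            return "allow"
        action = next_rung(action, ladder)  # a failed challenge escalates, never relaxes
    return action


validate_ladder(LADDER)  # fail fast on a misordered configuration

if __name__ == "__main__":
    # email/SMS challenge fails, the phone challenge passes -> allow
    print(handle_login(True, 45, lambda a: a == "phone_keyed"))
    print(handle_login(True, None, lambda a: True))  # no score -> deny
```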

To find out more about the Lastwall Platform or schedule a demo, please contact your account representative, or email [email protected]