https://blog.dashlane.com/infographic-online-overload-its-worse-than-you-thought/
Attacker Motivations
• Financial Fraud
• Virtual Currency
• Warranty Fraud
• SPAM
• Influence / Political Motivations
Financial Fraud and Theft
• Directly Stealing Cash
• Direct Theft of Physical Goods
Warranty Fraud
Virtual Currency
• As good as cash
• Easily Monetized
SPAM
• Nobody Likes SPAM
• Fresh accounts have the most restrictions
• An account with a good history and existing connections is far more valuable for SPAM
Influence & Political Motivations
Impact
Attack Techniques
• Credential Stuffing
• Brute Force
• Code Vulnerabilities
• Phishing
• Malware
Credential Stuffing
• Hundreds of millions of leaked credentials available online
• More than 50% of users reuse passwords on multiple websites
• Little or no protection on many sites
http://www.verizonenterprise.com/verizon-insights-lab/dbir/
https://haveibeenpwned.com/PwnedWebsites
Brute Force
Code Vulnerabilities
All your favourites:
• SQL Injection
• Cross Site Scripting (XSS)
• Session Fixation/Hijack
Phishing
Prevention & Detection
• Strengthen Your Login Process
• Have a “Plan B” to use when auth is suspect
• Majority of attacks require large volumes of requests - generally require automation
• Prevent attacks by stopping automated Bots
• Detect compromised accounts with behaviour profiling.
Multi Factor
Plan B
• Disable Account Access
• Force Password Reset through verified Email
• Security Questions
• Ask details about account
CAPTCHA
• Very difficult for a bot to bypass
• Easy (but annoying) for a human
Rate Limiting
• Count volume of events in a sliding time window
• Take action when the threshold is exceeded
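A sliding-window rate limiter as described on this slide, written here as an added example rather than code from the talk. It keys the count both by source IP (catches one bot spraying many usernames) and by username (catches many IPs targeting one account). The threshold, window length, and the login events themselves are constructed for illustration; the IP addresses are RFC 5737 documentation ranges.

```python
from collections import defaultdict, deque

# Constructed sample login attempts: (timestamp in seconds, source IP, username).
# 198.51.100.7 sprays eight usernames in eight seconds (credential-stuffing shape);
# six different IPs try the single account "carol"; 203.0.113.5 is a slow, benign-looking user.
SAMPLE_EVENTS = [
    (0, "198.51.100.7", "u01"), (1, "198.51.100.7", "u02"), (2, "198.51.100.7", "u03"),
    (3, "198.51.100.7", "u04"), (4, "198.51.100.7", "u05"), (5, "198.51.100.7", "u06"),
    (6, "198.51.100.7", "u07"), (7, "198.51.100.7", "u08"),
    (0, "203.0.113.5", "alice"), (30, "203.0.113.5", "alice"), (100, "203.0.113.5", "alice"),
    (10, "203.0.113.10", "carol"), (11, "203.0.113.11", "carol"), (12, "203.0.113.12", "carol"),
    (13, "203.0.113.13", "carol"), (14, "203.0.113.14", "carol"), (15, "203.0.113.15", "carol"),
    (200, "198.51.100.7", "u09"),  # same bot IP, but after the window has emptied
]


class SlidingWindowLimiter:
    """Count events per key inside a sliding time window of `window_seconds`."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.events = defaultdict(deque)  # key -> timestamps of recent events

    def record(self, key, now):
        """Record one event for `key` at time `now`; return True if the threshold is exceeded."""
        q = self.events[key]
        # Evict timestamps that have aged out of the window (oldest are at the left).
        while q and now - q[0] >= self.window:
            q.popleft()
        q.append(now)
        return len(q) > self.limit


def evaluate(events, limit=5, window_seconds=60):
    """Replay login events in time order; return the (timestamp, key_type, key) tuples that tripped a limit."""
    limiter = SlidingWindowLimiter(limit, window_seconds)
    flagged = []
    for ts, ip, user in sorted(events, key=lambda e: e[0]):
        # Per-IP key: one source hammering the login endpoint.
        if limiter.record(("ip", ip), ts):
            flagged.append((ts, "ip", ip))
        # Per-username key: a distributed attack on a single account.
        if limiter.record(("user", user), ts):
            flagged.append((ts, "user", user))
    return flagged


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("threshold exceeded:", hit)
```

The action taken on a hit (CAPTCHA, temporary block, step-up verification) is a policy decision separate from the counting; keying on more than one dimension matters because a single per-IP counter is blind to a botnet that spreads attempts across many addresses.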
Threat Intelligence
• Many Botnets are available for rent by attackers
• Each bot IP may end up attacking many different sites
• Threat Intel feeds aggregate information about bad IP addresses
Browser Fingerprinting
• Web browsers are very complex.
• Very difficult for a Bot script to replicate the entire behaviour of a browser
• Ask browser to do many different tasks. Use the results to distinguish human from bot
FingerprinTLS
https://github.com/LeeBrotherston/tls-fingerprinting
Behaviour Profiling
• Usual devices
• Usual geolocation
• Typical usage behaviour
• For significant changes, ask for additional verification
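A minimal behaviour profile of the kind this slide describes, added here as an example and not taken from the talk. It builds a per-user baseline of seen devices and countries from constructed login history, then classifies a new login: a known device from a known country is allowed, one unfamiliar attribute is logged for notification, and a new device from a new country (the "significant change") triggers additional verification. The decision labels and the rule that a user with no baseline is not challenged are assumptions made for the example.

```python
from collections import defaultdict

# Constructed login history: (username, device identifier, country code).
HISTORY = [
    ("alice", "dev-a1", "DE"), ("alice", "dev-a1", "DE"), ("alice", "dev-a2", "DE"),
    ("bob", "dev-b1", "US"), ("bob", "dev-b1", "US"), ("bob", "dev-b1", "CA"),
]


def build_profiles(history):
    """Aggregate each user's usual devices and usual geolocations from past logins."""
    profiles = defaultdict(lambda: {"devices": set(), "countries": set()})
    for user, device, country in history:
        profiles[user]["devices"].add(device)
        profiles[user]["countries"].add(country)
    return profiles


def assess_login(profiles, user, device, country):
    """Return 'allow', 'notify', or 'step_up' for a new login against the user's baseline."""
    profile = profiles.get(user)
    if profile is None:
        # Assumption for this example: no history yet, so nothing to compare against.
        return "allow"
    new_device = device not in profile["devices"]
    new_country = country not in profile["countries"]
    if new_device and new_country:
        # Both usual device and usual geolocation changed: ask for additional verification.
        return "step_up"
    if new_device or new_country:
        # One attribute changed: proceed, but record it and notify the user.
        return "notify"
    return "allow"


def update_profile(profiles, user, device, country):
    """After a login is confirmed legitimate, fold its attributes into the baseline."""
    profiles[user]["devices"].add(device)
    profiles[user]["countries"].add(country)


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    print(assess_login(profiles, "alice", "dev-a1", "DE"))  # usual device, usual country
    print(assess_login(profiles, "alice", "dev-a9", "BR"))  # new device and new country
```

Only confirmed-legitimate logins should feed `update_profile`; folding in every attempt would let an attacker teach the profile their own device and location.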
Sentry MBA
http://engineering.shapesecurity.com/2016/03/a-look-at-sentry-mba.html
Other Resources
https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf
http://www.darkreading.com/endpoint/anatomy-of-an-account-takeover-attack/a/d-id/1324409
https://www.immun.io/use-case-account-takeover-protection
https://www.owasp.org/index.php/Credential_stuffing
https://www.owasp.org/index.php/Brute_force_attack