Accessibility of Hacker Tools and the Use of Behavioral Analytics

1© Copyright 2011 EMC Corporation. All rights reserved.
Who are you, and why are we talking?
– Tony Gambacorta
– Head of Field Services for Silver Tail Systems (RSA)
Today’s Goal:
An interactive discussion of the trend toward refinement
and accessibility of tools for online criminals, and how
behavioral analytics can be an effective countermeasure

What is Silver Tail?
Web Session Intelligence Software
• Passively gathers session intelligence
• Models observed behavior
• Isolates the bad guys from the good
guys
• Real-time alerting and mitigation of
threats
• Visibility
Investors

Web Session Intelligence
V I E W E D I N A G G R E G AT E ,
U S E R S F O L L O W L I N E A R
P AT T E R N S
B A D G U Y S D E V I AT E F R O M
T H E S E P AT T E R N S .
S I M P L Y P U T:
B A D G U Y S A C T
D I F F E R E N T L Y
T H A N G O O D G U Y S

Crowd v. User Behavioral Models
Alice Bob Charlie Dan
Hour 1 X
Hour 2 X
Hour 3 X X X X
Hour 4 X
1.) Why is Bob not acting like everyone else?
2.) Why is Bob not acting like Bob?

Why is Bob not acting like everyone else?
Comparison of one user’s behavior against that of his peers

Why is Bob not acting like Bob?
Comparison of one user’s current activity against his past activity

This is weird, even for Bob…
Applying both models provides a well-rounded view.

Refinement and
Accessibility:
Discussion and
Case Studies

Refinement
• Criminal tools are replaced as new defenses render
them obsolete:
• Attempts to thwart malware have lead to
refinement, rather than replacement, of malware:
Online
Passwords
Phishing
Anti-
Phishing
Malware
MFA
Social
Engineering
Coordinated
Malware

Accessibility
• The Internet is doing what it was designed to do
– Efficacious and efficient knowledge transfer
• The bad guys are going with the flow
– Sharing tools, processes and target intelligence
• The good guys are going against the flow
– Holding attack intelligence close to the vest
• To understand what’s happening, think like a bad guy
– How do I get the greatest result for the least amount of effort?

Understanding Accessibility is Critical
The sophistication of the tool is not necessarily
representative of the sophistication of the user.

Accessibility in Action: Opt-in DDoS
• No special skills, and nothing to download
• Very low “what-am-I-getting-myself-into” factor

HULK DDoS = Refinement + Accessibility
• Most DDoS protections defend against carpet bombing,
not surgical strikes
• Spring 2012, Barry Shteiman releases HULK, a DDoS
tool that exploits this vulnerability
• HULK made sophisticated DDoS accessible to the
masses
• Barry put a gun on the sidewalk; it was only a matter of
time before someone picked it up

Refinement + Accessibility = The Future
As time goes on, the usability and accessibility of
sophisticated tools will increase tool adoption, which will
lead to more attacks.
These attacks will take novel forms, but the inherent
difference in behavior between good and bad actors will
make them detectable.
Let’s look at a few examples…

Case Study:
Operation Ababil

Overview
• September 18th, 2012: The Al Qassam Cyber Fighters
(AQCF) threatens banks and posts demands
• AQCF claims responsibility for HULK-style DDoS
attacks launched from individual machines and hosted
servers
• Periodically AQCF issues a target list and demands on
Pastebin
• The attacks successfully disable customer-facing
portions of banking web sites during peak periods of
use

Operation Ababil: Attack-by-Numbers
For this project you will need:
1. Coordinated control of servers and PCs
1. A tool capable of launching the attacks
1. A target list and means of communicating it

1.) Coordinated control of servers and PCs…
Compromised servers
– itsoknoproblembro compromises PHP servers
– Easily accessible (Google)
Opt-in participants
– AQCF claims they are in use…
Malware-infected PCs
– Purchase a kit for a few thousand USD and distribute it
– Botnets can be bought or rented

2.) A tool capable of launching the attacks…
Once we have the Python script, porting
it to JavaScript to create an opt-in attack
platform is…

3.) A target list and means of communicating it…
1. Build a list…
2. Browse the target sites for SSL-encrypted
transactions
1. Open a free pastebin account and post your
messages

Choosing our targets
Just requesting this page will
burn resources as the SSL
session is established.
Target portions
of the site that
involve database
calls

Most DDoS defenses weren’t built for this
The average DDoS attack throws haymakers; HULK
bobs and weaves
– User-Agent strings, referrers, and targets are constantly
changed
– Backend requests are valid, making filtering difficult
– Instead of clogging the pipe, specific functional areas
are targeted

Bad actors are inherently different
• Normal users don’t:
– Execute sub-second clicks
– Change their User-Agent string with each click
– Maniacally focus on specific functional areas
– Have different referrers than their peers for the same page
• HULK’s countermeasures make it vulnerable to
behavioral analytics
• Let’s take a look at what Silver Tail saw during a HULK
attack at a major U.S.-based Financial Institution…

HULK Flows
Signin
Home
View
Account
Make
Transfer
Confirm
Transfer
Forgot
Password
Secret
Questions
Change
Password
New Password
Confirmed

What we learned:
• ≈2.6 million hits were made to
the login page in one hour.
• 213,098 of those hits came from
a single IP address.
How we used it:
• Knowing the login page is under
attack, we next looked for threat
clusters focused on that page.
Silver Tail v. HULK
Using Page Details to isolate the targeted page
The login page is being hit 52 times more frequently than the
subsequent landing page.

What we learned:
• 43 IPs were clustered in this hour
• Subsequent hours clustered as few
as 1, and as many as 320 IPs per
hour
How we used it.
• Threat cluster renamed to “DDoS” to
speed future identification
• Drilling into this cluster gave per-IP
click data
Silver Tail v. HULK
Using Threat Clustering to isolate the bad actors

What we learned:
• A single IP made 1.2M clicks in 12
hours
• Average click delta was < 0.5
seconds
• Traffic volumes varied between IPs;
timing did not.
How we used it:
• Now that we know this is clearly not
legitimate traffic, we can use the
clickstream to see exactly what the
bad actors are doing.
Silver Tail v. HULK
The Summary View gives a high level review of individual bad actors

What we learned:
• The clicks are sub-second, and
changing the User-Agent string with
nearly every click.
How we used it:
• We have classified the attack, and
can now write mitigation rules to
thwart it.
Silver Tail v. HULK
The clickstream shows the pattern, and markers tell us where to look.

• In less than 5 minutes, Silver Tail
gave the what, where, how and when
of the attack.
• Going forward, the customer will have
three advantages:
1. Rules will catch HULK activity in real time
2. Using the named threat cluster, this
pattern of behavior can be quickly
recognized and mitigated should it recur
3. Using EDS and rules, an alert will be sent
if any of the bad actor IP addresses show
elevated behavior scores
Silver Tail v. HULK
Summary and next steps
Page details reveal the
target.
Threat clustering isolates
and groups the bad actors.
Threat summary confirms
traffic is not legitimate.
Clickstream allows for
rapid analysis of attack
signature.

Silver Tail v. Operation Ababil Notes
• The strengths of these attacks become weaknesses
when behavioral analytics are in play
• Real-time recognition and mitigation of the attacks is
possible; we aren’t fighting the bogeyman
• Because their actions are inherently different from valid
traffic, future refinements of this attack will also be
caught

Case Study:
eCommerce
Web Logic Abuse

Case Study: eCommerce Logic Abuse
One of our analysts led training for an eCommerce
customer that was interrupted by the customer’s
head of operations.
A graph that should look like
this…
Instead looked like this.

eCommerce: Logic Abuse
The customer knew the “what”…
• Omniture reported a revenue drop for
affiliate orders
Silver tail exposed the “how” in minutes…
1. Users added a sale item to their cart
2. A flaw allowed discounts to be
stacked
3. Users stacked the next promotion in
their cart
4. Inconsistent price floors were
exploited
5. Sub-floor and negative value orders
were accepted.
Promo Code Abuse
Cart Logic
Flaw
Broken Price
Floors
Staring at a
$64K Loss in
an Afternoon
Silver Tail
Saves the Day

eCommerce: Information Security
What happened?
• Brute force eCoupon code guessing on a
regular schedule
• High value codes stolen
• Customer was blind to the activity
How did we catch it?
• Behavior scores
• Cyclical spikes
• Clickstream provided details
Promo Code Guessing
“High value customers have been complaining that
their one-time use coupon codes don’t work.”

eCommerce Logic Abuse
During the investigation of this issue, two distinct groups of
actors were recognized:
• An initial wave of high quantity orders from mass-
registered accounts
• A subsequent wave of “normal” users placing low quantity
orders
HTTP headers showed this second group frequently came
directly from the domain of a Chinese-language web forum…

Where’d you learn that trick?
Here’s how to double-dip coupon codes…
Now:
1. Clear all cookies
2. Click rebate site
to shop, add
items to cart, and
close all browser
windows
3. Click the rebate
site again to
shop, go directly
to cart to check
out
These sites have
rebate offers

Here’s how to get around the anti-fraud rules…
You’ll need an
American Express
card
You can get around
the requirement for a
US-based billing
address by…
Here’s a freight
forwarder who’ll ship
to a Hong Kong
warehouse

Here’s how I got a sales rep to push my order through…
I’m having trouble
with my AMEX card
on your site
Oh, but I have a
lower price in my
cart.
Please use my saved
cart to place the
order.
Not to worry, I can
place this order from
the backend

Wrap Up
• Refinement and accessibility are lowering the
barriers to entry to commit crime on the Internet
• Modeling good behavior allows us to isolate the bad
• The bad guys are sharing data- the good guys
should too!

Appendix
Additional Use Cases and Findings

Financial: Information Security
What were they doing?
– General reconnaissance
– Probing for vulnerabilities
What looked suspicious to us?
– High velocity score (sub second clicks)
– Modified user-agent strings
– Alphabetically ordered page requests
– Multiple password reset attempts
– Requests for non-existent pages
Jiggling Doorknobs: Detecting Vulnerability Probing

Financial Services: Fraud
What where they doing?
– Compromising accounts with malware
– Creating a virtual account number (VAN)
– Receiving a new line of credit
– Maxing credit limit with fraudulent
purchases
– High MiM score
– Fast clicks
– Multiple IP addresses in one session
– IPs traced to disparate geographies
– User-agent variation
Man-in-the-Middle Attack Detected With Scoring
Clickstream shows different
IPs, UA strings, and activities
intermingled

Compromised Accounts: Financial Services
What were they doing?
– Stealing credentials
– Spoofing mobile user agents
– Cluster of IPs generated a high
behavior score
– Clickstream showed the same
cookie being used by two
devices
Mobile Account Penetration
Same Cookie
Different
UA Strings

eCommerce: Fraud – A Different Game
What was happening?
– 50% of chargebacks were auto-
approved by existing solution
– Customer had visibility into the “what”
but not the “how” of order
transactions
– Difficulty: We can only look at 20
additional orders per day
– High velocity scores
– High behavior scores
– Targeted sessions
– Scripted sessions
– Dry runs / testing
Stolen Credit Cards
Week
Beginning
Orders
Cancelled
Number of
Items
Value of
Blocked
Orders
July 30th 30 59 $52,236.06
August 6th 37 57 $56,939.75
August 13th 38 53 $51,857.04
August 20th 22 39 $42,129.89
August 27th 32 74 $52,703.11
Total 158 282 $255,865.85

What was happening?
– 15,000 login attempts against 11,300
users
– Single IP had a high hit count to the login
page
– UserIDs entered alphabetically
– ≈50% of hits were at sub-second deltas
Compromised Accounts: Brute Force Guessing

Financial Services: Information Security
• The net
– Monitor for password guessing events
– Alert on successful logins
• The catch
– 48,000 accounts successfully peeked
• Now that we’ve got them…
– 48,000 accounts loaded via EDS
– Alert if high risk activity detected
Compromised Accounts: Peeking
Obtain
Compromised
Account List
Validate a
Subset
Sell List
and/or Initiate
Transactions

What was happening?
– Multiple login attempts with one password
– Scripted variability
– Spike in login page hits
– Elevated behavior scores for sessions driving
the spike
Compromised Accounts: Horizontal Guessing

• High behavior scores on email-my-
cart page
• Chinese IPs sent 12 carts per minute
• Clickstream showed spam messages
Normal Users Don’t Email Their Carts 12 Times Per Minute.
“We’d heard reports of spam,
but figured someone was
spoofing us.”

• Peaked at 330 page hits per day
• 3,960 messages per week
• Reporting raised visibility, opened
budget for a fix
Spam – How much are we talking?
0
200
400
600
800
1000
1200
Alerts
Page Hits
Messages

What happened?
• Site performance problems
• Item catalog time outs
What we found:
• Misconfigured site performance tool
• Bursty pattern of 1.6M hits over 7 days
Denial-of-Service: Self-Inflicted

THANK YOUTHANK YOU

Accessibility of Hacker Tools and the Use of Behavioral Analytics

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (19)

Similar to Accessibility of Hacker Tools and the Use of Behavioral Analytics

Similar to Accessibility of Hacker Tools and the Use of Behavioral Analytics (20)

Recently uploaded

Recently uploaded (20)

Accessibility of Hacker Tools and the Use of Behavioral Analytics

Editor's Notes