How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)

•

8 likes•2,410 views

Almost two thirds of confirmed breaches involve using weak or stolen passwords - it’s not a new threat, but it works. By the end of this talk you will understand the Account Takeover threat, and walk away with some techniques & tools for detection and response within your own web applications.

Technology

How to spot a
wolf in sheep’s
clothing
Protecting your users from
Account Takeover
CC By-ND flickr.com/photos/cwkarl/11972795684

Nick Malcolm
Security Consultant @ SafeStack
Previously CTO @ ThisData
nickmalcolm

What we’ll cover
● What is Account Takeover?
● (Why) Is Account Takeover a problem?
● How can we prevent it?
● How can we detect it?
● How can we respond?

What is Account
Takeover?
It’s when someone takes over …. an account ….
Or, when a wolf has a really good sheep costume!

Credit: github.com/magoo/AuthTables (MIT)

Yahoo - 1 Billion
MySpace - 427M
AdultFriendFinder - 400M
LinkedIn - 167M
Dropbox - 68M

63%
of confirmed data breaches involved attackers using
weak, default, or stolen passwords
(Verizon DBIR 2016, page 20)

A7: “Insufficient Attack Protection”
“involves automatically detecting, logging, responding, and
even blocking exploit attempts”
- OWASP Top 10 2017, Release Candidate

Know
● Know your users / customers
● Know your app
● Does this type of attack apply to me? Probably.
● Is there lower hanging fruit? Probably!

Prevention
Stopping it from happening in the first place

Prevention
● Rate Limiting!
● Don’t rely on just passwords: 2FA
● IP whitelists
● Password policies
● Outsource your authentication: Google SSO, Auth0, etc

Detection
● Goal: learn what “normal” looks like
○ What browser do they use?
○ What locations do they work from?
● The buzzword here is: BEHAVIOURAL ANALYTICS
or ANOMALY DETECTION,
or USER AND ENTITY BEHAVIOUR ANALYTICS (UEBA)
● Simple learning & rules can get you pretty far

AuthTables
● User ID + Cookies and IP Addresses
○ Same cookie, new IP ✓ PASS.
○ New cookie, same IP ✓ PASS.
○ New cookie, new IP ✗ FAIL.
● Can also incorporate IP threat feeds
○ Tor, Spammy IPs, Botnets, etc
● Problem: hard pass or fail

Detection
● IP Address
● Geolocation
● Velocity
● Browser & OS
● Browser fingerprint
● Time of Day
● Cursor movement
● Typing speed
On phones:
● How you walk
● Touch pressure
● Swipe movement
● How you hold your phone
● How you move your phone

Combined features
gave results
10x more reliable
than a fingerprint
alone
“Project Abacus,” at
Google I/O 2015

Detection
● Machine Learning is great when:
○ You have a lot of data
○ You understand your data well
● There are two ways to train it:
○ Supervised: we tell it what’s good and bad (labels)
○ Unsupervised: figures labels out itself

One Class
Support Vector Machine
“Is it them, or not them?”

Detection
● You can do it yourself!
○ Simple pass/fail: AuthTables
○ Smarter: Statistics
○ Smarterer: Machine Learning
● Or you can pay someone to do it for you!

Response
You’ve spotted the wolf. What now?

Response
● Alert the user, out-of-band
○ Email
○ Slack
● Block the activity completely
● Step Up
○ ask for 2FA
○ ask for answers to security questions (shudder)

Distributed Alerting
● Slack uses Slack
● Dropbox liked that, so they made a thing:
dropbox/securitybot

Thanks!
Talk to me on twitter:
@nickmalcolm
CC By-ND flickr.com/photos/cwkarl/11972795684

Title: Enterprise Logging and Log Management: Hot TopicsDate & Time: Thursday, April 1, 2010, 11:00am Eastern Capturing log information is critical to IT organizations for many reasons, including for security incident detection and response, and for compliance with numerous regulations and standards. Join one of the foremost experts on log management, Dr. Anton Chuvakin, as we discuss enterprise logging challenges and issues.

OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)

Avansa Mid- en Zuidwest

This presentation is in English; the announcement (beneath) & talk were in Dutch (NL) OpenTechTalks | Ethisch hacken met Kali Overheden, bedrijven en particulieren worden steeds kwetsbaarder voor aanvallen van black hat hackers, criminelen die de lekken in computers uitbuiten voor geldgewin of louter om schade te veroorzaken. Daartegenover staan de white hat hackers: zij testen computersystemen op fouten en dichten de lekken voordat malafide hackers inbreken. Tijl Deneut (UGent/Howest) geeft een overzicht van welke vormen van cybercriminalteit er bestaan en hoe je je ertegen kunt wapenen. De focus ligt op Kali Linux, een besturingssysteem dat honderden beveiligings- en testprogramma's bundelt. Volgende vragen komen aan bod: hoe installeer je Kali Linux? Hoe kun je in een veilige omgeving testen? Is ethisch hacken eigenlijk wel legaal? Algemene IT-kennis is aangewezen. Achteraf drinken we een glas in het café van Vooruit.

Defcon 21-pinto-defending-networks-machine-learning by pseudor00t

pseudor00t overflow

N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018

Codemotion

Creating a quality web application is hard. It’s hard to gain customers, it’s hard to build your reputation and it’s hard to keep the costs low. Nevertheless, security is often an afterthought. However… Have you considered the cost of fixing security issues later? What about the reputational damage of a security breach? Are you worried about your customers’ data? We will talk about good security coding practices for web applications and how to apply them early on using some real world examples. We will also help you to think about your website’s vulnerabilities from the view of a hacker.

CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...

PROIDEA

According to the very recent research by global technology company Nuix, most of the hackers (88%) can compromise the system in 12 hours and exfiltrate in another 12 hours (81% respondents). Is the situation really so bad? And what about Security Operation Centres, could not they make the bad guys stop? Let’s have a quick look into the hacker’s arsenal and examine SOC defences. Modern cyber warfare is really brilliant, introducing such weapons as gargantuan size DDoS attacks & infected smart devices, defences augmented with “next generation” security devices, Big Data Analytics and Threat Intelligence. Finally, the defenders have new soldier on the battlefield, the Space Marine of cybersecurity - Threat Hunter. What can possibly go wrong? Why are the breaches still happening? Is SOC really failing miserably this war? Let’s try to find the answers.

The cyber security hype cycle is upon us

Jonathan Sinclair

Bio catch

Yanivt

Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,

Sigma Software

Why isn't infosec working? Did you turn it off and back on again?

Rob Fuller

BruCon 2019 Keynote -=> My name is Rob Fuller, I've been around a bit, not as long as some but longer than others. From the US military to government contracting, consulting, large companies, tiny startups and silicon valley behemoths, from podcasting to television, I've had a storied and humbling career in infosec. Let’s get past complaining about blinky lights and users. Let’s talk about what actually works and what doesn't.

Secure at Speed @ Solent.tech

Stuart Gunter

Rohit Kapoor

LoginCat - Mini Presentation

Rohit Kapoor

App Security and Securing App

Andreas Schranzhofer

Bulletproof IT Security

London School of Cyber Security

We are delighted to have Gary Miliefsky on our second Hacker Hotshot of 2013! Gary is the Editor of Cyber Defense Magazine, which he recently founded after years of being a cover story author and regular contributor to Hakin9 Magazine. In partnership with UMASS, he started the Cyber Defense Test Labs to perform independent lab reviews of next generation information security products. Gary is also the founder of NetClarity, Inc., which is the world's first next generation agentless, non-inline network access control (NAC) and bring your own device (BYOD) management appliances vendor based on a patented technology which he invented.

Adversary Driven Defense in the Real World

James Wickett

Rohit Kapoor

TEKMONKS

Windows Incident Response is hard, but doesn't have to be

Michael Gough

Data-driven product management

Arseny Kravchenko

We are Digital Puppets

Secpro - Security Professionals

A Recipe for Password Storage: Add Salt to Taste

Nick Malcolm

First presented at OWASP NZ 2020. https://owasp.org/www-event-2020-NewZealandDay/ Storing passwords is as simple as following a recipe when developers use their frameworks, but there are sometimes choices to make when it comes to ingredients and amounts. Argon, PBKDF2? What’s a Salt? How many rounds? Join me on this cooking-themed presentation on password storage! Every time a website gets breached you hope to hear “your password was salted and hashed” instead of “your passwords were stored in plain text” - but what does that actually mean, and why is it a good thing? Wash your hands, don your apron, and join me for as we follow the recipe for storing passwords safely. We’ll learn a bit about cryptography and one-way functions (that’s the hash!), how to source good ingredients (bcrypt, scrypt, argon, oh my!), why adding a pinch of salt helps, how many times must we stir the mix, and what happens if we miss a step? In the face of an attacker, will our delicious password loaf rise to the occasion, or will it fall flat in disappointment and despair?!

How To "Speak Developer"

Nick Malcolm

First presented at AISA Cyber Conference AU in 2018. How to “Speak Developer” and Create a Winning Security Culture in Your Software Development Teams. There aren’t enough security people in the workforce to scale to the demands of our business needs, but there’s an untapped resource already sitting within our organisations: developers and testers. In this session we’ll learn how to speak their language and create a security culture which will support secure development and ultimately enable innovative practices within the business. As security professionals we often battle to make ourselves understood with developers. Maybe we’re too risk oriented. Perhaps we’re only confident talking at a network level. Or our business has adopted an agile methodology and our old practices are being seen as road blockers. Whatever the reason, we need to change the way we interact with development teams. By understanding their context, speaking their language, enabling them with tools, and being seen as a trusted advisor – not the enemy – we can move at a pace and scale where security is baked in to our development culture across the organisation. If you’re a security professional working within an organisation that does software development, or an IT manager looking to make the most of limited resources, this session is for you.

Similar to How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)

Enterprise Logging and Log Management: Hot Topics by Dr. Anton Chuvakin

Anton Chuvakin

OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)

Avansa Mid- en Zuidwest

Defcon 21-pinto-defending-networks-machine-learning by pseudor00t

pseudor00t overflow

N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018

Codemotion

CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...

PROIDEA

The cyber security hype cycle is upon us

Jonathan Sinclair

Bio catch

Yanivt

Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,

Sigma Software

Why isn't infosec working? Did you turn it off and back on again?

Rob Fuller

Secure at Speed @ Solent.tech

Stuart Gunter

Rohit Kapoor

LoginCat - Mini Presentation

Rohit Kapoor

App Security and Securing App

Andreas Schranzhofer

Bulletproof IT Security

London School of Cyber Security

Adversary Driven Defense in the Real World

James Wickett

Rohit Kapoor

TEKMONKS

Windows Incident Response is hard, but doesn't have to be

Michael Gough

Data-driven product management

Arseny Kravchenko

We are Digital Puppets

Secpro - Security Professionals

Similar to How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover) (20)

Enterprise Logging and Log Management: Hot Topics by Dr. Anton Chuvakin

OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)

Defcon 21-pinto-defending-networks-machine-learning by pseudor00t

N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018

CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...

The cyber security hype cycle is upon us

Bio catch

Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,

Why isn't infosec working? Did you turn it off and back on again?

Secure at Speed @ Solent.tech

LoginCat - Mini Presentation

App Security and Securing App

Bulletproof IT Security

Adversary Driven Defense in the Real World

Windows Incident Response is hard, but doesn't have to be

Data-driven product management

We are Digital Puppets

More from Nick Malcolm

A Recipe for Password Storage: Add Salt to Taste

Nick Malcolm

How To "Speak Developer"

Nick Malcolm

All aboard the Cyber Security Rollercoaster!

Nick Malcolm

Originally presented at ITx 2016: https://itx.nz/Programme/68/All-aboard-the-Cyber-Security-Rollercoaster Not a day goes by where we don't hear of a website being hacked, a few hundred thousand user details being exposed, or another organisation scammed out of a pretty penny. The world of cyber security is hurtling along at break neck pace. Nick Malcolm will push the pause button and look back at the highs and lows of the last year's major security incidents, and see what we can learn from them. He will look at our current position, and in to the future. What are the threat trends and emerging risks we face awaiting us around the bend? He will then show some of technologies and innovations which are helping to keep the web secure, educate the public, and empower IT professionals. It's a rollercoaster, but it doesn't have to be scary - climb aboard and learn how to enjoy the ride!

Timing Attacks and Ruby on Rails

Nick Malcolm

Protecting the Front Door

Nick Malcolm

We can do a lot to secure our web-app backends, but ultimately our users email and password are the front door, and they're notoriously insecure. This talk quickly shows you how to mitigate this attack vector by detecting and responding to login anomalies using ThisData's Login Intelligence API. This talk was originally presented as at Ruby Nights Auckland on March 24 2016: http://www.meetup.com/aucklandruby/events/228852539/

Adding Two Factor Authentication to your App with Authy

Nick Malcolm

Our CloudFlare experience

Nick Malcolm

More from Nick Malcolm (7)

A Recipe for Password Storage: Add Salt to Taste

How To "Speak Developer"

All aboard the Cyber Security Rollercoaster!

Timing Attacks and Ruby on Rails

Protecting the Front Door

Adding Two Factor Authentication to your App with Authy

Our CloudFlare experience

Recently uploaded

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...

Product School

When stars align: studies in data quality, knowledge graphs, and machine lear...

Elena Simperl

Mission to Decommission: Importance of Decommissioning Products to Increase E...

Product School

How world-class product teams are winning in the AI era by CEO and Founder, P...

Product School

Bits & Pixels using AI for Good.........

Alison B. Lowndes

PHP Frameworks: I want to break free (IPC Berlin 2024)

Ralf Eggert

In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development. This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.

Connector Corner: Automate dynamic content and events by pushing a button

DianaGray10

Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to: Create a campaign using Mailchimp with merge tags/fields Send an interactive Slack channel message (using buttons) Have the message received by managers and peers along with a test email for review But there’s more: In a second workflow supporting the same use case, you’ll see: Your campaign sent to target colleagues for approval If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team But—if the “Reject” button is pushed, colleagues will be alerted via Slack message Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors. And... Speakers: Akshay Agnihotri, Product Manager Charlie Greenberg, Host

"Impact of front-end architecture on development cost", Viktor Turskyi

Fwdays

I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.

DevOps and Testing slides at DASA Connect

Kari Kakkonen

Key Trends Shaping the Future of Infrastructure.pdf

Cheryl Hung

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

Product School

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

BookNet Canada

The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more. Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/ Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.

UiPath Test Automation using UiPath Test Suite series, part 4

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap. The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies. Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques What will you get from this session? 1. Insights into SAP testing best practices 2. Heatmap utilization for testing 3. Optimization of testing processes 4. Demo Topics covered: Execution from the test manager Orchestrator execution result Defect reporting SAP heatmap example with demo Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

Search and Society: Reimagining Information Access for Radical Futures

Bhaskar Mitra

The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.

The Future of Platform Engineering

Jemma Hussein Allen

Leading Change strategies and insights for effective change management pdf 1.pdf

OnBoard

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

Abida Shariff

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

Recently uploaded (20)

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...

When stars align: studies in data quality, knowledge graphs, and machine lear...

Mission to Decommission: Importance of Decommissioning Products to Increase E...

How world-class product teams are winning in the AI era by CEO and Founder, P...

Bits & Pixels using AI for Good.........

PHP Frameworks: I want to break free (IPC Berlin 2024)

Connector Corner: Automate dynamic content and events by pushing a button

"Impact of front-end architecture on development cost", Viktor Turskyi

DevOps and Testing slides at DASA Connect

Key Trends Shaping the Future of Infrastructure.pdf

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

UiPath Test Automation using UiPath Test Suite series, part 4

Epistemic Interaction - tuning interfaces to provide information for AI support

Search and Society: Reimagining Information Access for Radical Futures

The Future of Platform Engineering

Leading Change strategies and insights for effective change management pdf 1.pdf

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)

1. How to spot a wolf in sheep’s clothing Protecting your users from Account Takeover CC By-ND flickr.com/photos/cwkarl/11972795684

2. Nick Malcolm Security Consultant @ SafeStack Previously CTO @ ThisData nickmalcolm

3. What we’ll cover ● What is Account Takeover? ● (Why) Is Account Takeover a problem? ● How can we prevent it? ● How can we detect it? ● How can we respond?

4. KNOW PREVENT RESPOND DETECT

5. What is Account Takeover?

6. What is Account Takeover? It’s when someone takes over …. an account …. Or, when a wolf has a really good sheep costume!

8. How does it happen?

9. Credit: github.com/magoo/AuthTables (MIT)

10. Is it a problem? Why?

11. Yahoo - 1 Billion MySpace - 427M AdultFriendFinder - 400M LinkedIn - 167M Dropbox - 68M

12.

13. 63% of confirmed data breaches involved attackers using weak, default, or stolen passwords (Verizon DBIR 2016, page 20)

14. A7: “Insufficient Attack Protection” “involves automatically detecting, logging, responding, and even blocking exploit attempts” - OWASP Top 10 2017, Release Candidate

15. KNOW PREVENT RESPOND DETECT

16. Know ● Know your users / customers ● Know your app ● Does this type of attack apply to me? Probably. ● Is there lower hanging fruit? Probably!

17. KNOW PREVENT RESPOND DETECT

18. Prevention Stopping it from happening in the first place

19. Prevention ● Rate Limiting! ● Don’t rely on just passwords: 2FA ● IP whitelists ● Password policies ● Outsource your authentication: Google SSO, Auth0, etc

20. KNOW PREVENT RESPOND DETECT

21. Detection Spotting the wolf

22. Detection ● Goal: learn what “normal” looks like ○ What browser do they use? ○ What locations do they work from? ● The buzzword here is: BEHAVIOURAL ANALYTICS or ANOMALY DETECTION, or USER AND ENTITY BEHAVIOUR ANALYTICS (UEBA) ● Simple learning & rules can get you pretty far

23. magoo/AuthTables

24. Credit: github.com/magoo/AuthTables (MIT)

25. AuthTables ● User ID + Cookies and IP Addresses ○ Same cookie, new IP ✓ PASS. ○ New cookie, same IP ✓ PASS. ○ New cookie, new IP ✗ FAIL. ● Can also incorporate IP threat feeds ○ Tor, Spammy IPs, Botnets, etc ● Problem: hard pass or fail

26. Detection ● IP Address ● Geolocation ● Velocity ● Browser & OS ● Browser fingerprint ● Time of Day ● Cursor movement ● Typing speed On phones: ● How you walk ● Touch pressure ● Swipe movement ● How you hold your phone ● How you move your phone

27. Combined features gave results 10x more reliable than a fingerprint alone “Project Abacus,” at Google I/O 2015

28. MACHINE LEARNING

29. Detection ● Machine Learning is great when: ○ You have a lot of data ○ You understand your data well ● There are two ways to train it: ○ Supervised: we tell it what’s good and bad (labels) ○ Unsupervised: figures labels out itself

30. One Class Support Vector Machine “Is it them, or not them?”

31. STATISTICS

32. Detection ● You can do it yourself! ○ Simple pass/fail: AuthTables ○ Smarter: Statistics ○ Smarterer: Machine Learning ● Or you can pay someone to do it for you!

33. KNOW PREVENT RESPOND DETECT

34. Response You’ve spotted the wolf. What now?

35. Response ● Alert the user, out-of-band ○ Email ○ Slack ● Block the activity completely ● Step Up ○ ask for 2FA ○ ask for answers to security questions (shudder)

36.

37. Distributed Alerting ● Slack uses Slack ● Dropbox liked that, so they made a thing: dropbox/securitybot

38. KNOW PREVENT RESPOND DETECT

39. Detection and Response as Prevention

40. Thanks! Talk to me on twitter: @nickmalcolm CC By-ND flickr.com/photos/cwkarl/11972795684

How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)

Recommended

Recommended

More Related Content

Similar to How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)

Similar to How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover) (20)

More from Nick Malcolm

More from Nick Malcolm (7)

Recently uploaded

Recently uploaded (20)

How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)