Detecting Fraudulent Activity
... A Recipe!
BruCON / Sep 2010
An e-Commerce company
Complex IT infrastructure
Increasing demand in security
By the management
By the business (compliance)
Security tools and procedures in place
(I hope ;-)
How to improve the detection of suspicious
How to reduce false positives?
Restricted and overloaded security team
(if there is one!).
The eCommerce company makes business
Implement security monitoring rules using
Example: detect sessions started from ... (*)
(*) Insert your favorite suspicious countries here.
No political engagement ;-)
OSSEC to the Rescue
OSSEC is "an Open Source Host Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response."
Application log -> OSSEC log parser -> Fraud alert!
Configure OSSEC for your application log file
Create an "Active-Response" action to trigger when a denied access is detected
The "Active-Response" script will perform a geoIP lookup using the source IP address
If the IP address belongs to another country, inject a new event into OSSEC
OSSEC generates an alert based on this injected event
Adds value to the collected events.
Reduces the number of alerts to process.
Better reaction time.
This lightning talk idea came from a post on
my blog: http://blog.rootshell.be/
More info? Maltego!