6 09 10 financial fraud webinar
Post on 19-Oct-2014
DESCRIPTION
Webinar promoted by the company ArcSight on financial fraud
TRANSCRIPT
Detect Advanced Crime in the
Financial Sector
Ryan Kalember
Director, Product Marketing
Fraud Detection is More Challenging Than Ever
You Need to See…
… Networked Systems
… Zero-day Threats
… Critical Data Stores
… Privileged Users
… Network Connections
… Fraud Techniques
… Application Activity
www.arcsight.com © 2010 ArcSight Confidential
Cybercrime Keeps Growing
100 Million Credit Cards: $130 Million Cost
45 Million Credit Cards: $250 Million Cost
1.5 Million Debit Cards: Processing License Revoked
$73 Billion Risked by Rogue Trader: $7 Billion Lost
Modern Breaches Share a Pattern
Acquire target, sneak in, hop around (Perimeter doesn’t help)
Get privileged access to critical assets (Impact takes time)
Conduct the crime for an extended time (Early detection matters)
Today’s Cybercrime Is Different
Smart Humans
High Value Targets
Signatures Ineffective
No Choke Point
Key Systems Unwatched
Key Users Unwatched
Attacks
Defenses
Vulnerabilities
Business faces more risk than ever.
Traditional defenses won’t work.
A different approach is required.
Modern Threats
1. Spear-Phishing
2. Hackers and Coordinated Attacks
3. Malware/Bot Infiltration
4. Man in the Browser Attacks (MITB)
5. Insider Attacks
6. Insider Theft
Spear-Phishing Threat Vectors
MyFriend: This is hilarious: bit.ly/p0wn3d
Myfriend2010: RT @myotherfriend best thing I’ve read all day bit.ly/p0wn3d (about 39 minutes ago from web)
From: [email protected]@mycompany.com
To: [email protected]@mycompany.com
Attachment: Report.pdf (PDF, 210 KB)
Thought you’d find this report interesting.
Hackers and Coordinated Attacks
Detection Techniques
RBS WorldPay Breach
RBS WorldPay Breach
Breach: Hack Perimeter Security
Privilege Escalation: Access Debit Card System
Monetize: ATM Network Fraud
Malware Beaconing
Man in the Browser: Zeus Bot
Bot Detection Event Sequencing
Normal Transaction:
Fraudulent Transaction:
Insider Attacks
ID: JOHN  PWD: ******
Login Successful. Welcome User: JOHN
Alert: Unauthorized use of account JOHN
Windows user SAM 9-08-09 12:38
SAP user JOHN 9-08-09 12:39
Insider Theft
ID: Admin  PWD: Pa$$wd
Admin/Pa$$wd, Admin/Pa$$wd, Admin/Pa$$wd, Admin/Pa$$wd
Who extracted the confidential files?
Detecting Hackers and Coordinated Attacks
Convert Transactions into Events
Mainframe Transaction:
5000000 4857382225004272 4857382225000247 20081201 20081201 651227 999999998 74857388336478441246882083360000002199 5411 000000000000000 ATM TXN REV MARLOW BE 74857388336478441246882 34800000000000001411113480000000000000141111 000000000000000000 000000001.00001NN 000000000000000000 0000000000000000001 D0000005 0000000000000000001 000070053 4857382225000247 3822250042727485738833647844124688283369500000069
Analyze Transactions for Patterns
Pattern Investigation: Accounts vs. Amounts vs. Types
Two accounts are making very similar sets of transactions through the retail channel
Cross-Channel Attack
1. Uses Harvested Web Credentials
2. Get Personal Data from Autoforms
3. Authenticate using Personal Details
4. Request Transfer
Channels: Card Application, Account Balance, My Accounts, Call Center
Account ID 12345678
Passcodes rover12
2-Factor Auth ?
Address 12 Acacia Ave.
D.O.B. 1/12/1966
Products Current, Card
Mother’s Name Smith
Cross-Channel Attack
Channels: Card Application, Account Balance, My Accounts, Call Center
Sources: CRM/VOIP, Fraud Mobile List, Application Servers, Web Servers
1. Detect Strange Browsing Pattern
2. Put Account on Watch List
3. Detect Xfer by Phone Banking
4. Elevated Risk = Txn Blocked
Account ID 12345678
Passcodes rover12
2-Factor Auth ?
Address 12 Acacia Ave.
D.O.B. 1/12/1966
Products Current, Card
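The detection sequence on this slide (a strange browsing pattern puts the account on a watch list; a later transfer requested through phone banking for a watched account is treated as elevated risk and blocked), as an added Python example that is not ArcSight's code or rule language. The event layout, the "strange browsing" threshold (three distinct sensitive pages within 60 seconds) and the one-hour watch-list lifetime are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Event:
    ts: int          # seconds on a relative clock (constructed)
    channel: str     # "web" or "phone"
    account: str
    action: str      # "view" or "transfer"
    page: str = ""   # web page touched, for "view" events

# Assumed thresholds: three distinct sensitive pages inside 60 s is the
# "strange browsing pattern"; a watch-listed account stays watched for 1 h.
SENSITIVE_PAGES = {"Card Application", "Account Balance", "My Accounts"}
STRANGE_PAGES, STRANGE_WINDOW, WATCH_TTL = 3, 60, 3600

class CrossChannelCorrelator:
    def __init__(self):
        self.recent = {}   # account -> [(ts, page)] seen inside the window
        self.watch = {}    # account -> watch-list expiry time

    def ingest(self, ev):
        """Return 'ok', 'watchlist' or 'blocked' for one event."""
        if ev.channel == "web" and ev.action == "view":
            if ev.page not in SENSITIVE_PAGES:
                return "ok"
            hist = [h for h in self.recent.get(ev.account, []) if ev.ts - h[0] <= STRANGE_WINDOW]
            hist.append((ev.ts, ev.page))
            self.recent[ev.account] = hist
            if len({p for _, p in hist}) >= STRANGE_PAGES:
                self.watch[ev.account] = ev.ts + WATCH_TTL   # step 2: watch list
                return "watchlist"
            return "ok"
        if ev.channel == "phone" and ev.action == "transfer":
            # steps 3 and 4: transfer by phone banking while the account is watched
            if self.watch.get(ev.account, -1) >= ev.ts:
                return "blocked"
        return "ok"

# Constructed sample stream: one account browses the three pages within ten
# seconds, then a transfer for it is requested through the call centre.
SAMPLE = [
    Event(0, "web", "12345678", "view", "Card Application"),
    Event(5, "web", "12345678", "view", "Account Balance"),
    Event(9, "web", "12345678", "view", "My Accounts"),
    Event(600, "phone", "12345678", "transfer"),
    Event(700, "phone", "87654321", "transfer"),   # never watched: allowed
]

def run(events):
    c = CrossChannelCorrelator()
    return [c.ingest(ev) for ev in events]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE, run(SAMPLE)):
        print(ev.ts, ev.channel, ev.account, ev.action, "->", verdict)
```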
Detecting Bot Malware Beaconing
Malware Beacon Detection – Behavioral Analysis
Detecting MITB Attacks
Identity Correlation
• Correlate common identifiers such as email address, badge ID, phone extension
• Events occurring across devices that identify users by different attributes
• Attribute the event to a unique “identity” allowing correlation across any type of device
Identifiers: rjackson, 348924323, robertj, rjackson_dba, 510-555-1212
Identity: RobertJackson
Detecting Role Violation Attacks
Role Violations by Department and Employee Type
Detecting Attacks in Shared Admin Accounts
Application Access: Source: 10.10.10.10
[02.5.2009 10:33:46] Login Success 10.10.10.10 fmadmin
Identity: ?
Application Access: Source: 192.168.10.6
[02.5.2009 11:21:51] Login Success 192.168.10.6 fmadmin
Identity: ?
IP Address Identity
10.12.23.7 haroldr
10.12.23.23 czfb12
10.12.22.35 bobc
192.168.10.6 katie
10.10.10.10 jimmyj
Detecting Attacks in Shared Admin Accounts
Application Access: Source: 10.10.10.10
[02.5.2009 10:33:46] Login Success 10.10.10.10 fmadmin
Application Access: Source: 192.168.10.6
[02.5.2009 11:21:51] Login Success 192.168.10.6 fmadmin
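The identity correlation these slides describe (device-specific identifiers resolved to one identity, a shared admin account attributed through its source IP, and the Windows user SAM / SAP user JOHN mismatch from the Insider Attacks slide), as an added Python example that is not ArcSight's code. The identity store, the canonical identity names and the third, unknown-host login line are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed identity store: each identifier a device logs (Windows name, SAP
# user, badge number, DBA account, phone extension) -> one canonical identity.
IDENTITY_OF = {
    "rjackson": "RobertJackson", "348924323": "RobertJackson", "robertj": "RobertJackson",
    "rjackson_dba": "RobertJackson", "510-555-1212": "RobertJackson",
    "SAM": "SamUser", "JOHN": "JohnUser", "jimmyj": "jimmyj", "katie": "katie",
}
# Constructed asset table: workstation IP -> identity of its holder (the deck's
# "IP Address / Identity" list).
IP_OWNER = {"10.12.23.7": "haroldr", "10.12.23.23": "czfb12", "10.12.22.35": "bobc",
            "192.168.10.6": "katie", "10.10.10.10": "jimmyj"}
SHARED_ACCOUNTS = {"fmadmin"}   # account names that say nothing about the person

LOGIN_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] Login Success (?P<ip>\d+(?:\.\d+){3}) (?P<acct>\S+)$")

def attribute(line):
    """Parse one application login line; return (timestamp, account, identity).
    Shared accounts are attributed through the source IP, everything else
    through the identifier map; identity is None when neither resolves."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    ts, ip, acct = m.group("ts", "ip", "acct")
    who = IP_OWNER.get(ip) if acct in SHARED_ACCOUNTS else IDENTITY_OF.get(acct)
    return ts, acct, who

def shared_account_users(lines):
    """Who actually used each shared account; unresolved sources show as '?'."""
    users = defaultdict(set)
    for line in lines:
        r = attribute(line)
        if r and r[1] in SHARED_ACCOUNTS:
            users[r[1]].add(r[2] or "?")
    return {acct: sorted(ids) for acct, ids in users.items()}

def session_mismatch(os_user, app_user):
    """Insider case: the OS session and the application login resolve to
    different identities (Windows user SAM, SAP user JOHN) -> alert."""
    return IDENTITY_OF.get(os_user) != IDENTITY_OF.get(app_user)

SAMPLE_LOGS = [
    "[02.5.2009 10:33:46] Login Success 10.10.10.10 fmadmin",
    "[02.5.2009 11:21:51] Login Success 192.168.10.6 fmadmin",
    "[02.5.2009 12:02:10] Login Success 10.0.0.99 fmadmin",   # constructed: host not in asset table
]

if __name__ == "__main__":
    print(shared_account_users(SAMPLE_LOGS))   # {'fmadmin': ['?', 'jimmyj', 'katie']}
    print(session_mismatch("SAM", "JOHN"))     # True
```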
Detecting Terminated User Attacks
Why is he accessing the finance file server? HR status: Terminated; target: Finance file server
Conclusion
ArcSight
Company Background
• Founded May 2000
• 2000+ Clients
• 500+ employees, offices worldwide
• NASDAQ: ARST
Analyst Recognition
• #1 In-use for both SIEM and Log Management
• #1 in Market Share, last three reports
• SIEM Leader’s Quadrant, seven years running
Industry Recognition
Enterprise Threat and Risk Management: Comprehensive View of Business Risk
Sources: FW, IDS, AV, Proxy, VA; Internal Apps, DLP, Email, Web, Badge; Customer Transactions, Web Logs, Mainframe, CRM
Global Reporting by Lines of Business: Security Incidents, High Risk Users, High Risk Transactions
Security: DoS, SQL Injection, Malware, External Threats
Identity: Insider Threat, PII/IP Protection, Privileged Users, Internal Fraud
Transactions: 1st and 3rd Party, Online Banking, AML, Trading
Thank You for Attending