Prevent Malware attacks with F5 WebSafe and MobileSafe

Prevent Malware attacks
with F5 WebSafe and
MobileSafe
Alfredo Vistola
Security Solution Architect, EMEA
Malware Threat Landscape – Growth and Targets
%
25
%
50
%
79
%
82
Of real-world malware is
caught by anti-virus
Malware
Of malware code is logic
to bypass defenses
Existing malware
strains are Trojans
Of Institutions learned
about fraud incidents
from their customers
PandaLabs Q1 Report
http://press.pandasecurity.com/usa/news/pandalabs
-q1-report-trojans-account-for-80-of-malwareinfections-set-new-record/
Data sources: Dark Reading, PandaLabs, & ISMG
F5 Agility 2014
2
Malware Threat Landscape – Phishing by Number of Attacks
Phishing Attacks by Industry
• Finance, Government, Shopping, Online
Auctions, and Multiplayer Games.
United States
Amazon
Blizzard Entertainment
eBay
Internal Revenue Service
J.P. Morgan Chase
PayPal
Wells Fargo
United Kingdom
Barclays
HM Revenue & Customs
HSBC
Lloyds TSB
Natwest
Royal Bank of Scotland
Brazil
Banco Bradesco
Banco do Brasil
Banco Itau
Italy
Intesa Sanpaolo
Posteitaliane
UniCredit
Australia
ANZ (Australia and New
Zealand Banking Group)
Westpac Bank
McAfee Threats Report 2013
http://www.mcafee.com/us/resources/reports/rpquarterly-threat-q1-2013.pdf
F5 Agility 2014
3
F5’s Security Services and Solutions
One Platform
Network
Firewall
Traffic
Management
Application
Security
Access
Control
DDoS
Protection
SSL
DNS
Security
Anti-Fraud,
Anti-Malware,
Anti-Phishing
EAL2+
EAL4+ (in process)
F5 Agility 2014
4
Our unique solution
Offers protection to cover the gaps with most security solutions
Site Visit
Device
Fingerprinting
Phishing
Threats
© F5 Networks, Inc
Site Log In
• Geo-location
• Brute Force
Detection
• Behavioral
Analysis
Credential
Grabbing
User
Navigation
Transactions
Transaction
Execution
Behavioral and
Click Analysis
Abnormal Money
Movement
Analysis
Customer Fraud
Alerts
Malware
Injections
PII and CC
Grabbing
Automatic
Transactions
5
F5 Web Fraud Protection
Fraud, phishing & malware
protection
Simple deployment &
supports any device
Application level encryption
Healthcare
Retail
Device and behavioral
analysis
Bank
24x7 SOC research,
investigation & site take
down
End-user and application
transparency
“The knowledge that our online users are protected from fraudsters, wherever they are and at any time, enables our team to
focus on developing new products and services.”
Anti-Fraud Manager , Leumi Bank
F5 Agility 2014
6
WebSafe™ in Action
WebSafe – Clientless and Transparent Anti-Fraud Solution
Only fully transparent Anti-Fraud solution that reduces banking fraud loss
Fraud Detection and
Protection
•
•
•
Detection of targeted malware, BOTs,
MITM/B, form grabbing, Zero-day, …
Monitors and alerts when website is
copied and uploaded to a spoofed
domain (phishing)
Clientless application-layer encryption
of sensitive user data with sessioninitiated randomly rotating keys
F5 Agility 2014
Transaction Protection
•
•
•
Real-time transaction analysis
for automated or human
behavior
Transaction integrity
Comprehensive request analysis
Security Operations
Research Center
•
•
•
•
•
24X7 security reports and alerts
Identifies and investigates attacks
in real-time
Researches and investigates new
global fraud technology &
schemes
Provides detailed incident reports
Optional site take-down
8
WebSafe Implementation Options
Online Customers
A
Local alert server
and/or SIEM
Man-in-theBrowser Attacks
Copied Pages
and Phishing
Web Fraud
Protection
Online Customers
B
Application
Network
Firewall
C
F5 Security
Operations Center
Account
Automated
Transactions
and
Transaction
integrity
Amount
Transfer Funds
Online Customers
Customer Scenarios





Easily deployed
Deploys with no change to applications
Leverages existing F5 resources &
knowledge
Enables IT consolidation
Integrated into BIG-IP GUI in 11.6
A Malware Detection and Protection
B Anti-Phishing
Strategic Point of Control
C Transaction Analysis
F5 Agility 2014
9
Advanced Phishing Attack Detection and Prevention
Identifies phishing threats early-on and stops attacks before emails are sent
Alerts upon usage of copy site on local
computer
1. Copy
website
4. Test
spoofed
site
Alerts upon login and testing of phishing site
Web
Application
Phished user names are sent to the SOC
F5 SOC shuts down identified phishing
websites
Internet 3. Upload
image to
spoofed site
2. Save
image to
computer
© F5 Networks, Inc
Alerts at all stages of
phishing site development
10
Generic and Targeted Malware Detection
With real-time analysis and a variety of checks WebSafe identifies compromised sessions,
malicious scripts, phishing attacks and malware including MITM/B, BOTs, fraudulent
transactions
• Analyzes browser for traces of
common malware (i.e., Zeus, citadel,
Carberp, etc)
•
Detects browser redressing
• Performs checks on domain and other
components
© F5 Networks, Inc
11
Malware Detection – Web Injection Examples
F5 Agility 2014
12
Malware Detection – Web Injection Examples
Targeted malware web injection
F5 Agility 2014
13
Malware Detection – Web Injection Examples
Targeted malware web injection
F5 Agility 2014
14
Malware Detection – Web Injection Examples
F5 Agility 2014
15
Malware Detection – Web Injection Examples
F5 Agility 2014
16
Clientless Application-Level Encryption
WebSafe secures credentials and other valuable data submitted on web forms
© F5 Networks, Inc
17
Clientless Application-Layer Encryption
WebSafe secures credentials and other valuable data submitted on web forms
• Any sensitive information can be
encrypted at the message level
• User credentials & information is
submitted & encrypted with public
key
• Data is decrypted on BIG-IP
WebSafe using the private key
• Intercepted information rendered
useless to attacker
© F5 Networks, Inc
18
WebSafe™
BIG-IP GUI Integration
WebSafe : BIG-IP Integration 11.6
Easily turn on WebSafe anti-fraud protection from BIG-IP
• Define anti-fraud profile for each
domain
• Configure alert server
• Enable and disable individual
detection/protection modules
o
o
o
o
© F5 Networks, Inc
Phishing detection
Malware detection
Application layer encryption
Automated transaction protection
20
Anti-Fraud Profiles
F5 Agility 2014
21
Virtual Server Security Policy Configuration
F5 Agility 2014
22
MobileSafe™ In Action
Attack Mitigations (1 of 2)
• Man in the middle
• DNS spoofing
• The target domain is checked against a pre-loaded list of known IPs
• Certificate forging
• The target certificate is compared against a pre-loaded certificate
• Jailbreak / rooted devices
• Detection of a jailbreak and rooted device
F5 Agility 2014
24
Attack Mitigations (2 of 2)
• OS security
• Unpatched version with known vulnerabilities will raise the device risk score
(sent when the app is loaded)
• App integrity
• Android - MobileSafe will check the application signature (Checksum)
• IOS – this check is disabled
• Keyloggers – virtual keyboard
• Network sniffing at the OS level (before the SSL) vCrypt
F5 Agility 2014
25
MobileSafe Architecture / Data Flow
Download app
F5 SOC (Cloud)
F5 Configuration
Server
Device to application
User
communication
F5 SOC
Data Center
Alerts
BIG-IP
(message encryption)
F5 Agility 2014
servers
26
F5 Security Operations Center
F5 Security Operations Center
Always on the watch
24x7x365 fraud analysis team that extends
your security team
Researches and investigates new global
fraud technology & schemes
Detailed incident reports
Provides detailed threat analysis & incident
reports
Real-time alerts activated by phone, sms
and email
Optional site take-down:
 Phishing sites
© F5 Networks, Inc
28
F5 SOC: Phishing Site Take-Down Service
Quickly identify and shut down brand abuse websites
Always available F5 monitoring and
response team
Complete attack assessment & postpartum attack report
Leverage relationships with ISPs,
anti-phishing groups and key
international agencies
Malicious site take-down in minimal
time
Recommendations for counter
security measures
© F5 Networks, Inc
29
Real-Time Alerts Dashboard
F5 Agility 2014
30
F5’s Anti-Fraud Solutions
Prevent Fraud
Targeted malware, MITB,
zero-days, MITM,
phishing, automated
transactions…
Protect Online User
On All Devices
Full Transparency
In Real Time
Clientless solution, enabling
100% coverage
Desktop, tablets & mobile
devices
No software or user
involvement required
Alerts and customizable
rules
If I can be of further assistance please contact me:
[email protected]
Demo
Demo of Clientless Application-Level Encryption
Web
application
Login Information
Username + password
Infected
PC
Login Information
Username + password
Internet
Dropzone and
C&C on the
server at the
ISP
F5 Agility 2014
33
Questions?
F5 Agility 2014
34