The Industrialization of Fraud Demands a Dynamic Intelligence-Driven Response

An ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) White Paper
Prepared for RSA, The Security Division of EMC
June 2013

IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING

Table of Contents

Executive Summary (page 1)
Fraud in 2013: The Continuing Evolution of an Industry (page 1)
The Net Result: The Industrialization of Fraud (page 3)
How to Defend Against an Industry? (page 6)
Dynamic, Adaptive, and Intelligence-Driven: RSA Fraud and Risk Intelligence Solutions (page 7)
    At the Core: Intelligence and Expertise (page 7)
    Integrating Real-Time Intelligence with Anti-Fraud Technologies (page 8)
        Before Any Transaction (page 9)
        Assuring Confidence in Access (page 10)
        After Access is Gained (page 10)
    Support for a Comprehensive Strategy: RSA FraudAction Service (page 12)
EMA Perspective (page 13)
About RSA, The Security Division of EMC (page 14)
©2013 Enterprise Management Associates, Inc. All Rights Reserved. | www.enterprisemanagement.com

Executive Summary

As criminals have discovered the profitability of attacks against information systems, the impact of fraud has grown. Adversaries have discovered the lucrative nature of harnessing cyber threats. Their innovations have made it easier to steal from a wider range of victims. This has spurred the commercialization of crimeware and services – which, in turn, has given rise to specialization, competitive pressures, and other factors that illustrate how fraud, abetted by cybercrime, has grown from the unrelated activities of a few into an industry in its own right.

This industry has produced a level of automation and sophistication in fraud techniques to rival those of the legitimate business world. The commercial-grade packaging of complex threats makes it possible to readily convert personal systems into pawns that facilitate fraud, often unbeknownst to their rightful owners. Large-scale systems management capitalizes on the ability to harness entire networks of compromised hosts, whose masters often avoid detection and defeat through highly nimble evasive tactics. The net result: an industrialized threat that is costing businesses billions of dollars worldwide.

If attackers are well organized and well informed, take advantage of the latest innovations in the shadow market of crimeware and automation, and capitalize on intelligence to maintain their advantage, organizations must respond accordingly. In this paper, Enterprise Management Associates (EMA) explores the response organizations must marshal to stand up to this industrialized cybercrime threat. Coordinated strategies embracing multiple tactics to limit exposure and improve effectiveness are now mandated by guidance such as that of the US Federal Financial Institutions Examination Council and other regulations worldwide affecting businesses targeted by fraud. The RSA Fraud and Risk Intelligence portfolio of solutions offers an example of such a coordinated approach. With its early leadership in technologies and services that integrate intelligence with anti-fraud tactics in real time, the RSA Fraud and Risk Intelligence portfolio gives organizations the tools to enable strategies for confronting an industrialized threat with an industry-wide response.

Fraud in 2013: The Continuing Evolution of an Industry

In years past, those who sought to perpetrate fraud by exploiting information systems often worked alone. They may have selected their methods, harvested valuable data and carried out fraudulent transactions in relative isolation, working independently for their own gain. Today, the profitability of cybercrime has transformed the nature of the game. Consider phishing attacks alone – which the RSA Anti-Fraud Command Center estimates to have cost businesses over $1.5 billion in global fraud losses in 2012.1 Phishing continues to be a problem that plagues businesses around the globe. According to the Anti-Phishing Working Group, the number of brands hijacked by phishing campaigns continues to grow steadily, increasing by 15% year-over-year by the end of 2012. Payment services as a percentage of all targeted industries doubled over the previous year, second only to financial services and displacing both retail and gaming (one of the fastest-growing target sectors) by a significant margin.2,3

1 http://www.emc.com/microsites/rsa/phishing/index.htm?pid=features-InteractiveInfographic-022112

The growth in profitability has had the same impact on the business of fraud as it would in any other endeavor: it has given rise to a market as well defined as any in the legitimate business world:

• Commercialization: From assortments of exploits collected over time and through the experience of individuals, the profitability of fraud has matured attacks into packaged products and even product sets made available through covert commercial channels. Frameworks that enable exploits to be built from components have accelerated the “time to market” of more complex threats, exhibiting a sophistication in serving a market that directly parallels legitimate software businesses. These threat packages continue to evolve, most notably in 2012 with the introduction of Citadel, one of the most successful upgrades of the Zeus Trojan to date. Among its many other enhancements, Citadel introduced features such as a “dynamic config” capability that enables operators to create web injections and use them on the fly, pushing individual exploits to selected bots without the complications of pushing an entire new configuration file. This allows Citadel to more accurately mimic the activity of legitimate websites in real time, making fraud attacks both more efficient and more effective.4 Distributed Denial of Service (DDoS) capability has become another popular feature of commercial crimeware, capitalizing on highly distributed threat networks such as botnets to turn compromised hosts into DDoS amplifiers on an enormous scale.
In late 2012, banks suffered from a series of such attacks that capitalized on DNS system vulnerabilities and web servers compromised by crimeware tools such as “itsoknoproblembro.”5 In early 2013, one such attack against a major US utility knocked out an entire online and telephone payment system, forcing 155,000 customers to pay their bills in person for two days in an incident linked to criminals who use rented botnets to extort money from victims and steal valuable intellectual property.6

• Commoditization has naturally followed commercialization, as the expertise of a few has become available to many. Once an attack concept becomes coded as malware, it becomes available to a much greater number of adversaries who need not be more sophisticated than the original author (and are often far less). As the tools of fraud have become more widely available, prices have fallen accordingly. In 2011, RSA research found that the price of a fully functional version of the Zeus Trojan that may have once sold for $10,000 had fallen to as low as $380 for a “twofer” recompile.7 This commoditization, however, has come at a cost to the criminal. Penetration, prosecution and disruption of such widespread and highly visible activity by law enforcement and anti-fraud efforts have led some crimeware organizations to privatize their operations, restricting access to outsiders and, in some cases, taking commercial offerings off more open markets. Upward pricing pressures due to increased demand may result.

• Competition places additional pressure on criminals as more competitors and attack platforms enter, or re-enter, the market. The SpyEye Trojan, for example, became a significant competitor to Zeus, with capabilities that displaced Zeus when found on a target. In late 2012, the Carberp Trojan returned to the commercial malware market to challenge these and other attack platforms, commanding a price as much as four times the top asking price ever paid for Zeus or SpyEye in the underground, further reflecting the increased demand for such capability.8

• Specialization: Market pressures as well as new opportunities have also led criminals to add specialized features to attack platforms, including a new generation of mobile threats. Variants of many popular attack packages such as Citadel, Zeus, SpyEye and Carberp can now be equipped with malicious mobile apps that can intercept and forward the SMS messages often used to transmit one-time authentication codes – likely heralds of significantly increased fraudster investment in mobile threats to come. Geographically specific malware, meanwhile, continues to advance as a trend, recognizing that different language and cultural regions may require their own distinct authentication and attack techniques in order to be effective. Supplemental “off the shelf” products have arisen to serve emerging segments of the market, such as “anti-security” software that defends crimeware against detection and defeat.

2 http://docs.apwg.org/reports/apwg_trends_report_h2_2011.pdf
3 http://docs.apwg.org/reports/apwg_trends_report_Q4_2012.pdf
4 http://blogs.rsa.com/citadel-v1-3-5-1-enter-the-forts-dungeons/
5 http://www.ehacking.net/2013/01/itsoknoproblembro-toolkit-beast-that.html
6 http://www.economist.com/blogs/babbage/2013/03/crimeware
7 The Year in Crimeware, RSA FraudAction Anti-Trojan Service, January 2012, p. 20
• “Fraud as a Service”: The increasing specialization of fraud has also given rise to entrepreneurs who recognize the value of services to support and enhance fraud activity. Already in its brief but active history, the landscape of Fraud-as-a-Service has evolved. In the past, malware purveyors offered what are effectively subscription services where, for example, a provider may have made injection scripts available for a small fee (such as $5 each), or provided unlimited access to a variety of modules for $50 per month.9 The increased pressure on criminals to limit the availability of fraud tools and services, privatize their operations and “play closer to the vest” may, however, have the effect described earlier of increasing prices in the illicit market – but this, too, will introduce new opportunities. In 2013, researchers expect to see cybercrime platforms and supporting plugins, exploit kits, and administrative consoles sold in SaaS form at higher prices, rather than offered for purchase. Botnet setup and support services will remain in high demand, with bundled deals of Trojan binaries combined with hosting on hardened servers, encryption, plugin sets and web injection packages. Criminals may even offer instruction in cybercrime for less skilled fraudsters.10

The Net Result: The Industrialization of Fraud

These developments make one central fact clear: fraud has grown from a criminal activity into an industry. In the most recent email metrics report of the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), spam and messages that abuse email systems made up 88.8% of mail volume across more than 400 million mailboxes among the participating member service operators,11 with as much as one-fourth of spam email containing malware12 – and much of that malware targeted fraud as its objective.

8 RSA FraudAction Quarterly Trojan Report, Q4 2012, p. 18
9 The Year in Crimeware, p. 20
10 RSA FraudAction Quarterly Trojan Report, Q4 2012, p. 34
11 Messaging Anti-Abuse Working Group (MAAWG) Email Metrics Report, First, Second and Third Quarter 2011, http://www.maawg.org/sites/maawg/files/news/MAAWG_2011_Q1Q2Q3_Metrics_Report_15.pdf
12 http://redmondmag.com/articles/2011/08/18/spam-hiding-malware-increases-in-august.aspx

How have the malicious been able to dominate this much of legitimate IT? Through the sophistication of attacks made possible by an industrial ecosystem:

• Multifunctional attacks that encompass a variety of ways to compromise victims have been made possible by readily used frameworks for their construction, and by crimeware of a quality similar to commercial-grade off-the-shelf software in packaging, delivery and support.

• Sophisticated automation rivaling the scale and efficiency of enterprise-class IT management systems enables the fluid control of large-scale networks of compromised hosts.

• Tools that harness the power of the Internet further expand fraud on a similarly global scale. Compromised hosts can, for example, become spam or phishing amplifiers, dramatically increasing the likelihood of a successful exploit.

• Websites – malicious sites as well as legitimate sites whose vulnerabilities have been exploited – can be engaged to further propagate attacks, by enabling a compromised host to download additional crimeware at the command of a remote manipulator, often without the victim’s knowledge. The reach of sites can be further extended through techniques such as search engine manipulation.

• What cannot be automated can be accomplished by an industry that can recruit large numbers of people to perform often straightforward yet lucrative tasks, such as enabling cross-border money transfers that might lead to identification of foreign criminals if out-of-country fraudsters were to attempt to transfer funds directly via remote control. Economic pressures can make it that much easier for fraudsters to recruit these “mules” with the promise of easy money in exchange for absorbing this aspect of their employers’ risk. This is in addition to what may be considered a “mule” of another sort: an unsuspecting individual whose personal system has been compromised to perform essentially the same function remotely, typically without the user’s awareness, and using the individual’s (legitimate) credentials.

• At this industrial level, fraud becomes an efficient business of opportunity. Each one of millions of compromised victims can become a source of information that can be exploited to siphon off material assets – or perhaps to access even more valuable data such as intellectual property or other assets whose compromise could seriously damage a victim – regardless of whether that victim is an individual or a global enterprise.

• The tactics of industrialized fraud give criminals access to a wide range of targets – from the usernames and passwords of legitimate account holders, to data that enables fraudsters to successfully impersonate victims in applying for credit or access to tangible assets.

• Access alone is not the only risk. Once access is gained, organizations must maintain vigilance over transactions to assure that access was not gained through fraud, or that fraud is not the objective of what appears to be legitimate access.

• This, in turn, indicates the level of intelligence defenders must muster to match the intelligence capabilities of criminals in control of millions of compromised victims. These professionals are able to evade detection through nimble techniques such as the ability to move botnets quickly from one mass of compromised systems to another, or to hide behind complex abstractions of IP addresses and hostnames that change dynamically in response to attempts to detect and expose fraud activity.

Given these capabilities, it is hardly surprising that:

• 92 percent of breaches analyzed in the 2013 Verizon Data Breach Investigations Report are attributable to external agents, or that 75 percent resulted from “opportunistic” attacks13 – the very sort of exploit that large-scale automation and commercial-quality crimeware are designed to capitalize upon.

• Large-scale cybercrime rivals even the greatest achievements of legitimate efforts. At their peak, variants of the Conficker worm had compromised as many as 7 million unique IP addresses.14 This is more than twice as large as SETI@Home, one of the largest legitimate distributed computing efforts to date, which currently numbers approximately 3.4 million hosts.15 Disturbingly, Conficker remains the “worm that refuses to die.” Even though this distributed attack was effectively decapitated by concerted industry efforts between 2008 and 2010, Microsoft had detected 1.6 million instances of Conficker-compromised systems in late 2011.16 By the end of 2012, Microsoft researchers found that Conficker was still number two among malware detected on domain-joined computers – a figure that actually increased from the previous quarter.17

These facts describe the nature of concern manifested in guidance issued in 2011 by the US Federal Financial Institutions Examination Council (FFIEC) in its Supplement to Authentication in an Internet Banking Environment, which noted that:

    The Agencies [of the FFIEC] are concerned that customer authentication methods and controls implemented in conformance with the Guidance several years ago have become less effective. Hence, the institution and its customers may face significant risk where periodic risk assessments and appropriate control enhancements have not routinely occurred.18

These concerns are shared by regulators worldwide, including the Reserve Bank of India, South Korea’s Financial Supervisory Service, the Infocomm Development Authority of Singapore, Mexico’s National Banking and Securities Commission, and the People’s Bank of China – all of which have responded since early 2010 with regulation targeting much the same objectives as the guidance of the US FFIEC. This concern extends beyond financial fraud alone. It should be noted that once criminals have access to sensitive data linked to tangible assets, they might not stop at fraud. The access to additional sensitive information made possible by the tactics of industrialized fraud – such as usernames, passwords, access information, sensitive intellectual property or other valuable information assets – could be exploited to commit other crimes, which could cause even greater problems for individuals and organizations alike.

13 2013 Data Breach Investigations Report, Verizon Business et al., p. 5-6
14 Conficker Working Group Lessons Learned document, http://confickerworkinggroup.org/wiki/uploads/Conficker_Working_Group_Lessons_Learned_17_June_2010_final.pdf
15 http://boincstats.com/en/stats/0/project/detail as of May 9, 2013
16 Microsoft Security Intelligence Report, Vol. 12
17 Microsoft Security Intelligence Report, Vol. 14
18 http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf
How to Defend Against an Industry?

Strategists should take note of the common themes in these aspects of industrialized fraud:

• An industry enables efficient, large-scale operations. Sophisticated automation backed by integrated capabilities from multiple sources speaks to how the fraud landscape has matured. Global complexity is managed deftly when the tools of industry make it possible.

• Broad intelligence capabilities inform and refine fraud techniques and drive further evolution of the fraud industry. Enabled by large-scale automation, criminals collect intelligence from millions of victims, and from successful as well as unsuccessful exploits. This enables them to understand victims’ common weaknesses and the most successful tactics for achieving objectives and evading fraud defense.

• Identity is key. Fraud, after all, is about exploiting legitimate access to, and control over, valuable assets – and the technologies that handle them. What many organizations may have overlooked in the growing industrialization of fraud, however, is that protecting identity has come to mean much more than just strengthening a login or password. Today, it means greater protection for both individuals and institutions, and not just at login. From assuring identity in the provisioning of access, through validating legitimate activity throughout transaction processes and defending transactions against abuse, identity has become a pervasive factor in protecting organizations from fraud risk. This also highlights the pivotal role of identity in a “layered” approach to security, such as that described by the US FFIEC.

Defenders must respond accordingly:

• Confronting an industry requires a response up to the task. Organizations require industry-wide intelligence and action in order to make the most of effective techniques for detection and defense.

• The harnessing of dynamic intelligence is vital. Today, intelligence, detection and defense are coming together as never before. Defenders must have broad as well as detailed insight into activity across the fraud landscape – but this means more than just awareness. Today’s most advanced techniques for protecting assets harness that intelligence in real time, from equipping expert anti-fraud analyst teams with up-to-the-moment insight, to automating the decision to permit, block or more closely monitor transactions when evidence of potential or actual fraud is found. Today, the application of new technologies that optimize behavioral analytics across large and dynamic bodies of data opens new vistas to fraud analysts and real-time defense alike.

• Identity is key. If fraud is about exploiting legitimate access to, and control over, valuable assets, defending identity and strengthening authentication must be paramount. When fused with the evolution of intelligence-driven defense, this means an entirely new approach to protecting identity and defending against unauthorized or criminal access. It means arming identity and access management with a dynamic, intelligence-driven response to detected or attempted fraud, from the outer defenses of application systems, through the lifecycles of sensitive transactions. It also means establishing a higher confidence in identity based on informed insight.
Such an approach is consistent with the “layered security” concept described in the US FFIEC’s 2011 supplement to its Authentication in an Internet Banking Environment guidance, first issued in 2005:

    Layered security is characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control. Layered security can substantially strengthen the overall security of Internet-based services and be effective in protecting sensitive customer information, preventing identity theft, and reducing account takeovers and the resulting financial losses.19

The FFIEC supplement further identifies two key areas of focus: detection and response to suspicious activity, and control over privileged access to financial information systems. This suggests the strong linkage between intelligence and identity, and the need for strategy and tactics that unite both.

Dynamic, Adaptive, and Intelligence-Driven: RSA Fraud and Risk Intelligence Solutions

With its long history in fraud defense, the RSA family of Fraud and Risk Intelligence solutions counters the evolution of fraud with a comprehensive set of capabilities that herald a growing trend of intelligence integrated with tactics for confronting the fraud industry. Testifying to these capabilities are RSA’s accomplishments in defeating fraud. According to the RSA Anti-Fraud Command Center, RSA has shut down more than 800,000 online attacks across 185 countries and continues to have an impact worldwide. As this capability has grown in response to the growth of fraud as an industry, it has led to the development of a coordinated set of capabilities required to counteract well-organized threats to valuable assets.

At the Core: Intelligence and Expertise

RSA’s anti-fraud strengths are centered on a foundation of intelligence with insight throughout the fraud landscape. This intelligence is collected and delivered by analysts with significant expertise in the study of fraud activity and tactics, and in the techniques required for effective response:

• Analysts at the RSA Anti-Fraud Command Center (AFCC) work around the clock, every day of the year, to identify and shut down sources of fraud, cybercrime and communications channels that enable attacks such as phishing and malware distribution. They conduct intensive forensic work in order to understand the granular details of fraud essential to informing strategies and tactics, mounting an appropriate response to incidents, and recovering credentials when compromised. The AFCC has established relationships with multiple network service providers worldwide, and maintains expertise in nearly 200 languages to better detect and counter fraud activity where found.

• This expertise informs intelligence-driven RSA services for sharpening the ability to recognize fraud and defeat it before it has a damaging impact, such as the RSA eFraudNetwork, which maintains a continuously updated repository of fraud patterns gleaned from throughout RSA’s network of customers, service providers, and third-party sources worldwide. The RSA eFraudNetwork tracks cybercriminal profiles, patterns and behavior across 185 countries and maintains this data in a shared repository accessible to customers to keep them alerted to current trends in fraud activity. This information enables customers to better recognize fraud early and intervene more effectively to protect valuable assets from abuse.

• The RSA FraudAction Service provides round-the-clock detection, alerting, shutdown and reporting on fraud activity, a foundation on which effective fraud countermeasures can then build to strengthen defense against industrialized fraud. Analysts at the RSA Anti-Fraud Command Center provide these services to protect organizations against phishing, pharming and Trojan attacks, and to supplement anti-fraud strategies with focused expertise in the field. These capabilities can further help to round out a comprehensive strategy (as described in a later section of this report).

19 http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf

Integrating Real-Time Intelligence with Anti-Fraud Technologies

RSA’s fraud intelligence capabilities do more than inform customers of fraud activity. Today’s emerging anti-fraud technologies also integrate intelligence directly into real-time defense.

• The RSA Risk Engine offers a significant example of this capability. Central to a number of RSA technologies for defeating fraud, protecting identity and verifying transactions, the RSA Risk Engine detects online activity, analyzes it for evidence of potentially fraudulent or malicious behavior, and scores this activity in real time. The Risk Engine collects and analyzes large amounts of data from multiple sources. It evaluates online activity for more than 150 indicators of actual or potential fraud in real time, and assigns a unique risk score between 0 and 1,000 to each activity. Factors include user behavior, authentication and transaction activity, device and access context and more. It employs a self-learning statistical model to maintain currency and accuracy of assessment.
When combined with a policy manager that enables organizations to define their own risk management criteria, the RSA Risk Engine provides a layered approach to automating assessment of the integrity of observed access attempt and transaction behavior. This risk assessment serves as the basis for allowing transparent authentication, allowing the majority of transactions to pass unhindered, and identifying only the most risky transactions or activity for additional authentication. These capabilities are directly consumed in RSA anti-fraud and authentication technologies to manage online activity, dynamically protect access to reduce risk, identify new fraud trends and defend against them in real time as they develop. 8 ©2013 Enterprise Management Associates, Inc. All Rights Reserved. | www.enterprisemanagement.com RSA’s fraud intelligence capabilities do more than inform customers of fraud activity. Today’s emerging anti-fraud technologies also integrate intelligence directly into real-time defense. This capability is directly consumed in RSA anti-fraud and authentication technologies to manage online activity, dynamically protect access to reduce risk, identify new fraud trends and defend against them in real time as they develop. Page 8 The Industrialization of Fraud Demands a Dynamic Intelligence-Driven Response • RSA Silver Tail complements RSA’s family of fraud-aware identity protection technologies with dynamic insight into malicious activity. Where the RSA Risk Engine is central to Adaptive Authentication and Transaction Monitoring, RSA Silver Tail gathers forensic data, identifies behavioral norms, recognizes anomalies and gives organizations the intelligence they need to defend against fraud and business logic abuse occurring in the online channel in real time – before users log in, while the user is logged into an account, and everything that occurs after the user logs out of an account. 
Rather than authenticating the user, however, RSA Silver Tail identifies anomalous behavior that may indicate disruptive or fraudulent use of the website. RSA Silver Tail helps filter out legitimate behavior so that threats stand out, allowing customers to turn their attention to potential or realized threats rather than to the activities of legitimate users.

Before Any Transaction

Before any entity can be trusted with valuable assets, its identity and authorization must be verified. Criminals often seek to exploit weaknesses in proving identity in order to masquerade as legitimate parties or to gain unauthorized access to assets. It is thus an important first step, before establishing any relationship between individuals or organizations and their assets, to assure high confidence in the identity of asset owners and custodians. This assurance depends on intelligence-based distinction of those who are who they claim to be from those who are not.

• RSA Identity Verification, from LexisNexis, offers a consumer service that confirms a user’s identity in real time. It incorporates dynamic knowledge-based authentication that presents users with a series of questions formed from information accessible in dozens of public and commercially available sources. This capability can deliver a high-confidence confirmation of identity within seconds, even if no prior relationship has been established with the user. RSA Identity Verification exemplifies techniques that directly integrate intelligence with strengthening fraud prevention in real time. It can, for example, determine that the potential for fraud may be increased based on identity fraud alert monitoring, which checks for recent public records searches and “identity velocity,” or for high volumes of activity associated with one individual at several businesses. Based on the outcome of these checks, an alert can be sent, or the authentication process can be terminated.
• RSA Silver Tail complements the process of pre-login identity assurance through the collection of forensic data gathered from interactions with customer-facing websites and business applications. RSA Silver Tail monitors each click and all HTTP/HTTPS data for every active web session on a site, providing comprehensive session intelligence and context in real time. RSA Silver Tail offers a self-learning risk engine, which uses this data to develop population-based behavioral profiles. This allows individual user behavior to be compared to a population profile; anomalous behavior is then recognized and flagged. Because website interactions and usage patterns may vary according to a number of factors, this capability is dynamic, adapting its recognition of normal activity as that activity itself changes. For example, site traffic may grow and change in response to seasonal variation, new marketing programs, or increased referrals from sites such as news outlets in response to a current event. RSA Silver Tail recognizes these changes in “normal” behavior as they happen, adapting its analytics to minimize the false positives that may arise from static approaches and to better refine the recognition of threats that stand out.

Assuring Confidence in Access

Once identity is established, protection depends on assuring that fraudulent attempts to access valuable assets are prevented, and that legitimate access is limited to those authorized. As attackers have increased their ability to capture login credentials and exploit many common authentication techniques, organizations must consider the ways in which today’s fraud countermeasures can better defend against authentication exploits.
• RSA Adaptive Authentication responds to these concerns with a dynamic approach that measures fraud risk when and where access is attempted, and adjusts the rigor of authentication accordingly. Its risk-based authentication technology is informed by the RSA eFraudNetwork and powered by the RSA Risk Engine. Currently in use by more than 8,000 organizations in multiple industries, RSA Adaptive Authentication supports strong, multi-factor authentication using a combination of forensic data regarding the endpoint device and behavioral analysis, in addition to the intelligence of the RSA eFraudNetwork. RSA Adaptive Authentication often functions transparently to users, who may be unaware of its activity. This reduces the friction of adopting stronger authentication techniques, preserving customer convenience as well as enhancing confidence in defense against more advanced fraud tactics. For instance, in most implementations, over 95% of customer logins are not “challenged” by Adaptive Authentication. The RSA Policy Manager enables organizations to customize authentication policies to meet their specific needs. Together, a dynamic, intelligence-driven approach combined with granular control over policy definition provides organizations with a high degree of flexibility in advanced authentication technology. This flexibility is further supported by the availability of RSA Adaptive Authentication in both Software-as-a-Service (SaaS) and on-premises models, giving organizations the options they need to match the required level of control with attractive options for administration and support. RSA Adaptive Authentication protects websites, portals, SSL VPNs and web access management (WAM) applications. In addition, RSA Adaptive Authentication for eCommerce offers a single fraud prevention solution for card issuers, with support for the 3D Secure protocol and a wide range of authentication and card security products including Verified by Visa®, MasterCard SecureCode™ and JCB J/Secure™.
• RSA Silver Tail further complements these capabilities with visibility into the authentication path, providing analytics specific to recognizing account takeover, brute force and password guessing attacks. These attacks can then be flagged and mitigated using Silver Tail technology to identify issues and improve the efficiency of response.

After Access is Gained

Strengthening authentication alone, however, may not always defend assets against fraud. Consider, for example, the class of attacks known as “man-in-the-browser,” which echo earlier “man-in-the-middle” tactics of intercepting communications for eavesdropping, picking up sensitive information, and other nefarious purposes – except that “man-in-the-browser” attacks can do all this on a compromised personal endpoint system alone. When a criminal has direct access to an individual’s sensitive communications with financial systems, visibility into transaction anomalies is required to distinguish legitimate activity from fraud. This, too, is in keeping with the FFIEC guidance to adopt a layered approach to security. When intelligence includes visibility into transactions, it helps to eliminate what may otherwise be a blind spot in fraud prevention.

• RSA Transaction Monitoring combines risk-based analysis of transaction behavior and Trojan detection capabilities with out-of-band authentication techniques. This layered approach enables organizations to increase the level of authentication needed when fraud risk is detected. Multiple transaction types can be protected, from bill payments to address changes to password resets.
When RSA Transaction Monitoring suspects a Trojan or other threat creating a fraudulent transaction to a “mule” account, out-of-band authentication with specific transaction verification through the phone, email or SMS channel can be deployed automatically to thwart the attempt and prevent damage. Call forwarding detection can also be activated to stop criminals who attempt to intercept the challenge call by forwarding the genuine user’s phone number to their own.

• RSA Silver Tail complements RSA Adaptive Authentication and RSA Transaction Monitoring by constructing behavioral profiles for individual users in much the same way that Silver Tail constructs a profile for the site population. Once a known user logs into their account, current behavior is compared to past behavior and deviations are highlighted. This allows organizations to recognize malicious or fraudulent behavior in a specific instance of activity rather than examining all web sessions simultaneously, enabling highly efficient detection of a range of today’s more sophisticated threats. For example, if the majority of clicks for a particular website are typically 3-5 seconds apart, a web session with an unusually high percentage of clicks less than half a second apart would be assigned a high velocity score that may indicate robotic activity. Similarly, if during a web session the end user inputs additional information (such as user name, password, PIN and account number rather than just user name and password as expected), the session would be assigned a likelihood of being a man-in-the-browser attack, possibly indicating that malware designed to capture account information had been surreptitiously installed in the end user’s browser.
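The two session heuristics just described (click velocity and unexpected form fields), fed into a 0–1,000 score and a policy threshold in the manner of the Risk Engine and Policy Manager pairing described earlier, as an added illustration in Python; this is not RSA's or EMA's code, and the click timings, field names, weights and the allow/step-up/deny thresholds are constructed assumptions.

```python
"""Session anomaly scoring and policy decision (constructed illustration)."""
from dataclasses import dataclass

# Assumed: what a normal login post contains, and which extras matter most
EXPECTED_LOGIN_FIELDS = {"username", "password"}
SENSITIVE_EXTRA_FIELDS = {"pin", "account_number", "card_number", "ssn"}


@dataclass
class Session:
    session_id: str
    click_times: list      # seconds since session start, in order
    submitted_fields: set  # form fields seen in the login post


def velocity_score(click_times, fast_threshold=0.5, baseline_fast_ratio=0.05):
    """Share of inter-click gaps under fast_threshold seconds, compared with the
    share the site population normally shows (assumed 5%). Returns 0..1000."""
    gaps = [later - earlier for earlier, later in zip(click_times, click_times[1:])]
    if not gaps:
        return 0
    fast_ratio = sum(1 for g in gaps if g < fast_threshold) / len(gaps)
    # excess over baseline, normalised so an all-fast session scores 1000
    excess = max(0.0, fast_ratio - baseline_fast_ratio) / (1 - baseline_fast_ratio)
    return round(1000 * excess)


def mitb_score(submitted_fields, expected=EXPECTED_LOGIN_FIELDS):
    """Fields a login form should never submit (PIN, account number) suggest
    injected form content on the endpoint. Assumed weights: 300 per sensitive
    extra field, 50 per other unexpected field, capped at 1000."""
    extra = set(submitted_fields) - expected
    sensitive = extra & SENSITIVE_EXTRA_FIELDS
    return min(1000, 300 * len(sensitive) + 50 * len(extra - sensitive))


def session_risk(session):
    """Combine the indicators; the strongest single signal drives the score."""
    return max(velocity_score(session.click_times),
               mitb_score(session.submitted_fields))


# Assumed policy-manager thresholds, highest first: most sessions pass
# transparently, only the riskiest get an out-of-band step-up or a deny.
POLICY = [(800, "deny"), (400, "step_up"), (0, "allow")]


def decide(score, policy=POLICY):
    for threshold, action in policy:
        if score >= threshold:
            return action
    return "allow"


# Constructed sample sessions: a normal user, a scripted client, a session
# posting fields the login form never asks for, and a borderline mix.
SAMPLE_SESSIONS = [
    Session("normal", [0, 3.5, 7.2, 11.0, 15.1], {"username", "password"}),
    Session("bot", [0, 0.2, 0.4, 0.55, 0.7, 0.9, 1.05, 1.3], {"username", "password"}),
    Session("mitb", [0, 4.1, 8.0, 12.5], {"username", "password", "pin", "account_number"}),
    Session("mixed", [0, 0.3, 3.0, 3.2, 6.5, 9.9], {"username", "password"}),
]


def triage(sessions=SAMPLE_SESSIONS):
    """Map each session id to (risk score, policy action)."""
    return {s.session_id: (session_risk(s), decide(session_risk(s))) for s in sessions}


if __name__ == "__main__":
    for sid, (score, action) in triage().items():
        print(f"{sid:7s} score={score:4d} action={action}")
```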
RSA Silver Tail also provides a real-time rules engine to enforce the dynamic protection enabled by RSA fraud and threat analytics. It allows businesses to enforce organizational or other custom policies and to determine how to respond to different levels and types of threats. Because it integrates with existing infrastructure, RSA Silver Tail provides a high degree of flexibility for responding to both potential and realized threats. Features of the RSA Silver Tail rules engine include:

◦◦ One-Click Rules that support the deployment of rules across all pages of a website without having to code pages individually
◦◦ Rule Tags for identifying rule owners, functional group membership, threat type, and other criteria to enhance reporting capabilities
◦◦ Automated Alert Generation for the immediate transmission of real-time alerts to firewalls, Security Information and Event Management (SIEM) systems and authentication tools, as well as to fraud and information security analysts
◦◦ Time Functions in Rules that allow rules to be created with time of day in mind, so that an administrator can look for different things, such as activity at the opening bell of the stock exchange as opposed to the middle of the night, where traffic patterns differ greatly
◦◦ Incidents that allow rules to designate that a particular action creates a case, which can be managed from within the Silver Tail User Interface when issues need to be tracked

Support for a Comprehensive Strategy: RSA FraudAction Service

Maintaining an effective strategy against modern fraud requires more than a deployment of technologies or practices within an individual business. Confronting an industry requires capabilities that counteract fraud at its source.
In addition, when incidents occur, specialized expertise in fraud analysis may be required for the proper forensic response. This highlights the role of services that unite expertise and intelligence with action, further extending the concept of layered security beyond narrowly focused protections.

• The RSA FraudAction Service offers a set of managed services that help organizations prevent fraud threats from reaching their targets. This service provides round-the-clock detection, alerting, shutdown and reporting on fraud activity. RSA FraudAction also provides forensic capabilities, countermeasures, and comprehensive blocking of access to known infection points. Analysts at the RSA Anti-Fraud Command Center (AFCC) provide these services to protect organizations against phishing, pharming and Trojan attacks, and to supplement anti-fraud strategies with focused expertise in the field. Capabilities of the RSA FraudAction Service include:

• The RSA Anti-Phishing Service, which employs the expertise of the RSA AFCC to monitor, detect and alert on phishing activity, which plays a central role in extending the reach of fraud. With intelligence gathered from over 3 billion emails per day, this service provides real-time alerts and reporting, site blocking and shutdown, forensic analysis and credential recovery, and countermeasures against phishing attacks. When an attack is detected, pre-defined criteria trigger an alert to the AFCC. If an attack is confirmed, customers are immediately notified. Blocking and shutdown are supported through partnerships with many of the world’s leading ISPs and browser developers, while countermeasures such as baiting techniques help identify criminals and provide deeper insight into fraud activity.
• The RSA Anti-Trojan Service leverages intelligence from a network of technology partners, third-party sources, and techniques such as automated discovery to find, analyze and reverse-engineer detected malware and crimeware worldwide. This service also provides credential recovery, to enable mitigation of any possible theft and infection. The Anti-Trojan Service equips customers with early recognition of active or emerging Trojan threats that are often involved in credential theft or abuse – intelligence without which this class of threat may go unrecognized and undetected, causing real harm.

• The RSA FraudAction Intelligence Service provides detailed reports on the activities of the cybercriminal underground, including forum posts, threat trends and organization-specific information.

• The RSA CyberCrime Intelligence Service informs organizations about corporate endpoints, network resources, access credentials or other information that may have been compromised by malware. This intelligence is derived from RSA Trojan Research Labs analysis and a network of security technology crawling partners in antivirus, network security and Web defense that provide RSA with current malware information. Clients are informed of potential compromises through a variety of weekly reports, including recovered data related to an organization’s corporate URLs, email communications, or IP address ranges. The RSA CyberCrime Intelligence Service also offers two daily reports on blacklisted sites used by criminals to launch attacks and communicate updates to malware in the wild.
Reports are delivered in an XML format that can be easily downloaded through a dedicated portal, providing clients with the insight they need into malware activity affecting their organization and helping them make the most of their security investments.

Together, these capabilities highlight how a comprehensive approach extends the concepts of layered security envisioned by guidance such as that of the FFIEC:

• From the gathering of intelligence and expertise
• To putting that expertise directly to work in the technologies of defense
• From identity provisioning to adaptive authentication before transactions are initiated
• Through protection for transactions once access is gained
• To complementing the approach with comprehensive defenses that employ intelligence and expertise to combat industrialized fraud.

EMA Perspective

In technologies such as risk-based authentication, web session intelligence, and the automation of risk analysis in anti-fraud techniques, EMA sees the heralds of a new, intelligence-driven approach to information security that signal a turning point for the industry. As criminals continually challenge the effectiveness of legacy defenses, insight into malicious activity is becoming central to any effective approach to security and fraud defense. The long view of this trend is the integration of intelligence directly into the technologies of defense, in order to make countermeasures more directly dependent on dynamic data sources and so sharpen their effectiveness in real time. In this, the technologies that combat fraud have shown early leadership. Techniques such as risk-based authentication and web session intelligence were among the first to recognize the value of integrating intelligence directly into strengthening the protection of access to valuable assets, recognizing fraud before it is attempted, and defeating it once transactions are in process.
With its investment in intelligence-driven technologies for identity protection and fraud defense, RSA has become a recognized leader in this field. Its portfolio of products and services, which embraces a comprehensive approach to fraud defense, does more than extend the concepts of layered security that have become the mandate for financial institutions and a pattern for more effective defense beyond them. With a comprehensive approach to fraud and risk intelligence that extends across multiple areas of concern, RSA offers an example that recognizes the scope of the challenge, equipping organizations with the level of response needed to extend the concept of layered security to the confrontation of what has become an industrialized threat.

About RSA, The Security Division of EMC

RSA, The Security Division of EMC, is a premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world’s leading organizations solve complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments. Combining controls in identity assurance, encryption & key management, SIEM, Data Loss Prevention, Continuous Network Monitoring, and Fraud Protection with eGRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.EMC.com/RSA.

About Enterprise Management Associates, Inc.
Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that provides deep insight across the full spectrum of IT and data management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices, and in-depth knowledge of current and planned vendor solutions to help clients achieve their goals. Learn more about EMA research, analysis, and consulting services for enterprise line of business users, IT professionals and IT vendors at www.enterprisemanagement.com or blogs.enterprisemanagement.com. You can also follow EMA on Twitter or Facebook.

This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. “EMA” and “Enterprise Management Associates” are trademarks of Enterprise Management Associates, Inc. in the United States and other countries. ©2013 Enterprise Management Associates, Inc. All Rights Reserved. EMA™, ENTERPRISE MANAGEMENT ASSOCIATES®, and the mobius symbol are registered trademarks or common-law trademarks of Enterprise Management Associates, Inc.

Corporate Headquarters: 1995 North 57th Court, Suite 120, Boulder, CO 80301
Phone: +1 303.543.9500
Fax: +1 303.543.7687
www.enterprisemanagement.com
2708.060313