The Industrialization of Fraud Demands a Dynamic Intelligence-Driven Response
An ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) White Paper
Prepared for RSA, The Security Division of EMC
June 2013
IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING
Table of Contents
Executive Summary........................................................................................................................... 1
Fraud in 2013: The Continuing Evolution of an Industry................................................................. 1
The Net Result: The Industrialization of Fraud.................................................................................. 3
How to Defend Against an Industry?................................................................................................ 6
Dynamic, Adaptive, and Intelligence-Driven: RSA Fraud and Risk Intelligence Solutions................ 7
At the Core: Intelligence and Expertise........................................................................................ 7
Integrating Real-Time Intelligence with Anti-Fraud Technologies............................................... 8
Before Any Transaction........................................................................................................ 9
Assuring Confidence in Access........................................................................................... 10
After Access is Gained........................................................................................................ 10
Support for a Comprehensive Strategy: RSA FraudAction Service............................................. 12
EMA Perspective.............................................................................................................................. 13
About RSA, The Security Division of EMC.................................................................................... 14
©2013 Enterprise Management Associates, Inc. All Rights Reserved. | www.enterprisemanagement.com
Executive Summary
As criminals have discovered the profitability of attacks against information systems, the impact of fraud
has grown. Their innovations have made it easier to steal from a wider range of victims. This has spurred
the commercialization of crimeware and services – which, in turn, has given rise to specialization,
competitive pressures, and other factors that illustrate how fraud, abetted by cybercrime, has grown from
the unrelated activities of a few into an industry in its own right.
This industry has produced a level of automation and sophistication
in fraud techniques to rival those of the legitimate business world. The
commercial-grade packaging of complex threats makes it possible to
readily convert personal systems into pawns that facilitate fraud, often
unbeknownst to their rightful owners. Large-scale systems management
capitalizes on the ability to harness entire networks of compromised hosts
whose masters often avoid detection and defeat through highly nimble
evasive tactics. The net result: an industrialized threat that is costing
businesses billions of dollars worldwide.
In this paper, Enterprise Management Associates (EMA) explores the response
organizations must marshal to stand up to this industrialized cybercrime
threat. If attackers are well organized and well informed, take advantage of
the latest innovations in the shadow market of crimeware and automation,
and capitalize on intelligence to maintain their advantage, organizations must respond accordingly.
Coordinated strategies embracing multiple tactics to limit exposure and improve effectiveness are now
mandated by guidance such as that of the US Federal Financial Institutions Examination Council and
other regulations worldwide affecting businesses targeted by fraud. The RSA Fraud and Risk Intelligence
portfolio of solutions offers an example of such a coordinated approach. With its early leadership in
technologies and services that integrate intelligence with anti-fraud tactics in real time, the RSA Fraud
and Risk Intelligence portfolio gives organizations the tools to enable strategies for confronting an
industrialized threat with an industry-wide response.
Fraud in 2013: The Continuing Evolution of an Industry
In years past, those who sought to perpetrate fraud by exploiting information systems often worked
alone. They may have selected their methods, harvested valuable data and carried out fraudulent
transactions in relative isolation, working independently for their own gain.
Today, the profitability of cybercrime has transformed the nature of the game. Consider phishing
attacks alone – which the RSA Anti-Fraud Command Center estimates to have cost businesses over
$1.5 billion in global fraud losses in 2012.[1] Phishing continues to be a problem that plagues businesses
around the globe. According to the Anti-Phishing Working Group, the number of brands hijacked by
phishing campaigns continues to grow steadily, increasing by 15% year-over-year by the end of 2012.
Payment services as a percentage of all targeted industries doubled over the previous year, second only
to financial services and displacing both retail and gaming (one of the fastest-growing target sectors) by
a significant margin.[2][3]
[1] http://www.emc.com/microsites/rsa/phishing/index.htm?pid=features-InteractiveInfographic-022112
The growth in profitability has had the same impact on the business of fraud as it would in any other
endeavor: it has given rise to a market as well defined as any in the legitimate business world:
• Commercialization: From assortments of exploits collected over time and through the experience
of individuals, the profitability of fraud has matured attacks into packaged products and even
product sets made available through covert commercial channels. Frameworks that enable exploits
to be built from components have accelerated the “time to market” of more complex threats,
exhibiting a sophistication in serving a market that directly parallels legitimate software businesses.
These threat packages continue to evolve, most notably in 2012 with the introduction of Citadel, one
of the most successful upgrades of the Zeus Trojan to date. Among its many other enhancements,
Citadel introduced features such as a “dynamic config” capability that enables operators to create
web injections and use them on the fly, pushing individual exploits to selected bots without the
complications of pushing an entire new configuration file. This allows Citadel to more accurately
mimic the activity of legitimate websites in real time, making fraud attacks both more efficient and
more effective.[4]
Distributed Denial of Service (DDoS) capability has become another popular feature of commercial
crimeware, capitalizing on highly distributed threat networks such as botnets to turn compromised
hosts into DDoS amplifiers on an enormous scale. In late 2012, banks suffered from a series of such
attacks that capitalized on DNS system vulnerabilities and web servers compromised by crimeware
tools such as “itsoknoproblembro.”[5] In early 2013, one such attack against a major US utility
knocked out an entire online and telephone payment system, forcing 155,000 customers to pay
their bills in person for two days in an incident linked to criminals who use rented botnets to extort
money from victims and steal valuable intellectual property.[6]
• Commoditization has naturally followed commercialization, as the expertise of a few has become
available to many. Once an attack concept becomes coded as malware, it becomes available to a
much greater number of adversaries who need not be more sophisticated than the original author
(and are often far less). As the tools of fraud have become more widely available, prices have fallen
accordingly. In 2011, RSA research found that the price of a fully functional version of the Zeus
Trojan that may have once sold for $10,000 had fallen to as low as $380 for a “twofer” recompile.[7]
This commoditization, however, has come at a cost to the criminal. Penetration, prosecution and
disruption of such widespread and highly visible activity by law enforcement and anti-fraud efforts
have led some crimeware organizations to privatize their operations, restricting access to outsiders
and, in some cases, taking commercial offerings off more open markets. Upward pricing pressures
due to increased demand may result.
[2] http://docs.apwg.org/reports/apwg_trends_report_h2_2011.pdf
[3] http://docs.apwg.org/reports/apwg_trends_report_Q4_2012.pdf
[4] http://blogs.rsa.com/citadel-v1-3-5-1-enter-the-forts-dungeons/
[5] http://www.ehacking.net/2013/01/itsoknoproblembro-toolkit-beast-that.html
[6] http://www.economist.com/blogs/babbage/2013/03/crimeware
[7] The Year in Crimeware, RSA FraudAction Anti-Trojan Service, January 2012, p. 20
• Competition places additional pressure on criminals as more competitors and attack platforms
enter, or re-enter, the market. The SpyEye Trojan, for example, became a significant competitor
to Zeus, with capabilities that displaced Zeus when found on a target. In late 2012, the Carberp
Trojan returned to the commercial malware market to challenge these and other attack platforms,
commanding a price as much as four times the top asking price ever paid for Zeus or SpyEye in the
underground, further reflecting the increased demand for such capability.[8]
• Specialization: Market pressures as well as new opportunities have also led criminals to add
specialized features to attack platforms, including a new generation of mobile threats. Variants of
many popular attack packages such as Citadel, Zeus, SpyEye and Carberp can now be equipped
with malicious mobile apps that can intercept and forward the SMS messages often used to transmit
one-time authentication codes – likely heralds of significantly increased fraudster investment in
mobile threats to come. Geographically specific malware, meanwhile, continues to advance as
a trend, recognizing that different language and cultural regions may require their own distinct
authentication and attack techniques in order to be effective. Supplemental “off the shelf ” products
have arisen to serve emerging segments of the market, such as “anti-security” software that defends
crimeware against detection and defeat.
• “Fraud as a Service”: The increasing specialization of fraud has also given rise to entrepreneurs
who recognize the value of services to support and enhance fraud activity. Already in its brief but
active history, the landscape of Fraud-as-a-Service has evolved. In the past, malware purveyors
offered what are effectively subscription services where, for example, a provider may have made
injection scripts available for a small fee (such as $5 each), or provided unlimited access to a variety
of modules for $50 per month.[9] The increased pressure on criminals to limit the availability of
fraud tools and services, privatize their operations and “play closer to the vest” may, however, have
the effect described earlier of increasing prices in the illicit market – but this, too, will introduce
new opportunities. In 2013, researchers expect to see cybercrime platforms and supporting
plugins, exploit kits, and administrative consoles to be sold in SaaS form at higher prices, rather
than be offered for purchase. Botnet setup and support services will remain in high demand, with
bundled deals of Trojan binaries combined with hosting on hardened servers, encryption, plugin
sets and web injection packages. Criminals may even offer instruction in cybercrime for less skilled
fraudsters.[10]
The Net Result: The Industrialization of Fraud
These developments make one central fact clear: fraud has grown from a criminal activity into an
industry. In the most recent email metrics report of the Messaging, Malware and Mobile Anti-Abuse
Working Group (M3AAWG), spam and messages that abuse email systems made up 88.8% of mail
volume across more than 400 million mailboxes among the participating member service operators,[11]
with as much as one-fourth of spam email containing malware[12] – and much of that malware targeted
fraud as its objective.
[8] RSA FraudAction Quarterly Trojan Report, Q4 2012, p. 18
[9] The Year in Crimeware, p. 20
[10] RSA FraudAction Quarterly Trojan Report, Q4 2012, p. 34
[11] Messaging Anti-Abuse Working Group (MAAWG) Email Metrics Report, First, Second and Third Quarter 2011, http://www.maawg.org/sites/maawg/files/news/MAAWG_2011_Q1Q2Q3_Metrics_Report_15.pdf
[12] http://redmondmag.com/articles/2011/08/18/spam-hiding-malware-increases-in-august.aspx
How have the malicious been able to dominate this much of legitimate
IT? Through the sophistication of attacks made possible by an industrial
ecosystem:
• Multifunctional attacks that encompass a variety of ways to
compromise victims have been made possible by readily used
frameworks for their construction, and crimeware of a quality similar
to commercial-grade off-the-shelf software in packaging, delivery
and support.
• Sophisticated automation rivaling the scale and efficiency of enterprise-class IT management
systems that enables the fluid control of large-scale networks of compromised hosts.
• Tools that harness the power of the Internet to further expand fraud on a similarly global scale.
Compromised hosts can, for example, become spam or phishing amplifiers, dramatically increasing
the likelihood of successful exploit.
• Websites – malicious as well as legitimate sites whose vulnerabilities have been exploited – can be
engaged to further propagate attacks, by enabling a compromised host to download additional
crimeware at the command of a remote manipulator, often without the victim’s knowledge. The
reach of sites can be further extended through techniques such as search engine manipulation.
• What cannot be automated can be accomplished by an industry that can recruit large numbers of
people to perform often straightforward yet lucrative tasks, such as enabling cross-border money
transfers that might lead to identification of foreign criminals if out-of-country fraudsters were
to attempt to transfer funds directly via remote control. Economic pressures can make it that
much easier for fraudsters to recruit these “mules” with the promise of easy money in exchange
for absorbing this aspect of their employers’ risk. This is in addition to what may be considered a
“mule” of another sort: an unsuspecting individual whose personal system has been compromised
to perform essentially the same function remotely, typically without the user’s awareness, and using
the individual’s (legitimate) credentials.
• At this industrial level, fraud becomes an efficient business of opportunity. Each one of millions
of compromised victims can become a source of information that can be exploited to siphon off
material assets – or perhaps to access even more valuable data such as intellectual property or other
assets whose compromise could seriously damage a victim – regardless of whether an individual or a
global enterprise.
• The tactics of industrialized fraud give criminals access to a wide range of targets – from
the usernames and passwords of legitimate account holders, to data that enables fraudsters to
successfully impersonate victims in applying for credit or access to tangible assets.
• Access alone is not the only risk. Once access is gained, organizations must maintain vigilance over
transactions to assure that access was not gained through fraud, or that fraud is not the objective of
what appears to be legitimate access.
• This, in turn, indicates the level of intelligence defenders must muster to match the intelligence
capabilities of criminals in control of millions of compromised victims. These professionals are able
to evade detection through nimble techniques such as the ability to move botnets quickly from one
mass of compromised systems to another, or to hide behind complex abstractions of IP addresses
and hostnames that change dynamically in response to attempts to detect and expose fraud activity.
Given these capabilities, it is hardly surprising that:
• 92 percent of breaches analyzed in the 2013 Verizon Data Breach Investigations Report are
attributable to external agents, or that 75 percent resulted from “opportunistic” attacks[13] – the
very sort of exploit that large-scale automation and commercial-quality crimeware are designed to
capitalize upon.
• Large-scale cybercrime rivals even the greatest achievements of legitimate efforts. At their peak, variants
of the Conficker worm had compromised as many as 7 million unique IP addresses.[14] This is more
than twice as large as SETI@Home, one of the largest legitimate distributed computing efforts to
date, which currently numbers approximately 3.4 million hosts.[15] Disturbingly, Conficker remains
the “worm that refuses to die.” Even though this distributed attack was effectively decapitated by
concerted industry efforts between 2008 and 2010, Microsoft had detected 1.6 million instances
of Conficker-compromised systems in late 2011.[16] By the end of 2012, Microsoft researchers found
that Conficker was still number two among malware detected on domain-joined computers – a
figure that actually increased from the previous quarter.[17]
These facts describe the nature of concern manifested in guidance issued in 2011 by the US Federal
Financial Institutions Examination Council (FFIEC) in its Supplement to Authentication in an Internet
Banking Environment, which noted that:
The Agencies [of the FFIEC] are concerned that customer authentication methods and controls
implemented in conformance with the Guidance several years ago have become less effective.
Hence, the institution and its customers may face significant risk where periodic risk assessments
and appropriate control enhancements have not routinely occurred.[18]
These concerns are shared by regulators worldwide, including the Reserve Bank of India, South Korea’s
Financial Supervisory Service, the Infocomm Development Authority of Singapore, Mexico’s National
Banking and Securities Commission, and the People’s Bank of China – all of which have responded
since early 2010 with regulation targeting much the same objectives as the guidance of the US FFIEC.
This concern extends beyond financial fraud alone. It should be noted
that once criminals have access to sensitive data linked to tangible
assets, they might not stop at fraud. The access to additional sensitive
information made possible by the tactics of industrialized fraud – such as
usernames, passwords, access information, sensitive intellectual property
or other valuable information assets – could be exploited to commit
other crimes, which could cause even greater problems for individuals
and organizations alike.
[13] 2013 Data Breach Investigations Report, Verizon Business et al., pp. 5-6
[14] Conficker Working Group Lessons Learned document (http://confickerworkinggroup.org/wiki/uploads Conficker_Working_Group_Lessons_Learned_17_June_2010_final.pdf)
[15] http://boincstats.com/en/stats/0/project/detail as of May 9, 2013
[16] Microsoft Security Intelligence Report, Vol. 12
[17] Microsoft Security Intelligence Report, Vol. 14
[18] http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf
How to Defend Against an Industry?
Strategists should take note of the common themes in these aspects of industrialized fraud:
• An industry enables efficient, large-scale operations. Sophisticated automation backed by
integrated capabilities from multiple sources speaks to how the fraud landscape has matured.
Global complexity is managed deftly when the tools of industry make it possible.
• Broad intelligence capabilities inform and refine fraud techniques and drive further evolution
of the fraud industry. Enabled by large-scale automation, criminals collect intelligence from
millions of victims, and from successful as well as unsuccessful exploits. This enables them to
understand the victim’s common weaknesses and the most successful tactics for achieving objectives
and evading fraud defense.
• Identity is key. Fraud, after all, is about exploiting legitimate access
to, and control over, valuable assets – and the technologies that
handle them. What many organizations may have overlooked in
the growing industrialization of fraud, however, is that protecting
identity has come to mean much more than just strengthening
a login or password. Today, it means greater protection for both
individuals and institutions, and not just at login. From assuring
identity in the provisioning of access, through validating legitimate
activity throughout transaction processes and defending transactions
against abuse, identity has become a pervasive factor in protecting
organizations from fraud risk. This also highlights the pivotal role of
identity in a “layered” approach to security, such as that described by
the US FFIEC.
Defenders must respond accordingly:
• Confronting an industry requires a response up to the task. Organizations require industry-wide
intelligence and action in order to make the most of effective techniques for detection and defense.
• The harnessing of dynamic intelligence is vital. Today, intelligence, detection and defense are
coming together as never before. Defenders must have broad as well as detailed insight into activity
across the fraud landscape – but this means more than just awareness. Today’s most advanced
techniques for protecting assets harness that intelligence in real time, from equipping expert
anti-fraud analyst teams with up-to-the-moment insight, to automating the decision to permit, block or
more closely monitor transactions when evidence of potential or actual fraud is found. Today, the
application of new technologies that optimize behavioral analytics across large and dynamic bodies
of data opens new vistas to fraud analysts and real-time defense alike.
• Identity is key. If fraud is about exploiting legitimate access to, and control over, valuable assets,
defending identity and strengthening authentication must be paramount. When fused with
the evolution of intelligence-driven defense, this means an entirely new approach to protecting
identity and defending against unauthorized or criminal access. It means arming identity and
access management with a dynamic, intelligence-driven response to detected or attempted fraud,
from the outer defenses of application systems, through the lifecycles of sensitive transactions. It
also means establishing a higher confidence in identity based on informed insight.
Such an approach is consistent with the “layered security” concept described in the US FFIEC’s 2011
supplement to its Authentication in an Internet Banking Environment guidance first issued in 2005:
Layered security is characterized by the use of different controls at different points in a transaction
process so that a weakness in one control is generally compensated for by the strength of a different
control. Layered security can substantially strengthen the overall security of Internet-based services
and be effective in protecting sensitive customer information, preventing identity theft, and
reducing account takeovers and the resulting financial losses.[19]
The FFIEC supplement further identifies two key areas of focus: detection and response to suspicious
activity, and control over privileged access to financial information systems. This suggests the strong
linkage between intelligence and identity, and the need for strategy and tactics that unite both.
Dynamic, Adaptive, and Intelligence-Driven: RSA Fraud and Risk Intelligence Solutions
With its long history in fraud defense, the RSA family of Fraud and Risk
Intelligence solutions counters the evolution of fraud with a comprehensive
set of capabilities that herald a growing trend of intelligence integrated
with tactics for confronting the fraud industry.
Testifying to these capabilities are RSA’s accomplishments in defeating
fraud. According to the RSA Anti-Fraud Command Center, RSA has
shut down more than 800,000 online attacks across 185 countries and
continues to have an impact worldwide. As this capability has grown
in response to the growth of fraud as an industry, it has led to the
development of a coordinated set of capabilities required to counteract
well-organized threats to valuable assets.
At the Core: Intelligence and Expertise
RSA’s anti-fraud strengths are centered on a foundation of intelligence with insight throughout the
fraud landscape. This intelligence is collected and delivered by analysts with significant expertise in the
study of fraud activity and tactics, and in the techniques required for effective response:
• Analysts at the RSA Anti-Fraud Command Center (AFCC) work around the clock, every day of
the year, to identify and shut down sources of fraud, cybercrime and communications channels that
enable attacks such as phishing and malware distribution. They conduct intensive forensic work
in order to understand the granular details of fraud essential to informing strategies and tactics,
mounting an appropriate response to incidents, and recovering credentials when compromised.
The AFCC has established relationships with multiple network service providers worldwide, and
maintains expertise in nearly 200 languages to better detect and counter fraud activity where found.
[19] http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf
• This expertise informs intelligence-driven RSA services for sharpening the ability to recognize fraud
and defeat it before it has a damaging impact, such as the RSA eFraudNetwork, which maintains
a continuously updated repository of fraud patterns gleaned from throughout RSA’s network of
customers, service providers, and third party sources worldwide. The RSA eFraudNetwork tracks
cybercriminal profiles, patterns and behavior across 185 countries and maintains this data in a
shared repository accessible to customers to keep them alerted to current trends in fraud activity.
This information enables customers to better recognize fraud early and intervene more effectively
to protect valuable assets from abuse.
• The RSA FraudAction Service provides round-the-clock detection, alerting, shutdown and
reporting on fraud activity that provides a foundation on which effective fraud countermeasures
can then build to strengthen defense against industrialized fraud. Analysts at the RSA Anti-Fraud
Command Center provide these services to protect organizations against phishing, pharming and
Trojan attacks, and to supplement anti-fraud strategies with focused expertise in the field. These
capabilities can further help to round out a comprehensive strategy (as described in a later section
of this report).
Integrating Real-Time Intelligence with Anti-Fraud Technologies
RSA’s fraud intelligence capabilities do more than inform customers of fraud activity. Today’s emerging
anti-fraud technologies also integrate intelligence directly into real-time defense.
• The RSA Risk Engine offers a significant example of this capability.
Central to a number of RSA technologies for defeating fraud,
protecting identity and verifying transactions, the RSA Risk
Engine detects online activity, analyzes it for evidence of potentially
fraudulent or malicious behavior, and scores this activity in real time.
The Risk Engine collects and analyzes large amounts of data from multiple
sources. It evaluates online activity for more than 150 indicators
of actual or potential fraud in real time, and assigns a unique risk
score between 0 and 1,000 to each activity. Factors include user
behavior, authentication and transaction activity, device and access
context and more. It employs a self-learning statistical model
to maintain currency and accuracy of assessment. When combined
with a policy manager that enables organizations to define their own
risk management criteria, the RSA Risk Engine provides a layered
approach to automating assessment of the integrity of observed
access attempts and transaction behavior. This risk assessment serves
as the basis for allowing transparent authentication, allowing the
majority of transactions to pass unhindered, and identifying only
the most risky transactions or activity for additional authentication.
These capabilities are directly consumed in RSA anti-fraud and
authentication technologies to manage online activity, dynamically
protect access to reduce risk, identify new fraud trends and defend
against them in real time as they develop.
• RSA Silver Tail complements RSA’s family of fraud-aware identity protection technologies
with dynamic insight into malicious activity. Where the RSA Risk Engine is central to Adaptive
Authentication and Transaction Monitoring, RSA Silver Tail gathers forensic data, identifies
behavioral norms, recognizes anomalies and gives organizations the intelligence they need to
defend in real time against fraud and business logic abuse in the online channel: before users
log in, while they are logged into an account, and in everything that occurs after they log out.
Rather than authenticating the user, RSA Silver Tail identifies anomalous behavior that may
indicate disruptive or fraudulent use of the website. It filters out legitimate behavior so that
threats stand out, allowing customers to turn their attention to potential or realized threats
rather than to the activities of legitimate users.
Before Any Transaction
Before any entity can be trusted with valuable assets, its identity and authorization must be verified.
Criminals often seek to exploit weaknesses in proving identity in order to masquerade as legitimate
parties or to gain unauthorized access to assets. It is thus an important first step, before establishing
any relationship between individuals or organizations and their assets, to assure high confidence in the
identity of asset owners and custodians. This assurance depends on intelligence-based distinction of
those who are who they claim to be from those who are not.
• RSA Identity Verification, from LexisNexis, offers a consumer service that confirms a user’s
identity in real time. It incorporates dynamic knowledge-based authentication that presents users
with a series of questions that are formed based on information accessible from dozens of public
and commercially available sources. This capability can deliver a high-confidence confirmation of
identity within seconds, even if no prior relationship has been established with the user.
RSA Identity Verification exemplifies techniques that integrate intelligence directly into
real-time fraud prevention. It can, for example, raise the assessed potential for fraud on the
basis of identity fraud alert monitoring, which checks for recent public records searches, or of
“identity velocity,” a high volume of activity associated with one individual at several
businesses. Based on the outcome of these checks, an alert can be sent or the authentication
process can be terminated.
• RSA Silver Tail complements the process of identity assurance pre-login through the collection of
forensic data gathered from interactions with customer-facing websites and business applications.
RSA Silver Tail monitors each click and all HTTP/HTTPS data for every active web session on
a site, for comprehensive session intelligence and context in real time. RSA Silver Tail offers a
self-learning risk engine which then uses this data to develop population-based behavioral profiles.
This allows individual user behavior to be compared to a population profile. Anomalous behavior
is then recognized and flagged.
Because website interactions and usage patterns may vary according to a number of factors, this
capability is dynamic, adapting the recognition of normal activity as that activity itself changes.
For example, site traffic may grow and change in response to seasonal variation, new marketing
programs, or increased referrals from sites such as news outlets in response to a current event. RSA
Silver Tail recognizes these changes in “normal” behavior as they happen, adapting its analytics to
minimize the false positives that may arise from static approaches and better refine the recognition
of threats that stand out.
Assuring Confidence in Access
Once identity is established, protection depends on preventing fraudulent attempts to access valuable
assets and on limiting legitimate access to those who are authorized. As attackers have become better
at capturing login credentials and exploiting many common authentication techniques, organizations
must consider how today’s fraud countermeasures can better defend against attacks on authentication
itself.
• RSA Adaptive Authentication responds to these concerns with a dynamic approach that measures
fraud risk when and where access is attempted, and adjusts the rigor of authentication accordingly.
Its risk-based authentication technology is informed by the RSA eFraudNetwork and powered by
the RSA Risk Engine. Currently in use by more than 8,000 organizations in multiple industries,
RSA Adaptive Authentication supports strong, multi-factor authentication using a combination of
forensic data regarding the endpoint device and behavioral analysis in addition to the intelligence
of the RSA eFraudNetwork.
RSA Adaptive Authentication often functions transparently to users, who may be unaware of
its activity. This reduces the friction of adopting stronger authentication techniques, preserving
customer convenience as well as enhancing confidence in defense against more advanced fraud
tactics. For instance, in most implementations, over 95% of customer logins are not “challenged”
by Adaptive Authentication. The RSA Policy Manager enables organizations to customize
authentication policies to meet their specific needs. Together, a dynamic, intelligence-driven
approach and granular control over policy definition give organizations a high degree of
flexibility in advanced authentication technology. That flexibility is further supported by the
availability of RSA Adaptive Authentication in both Software-as-a-Service (SaaS) and
on-premises models, so that organizations can match the control they need with the
administration and support options they prefer.
RSA Adaptive Authentication protects websites, portals, SSL VPNs and web access management
(WAM) applications. In addition, RSA Adaptive Authentication for eCommerce offers a single
fraud prevention solution for card issuers, with support for the 3D Secure protocol and a wide range
of authentication and card security products including Verified by Visa®, MasterCard SecureCode™
and JCB J/Secure™.
• RSA Silver Tail further complements these capabilities with visibility into the authentication path,
providing analytics specific to recognizing account takeover, brute force and password guessing
attacks. These attacks can then be flagged and mitigated using Silver Tail technology to identify
issues and improve the efficiency of response.
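As an added illustration of the risk-engine and policy-manager split described above (a 0 to 1,000 risk score built from several factors, and a policy layer that lets most attempts through transparently and steps up only the riskiest), the following Python is example code written for this page, not RSA’s implementation. The factors, their weights, the thresholds and the assumed shared-intelligence flag are all illustrative assumptions:

```python
"""Risk-based (adaptive) authentication: a toy risk engine that scores each
access or transaction attempt 0-1000 from several factors, and a policy layer
that maps the score to allow / challenge / deny.  Added illustration of the
pattern discussed on this page, not RSA code; factors, weights, thresholds
and the shared_intel_hit feed are assumptions."""
from dataclasses import dataclass


@dataclass
class UserProfile:
    """What the engine has learned about one user from past sessions."""
    known_devices: set
    usual_countries: set
    usual_hours: set             # hours (UTC) at which this user normally logs in
    typical_amount: float = 0.0  # e.g. rolling median of past payments


@dataclass
class Attempt:
    user: str
    device_id: str
    ip_country: str
    hour_utc: int
    is_payment: bool = False
    amount: float = 0.0
    shared_intel_hit: bool = False  # device/IP already reported as fraudulent elsewhere (assumed feed)


def risk_score(attempt: Attempt, profile: UserProfile):
    """Additive score capped at 1000, plus the names of the factors that fired."""
    factors = {
        "unknown_device":   (attempt.device_id not in profile.known_devices, 300),
        "unusual_country":  (attempt.ip_country not in profile.usual_countries, 250),
        "unusual_hour":     (attempt.hour_utc not in profile.usual_hours, 100),
        "large_amount":     (attempt.is_payment and attempt.amount > 5 * profile.typical_amount, 250),
        "shared_intel_hit": (attempt.shared_intel_hit, 400),
    }
    fired = [name for name, (hit, _) in factors.items() if hit]
    return min(sum(factors[n][1] for n in fired), 1000), fired


# Policy manager: ordered rules, first match wins.  Payments are stepped up at
# a lower score than plain logins, and the highest band is blocked outright.
DEFAULT_POLICY = [
    (lambda score, a: score >= 800,                  "deny"),
    (lambda score, a: a.is_payment and score >= 400, "challenge_out_of_band"),
    (lambda score, a: score >= 600,                  "challenge"),
    (lambda score, a: True,                          "allow"),
]


def decide(attempt, profile, policy=DEFAULT_POLICY):
    """Score the attempt and apply the first matching policy rule."""
    score, fired = risk_score(attempt, profile)
    for matches, action in policy:
        if matches(score, attempt):
            return action, score, fired


def challenge_rate(attempts, profile):
    """Share of attempts that did not pass transparently."""
    stepped_up = sum(1 for a in attempts if decide(a, profile)[0] != "allow")
    return stepped_up / len(attempts)


# Constructed sample data: one regular login, a login from a new device that a
# shared fraud feed has flagged, a payment from a new device, and a night-time
# foreign high-value payment.
PROFILE = UserProfile(known_devices={"dev-a1"}, usual_countries={"US"},
                      usual_hours=set(range(8, 23)), typical_amount=120.0)
SAMPLE = [
    Attempt("alice", "dev-a1", "US", 14),
    Attempt("alice", "dev-b7", "US", 9, shared_intel_hit=True),
    Attempt("alice", "dev-x9", "US", 14, is_payment=True, amount=900.0),
    Attempt("alice", "dev-x9", "RO", 3, is_payment=True, amount=2500.0),
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(decide(a, PROFILE))
    print(f"challenge rate: {challenge_rate(SAMPLE, PROFILE):.0%}")
```

The policy table is where an organization’s own criteria go: changing a threshold or reordering the rules changes which attempts are challenged without touching the scoring logic, which is the separation the text attributes to the risk engine and policy manager.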
After Access is Gained
Strengthening authentication alone, however, may not always defend
assets against fraud. Consider, for example, the class of attacks known
as “man-in-the-browser,” which echo earlier “man-in-the-middle” tactics
of intercepting communications for eavesdropping, harvesting sensitive
information, and other nefarious purposes, except that a man-in-the-browser
attack can do all this on a compromised personal endpoint alone. When a
criminal has direct access to an individual’s sensitive communications
with financial systems, visibility into transaction anomalies is required
to distinguish legitimate activity from fraud.
This, too, is in keeping with the FFIEC guidance to adopt a layered approach to security. When
intelligence includes visibility into transactions, it helps to eliminate what may otherwise be a blind
spot in fraud prevention.
• RSA Transaction Monitoring combines risk-based analysis of transaction behavior and Trojan
detection capabilities with out-of-band authentication techniques. This layered approach enables
organizations to increase the level of authentication needed when fraud risk is detected. Multiple
transaction types can be protected, from bill payments to address changes to password resets. When
RSA Transaction Monitoring suspects a Trojan or other threat creating a fraudulent transaction to
a “mule” account, out-of-band authentication with specific transaction verification through the
phone, email or SMS channel can be deployed automatically to thwart the attempt and prevent
damage. Call forwarding detection can also be activated to defeat criminals who attempt to
intercept the challenge call by forwarding the genuine user’s phone number to their own.
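The following Python is an added example, not RSA Transaction Monitoring code, showing why out-of-band verification should carry the specific transaction details: the one-time code is derived from the payee and amount the bank is about to execute, so a man-in-the-browser rewrite of the transfer shows up on the second channel, and a code captured for one transaction cannot authorize another. The key, message text, transaction fields and scenario are constructed for the example; call forwarding detection is a telephony check and is not modelled.

```python
"""Out-of-band transaction verification with the one-time code bound to the
transaction the server will actually execute.  Added illustration, not RSA
code; SERVER_KEY, the message text and the sample transactions are assumptions."""
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-demo-key-not-for-production"


def canonical(txn):
    """Stable serialisation of the fields the code must cover."""
    return "|".join(f"{k}={txn[k]}" for k in sorted(txn))


def issue_challenge(txn, nonce=None):
    """Server side: derive a 6-digit code from the transaction and a fresh nonce,
    and build the SMS/voice text that shows the user what will really be executed."""
    nonce = nonce or secrets.token_hex(8)
    digest = hmac.new(SERVER_KEY, f"{canonical(txn)}|{nonce}".encode(), hashlib.sha256).digest()
    code = f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"
    message = (f"Confirm transfer of {txn['amount']} {txn['currency']} to {txn['payee']}. "
               f"Code: {code}")
    return {"nonce": nonce, "code": code, "message": message,
            "shown": {k: txn[k] for k in ("payee", "amount", "currency")}}


def user_confirms(challenge, intended):
    """User side: enter the code only if the details on the second channel
    match what the user meant to send."""
    return all(challenge["shown"][k] == intended[k] for k in challenge["shown"])


def verify(txn_to_execute, nonce, code_entered):
    """Server side: recompute the code over the transaction actually queued."""
    expected = issue_challenge(txn_to_execute, nonce)["code"]
    return hmac.compare_digest(expected, code_entered)


# Constructed scenario: the user wants to pay a utility bill; browser malware
# rewrites the form to a mule account before it reaches the bank.
INTENDED = {"payee": "ACME Utilities", "account": "11223344", "amount": "120.00", "currency": "USD"}
TAMPERED = dict(INTENDED, payee="J. Doe", account="99887766", amount="4900.00")


def run_scenario():
    # 1. The bank sees only the tampered transaction and challenges it; the
    #    SMS therefore names J. Doe and 4900.00, and the user declines.
    ch = issue_challenge(TAMPERED)
    caught_by_user = not user_confirms(ch, INTENDED)
    # 2. Even if the malware relays a code the user entered for a legitimate
    #    transaction, it does not validate the tampered one.
    legit = issue_challenge(INTENDED)
    replay_rejected = not verify(TAMPERED, legit["nonce"], legit["code"])
    legit_accepted = verify(INTENDED, legit["nonce"], legit["code"])
    return caught_by_user, replay_rejected, legit_accepted


if __name__ == "__main__":
    print(issue_challenge(TAMPERED)["message"])
    print(run_scenario())
```

The second channel is only as good as what it displays: a confirmation that reads “enter code 123456 to continue” gives the user nothing to compare against, which is why the message here spells out payee and amount taken from the transaction the server is about to run, not from anything the browser claims.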
• RSA Silver Tail complements RSA Adaptive Authentication and RSA Transaction Monitoring by
constructing behavioral profiles for individual users in much the same way that it constructs a
profile for the site population. Once a known user logs into their account, current behavior is
compared to past behavior and deviations are highlighted. This allows organizations to recognize
malicious or fraudulent behavior within a single user’s activity rather than only against the
site-wide population, enabling highly efficient detection of a range of today’s more sophisticated
threats.
For example, if the majority of clicks on a particular website are typically 3-5 seconds apart, a
web session with an unusually high percentage of clicks less than half a second apart would be
assigned a high velocity score that may indicate robotic activity. Similarly, if during a web
session the end user submits additional information (such as user name, password, PIN and
account number rather than just the expected user name and password), the session would be
assigned a likelihood of being a man-in-the-browser attack, possibly indicating that malware
designed to capture account information had been surreptitiously installed in the end user’s
browser. RSA Silver Tail also provides a real-time rules engine that enforces the dynamic
protection enabled by RSA fraud and threat analytics, allows businesses to enforce organizational
or other custom policies, and determines how to respond to different levels and types of threats.
Because it integrates with existing infrastructure, RSA Silver Tail provides a high degree of
flexibility for responding to both potential and realized threats.
Features of the RSA Silver Tail rules engine include:
◦ One-Click Rules that deploy a rule across all pages of a website without having to code
pages individually
◦ Rule Tags that identify rule owners, functional group membership, threat type and other
criteria to enhance reporting
◦ Automated Alert Generation for the immediate transmission of real-time alerts to firewalls,
Security Information and Event Management (SIEM) systems and authentication tools, as well
as to fraud and information security analysts
◦ Time Functions in Rules, so that rules can take the time of day into account; an administrator
can, for example, look for different activity at the opening bell of the stock exchange than in
the middle of the night, when traffic patterns differ greatly
◦ Incidents, which let a rule designate that a particular action creates a case that can be
managed from within the Silver Tail user interface when issues need to be tracked
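The two session checks described above (click velocity measured against a population baseline, as in the pre-login profiling discussed earlier, and unexpected form fields on the login page as a man-in-the-browser tell) can be sketched over a few constructed session log lines. This is added example code, not RSA Silver Tail; the log format, EXPECTED_FIELDS, the cut-off derived from the population median and the three sample sessions are all assumptions:

```python
"""Web-session behaviour analytics: per-session click velocity against a
population baseline, plus detection of unexpected fields posted to a login
page.  Added illustration, not RSA Silver Tail code; log format, expected
fields, cut-offs and sample sessions are assumptions."""
from collections import defaultdict
from statistics import median

# Constructed sample log: "timestamp session method path submitted_fields".
# s1 is a human, s2 a scripted session, s3 a human whose login form has been
# injected with extra inputs by browser malware.
LOG = """\
1.0 s1 GET  /home     -
4.5 s1 GET  /accounts -
8.0 s1 POST /login    username,password
12.0 s1 GET /summary  -
1.0 s2 GET  /home     -
1.2 s2 GET  /accounts -
1.4 s2 POST /login    username,password
1.6 s2 GET  /summary  -
1.8 s2 GET  /transfer -
2.0 s3 GET  /home     -
6.0 s3 POST /login    username,password,pin,account
10.0 s3 GET /summary  -
"""

# Fields each protected page is supposed to receive (assumed for the example).
EXPECTED_FIELDS = {"/login": {"username", "password"}}


def parse_log(text):
    """Group events by session, in time order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        ts, sid, method, path, fields = line.split()
        submitted = set() if fields == "-" else set(fields.split(","))
        sessions[sid].append((float(ts), method, path, submitted))
    for events in sessions.values():
        events.sort(key=lambda e: e[0])
    return sessions


def intervals(events):
    """Seconds between consecutive clicks in one session."""
    return [b[0] - a[0] for a, b in zip(events, events[1:])]


def analyze(text, fast_fraction=0.5):
    """Return per-session velocity and findings.

    The 'fast click' cut-off is a tenth of the population's median gap, so it
    moves with the site as a whole (a slower or faster population shifts it)
    rather than being a fixed number that goes stale."""
    sessions = parse_log(text)
    all_gaps = [g for ev in sessions.values() for g in intervals(ev)]
    fast_cutoff = median(all_gaps) / 10
    report = {}
    for sid, events in sessions.items():
        gaps = intervals(events)
        velocity = sum(1 for g in gaps if g < fast_cutoff) / len(gaps) if gaps else 0.0
        findings = []
        if velocity >= fast_fraction:
            findings.append("robotic_velocity")
        for _, method, path, submitted in events:
            expected = EXPECTED_FIELDS.get(path)
            if method == "POST" and expected is not None and submitted - expected:
                findings.append("mitb_extra_fields:" + ",".join(sorted(submitted - expected)))
        report[sid] = {"velocity": round(velocity, 2),
                       "fast_cutoff": round(fast_cutoff, 3),
                       "findings": findings}
    return report


if __name__ == "__main__":
    for sid, result in analyze(LOG).items():
        print(sid, result)
```

Because the baseline is the median gap across all sessions in the window, one or two scripted sessions do not drag it down and define themselves as normal; a real deployment would recompute it per time window and per page, which is the adaptive behaviour the text describes.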
Support for a Comprehensive Strategy: RSA FraudAction Service
Maintaining an effective strategy against modern fraud requires more than a deployment of technologies
or practices within an individual business. Confronting an industry requires capabilities that counteract
fraud at its source. In addition, when incidents occur, specialized expertise in fraud analysis may be
required for the proper forensic response. This highlights the role of services that unite expertise and
intelligence with action, further extending the concept of layered security beyond narrowly focused
protections.
• The RSA FraudAction Service offers a set of managed services that help organizations prevent
fraud threats from reaching their targets. The service provides round-the-clock detection,
alerting, shutdown and reporting on fraud activity. RSA FraudAction also provides forensic
capabilities, countermeasures, and comprehensive blocking of access to known infection points.
Analysts at the RSA Anti-Fraud Command Center (AFCC) provide these services to protect
organizations against phishing, pharming and Trojan attacks, and to supplement anti-fraud
strategies with focused expertise in the field.
Capabilities of the RSA FraudAction Service include:
• The RSA Anti-Phishing Service, which employs the expertise of the RSA AFCC to monitor,
detect and alert on phishing activity that plays a central role in extending the reach of fraud.
With intelligence gathered from over 3 billion emails per day, this service provides real-time
alerts and reporting, site blocking and shutdown, forensic analysis and credential recovery, and
countermeasures against phishing attacks. When an attack is detected, pre-defined criteria trigger
an alert to the AFCC. If an attack is confirmed, customers are immediately notified. Blocking and
shut-down is supported through partnerships with many of the world’s leading ISPs and browser
developers, while countermeasures such as baiting techniques help identify criminals and provide
deeper insight into fraud activity.
• The RSA Anti-Trojan Service leverages intelligence from a network of technology partners,
third-party sources, and techniques such as automated discovery to find, analyze and
reverse-engineer detected malware and crimeware worldwide. This service also provides credential
recovery, to enable mitigation of any possible theft and infection. The Anti-Trojan Service equips
customers with early recognition of active or emerging Trojan threats that are often involved in
credential theft or abuse: intelligence without which this class of threat may go unrecognized
and undetected, causing real harm.
• The RSA FraudAction Intelligence Service provides detailed reports on the activities of the
cybercriminal underground including forum posts, threat trends and organization-specific
information.
• The RSA CyberCrime Intelligence Service informs organizations about corporate endpoints,
network resources, access credentials or other information that may have been compromised by
malware. This intelligence is derived from analysis by RSA Trojan Research Labs and from a
network of security technology crawling partners in antivirus, network security and Web defense
that provide RSA with current malware information. Clients are informed of potential compromises
through a variety of weekly reports, including recovered data related to an organization’s
corporate URLs, email communications or IP address ranges. The RSA CyberCrime Intelligence
Service also offers two daily reports on blacklisted sites used by criminals to launch attacks and
to communicate updates to malware in the wild. Reports are delivered in an XML format that can be
downloaded through a dedicated portal, giving clients the insight they need into malware activity
affecting their organization and helping them make the most of their security investments.
Together, these capabilities highlight how a comprehensive approach extends the concepts of layered
security envisioned by guidance such as that of the FFIEC:
• From the gathering of intelligence and expertise
• To putting that expertise directly to work in the technologies of defense
• From identity provisioning to adaptive authentication before transactions are initiated
• Through protection for transactions once access is gained
• To complementing the approach with comprehensive defenses that employ intelligence and
expertise to combat industrialized fraud.
EMA Perspective
In technologies such as risk-based authentication, web session intelligence,
and the automation of risk analysis in anti-fraud techniques, EMA sees
the heralds of a new, intelligence-driven approach to information security
that signal a turning point for the industry. As criminals continually
challenge the effectiveness of legacy defenses, insight into malicious
activity is becoming central to any effective approach to security and
fraud defense. The long view of this trend is the integration of intelligence
directly in the technologies of defense, in order to make countermeasures
more directly dependent on dynamic data sources to sharpen their
effectiveness in real time.
In this, the technologies that combat fraud have shown early leadership.
Techniques such as risk-based authentication and web session intelligence
were among the first to recognize the value of integrating intelligence
directly into strengthening the protection of access to valuable assets, to
recognize fraud before it is attempted, and to defeat it once transactions
are in process.
With its investment in intelligence-driven technologies for identity protection and fraud defense, RSA
has become a recognized leader in this field. Its portfolio of products and services embraces a
comprehensive approach to fraud defense that does more than extend the concepts of layered security
that have become the mandate for financial institutions and a pattern for more effective defense
beyond them. With a fraud and risk intelligence approach that spans multiple areas of concern, RSA
offers an example that recognizes the scope of the challenge, equipping organizations with the level
of response needed to bring layered security to bear on what has become an industrialized threat.
About RSA, The Security Division of EMC
RSA, The Security Division of EMC, is a premier provider of security, risk and compliance management
solutions for business acceleration. RSA helps the world’s leading organizations solve complex and
sensitive security challenges. These challenges include managing organizational risk, safeguarding
mobile access and collaboration, proving compliance, and securing virtual and cloud environments.
Combining controls in identity assurance, encryption & key management, SIEM, Data Loss Prevention,
Continuous Network Monitoring, and Fraud Protection with eGRC capabilities and robust consulting
services, RSA brings visibility and trust to millions of user identities, the transactions that they perform
and the data that is generated. For more information, please visit www.EMC.com/RSA.
About Enterprise Management Associates, Inc.
Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that provides deep insight across the full spectrum
of IT and data management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best
practices, and in-depth knowledge of current and planned vendor solutions to help its clients achieve their goals. Learn more about EMA research,
analysis, and consulting services for enterprise line of business users, IT professionals and IT vendors at www.enterprisemanagement.com or
blogs.enterprisemanagement.com. You can also follow EMA on Twitter or Facebook.
This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission
of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change
without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. “EMA” and
“Enterprise Management Associates” are trademarks of Enterprise Management Associates, Inc. in the United States and other countries.
©2013 Enterprise Management Associates, Inc. All Rights Reserved. EMA™, ENTERPRISE MANAGEMENT ASSOCIATES®, and the
mobius symbol are registered trademarks or common-law trademarks of Enterprise Management Associates, Inc.
Corporate Headquarters:
1995 North 57th Court, Suite 120
Boulder, CO 80301
Phone: +1 303.543.9500
Fax: +1 303.543.7687
www.enterprisemanagement.com
2708.060313