Prevent Malware Attacks with F5 WebSafe and MobileSafe
Alfredo Vistola
F5 Agility 2014
Malware Threat Landscape – Growth and Targets
• 79% of existing malware strains are Trojans
• 50% of malware code is logic to bypass defenses
• 82% of institutions learned about fraud incidents from their customers
• 25% of real-world malware is caught by anti-virus
Data sources: Dark Reading, PandaLabs, & ISMG
PandaLabs Q1 Report: http://press.pandasecurity.com/usa/news/pandalabs-q1-report-trojans-account-for-80-of-malware-infections-set-new-record/
Malware Threat Landscape – Phishing by Number of Attacks
Phishing Attacks by Industry
• Finance, Government, Shopping, Online Auctions, and Multiplayer Games.
Phishing targets by country
• United States: Amazon, Blizzard Entertainment, eBay, Internal Revenue Service, J.P. Morgan Chase, PayPal, Wells Fargo
• United Kingdom: Barclays, HM Revenue & Customs, HSBC, Lloyds TSB, Natwest, Royal Bank of Scotland
• Brazil: Banco Bradesco, Banco do Brasil, Banco Itau
• Italy: Intesa Sanpaolo, Posteitaliane, UniCredit
• Australia: ANZ (Australia and New Zealand Banking Group), Westpac Bank
Source: McAfee Threats Report 2013
http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2013.pdf
F5’s Security Services and Solutions
One Platform – EAL2+, EAL4+ (in process)
• Network Firewall
• Traffic Management
• Application Security
• DNS Security
• SSL
• Access Control
• DDoS Protection
• Anti-Fraud, Anti-Malware, Anti-Phishing
Our unique solution
Offers protection to cover the gaps with most security solutions
[Diagram] Detection techniques: Device Fingerprinting • Geo-location • Brute Force Detection • Behavioral Analysis • Behavioral and Click Analysis • Abnormal Money Movement Analysis
[Diagram] User journey stages covered: Site Visit → Site Log In → User Navigation → Transactions → Transaction Execution
[Diagram] Threats addressed: Customer Fraud Alerts • Phishing Threats • Credential Grabbing • Malware Injections • Automatic Transactions • PII and CC Grabbing
F5 Web Fraud Protection
• Fraud, phishing & malware protection
• Application level encryption
• End-user and application transparency
• 24x7 SOC research, investigation & site take down
• Simple deployment & supports any device
• Device and behavioral analysis
[Diagram labels] Healthcare, Retail Bank
“The knowledge that our online users are protected from fraudsters, wherever they are and at any time, enables our team to focus on developing new products and services.”
WebSafe – Clientless and Transparent Anti-Fraud Solution
Transaction Protection
• Real-time transaction analysis for automated or human behavior
• Transaction integrity
• Comprehensive request analysis
Security Operations Research Center
• 24x7 security reports and alerts
• Identifies and investigates attacks in real-time
• Researches and investigates new global fraud technology & schemes
• Provides detailed incident reports
• Optional site take-down
Fraud Detection and Protection
• Detection of targeted malware, BOTs, MITM/B, form grabbing, Zero-day, …
• Monitors and alerts when website is copied and uploaded to a spoofed domain (phishing)
• Clientless application-layer encryption of sensitive user data with session-initiated randomly rotating keys
WebSafe Implementation Options
[Diagram] Strategic Point of Control – Web Fraud Protection; Online Customers A, B, C; Network Firewall; Application; F5 Security Operations Center
Customer Scenarios
• Malware Detection and Protection – Man-in-the-Browser attacks
• Anti-Phishing – Copied pages and phishing
• Transaction Analysis (Account, Amount, Transfer Funds) – Automated transactions and transaction integrity
Easily deployed
• Deploys with no change to applications
• Leverages existing F5 resources & knowledge
• Enables IT consolidation
• Integrated into BIG-IP GUI in 11.6
• Local alert server and/or SIEM
Advanced Phishing Attack Detection and Prevention
Identifies phishing threats early on and stops attacks before emails are sent.
[Diagram] Attack stages observed between the Internet and the Web Application: 1. Copy website; 2. Save image to computer; 3. Upload image to spoofed site; 4. Test spoofed site
Alerts at all stages of
• Alerts upon usage of the copied site on a local computer
• Alerts upon login to and testing of the phishing site
• Phished user names are sent to the SOC
• F5 SOC shuts down identified phishing websites
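The copied-page detection described on this slide, as an added example that is not part of the original deck or F5's product: a beacon-style script compares the origin a login page is actually rendered from against the genuine hostnames and raises an alert for a local copy or a look-alike host. The hostnames, page id and sample locations are constructed placeholders.

```javascript
// Added example (not F5's code): the detection idea behind "alerts when a
// website is copied and uploaded to a spoofed domain". A script shipped with
// the legitimate login page inspects the origin it is actually running from;
// when the saved copy is opened from disk (stages 2 and 4) or served from a
// look-alike host (stage 3), the mismatch becomes an alert for the SOC.
// Hostnames, page id and sample locations are constructed placeholders.

const LEGITIMATE_HOSTS = ['bank.example', 'www.bank.example'];

// Classify the rendering origin from a window.location-like object.
function classifyPageOrigin(loc, legitimateHosts = LEGITIMATE_HOSTS) {
  if (loc.protocol === 'file:') return 'local-copy';      // page opened from local disk
  const host = (loc.hostname || '').toLowerCase().replace(/\.$/, '');
  if (legitimateHosts.includes(host)) return 'legitimate';
  return 'spoofed-domain';                                // hosted somewhere else
}

// Build the alert the beacon would report, or null when served from a genuine host.
function buildPhishingAlert(loc, pageId, legitimateHosts = LEGITIMATE_HOSTS) {
  const verdict = classifyPageOrigin(loc, legitimateHosts);
  if (verdict === 'legitimate') return null;
  return {
    type: 'copied-page',
    stage: verdict,
    pageId,                     // which protected page was copied
    observedHref: loc.href,     // where the copy is being tested or hosted
    detectedAt: new Date().toISOString(),
  };
}

// Constructed stand-ins for window.location in the three situations above.
const SAMPLE_LOCATIONS = [
  { protocol: 'https:', hostname: 'www.bank.example', href: 'https://www.bank.example/login' },
  { protocol: 'file:', hostname: '', href: 'file:///tmp/login-copy.html' },
  { protocol: 'https:', hostname: 'bank-example-login.test', href: 'https://bank-example-login.test/login' },
];

// Run the samples and return the verdicts in order.
function classifySamples() {
  return SAMPLE_LOCATIONS.map((loc) => classifyPageOrigin(loc));
}

console.log(classifySamples());
console.log(buildPhishingAlert(SAMPLE_LOCATIONS[2], 'login-page'));
```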
Generic and Targeted Malware Detection
• Analyzes browser for traces of common malware (e.g., Zeus, Citadel, Carberp, etc.)
• Detects browser redressing
• Performs checks on domain and other components
With real-time analysis and a variety of checks, WebSafe identifies compromised sessions, malicious scripts, phishing attacks and malware including MITM/B, BOTs, fraudulent
Malware Detection – Web Injection Examples
Targeted malware web injection
Clientless Application-Level Encryption
Clientless Application-Layer Encryption
WebSafe secures credentials and other valuable data submitted on web forms
• Any sensitive information can be encrypted at the message level
• User credentials & information is submitted & encrypted with public key
• Data is decrypted on BIG-IP WebSafe using the private key
• Intercepted information rendered
WebSafe : BIG-IP Integration 11.6
• Define anti-fraud profile for each domain
• Configure alert server
• Enable and disable individual detection/protection modules
  o Phishing detection
  o Malware detection
  o Application layer encryption
  o Automated transaction protection
Easily turn on WebSafe anti-fraud protection from BIG-IP
• Man in the middle
  • DNS spoofing – the target domain is checked against a pre-loaded list of known IPs
  • Certificate forging – the target certificate is compared against a pre-loaded certificate
• Jailbreak / rooted devices
  • Detection of a jailbreak and rooted device
• OS security
  • Unpatched version with known vulnerabilities will raise the device risk score (sent when the app is loaded)
• App integrity
  • Android – MobileSafe will check the application signature (checksum)
  • iOS – this check is disabled
• Keyloggers – virtual keyboard
• Network sniffing at the OS level (before the SSL) – vCrypt
MobileSafe Architecture / Data Flow
[Diagram] Components: User (device, downloads the app); Data Center with BIG-IP (message encryption) and the application servers; F5 Configuration Server; F5 SOC (Cloud). Flows shown: Download app; Device to application communication; Alerts to the F5 SOC.
F5 Security Operations Center
• Always on the watch: 24x7x365 fraud analysis team that extends your security team
• Researches and investigates new global fraud technology & schemes
• Detailed incident reports: provides detailed threat analysis & incident reports
• Real-time alerts activated by phone, SMS and email
• Optional site take-down
F5 SOC: Phishing Site Take-Down Service
• Always available F5 monitoring and response team
• Complete attack assessment & post-mortem attack report
• Leverage relationships with ISPs, anti-phishing groups and key international agencies
• Malicious site take-down in minimal time
• Recommendations for counter security measures
F5’s Anti-Fraud Solutions
Protect Online User
• Targeted malware, MITB, zero-days, MITM, phishing, automated transactions…
• Clientless solution, enabling 100% coverage
On All Devices
• Desktop, tablets & mobile devices
Full Transparency
• No software or user involvement required
Prevent Fraud
• Alerts and customizable rules
If I can be of further assistance please contact me: [email protected]
Demo of Clientless Application-Level Encryption
[Diagram] Components: Infected PC; Internet; Web application; Dropzone and C&C on the server at the ISP. Login Information (Username + password) is labelled on two flows leaving the infected PC.