How Account Takeover Botnets Outsmart Traditional Security Controls
by jackieboy - July 24, 2019 at 12:21 AM
#1
How Account Takeover Botnets Outsmart Traditional Security Controls: Account Takeover (ATO) describes when an online account is accessed and/or used by someone other than its legitimate owner, usually for malicious purposes. Account Takeover attacks happen when an attacker is trying to get unauthorized access to an account or when the account has already been compromised and the attacker uses the account for … (Link)
#2
FWIW, if you're interested in implementing similar behavior anomaly rules outside of Imperva, there is a set of optional rules under the OWASP CRSv2 that do this as well.
#3
(July 24, 2019 at 08:55 AM)geshem Wrote: FWIW, if you're interested in implementing similar behavior anomaly rules outside of Imperva, there is a set of optional rules under the OWASP CRSv2 that do this as well.

Thanks for providing your input. I think that the use of this technique continues to increase and will become more integrated with AI as time goes by.
#4
It should still be able to be defeated by using simple behavioral trend analysis, such as compiling and comparing time of day and frequency of logins for each account, then flagging any deviations for additional checks.
#5
(July 28, 2019 at 03:32 AM)Ashfanino Wrote: It should still be able to be defeated by using simple behavioral trend analysis, such as compiling and comparing time of day and frequency of logins for each account, then flagging any deviations for additional checks.

Are there any existing behavioral algos that can be trained or used currently?
#6
(July 30, 2019 at 02:17 AM)ch3ckmate Wrote:
(July 28, 2019 at 03:32 AM)Ashfanino Wrote: It should still be able to be defeated by using simple behavioral trend analysis, such as compiling and comparing time of day and frequency of logins for each account, then flagging any deviations for additional checks.

Are there any existing behavioral algos that can be trained or used currently?

There are a few that could be modified from GitHub. I think the behavior algorithm associated with bitcoin trading would be an interesting one to look at, because this highlights the human reaction tied to things like greed, fear, nostalgia and inconsistencies in the market. Being able to identify the trends associated with the reaction to money is a good indicator of how people react to most scenarios.
#7
(July 30, 2019 at 02:17 AM)ch3ckmate Wrote:
(July 28, 2019 at 03:32 AM)Ashfanino Wrote: It should still be able to be defeated by using simple behavioral trend analysis, such as compiling and comparing time of day and frequency of logins for each account, then flagging any deviations for additional checks.

Are there any existing behavioral algos that can be trained or used currently?

I don't know, but it can't be that hard to do; it's pretty simple, like checking to see if a user is logging in from a new location. In this case, all you're checking is whether the average spread of user login times is above a certain amount in hours :)
#8
This is a very interesting topic. I have often thought of different ways to track and identify this behaviour algorithmically. Thank you all for sharing.
#9
(August 11, 2019 at 11:30 AM)tom6321ca Wrote: This is a very interesting topic. I have often thought of different ways to track and identify this behaviour algorithmically. Thank you all for sharing.

You are very welcome.

(July 28, 2019 at 03:32 AM)Ashfanino Wrote: It should still be able to be defeated by using simple behavioral trend analysis, such as compiling and comparing time of day and frequency of logins for each account, then flagging any deviations for additional checks.

Would that still be the case if the person is using dynamic VPN rotation that initially uses timezone to mimic behavioral trends? I never thought of it in that manner. Good points, can you go into a little more detail or PM me?
#10
(August 13, 2019 at 03:54 PM)jackieboy Wrote: Would that still be the case if the person is using dynamic VPN rotation that initially uses timezone to mimic behavioral trends? I never thought of it in that manner. Good points, can you go into a little more detail or PM me?

Not sure what you mean lol. VPN rotation doesn't mean an unauthorized user who is logging into those accounts knows exactly when each user would normally be logged into those accounts. Sure, you can guess that people in a certain timezone log in at morning, lunch and late afternoon in their timezone, but there will still be substantial deviations at times. So just plot the login times per worker over time, and those who have the biggest deviations (even if it's only by 30 minutes) can be flagged for audit. Most of the time people log in to an account at pretty much the exact same time each day if they're work accounts.
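The per-account login-time baseline sketched in posts #4, #7 and #10, worked through as an added example (this is not code from the thread, from Imperva, or from the OWASP CRS; the log format, the account names, the 30-minute slack and every log line are constructed for illustration). It builds, for each account, the typical time of day of its logins and the set of countries it has been seen from, then scores new logins against that. Time of day is averaged as an angle rather than a plain number so that a user who logs in around midnight (23:55 one day, 00:05 the next) gets a baseline near midnight, not near noon.

```python
# Added example, not code from the thread or any product it mentions.
# Per-account login time-of-day baseline plus a new-location check.
import math
from collections import defaultdict
from datetime import datetime, timezone

MINUTES_PER_DAY = 24 * 60

# Constructed sample log lines: "ISO-8601 UTC timestamp,account,country".
# Bob's logins straddle midnight on purpose; a naive mean would place his
# baseline around noon and flag every one of his normal logins.
HISTORY = """\
2019-07-01T08:02:10Z,alice,US
2019-07-02T07:58:00Z,alice,US
2019-07-03T08:05:00Z,alice,US
2019-07-04T08:01:00Z,alice,US
2019-07-01T23:55:00Z,bob,GB
2019-07-03T00:05:00Z,bob,GB
2019-07-03T23:58:00Z,bob,GB
2019-07-05T00:02:00Z,bob,GB
"""

# Constructed new logins to score against the baseline.
NEW_LOGINS = """\
2019-07-08T08:03:00Z,alice,US
2019-07-08T14:30:00Z,alice,US
2019-07-09T00:01:00Z,bob,GB
2019-07-09T00:03:00Z,bob,RO
2019-07-09T09:00:00Z,carol,US
"""


def parse_log(text):
    """Parse the constructed CSV-ish format into (datetime, account, country)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, country = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, account, country))
    return events


def minute_of_day(when):
    return when.hour * 60 + when.minute + when.second / 60


def circular_mean_minutes(minutes):
    """Mean time of day computed on the unit circle, so it wraps at midnight."""
    angles = [m / MINUTES_PER_DAY * 2 * math.pi for m in minutes]
    x = sum(math.cos(a) for a in angles) / len(angles)
    y = sum(math.sin(a) for a in angles) / len(angles)
    mean_angle = math.atan2(y, x) % (2 * math.pi)
    return mean_angle / (2 * math.pi) * MINUTES_PER_DAY


def circular_distance_minutes(a, b):
    """Shortest distance in minutes between two times of day (23:59 to 00:01 is 2)."""
    d = abs(a - b) % MINUTES_PER_DAY
    return min(d, MINUTES_PER_DAY - d)


def build_baselines(events):
    """Per account: circular mean login minute, observed spread, seen countries."""
    per_account = defaultdict(lambda: {"minutes": [], "countries": set()})
    for when, account, country in events:
        per_account[account]["minutes"].append(minute_of_day(when))
        per_account[account]["countries"].add(country)
    baselines = {}
    for account, data in per_account.items():
        mean = circular_mean_minutes(data["minutes"])
        spread = max(circular_distance_minutes(m, mean) for m in data["minutes"])
        baselines[account] = {
            "mean_minute": mean,
            "spread_minutes": spread,
            "countries": data["countries"],
            "n": len(data["minutes"]),
        }
    return baselines


def score_login(baselines, when, account, country, slack_minutes=30.0):
    """Return the list of reasons this login deserves a second look (empty = normal)."""
    base = baselines.get(account)
    if base is None:
        return ["no baseline for account"]
    reasons = []
    dev = circular_distance_minutes(minute_of_day(when), base["mean_minute"])
    if dev > base["spread_minutes"] + slack_minutes:
        reasons.append(
            f"time-of-day deviation {dev:.0f} min exceeds baseline spread "
            f"{base['spread_minutes']:.0f} + {slack_minutes:.0f}"
        )
    if country not in base["countries"]:
        reasons.append(f"new login location {country}")
    return reasons


def evaluate(history_text, new_text, slack_minutes=30.0):
    """Score every login in new_text against baselines built from history_text."""
    baselines = build_baselines(parse_log(history_text))
    return [
        (when.isoformat(), account, score_login(baselines, when, account, country, slack_minutes))
        for when, account, country in parse_log(new_text)
    ]


if __name__ == "__main__":
    for ts, account, reasons in evaluate(HISTORY, NEW_LOGINS):
        print(ts, account, "OK" if not reasons else "; ".join(reasons))
```

The spread is the largest observed deviation from the baseline in the history, so an account whose logins are already erratic is not flagged for being erratic again; the 30-minute slack on top of it is the tunable knob the thread talks about, and the "no baseline" outcome (carol) is the case a real system has to handle separately, since a brand-new account has nothing to compare against.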
