Prevent Malware attacks with F5 WebSafe and MobileSafe
Alfredo Vistola, Security Solution Architect, EMEA
F5 Agility 2014 2
Malware Threat Landscape – Growth and Targets
• 79% of existing malware strains are Trojans
• 50% of malware code is logic to bypass defenses
• 82% of institutions learned about fraud incidents from their customers
• 25% of real-world malware is caught by anti-virus

Data sources: Dark Reading, PandaLabs, & ISMG
PandaLabs Q1 Report: http://press.pandasecurity.com/usa/news/pandalabs-q1-report-trojans-account-for-80-of-malware-infections-set-new-record/
Malware Threat Landscape – Phishing by Number of Attacks

Phishing Attacks by Industry
• Finance, Government, Shopping, Online Auctions, and Multiplayer Games.

Phishing targets by country:
• United States: Amazon, Blizzard Entertainment, eBay, Internal Revenue Service, J.P. Morgan Chase, PayPal, Wells Fargo
• United Kingdom: Barclays, HM Revenue & Customs, HSBC, Lloyds TSB, Natwest, Royal Bank of Scotland
• Brazil: Banco Bradesco, Banco do Brasil, Banco Itau
• Italy: Intesa Sanpaolo, Poste italiane, UniCredit
• Australia: ANZ (Australia and New Zealand Banking Group), Westpac Bank

McAfee Threats Report 2013: http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2013.pdf
F5’s Security Services and Solutions
One Platform (EAL2+; EAL4+ in process):
• Network Firewall
• Traffic Management
• Application Security
• DNS Security
• SSL
• Access Control
• DDoS Protection
• Anti-Fraud, Anti-Malware, Anti-Phishing
Our unique solution offers protection to cover the gaps with most security solutions

Protections along the user journey (Site Visit, Site Log In, User Navigation, Transactions, Transaction Execution):
• Device Fingerprinting
• Geo-location
• Brute Force Detection
• Behavioral Analysis
• Behavioral and Click Analysis
• Abnormal Money Movement Analysis
• Customer Fraud Alerts

Threats covered:
• Phishing Threats
• Credential Grabbing
• Malware Injections
• Automatic Transactions
• PII and CC Grabbing
F5 Web Fraud Protection
• Fraud, phishing & malware protection
• Application level encryption
• End-user and application transparency
• 24x7 SOC research, investigation & site take down
• Simple deployment & supports any device
• Device and behavioral analysis

Customer segments shown: Healthcare, Retail Bank

“The knowledge that our online users are protected from fraudsters, wherever they are and at any time, enables our team to focus on developing new products and services.”
Anti-Fraud Manager, Leumi Bank
WebSafe™ in Action
WebSafe – Clientless and Transparent Anti-Fraud Solution

Transaction Protection
• Real-time transaction analysis for automated or human behavior
• Transaction integrity
• Comprehensive request analysis

Security Operations Research Center
• 24x7 security reports and alerts
• Identifies and investigates attacks in real-time
• Researches and investigates new global fraud technology & schemes
• Provides detailed incident reports
• Optional site take-down

Fraud Detection and Protection
• Detection of targeted malware, BOTs, MITM/B, form grabbing, Zero-day, …
• Monitors and alerts when website is copied and uploaded to a spoofed domain (phishing)
• Clientless application-layer encryption of sensitive user data with session-initiated randomly rotating keys

Only fully transparent Anti-Fraud solution that reduces banking fraud loss
WebSafe Implementation Options

(Diagram: three deployment options, A, B and C, between online customers, BIG-IP as the strategic point of control running Web Fraud Protection behind the network firewall, and the F5 Security Operations Center.)

Customer scenarios:
• Malware Detection and Protection: man-in-the-browser attacks
• Anti-Phishing: copied pages and phishing
• Transaction Analysis: automated transactions and transaction integrity (illustrated with a Transfer Funds form with Account and Amount fields)

Easily deployed
• Deploys with no change to applications
• Leverages existing F5 resources & knowledge
• Enables IT consolidation
• Integrated into BIG-IP GUI in 11.6
• Local alert server and/or SIEM
Advanced Phishing Attack Detection and Prevention
• Alerts upon usage of copy site on local computer
• Alerts upon login and testing of phishing site
• Phished user names are sent to the SOC
• F5 SOC shuts down identified phishing websites
• Identifies phishing threats early-on and stops attacks before emails are sent

(Diagram: Internet / Web Application; stages of phishing site development)
1. Copy website
2. Save image to computer
3. Upload image to spoofed site
4. Test spoofed site
Alerts at all stages of phishing site development
Generic and Targeted Malware Detection
• Analyzes browser for traces of common malware (e.g., Zeus, Citadel, Carberp)
• Detects browser redressing
• Performs checks on domain and other components

With real-time analysis and a variety of checks, WebSafe identifies compromised sessions, malicious scripts, phishing attacks and malware, including MITM/B, BOTs and fraudulent transactions.
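The two slides above (alerts at each stage of phishing site development, and detection of browser redressing and web injections) both come down to a script inside the genuine page checking where and how that page is being used. The following is an added example of such page-integrity checks, not F5's code and not how WebSafe is implemented. It assumes a list of legitimate hostnames and an expected field list per form (both constructed here); in a browser the inputs would be `window.location`, `window.top`/`window.self` and `document.forms`, while here they are plain objects so the logic runs under Node.

```javascript
// Added example (not F5's code): client-side page-integrity checks of the
// kind a transparent anti-fraud script can run on every page load and
// report to an alert server. In a browser the inputs are window.location,
// window.top/self and document.forms; here they are plain objects.

// Hostnames the protected application legitimately runs on (assumption).
const LEGITIMATE_HOSTS = new Set(['bank.example', 'www.bank.example']);

// Fields each protected form is supposed to have (assumption). Any extra
// field is treated as a possible web-inject asking for data the real page
// never requests (card number, PIN, ...).
const EXPECTED_FIELDS = {
  login: ['username', 'password'],
  transfer: ['account', 'amount'],
};

// Where is this copy of the page actually running? Maps the phishing site
// development stages on the slide to a verdict.
function phishingStage(location) {
  const host = (location.hostname || '').toLowerCase();
  if (location.protocol === 'file:') return 'copy-on-local-computer'; // saved and opened from disk
  if (LEGITIMATE_HOSTS.has(host)) return 'genuine';
  if (host === 'localhost' || host === '127.0.0.1') return 'copy-on-local-computer'; // tested on a local server
  return 'spoofed-site'; // uploaded to another domain and tested there
}

// Browser redressing (clickjacking): the genuine page is loaded inside a
// frame of another origin so that it can be overlaid.
function isRedressed(win) {
  return win.top !== win.self;
}

// Compare each form's field names with the expected set; returns the names
// that were added, i.e. candidate web-injected fields.
function findInjectedFields(forms) {
  const injected = [];
  for (const form of forms) {
    const expected = new Set(EXPECTED_FIELDS[form.id] || []);
    for (const name of form.fields) {
      if (!expected.has(name)) injected.push(`${form.id}.${name}`);
    }
  }
  return injected;
}

// Assemble the alert the script would send to the alert server / SIEM.
// Returns null when nothing is wrong so genuine sessions stay silent.
function buildAlert(location, win, forms) {
  const findings = [];
  const stage = phishingStage(location);
  if (stage !== 'genuine') {
    findings.push({ type: 'phishing', stage, host: location.hostname, protocol: location.protocol });
  }
  if (isRedressed(win)) findings.push({ type: 'browser-redressing' });
  const injected = findInjectedFields(forms);
  if (injected.length) findings.push({ type: 'web-injection', fields: injected });
  return findings.length ? { page: location.pathname, findings } : null;
}

// Constructed sample inputs: the genuine page, and the same page saved to
// disk by a phisher, with a web-inject that added card fields to the login form.
const genuine = {
  location: { protocol: 'https:', hostname: 'www.bank.example', pathname: '/login' },
  win: { top: 'A', self: 'A' },
  forms: [{ id: 'login', fields: ['username', 'password'] }],
};
const tampered = {
  location: { protocol: 'file:', hostname: '', pathname: '/C:/Users/someone/login.html' },
  win: { top: 'A', self: 'A' },
  forms: [{ id: 'login', fields: ['username', 'password', 'card_number', 'pin'] }],
};

console.log(JSON.stringify(buildAlert(genuine.location, genuine.win, genuine.forms)));
console.log(JSON.stringify(buildAlert(tampered.location, tampered.win, tampered.forms), null, 2));
```

The genuine page produces no alert; the tampered copy produces one alert with two findings (a local copy of the site, and two injected fields). A real deployment would also have to protect the script itself from being stripped out of the copied page, which is why the slide pairs this with SOC monitoring rather than relying on the client alone.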
Malware Detection – Web Injection Examples
(Screenshots: targeted malware web injection examples)
Clientless Application-Layer Encryption
WebSafe secures credentials and other valuable data submitted on web forms
• Any sensitive information can be encrypted at the message level
• User credentials & information are submitted & encrypted with the public key
• Data is decrypted on BIG-IP WebSafe using the private key
• Intercepted information is rendered useless to the attacker
WebSafe™ BIG-IP GUI Integration
WebSafe: BIG-IP Integration 11.6
• Define anti-fraud profile for each domain
• Configure alert server
• Enable and disable individual detection/protection modules
  o Phishing detection
  o Malware detection
  o Application layer encryption
  o Automated transaction protection
Easily turn on WebSafe anti-fraud protection from BIG-IP
Anti-Fraud Profiles
Virtual Server Security Policy Configuration
MobileSafe™ In Action
Attack Mitigations (1 of 2)
• Man in the middle
  o DNS spoofing: the target domain is checked against a pre-loaded list of known IPs
  o Certificate forging: the target certificate is compared against a pre-loaded certificate
• Jailbreak / rooted devices
  o Detection of a jailbreak and rooted device
Attack Mitigations (2 of 2)
• OS security
  o An unpatched version with known vulnerabilities will raise the device risk score (sent when the app is loaded)
• App integrity
  o Android: MobileSafe will check the application signature (checksum)
  o iOS: this check is disabled
• Keyloggers: virtual keyboard
• Network sniffing at the OS level (before the SSL): vCrypt
MobileSafe Architecture / Data Flow
(Diagram: the user downloads the app; device-to-application communication passes through the Data Center, where BIG-IP performs message encryption in front of the application servers; alerts go to the F5 SOC in the cloud; an F5 Configuration Server is also shown.)
F5 Security Operations Center
F5 Security Operations Center: Always on the watch
• 24x7x365 fraud analysis team that extends your security team
• Researches and investigates new global fraud technology & schemes
• Provides detailed threat analysis & incident reports
• Real-time alerts activated by phone, SMS and email
• Optional site take-down: phishing sites
F5 SOC: Phishing Site Take-Down Service
• Always available F5 monitoring and response team
• Complete attack assessment & post-mortem attack report
• Leverage relationships with ISPs, anti-phishing groups and key international agencies
• Malicious site take-down in minimal time
• Recommendations for counter security measures
• Quickly identify and shut down brand abuse websites
Real-Time Alerts Dashboard
F5’s Anti-Fraud Solutions
If I can be of further assistance please contact me:
• Prevent Fraud In Real Time: targeted malware, MITB, zero-days, MITM, phishing, automated transactions…
• Protect Online Users: desktop, tablets & mobile devices
• On All Devices: no software or user involvement required
• Full Transparency: alerts and customizable rules
• Clientless solution, enabling 100% coverage
Demo
Demo of Clientless Application-Level Encryption
(Diagram: an infected PC logs in to the web application over the Internet with login information (username + password); the malware's dropzone and C&C sit on a server at the ISP, and the same login information is sent there as well.)
Questions?