Admin

About Gleb

This author has not yet filled in any details.
So far has created 38 blog entries.
  • summary-index

Detecting Bank Accounts Takeover Fraud Cyberattacks with Splunk. Part 2: Building Reference Summary Index of Logins Data

… continued from Part 1.

Summary indexing is a great way to speedup Splunk searches by pre-creating a subset of only necessary data for specific purpose. In our case we need to filter out of all available WEB traffic data only login events. This will allow us to have very fast, much smaller data subset with all the information we need to reference against when matching with new, suspicious login events.

To proceed with building summary index we need to make a set of assumptions. These assumptions are needed to build the query and all other elements of the solution. You’ll be able to substitute names to your specifics later on if wanted to.

Lets assume you have your WEB logs with all the event data indexed in Splunk already.
All web events are located within index named: logs.
Field names (or aliases):

HTTP request method (GET, POST, HEAD, etc..): method
URL of page accessed: page
Username field: username
IP address of visitor: ip
USER_AGENT value: ua

To generate summary index of login data – we need to create index itself first.

[…]

By |Enterprise Security, Splunk|Comments Off on Detecting Bank Accounts Takeover Fraud Cyberattacks with Splunk. Part 2: Building Reference Summary Index of Logins Data
  • splunk-ato-detection-step-1

Detecting Bank Accounts Takeover Fraud Cyberattacks with Splunk. Part 1: The Challenge

Full Series:

Detecting Bank Accounts Takeover Fraud Cyberattacks with Splunk. Part 2: Building Reference Summary Index of Logins Data.
Detecting Bank Accounts Takeover Fraud Cyberattacks with Splunk. Part3: The Advanced Negative Look Behind Query.

In these series of posts I’ll cover the complete strategy of utilizing Splunk Enterprise in detecting customer account takeover fraud as well as setting up an automated alerts when such activity is detected.

While I’ve helped to implement these measures for large financial firm – the same approach can be applied to any online enterprise where it is essential to protect online customer accounts, quickly detect suspicious activity and to act and prevent monetary and business losses.

The techniques I am going to describe generate pretty low level of false positives and contain efficient ways to adjust trigger thresholds within multiple metrics for specific business needs. In addition – it is tested and works really well for portals that generate up to 3,000,000-5,000,000 hits a day.

Specific use case that is covered in these posts applies to situation where credentials of multiple clients (sometimes thousands or more) got in the hands of attackers who will try to take advantage of these for monetary, competitive or political gains. With the help of Splunk, enterprise will be able to quickly and automatically detect such situation and take necessary measures to protect business and clients.

Account takeover fraud comes into play when fraudster gains access to customer account credentials via any means: phishing campaigns, malware, spyware or by buying sets of stolen customer credential data on darknets or black online markets and forums.

I won’t get into the details of multiple possible ways customer credentials may be compromised but the end result is an ability of unauthorized person(s) to access multiple customer accounts and cause significant damages to customers and to business, including large monetary losses.

The worst way the enterprise can learn about cyberattack on their own customers is from CNN.

Splunk gives us all the necessary tools to quickly detect such attacks and stay on top of the game. […]

By |Enterprise Security, Splunk|0
  • visualizing_cyber_attack_trends

IBM TeaLeaf + Splunk = Powerful fraud investigation and security analytics platform for financial firms. Part 3: Visualizing Trends and Patterns of Cyberattacks

Once you got all the beautiful and rich traffic data exported from Tealeaf and imported in Splunk – the possibilities are virtually endless to create very powerful search and cross referencing analytics and security investigation tool.

Within my consulting work for a major financial services firm I’ve built a specialized Splunk App that allows using single dashboard to execute multiple searches and visualize results and trends by leveraging Tealeaf data.

In addition to that a number of custom searches and alerts were created to create summary indexes and automatically detect and alert on possible malware infections, notify about suspicious activity patterns and out of bound activities.

Before sharing more details about visualizing trends and malicious traffic patterns – here are few tips on general design of custom Splunk security analytic apps and dashboards with Splunk.

While I cannot offer image snapshots of the actual dashboard’s visuals used within financial firm due to obvious client’s security concerns, I can describe the general approach we took to overcome Tealeaf’s limitations with Splunk as well as number of important points on how to take the most advantage of Splunk as a security research tool. […]

By |Enterprise Security, Splunk, TeaLeaf|0
  • Traffic Ray

Traffic Ray: New Splunk App to visualize your HTTP WEB traffic for security and analytics needs

Update: Splunk approved and published Traffic Ray within official Splunk app repository here.

Traffic Ray is a real time Web traffic analytics Splunk App I built for web server administrators and web hosting service providers.

Traffic Ray leverages raw Apache log files to visualize incoming Web server traffic allowing to discover incoming IP activity patterns, detect malicious activity, view bandwidth consumption trends and gain insights into Web visitor’s origins and behaviors on a single dashboard. Ok, on two :).

Being a webmaster as well as Web hosting server administrator myself – I often wanted to get unobstructed, quick, visual, real time view into incoming Web traffic stats and patterns. While working with many different reporting and analytic solutions I found most of them to be either too convoluted, overly generic, suspiciously intrusive or unacceptably restrictive. I needed an easy ability to gain comprehensive server-wide Web traffic insights as well as ways to do quick drilldowns into specific IP address behavior patterns or specific Web site bandwidth consumption trends.
Also, quite often ill-behaving or outright malicious incoming Web traffic source causes server to send automated, generic, non-descriptive system alerts about excessive server loads, suspicious running processes and alike that would require further root cause analysis.

Before I had to rely on multiple tools to put together a big picture of events as well as login to system shell and manually search and grep through raw logs to discover culprits of suspicious activity – and that was time consuming and unpleasant process.

Now with Traffic Ray it is essentially one click step to grasp all the necessary and specific information about root causes and origins of suspicious activity on a single screen view. […]

By |News, Splunk|0

IBM TeaLeaf + Splunk = Powerful fraud investigation and security analytics platform for financial firms. Part 2: Exporting data from TeaLeaf

Let’s get our hands dirty. First step in building fraud investigation and security analytics platform with TeaLeaf is making TeaLeaf’s data available for Splunk. Then Splunk will take care of all the deep security queries and specialized investigative dashboarding.

Disclaimer: all data you see on this site was autogenerated for demonstration purposes. It demonstrates concepts and ideas but does not shows any real names, IP addresses and any other information that matches real world events.

TeaLeaf comes with cxConnect for Data Analysis component.

TeaLeaf cxConnect

“Tealeaf cxConnect for Data Analysis is an application that enables the transfer of data from your Tealeaf CX datastore to external reporting environments. Tealeaf cxConnect for Data Analysis can deliver data in real-time to external systems such as event processing systems or enable that data to be retrieved in a batch mode. Extraction of customer interaction data into log files, SAS, Microsoft SQL Server or Oracle databases are supported. Data extraction jobs can be run on a scheduled or ad-hoc basis. Flexible filters and controls can be used to include or exclude any sessions or parts of sessions, according to your business reporting needs”.
Source: IBM TeaLeaf.

IBM TeaLeaf cxConnect hourly log extraction task

Although from my experience “real-time” claim is a long shot (at least I didn’t find a way to accomplish above in real-time), but I managed to do pretty successful regular, hourly, detailed TeaLeaf log exports.

cxConnect Daily extraction task

If you’d try to use cxConnect right off the bat for log exports and select all default options – you’ll end up with humongous set of files that will contain mountain data you don’t really need wasting your disk space. It took me quite a while to configure cxConnect to export data that i need and to make it not include data that i don’t need.

Within cxConnect “Configured Tasks” menu – you may create any scheduled task. For our purpose I’ve created two tasks – one is hourly and second is daily. […]

By |Enterprise Security, Splunk, TeaLeaf|0

IBM TeaLeaf + Splunk = Powerful fraud investigation and security analytics platform for financial firms. Part 1: Introduction

IBM Tealeaf plus Splunk

IBM TeaLeaf is one of the leading customer experience management platforms from IBM.

IBM TeaLeaf is set of tools allowing enterprises to record all customer interactions with their Web Application portals with further capabilities of visual session replays. IBM TeaLeaf also offers a set of interfaces to design custom events, alerts, dashboards and visual reports.

TeaLeaf allows to define custom reporting dimensions that could be very specific to the given business needs.
Tracking clicks, conversions, customer struggles, optimizing sales funnels, analyzing mobile experiences, presenting any kind of data in a visually appealing way are only few of many available benefits that TeaLeaf offers.

As a consultant helping large brokerage and financial firm to manage firm-wide TeaLeaf deployment – I see another fast growing application for IBM TeaLeaf – financial fraud investigations, security analytics, forensic analysis and investigation of suspicious activities.

When corporate security departments receive suspicious activity reports and requests to investigate possible ATO (Account TakeOver – case where fraudsters buy on a black market set of valid customer credentials obtained by targeted phishing attacks for example) – they come to TeaLeaf to dig into raw data and do forensics investigations.

After finding necessary visitor hits or customer sessions data within TeaLeaf database, security investigators launch TeaLeaf RTV viewer to visually preview actual sessions that potentially involve fraudulent activity.

TeaLeaf allows searching for pieces of data by predefined metrics – IP address, browser OS, browser version, User Agent, text in request, text in response as well as via raw text data fragments possibly found within hit or session data.

TeaLeaf generally offers two ways to search for pieces of information – via it’s browser interface (“Search” menu option) or using RealiTea Viewer (RTV) – separate desktop application allowing to run raw searches via direct connections to TeaLeaf data repository (data canisters).
The main advantage of RTV is that it allows to run searches on currently active sessions (in other words with almost no delay in obtaining fresh traffic data) as well as it is quite fast. […]

By |Enterprise Security, Splunk, TeaLeaf|0
  • square_peg

When Machine Learning and Anomaly Detection Cannot Detect Fraud: Be careful what you invest into

As part of being professional consultant building client-specific fraud detection solutions I often witness product pitches by different vendors in a security / fraud detection space.

The recent wave of successful high profile cyberattacks and disastrous data leaks added new level of activity into search for the perfect fraud detection and early alerting solution.

With attackers changing their activity vectors, attack patterns and techniques on a daily basis this makes many legacy fraud detection tools to lose their efficiency and get outdated very quickly.

In the never ending quest to protect enterprise against fraud losses the ideas of Automated Anomaly Detection are picking up steam.

The way it generally works – anomaly detection system would establish baseline for certain predefined dimensions and system would then monitor (often in real time) for deviations from established baseline. Once sufficiently abnormal condition is detected – the alert is issued. Such system could operate pretty automatically and learn from historical and present data constantly updating it’s baselines as well as trigger thresholds. […]

By |Enterprise Security, Fraud, Splunk|0

Before buying membership site software – ask these questions to every vendor

Building online membership site business is an exciting step on the road to build our own source of residual income.

We all have talents, we all love and know to do certain things better than anyone else. We all know how to solve certain problems that others would love to learn from us. Taking time to put our skills, experience, passion and knowledge on the web and having a chance to monetize it brings triple excitement:

You do something more about what you love.
You share what you love to do with other people and helping them to solve their problems.
You can make money doing what you love.

One way to monetize your skills and experience is to build a site  and share your skills and experience in form of writings, posts, helpful articles, downloadable ebooks, text, video and audio tutorials or in any other kind of “digital” format. Idea is to share your talents with other people, helping them to solve their problems and making money along the way by charging for information access.
Today on internet people are happily paying for useful practical information.

Once you decide to take a step and start building your online membership business the question is how to proceed? […]

By |Webmaster Toolbox, Wordpress|Comments Off on Before buying membership site software – ask these questions to every vendor

Build Membership Site for free? You got it!

Would you like to buil […]

By |Webmaster Toolbox|0

Why Hostgator’s support absolutely rocks!

Here’s my little experience with HostGator service and support.

Well, let me say first that I moved to Hostgator after finding that someone’s e-commerce site was totally flying in terms of speed of contents delivery and she was hosting it all off hostgator’s lower end shared hosting plans. So I decided to move few of my domains to hostgator and even opened a reseller account with them to get a bit of boost in performance.

Yesterday I was working to update my WordPress Membership Plugin (MemberWing allows to build free membership sites) – and it was supposes to send an email when new user is paid and signed up.

Everything was working but that piece – sending email. It was kinda annyoing to me to deliver software that works but no one get notified that it works. In other words sending email part of script didn’t work. So I decided to blame Hostgator and send them email asking it to fix sending email from PHP. My perception was that their security settings was over elevated. […]

By |Webmaster Toolbox|0