Monthly Archives: March 2015

Detecting Bank Accounts Takeover Fraud Cyberattacks with Splunk. Part 3: The Advanced Negative Look Behind Query

…Continued from Part 2.

In the final part of this writeup I’ll show you the actual query that does it all and explain how it works.

As a reminder, this is the challenge we want to accomplish:

Detect and alert when a class C IP subnet tries to access at least 5 different accounts within an hour and at least 75% of the accounts touched have never been accessed from this subnet *and* this USER_AGENT within the last 45 days.

And, as you may remember from Part 1, here’s the basic logic that we need to implement to make it happen:

  1. Scan the last hour of access log data and find the list of subnets that tried to access multiple accounts within that hour.
  2. For each of these accounts, take the username, IP and USER_AGENT and scan the previous 45 days of traffic history to find usernames that have never been touched by this IP/USER_AGENT combo.
  3. Alert if the number of accounts found is above the threshold.
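The three steps above, implemented outside Splunk as a reference for the logic (an added example, not the author's SPL query); the record layout with fields ts, username, ip and ua, the hypothetical helper names and the sample events are constructed assumptions, and the reference set built from the 45-day history plays the role the summary index plays in Part 2:

```python
"""Reference implementation of the Part 1 detection logic (added example,
not the author's SPL). Assumes log records are dicts with ts (epoch seconds),
username, ip and ua, and that every record is already a login event."""
from collections import defaultdict
from ipaddress import ip_network

HOUR = 3600
LOOKBACK = 45 * 24 * HOUR

def subnet(ip):
    """Class C (/24) subnet of an IP: 203.0.113.7 -> '203.0.113.0/24'."""
    return str(ip_network(f"{ip}/24", strict=False))

def build_reference(events, now):
    """45-day history (the summary index's role): (subnet, ua, username) seen before the last hour."""
    return {(subnet(e["ip"]), e["ua"], e["username"])
            for e in events if now - LOOKBACK <= e["ts"] < now - HOUR}

def detect(events, now, min_accounts=5, min_new_ratio=0.75):
    """Return {subnet: (never_seen_accounts, accounts_touched)} to alert on."""
    seen = build_reference(events, now)
    touched = defaultdict(set)  # step 1: subnet -> {(username, ua)} in last hour
    for e in events:
        if now - HOUR <= e["ts"] <= now:
            touched[subnet(e["ip"])].add((e["username"], e["ua"]))
    alerts = {}
    for net, pairs in touched.items():
        accounts = {u for u, _ in pairs}
        if len(accounts) < min_accounts:
            continue
        # step 2: an account is "new" when the subnet/UA combo that hit it in
        # the last hour never touched it in the 45-day history
        new = {u for u, ua in pairs if (net, ua, u) not in seen}
        if len(new) / len(accounts) >= min_new_ratio:  # step 3: threshold
            alerts[net] = (len(new), len(accounts))
    return alerts

# Constructed sample log: 2 legitimate logins a week ago, then in the last
# hour 8 accounts from the same /24 (6 never seen with this UA), and 3
# accounts from a second /24 (below the 5-account threshold).
NOW, UA = 1_425_000_000, "Mozilla/5.0 (constructed)"
SAMPLE = (
    [{"ts": NOW - 7 * 86400, "username": f"acct{i}", "ip": "203.0.113.9", "ua": UA} for i in (1, 2)]
    + [{"ts": NOW - 600 - i, "username": f"acct{i}", "ip": f"203.0.113.{10 + i}", "ua": UA} for i in range(1, 9)]
    + [{"ts": NOW - 300, "username": f"acct{i}", "ip": "198.51.100.5", "ua": UA} for i in range(1, 4)]
)

if __name__ == "__main__":
    print(detect(SAMPLE, NOW))  # {'203.0.113.0/24': (6, 8)}
```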

I’ve spent quite a bit of effort to come up with a single query that does all of the above and in a pretty efficient manner.

The biggest part of the challenge is that the query needs to find events (#1 above) but then it needs to run a very custom search for each event against the summary index that we’ve created (#2 above). And the icing on this cake is that the query needs to return results only if there are *no matches* found for the second part of the search.

This quickly gets mind-boggling and it is a rather interesting puzzle to solve with SPL.

The way I solved it is with a combination of macros and an advanced subsearch. But instead of returning traditional results, the subsearch returns a new, custom-crafted Splunk search query to be executed by the outer search.

I named this approach Advanced Negative Look Behind (ANLB) query.

An ANLB query is a query with these capabilities: (more…)

Detecting Bank Accounts Takeover Fraud Cyberattacks with Splunk. Part 2: Building Reference Summary Index of Logins Data

…Continued from Part 1.

Summary indexing is a great way to speed up Splunk searches by pre-creating a subset of only the data necessary for a specific purpose. In our case we need to filter, out of all available web traffic data, only the login events. This gives us a very fast, much smaller data subset with all the information we need to reference against when matching new, suspicious login events.

To proceed with building the summary index we need to make a set of assumptions. These assumptions are needed to build the query and all other elements of the solution. You’ll be able to substitute your own names later on if you want to.

  1. Let’s assume you have your web logs with all the event data indexed in Splunk already.
    All web events are located within the index named: logs.
  2. Field names (or aliases):
    1. HTTP request method (GET, POST, HEAD, etc.): method
    2. URL of page accessed: page
    3. Username field: username
    4. IP address of visitor: ip
    5. USER_AGENT value: ua

To generate the summary index of login data, we need to create the index itself first.


Detecting Bank Accounts Takeover Fraud Cyberattacks with Splunk. Part 1: The Challenge

Full Series:

In this series of posts I’ll cover the complete strategy for utilizing Splunk Enterprise to detect customer account takeover fraud, as well as setting up automated alerts when such activity is detected.

While I’ve helped implement these measures for a large financial firm, the same approach can be applied to any online enterprise where it is essential to protect online customer accounts, quickly detect suspicious activity, and act to prevent monetary and business losses.

The techniques I am going to describe generate a pretty low level of false positives and include efficient ways to adjust trigger thresholds across multiple metrics for specific business needs. In addition, they are tested and work really well for portals that generate up to 3,000,000-5,000,000 hits a day.

The specific use case covered in these posts applies to the situation where the credentials of multiple clients (sometimes thousands or more) have fallen into the hands of attackers who will try to take advantage of them for monetary, competitive or political gains. With the help of Splunk, the enterprise will be able to quickly and automatically detect such a situation and take the necessary measures to protect the business and its clients.

Account takeover fraud comes into play when a fraudster gains access to customer account credentials by any means: phishing campaigns, malware, spyware, or buying sets of stolen customer credential data on darknet or black online markets and forums.

I won’t get into the details of the many ways customer credentials may be compromised, but the end result is the ability of unauthorized person(s) to access multiple customer accounts and cause significant damage to customers and to the business, including large monetary losses.

The worst way the enterprise can learn about cyberattack on their own customers is from CNN.

Splunk gives us all the necessary tools to quickly detect such attacks and stay on top of the game. (more…)
