Bots – ThreatRadar Account TakeOver: Under the Hood (Last in a series)


In this final blog of the series, we discuss in detail how Imperva ThreatRadar Account Takeover Protection works. In the second blog of this series, we described how botnets drive credential stuffing and the account takeover that follows. Here we show how Imperva ThreatRadar detects these attacks and protects against account takeover using a combination of credential and device intelligence.

ThreatRadar Account Takeover Protection is an add-on subscription service for Imperva SecureSphere WAF that delivers the following real-time threat intelligence via ThreatRadar API calls:

  • Credential Intelligence: detects credential stuffing that uses stolen credentials and weak passwords
  • Device Intelligence: detects risky devices based on device fingerprinting and suspicious behavior

The SecureSphere WAF detects brute-force credential stuffing attacks originating from bot clients by using credential intelligence as follows:


  1. Repeated login failures trigger checks against the ThreatRadar cloud, which maintains repositories of stolen credentials, weak passwords and privileged-account passwords
  2. A successful match against one of these repositories confirms a credential stuffing attack

Mitigation rules can be configured on SecureSphere WAF to alert on and automatically block such clients.
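As an added example (not Imperva's code; the ThreatRadar API and the format of its repositories are not shown on this page), the following Python sketch implements the two steps above over a constructed stream of login events. It assumes a per-client failure threshold, stores the stolen-credential repository as SHA-256 hashes of username:password pairs so the checker never holds plaintext pairs, and goes slightly beyond the text in one respect: once a client has crossed the threshold it stays under scrutiny, so a subsequent successful login with a stolen credential (the actual takeover) is also caught rather than only the failures that preceded it.

```python
import hashlib
from collections import defaultdict

# Constructed repositories for the example (not real leaked data). Stolen
# credentials are kept as SHA-256(username:password) so the checker never holds
# plaintext pairs; the weak-password list is a plain set of strings.
def credential_hash(username, password):
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


STOLEN_CREDENTIALS = {
    credential_hash("alice", "Summer2019!"),
    credential_hash("bob", "hunter2"),
}
WEAK_PASSWORDS = {"123456", "password", "qwerty", "letmein"}

FAILURE_THRESHOLD = 3  # assumed: failed logins per client before repository checks start


def check_repositories(username, password):
    """Step 1 lookups: names of the repositories the submitted credential matches."""
    hits = []
    if credential_hash(username, password) in STOLEN_CREDENTIALS:
        hits.append("stolen_credentials")
    if password in WEAK_PASSWORDS:
        hits.append("weak_passwords")
    return hits


class CredentialStuffingDetector:
    def __init__(self, threshold=FAILURE_THRESHOLD):
        self.threshold = threshold
        self.failures = defaultdict(int)  # client_ip -> failed logins seen so far

    def evaluate(self, event):
        """Return (action, matched_repositories) for one login attempt.

        action is "allow", "alert" (client over the failure threshold but no
        repository match) or "block" (step 2: a match confirms credential stuffing).
        """
        ip = event["client_ip"]
        if not event["success"]:
            self.failures[ip] += 1
        # Below the threshold nothing is looked up. The counter is deliberately
        # never reset on a success, so a client that crossed the threshold is
        # still checked when one of its stuffed credentials finally works.
        if self.failures[ip] < self.threshold:
            return "allow", []
        hits = check_repositories(event["username"], event["password"])
        if hits:
            return "block", hits
        return "alert", []


# Constructed login events, as a WAF would extract them from inspected POST bodies.
SAMPLE_EVENTS = [
    {"client_ip": "203.0.113.7", "username": "alice", "password": "wrongpass1", "success": False},
    {"client_ip": "203.0.113.7", "username": "alice", "password": "wrongpass2", "success": False},
    {"client_ip": "203.0.113.7", "username": "eve", "password": "Tr0ub4dor&3", "success": False},
    {"client_ip": "203.0.113.7", "username": "bob", "password": "hunter2", "success": False},
    {"client_ip": "203.0.113.7", "username": "alice", "password": "Summer2019!", "success": True},
    {"client_ip": "198.51.100.4", "username": "dave", "password": "Correct-Horse-42", "success": True},
    {"client_ip": "198.51.100.4", "username": "dave", "password": "123456", "success": False},
]


def run_sample():
    """Run the detector over SAMPLE_EVENTS and return one (action, hits) per event."""
    detector = CredentialStuffingDetector()
    return [detector.evaluate(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, (action, hits) in zip(SAMPLE_EVENTS, run_sample()):
        print(f'{event["client_ip"]:14} {event["username"]:6} -> {action:5} {hits}')
```

Two caveats a practitioner should keep in mind. A weak-password match after three failures does not by itself prove a bot: a legitimate user with a poor password who mistypes it three times would be blocked by this rule, so the weak-password repository is better used to alert and force a reset than to block outright. And keying the counter on source IP alone is fragile against botnets that rotate addresses, which is exactly the gap the device intelligence described next is meant to close.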


Finally, we take a look at how SecureSphere WAF detects account takeover using device intelligence.


  1. Device Profiling: SecureSphere WAF injects JavaScript into the login pages served to every device that attempts to log into the web application. The JavaScript profiles the device and identifies whether it is a new or a returning device.
  2. Device Risk Evaluation: During the login process SecureSphere WAF invokes ThreatRadar APIs to obtain a risk score for the device, based on its reputation (for example, whether it is jailbroken), whether it is using evasion techniques, and whether it is known to be associated with multiple accounts.
  3. Mitigation Rules: The device risk score returned from ThreatRadar is correlated with other feeds in SecureSphere WAF to determine the mitigation action for a specific login attempt. The result of the SecureSphere WAF mitigation rule determines that action: Audit, Alert or Block.

For more information:

  • Read this playbook to understand the top 5 requirements necessary for a robust Account Takeover Protection solution.
  • Also, watch this webinar that highlights the value proposition of Imperva ThreatRadar threat intelligence services for Imperva SecureSphere WAF.


Check out the related blog entries for more reading on ThreatRadar:

Bots – The Backbone of Cyber Crime (First in a series)

Bots – How To Counter Account Take Over – (Second in a series)

Bots – ThreatRadar Bot Protection: Under the Hood