Bots – ThreatRadar Account TakeOver: Under the Hood (Last in a series)
In this final post of the series, we discuss in detail how Imperva ThreatRadar Account Takeover Protection works. In the second blog of this series, we mentioned how botnets play into credential stuffing and the ensuing account takeover. In this blog, we reveal how Imperva ThreatRadar outsmarts these exploits and protects against account takeover using a combination of credential and device intelligence.
- Credential Intelligence: detects credential stuffing using stolen credentials and weak passwords
- Device Intelligence: detects risky devices based on device fingerprinting and suspicious behavior
The SecureSphere WAF detects brute-force credential stuffing attacks originating from bot clients by using credential intelligence as follows:
- Repeated login failures trigger checks against the ThreatRadar cloud, which maintains repositories of stolen credentials, weak passwords and privileged account passwords
- A successful match against one of these repositories confirms a credential stuffing attack
Mitigation rules can be configured on SecureSphere WAF to alert on and automatically block such clients.
Finally, we take a look at how SecureSphere WAF detects account takeover using device intelligence.
- Device Risk Evaluation: During the login process, SecureSphere WAF invokes ThreatRadar APIs to evaluate the risk score of the device, based on its reputation (e.g. whether it is a jailbroken device), whether it is using evasion techniques, or whether it is known to have associations with multiple accounts.
- Mitigation Rules: The device risk score returned from ThreatRadar is correlated with other feeds in SecureSphere WAF to determine the mitigation action performed on a specific web-login attempt. The result of this SecureSphere WAF mitigation rule determines the mitigation action: Audit, Alert or Block.
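The flow in the two lists above, as an added example in Python (not Imperva's code and not the ThreatRadar API). The failure threshold, the 0-100 risk scale and its cut-offs, the repository contents, the "allow" outcome and all names are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

# Assumed values for illustration; none of these come from the product.
FAILURE_THRESHOLD = 3            # failed logins per client before repository checks
RISK_ALERT, RISK_BLOCK = 50, 80  # device risk score cut-offs on a 0-100 scale

def digest(value):
    return hashlib.sha256(value.encode()).hexdigest()

# Constructed stand-ins for the cloud repositories, stored as hashes only.
STOLEN_PAIRS = {digest("alice:Summer2016"), digest("bob:hunter2")}
WEAK_PASSWORDS = {digest("123456"), digest("password")}

class LoginMonitor:
    def __init__(self):
        self.failures = defaultdict(int)  # client id -> failed login count
        self.confirmed = set()            # clients confirmed as credential stuffing

    def observe(self, client, user, password, success, device_risk):
        """Return 'allow', 'audit', 'alert' or 'block' for one login attempt."""
        if client in self.confirmed:
            return "block"
        if not success:
            self.failures[client] += 1
            # Repository lookups start only after repeated failures.
            if self.failures[client] >= FAILURE_THRESHOLD and (
                digest(f"{user}:{password}") in STOLEN_PAIRS
                or digest(password) in WEAK_PASSWORDS
            ):
                self.confirmed.add(client)
                return "block"
        # Otherwise the device risk score decides the action.
        if device_risk >= RISK_BLOCK:
            return "block"
        if device_risk >= RISK_ALERT:
            return "alert"
        return "allow" if success else "audit"

def replay(events):
    monitor = LoginMonitor()
    return [monitor.observe(*event) for event in events]

# Constructed login events: (client, user, password, success, device_risk)
SAMPLE_EVENTS = [
    ("bot-1", "carol", "x1", False, 10),
    ("bot-1", "dave", "x2", False, 10),
    ("bot-1", "alice", "Summer2016", False, 10),
    ("bot-1", "erin", "correct", True, 10),
    ("dev-7", "frank", "correct", True, 65),
    ("home-3", "heidi", "typo", False, 5),
]
```

Calling `replay(SAMPLE_EVENTS)` shows the third failure from `bot-1` matching the stolen-credential set, after which every later attempt from that client is blocked, even one with valid credentials.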
For more information:
- Read this playbook to understand the top 5 requirements necessary for a robust Account Takeover Protection solution.
- Also, watch this webinar that highlights the value proposition of Imperva ThreatRadar threat intelligence services for Imperva SecureSphere WAF.