Empowered by big-data analysis, security researchers are finding new ways to pinpoint the sources of botnets, login account hacking and fraud exploits that will allow businesses to proactively evaluate and manage their exposure to financial and other risks.
Ongoing analysis of attack traffic – through correlation of malicious traffic, scraping of login details, geolocation information, usage patterns and more – has helped Akamai security researchers in a new effort to analyse and categorise active botnets that has already classified more than 1300 such attack pathways.
These botnets and other suspicious sources are being monitored for questionable activity and tagged with reputation scores that are helping surface new relationships and attack patterns – showing, for example, where a particular attacker has been using scripts to run automated password-reuse checks across a large number of sites.
“It has taken us many years to get to this point but we have a lot of customer data from around the world and we're feeding that into a big-data engine,” the company's APJ security chief technology officer Mike Smith recently told CSO Australia.
“Reputation scores help a business see that someone was, say, attacking the site of a competitor in the same industry or geography,” he continued. “You can learn from the attacks against everybody else, but in an abstract way so you don't know who it was.”
Many attacks are “really simple stuff”, Smith said, and are more distinctive for the patterns of activity they generate – large numbers of requests to or from a single IP address in a short period of time, for example – than for their actual authorship.
Analysis was starting to show hotspots of activity where fraudsters were using personal information to get into loyalty-program accounts and cash out the points as gift cards and other negotiable instruments. Other analysis was revealing cases where an online merchant had been shipping items to people with different names but the same shipping address.
“You start to use big-data techniques on your customer base looking for irregularities,” Smith explained. “If you can find out which domains are very popular but shouldn't be popular, that's where your fraudsters are.”
Economic crime has emerged as a major and growing problem as online cybercriminals refine techniques for harvesting large volumes of stolen account passwords, cloud-service credentials, personally identifiable information, and other data that can be used to infiltrate additional services and extract some type of financial reward.
PricewaterhouseCoopers' recent Global Economic Crime Survey 2016 hinted at the magnitude of the problem, drawing on more than 6000 respondents across a range of industry sectors to find that existing methods for detecting criminal activity have become less effective over time.
Although 36 percent of surveyed organisations had experienced economic crime in the previous 24 months, fully 22 percent of respondents had not conducted a single fraud risk assessment in that same period – leaving them exposed to fraud techniques that are changing on a daily basis.
Given that two-thirds of CEOs surveyed agreed that there are more threats to the growth of their companies than ever, the low rate of detection and checking suggests “that too much is being left to chance,” the PwC analysis concluded. “In fact, our findings indicate that one in ten economic crimes are discovered by accident.”
Better utilisation of traffic analysis and big-data tools is finally providing ways for businesses to get more proactive about their defence against economic crimes.
“We are now at the point where we can identify where people are getting lots of login abuse,” Smith said. “If they have a large volume of traffic going to a target URL from individual IP addresses, they probably have an account takeover problem and we can proactively reach out to them.”
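The pattern Smith describes – a burst of login requests from one source IP to the login URL, most of them failing – is easy to check for in ordinary web access logs. The script below is an added example written for this page, not Akamai's code or tooling; the log lines, the `/login` path and the thresholds are constructed assumptions for the demonstration.

```python
"""Flag login-abuse hotspots in web access logs (added example, not Akamai's code).

Counts POSTs to the login URL per source IP inside a sliding time window and
reports IPs that exceed a threshold, together with how many of their attempts
failed. All log lines below are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in combined-log style (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2016:14:00:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.10 - - [10/Mar/2016:14:00:02 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.10 - - [10/Mar/2016:14:00:02 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.10 - - [10/Mar/2016:14:00:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.10 - - [10/Mar/2016:14:00:04 +0000] "POST /login HTTP/1.1" 200 1024
203.0.113.10 - - [10/Mar/2016:14:00:05 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [10/Mar/2016:14:00:10 +0000] "GET /products HTTP/1.1" 200 8192
198.51.100.7 - - [10/Mar/2016:14:00:40 +0000] "POST /login HTTP/1.1" 200 1024
192.0.2.55 - - [10/Mar/2016:14:01:00 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.55 - - [10/Mar/2016:14:03:00 +0000] "POST /login HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def login_abuse_by_ip(log_text, login_path="/login", window_seconds=60, threshold=5):
    """Return {ip: (peak_requests_in_window, failed_attempts)} for every IP whose
    login POST rate reached `threshold` requests within `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        recent = deque()  # timestamps inside the current sliding window
        peak = 0
        for rec in recs:
            recent.append(rec["ts"])
            while recent[0] < rec["ts"] - window:
                recent.popleft()
            peak = max(peak, len(recent))
        failures = sum(1 for r in recs if r["status"] in (401, 403))
        if peak >= threshold:
            flagged[ip] = (peak, failures)
    return flagged


if __name__ == "__main__":
    for ip, (peak, failures) in login_abuse_by_ip(SAMPLE_LOG).items():
        print(f"{ip}: {peak} login POSTs within 60s, {failures} failed")
```

On the sample data only `203.0.113.10` is flagged: six login POSTs in four seconds, five of them rejected. A per-IP threshold like this catches the "really simple stuff"; a botnet that spreads its attempts across many addresses stays under it, which is why the cross-customer reputation data described in the article matters.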
Having refined the company's data collection and analysis capabilities over the years, Akamai is now looking at ways of packaging up its analytics services to empower businesses to get more proactive about their investigation of suspected fraudsters.
“We're currently doing this with people but that doesn't scale out very well,” he said. “We're trying to figure out how to do bundles of packages so that customers can come with a problem and find a solution that can help them out.”
If big-data analytics can help them identify potential risk vectors based on contemporary hacking patterns, Smith reasons, businesses of all sizes will be able to leverage such tools to follow through on breaches – identifying where remote fraudsters have sought to use their stolen credentials for malicious purposes.
By comparing their internal customer databases with activity data that Akamai is collecting, businesses will be able to contextualise observed activity and respond to it more appropriately. They should also consider downloading copies of compromised credential databases to proactively identify user accounts – theirs, their customers', or their suppliers' – that may be exploited by hackers for nefarious purposes.
“All the smart folks are getting copies of that, which is normally a black-hat activity, and they are taking that to their customer database to find out about any customer accounts they have that could potentially be compromised,” Smith said. “There are things like that that most companies should be doing, but probably aren't.”
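Matching a leaked credential dump against a customer store, as Smith describes, needs two things the article leaves implicit: the email addresses have to be normalised before comparison, and the leaked password should be tested against the stored hash so that accounts whose leaked password still works get a forced reset rather than just a warning. The following is an added example written for this page, not Akamai's tooling; the dump format (`email:password` lines), the PBKDF2 password store and all the records are constructed assumptions.

```python
"""Triage customer accounts against a compromised-credential dump
(added example, not Akamai's code; all data below is constructed).

Assumes the dump is 'email:password' lines and that the customer store keeps
salted PBKDF2-HMAC-SHA256 password hashes. Only hashes are compared; the
leaked plaintext is never stored.
"""
import hashlib
import hmac
import os


def normalize_email(email):
    """Dumps and customer stores rarely agree on case or whitespace."""
    return email.strip().lower()


def _hash_password(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_customer_store(accounts):
    """Build a demo store {email: (salt, hash)} from {email: plaintext_password}.
    Plaintext is only used here to construct the example; a real store holds hashes."""
    store = {}
    for email, password in accounts.items():
        salt = os.urandom(16)
        store[normalize_email(email)] = (salt, _hash_password(password, salt))
    return store


def parse_dump(dump_text):
    """Yield (normalised_email, password) from 'email:password' lines; skip junk."""
    for line in dump_text.splitlines():
        if ":" not in line:
            continue
        email, _, password = line.partition(":")
        email = normalize_email(email)
        if email and password:
            yield email, password


def triage(dump_text, store):
    """Return {'reset': [...], 'notify': [...]}.

    'reset'  - the leaked password still matches the stored hash: force a reset.
    'notify' - the email is in the dump but the password differs: warn the user.
    """
    result = {"reset": [], "notify": []}
    for email, leaked_pw in parse_dump(dump_text):
        if email not in store:
            continue
        salt, stored_hash = store[email]
        # Recompute with the account's salt and compare in constant time.
        if hmac.compare_digest(_hash_password(leaked_pw, salt), stored_hash):
            bucket = "reset"
        else:
            bucket = "notify"
        if email not in result[bucket]:
            result[bucket].append(email)
    # An account that needs a reset must not also be listed as notify-only.
    result["notify"] = [e for e in result["notify"] if e not in result["reset"]]
    return result


# Constructed customer accounts (demo only).
CUSTOMER_STORE = make_customer_store({
    "alice@example.com": "Correct-Horse-Battery",
    "bob@example.com": "hunter2",
    "carol@example.com": "s3cret-pass",
})

# Constructed dump excerpt: mixed case, an unknown address, a junk line, a repeat.
DUMP = """\
Alice@Example.com:Correct-Horse-Battery
bob@example.com:password123
dave@example.net:letmein
not-a-valid-line
carol@example.com:s3cret-pass
carol@example.com:oldpassword
"""

if __name__ == "__main__":
    for bucket, emails in triage(DUMP, CUSTOMER_STORE).items():
        print(f"{bucket}: {emails}")
```

On the constructed data, `alice` and `carol` land in `reset` because their leaked passwords still verify against the store, while `bob` only gets a notification and `dave` is ignored because he is not a customer. Because the input is stolen data, keep the dump itself on restricted systems, run the comparison there, and retain only the resulting account list.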