Almost two thirds of confirmed breaches involve using weak or stolen passwords - it’s not a new threat, but it works. By the end of this talk you will understand the Account Takeover threat, and walk away with some techniques & tools for detection and response within your own web applications.

1. How to spot a
wolf in sheep’s
clothing
Protecting your users from
Account Takeover
CC By-ND flickr.com/photos/cwkarl/11972795684

2. Nick Malcolm
Security Consultant @ SafeStack
Previously CTO @ ThisData
nickmalcolm

3. What we’ll cover
● What is Account Takeover?
● (Why) Is Account Takeover a problem?
● How can we prevent it?
● How can we detect it?
● How can we respond?

4. KNOW PREVENT
RESPOND DETECT

5. What is Account
Takeover?

6. What is Account
Takeover?
It’s when someone takes over …. an account ….
Or, when a wolf has a really good sheep costume!

8. How does it happen?

9. Credit: github.com/magoo/AuthTables (MIT)

10. Is it a problem? Why?

11. Yahoo - 1 Billion
MySpace - 427M
AdultFriendFinder - 400M
LinkedIn - 167M
Dropbox - 68M

13. 63%
of confirmed data breaches involved attackers using
weak, default, or stolen passwords
(Verizon DBIR 2016, page 20)

14. A7: “Insufficient Attack Protection”
“involves automatically detecting, logging, responding, and
even blocking exploit attempts”
- OWASP Top 10 2017, Release Candidate

15. KNOW PREVENT
RESPOND DETECT

16. Know
● Know your users / customers
● Know your app
● Does this type of attack apply to me? Probably.
● Is there lower hanging fruit? Probably!

17. KNOW PREVENT
RESPOND DETECT

18. Prevention
Stopping it from happening in the first place

19. Prevention
● Rate Limiting!
● Don’t rely on just passwords: 2FA
● IP whitelists
● Password policies
● Outsource your authentication: Google SSO, Auth0, etc

20. KNOW PREVENT
RESPOND DETECT

21. Detection
Spotting the wolf

22. Detection
● Goal: learn what “normal” looks like
○ What browser do they use?
○ What locations do they work from?
● The buzzword here is: BEHAVIOURAL ANALYTICS
or ANOMALY DETECTION,
or USER AND ENTITY BEHAVIOUR ANALYTICS (UEBA)
● Simple learning & rules can get you pretty far

23. magoo/AuthTables

24. Credit: github.com/magoo/AuthTables (MIT)

25. AuthTables
● User ID + Cookies and IP Addresses
○ Same cookie, new IP ✓ PASS.
○ New cookie, same IP ✓ PASS.
○ New cookie, new IP ✗ FAIL.
● Can also incorporate IP threat feeds
○ Tor, Spammy IPs, Botnets, etc
● Problem: hard pass or fail

26. Detection
● IP Address
● Geolocation
● Velocity
● Browser & OS
● Browser fingerprint
● Time of Day
● Cursor movement
● Typing speed
On phones:
● How you walk
● Touch pressure
● Swipe movement
● How you hold your phone
● How you move your phone

27. Combined features
gave results
10x more reliable
than a fingerprint
alone
“Project Abacus,” at
Google I/O 2015

28. MACHINE LEARNING

29. Detection
● Machine Learning is great when:
○ You have a lot of data
○ You understand your data well
● There are two ways to train it:
○ Supervised: we tell it what’s good and bad (labels)
○ Unsupervised: figures labels out itself

30. One Class
Support Vector Machine
“Is it them, or not them?”

31. STATISTICS

32. Detection
● You can do it yourself!
○ Simple pass/fail: AuthTables
○ Smarter: Statistics
○ Smarterer: Machine Learning
● Or you can pay someone to do it for you!

33. KNOW PREVENT
RESPOND DETECT

34. Response
You’ve spotted the wolf. What now?

35. Response
● Alert the user, out-of-band
○ Email
○ Slack
● Block the activity completely
● Step Up
○ ask for 2FA
○ ask for answers to security questions (shudder)

37. Distributed Alerting
● Slack uses Slack
● Dropbox liked that, so they made a thing:
dropbox/securitybot

38. KNOW PREVENT
RESPOND DETECT

39. Detection and Response
as Prevention

40. Thanks!
Talk to me on twitter:
@nickmalcolm
CC By-ND flickr.com/photos/cwkarl/11972795684