Almost two-thirds of confirmed breaches involve using weak or stolen passwords - it’s not a new threat, but it works. By the end of this talk you will understand the Account Takeover threat, and walk away with some techniques & tools for detection and response within your own web applications.
3. What we’ll cover
● What is Account Takeover?
● (Why) Is Account Takeover a problem?
● How can we prevent it?
● How can we detect it?
● How can we respond?
22. Detection
● Goal: learn what “normal” looks like
○ What browser do they use?
○ What locations do they work from?
● The buzzword here is: BEHAVIOURAL ANALYTICS, or ANOMALY DETECTION, or USER AND ENTITY BEHAVIOUR ANALYTICS (UEBA)
● Simple learning & rules can get you pretty far
25. AuthTables
● User ID + Cookies and IP Addresses
○ Same cookie, new IP ✓ PASS.
○ New cookie, same IP ✓ PASS.
○ New cookie, new IP ✗ FAIL.
● Can also incorporate IP threat feeds
○ Tor, Spammy IPs, Botnets, etc
● Problem: hard pass or fail
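The three AuthTables rules above, plus the threat-feed check, as an added worked example; this is not the deck's code nor the AuthTables project's own implementation. It assumes the first login for an unknown user bootstraps the table (the slide does not say how the table is seeded), that threat-feed hits override login history, and that only accepted logins extend the table. The IPs and cookie IDs are constructed.

```python
"""AuthTables-style pass/fail login check (added example, not from the deck).

Per user we remember the cookie IDs and IP addresses seen on accepted logins.
A login passes if either the cookie or the IP is already known for that user;
a login with both a new cookie and a new IP fails.
"""
from dataclasses import dataclass, field


@dataclass
class AuthTables:
    known_cookies: dict = field(default_factory=dict)  # user -> set of cookie ids
    known_ips: dict = field(default_factory=dict)      # user -> set of IP addresses
    threat_ips: set = field(default_factory=set)       # Tor exits, spam sources, botnets

    def check(self, user, cookie, ip):
        """Return (verdict, reason); verdict is 'PASS' or 'FAIL'."""
        # Threat-feed hit overrides history: a known cookie arriving from a
        # Tor exit is still suspicious (design choice assumed for this example).
        if ip in self.threat_ips:
            return "FAIL", "ip on threat feed"

        cookies = self.known_cookies.setdefault(user, set())
        ips = self.known_ips.setdefault(user, set())

        if not cookies and not ips:
            # Assumption: the very first login seeds the table.
            verdict, reason = "PASS", "first login, bootstrapping"
        elif cookie in cookies:
            verdict, reason = "PASS", "known cookie"        # same cookie, new IP
        elif ip in ips:
            verdict, reason = "PASS", "known ip"            # new cookie, same IP
        else:
            verdict, reason = "FAIL", "new cookie and new ip"

        if verdict == "PASS":
            # Only accepted logins extend the table, so a failed attempt
            # cannot teach the table an attacker's cookie or IP.
            cookies.add(cookie)
            ips.add(ip)
        return verdict, reason


def run_demo():
    """Replay a constructed login sequence for one user; return the verdicts."""
    tables = AuthTables(threat_ips={"198.51.100.7"})  # constructed feed entry
    events = [
        ("alice", "c1", "10.0.0.1"),      # first login ever
        ("alice", "c1", "10.0.0.2"),      # same cookie, new IP (home wifi)
        ("alice", "c2", "10.0.0.1"),      # new cookie, same IP (cleared cookies at the office)
        ("alice", "c3", "203.0.113.9"),   # new cookie, new IP: attacker, or a new laptop abroad
        ("alice", "c1", "198.51.100.7"),  # known cookie, but IP is on the threat feed
    ]
    return [tables.check(*event) for event in events]


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(verdict, "-", reason)
```

The fourth event is the "hard pass or fail" problem from the last bullet: a legitimate user who logs in from a new laptop on a new network looks exactly like an attacker with stolen credentials, and the rule has no way to express "probably fine, but ask for a second factor".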
26. Detection
● IP Address
● Geolocation
● Velocity
● Browser & OS
● Browser fingerprint
● Time of Day
● Cursor movement
● Typing speed
On phones:
● How you walk
● Touch pressure
● Swipe movement
● How you hold your phone
● How you move your phone
29. Detection
● Machine Learning is great when:
○ You have a lot of data
○ You understand your data well
● There are two ways to train it:
○ Supervised: we tell it what’s good and bad (labels)
○ Unsupervised: figures labels out itself
32. Detection
● You can do it yourself!
○ Simple pass/fail: AuthTables
○ Smarter: Statistics
○ Smarterer: Machine Learning
● Or you can pay someone to do it for you!
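The "Smarter: Statistics" step, using three of the signals listed on the detection slide (geolocation, browser & OS, time of day), as an added worked example; it is not code from the deck. Each feature is scored by its "surprise", -log2 of the Laplace-smoothed frequency with which this user has shown that value before, and the summed score maps to allow / step-up / block. The login history, user agents, and thresholds are constructed assumptions.

```python
"""Per-user statistical login scoring (added example, not from the deck).

Habitual values for a user cost almost nothing; values never seen for that
user are expensive. Summing the per-feature surprise gives a graded risk
score instead of a hard PASS/FAIL, so the response can be tiered.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
import math

# Constructed thresholds for this example; tune them on your own login data.
STEP_UP_AT = 3.0   # ask for a second factor
BLOCK_AT = 8.0     # deny and raise an alert


def hour_bucket(hour):
    """Coarse time-of-day bucket so each clock hour is not its own rare event."""
    return ("night", "morning", "afternoon", "evening")[hour // 6]


def features_of(event):
    return {
        "country": event["country"],      # geolocation
        "ua": event["ua"],                # browser & OS
        "tod": hour_bucket(event["hour"]),  # time of day
    }


@dataclass
class Baseline:
    features: dict = field(default_factory=lambda: defaultdict(Counter))
    total: int = 0


def train(history):
    """Build one baseline per user from past accepted logins."""
    baselines = defaultdict(Baseline)
    for event in history:
        b = baselines[event["user"]]
        for name, value in features_of(event).items():
            b.features[name][value] += 1
        b.total += 1
    return baselines


def surprise(counter, value, total):
    """-log2 of the Laplace-smoothed frequency of `value` for this user."""
    p = (counter[value] + 1) / (total + len(counter) + 1)
    return -math.log2(p)


def score(baselines, event):
    """Return (risk_score, action) for a login attempt."""
    b = baselines.get(event["user"])
    if b is None or b.total == 0:
        # Nothing learned yet: fall back to other controls rather than scoring 0.
        return None, "no_baseline"
    risk = sum(surprise(b.features[name], value, b.total)
               for name, value in features_of(event).items())
    if risk >= BLOCK_AT:
        action = "block"
    elif risk >= STEP_UP_AT:
        action = "step_up"
    else:
        action = "allow"
    return round(risk, 2), action


# Constructed history: alice, 20 office-hours logins from one laptop in GB.
HISTORY = [
    {"user": "alice", "country": "GB", "ua": "Firefox/Linux", "hour": 9 + i % 8}
    for i in range(20)
]


def demo():
    baselines = train(HISTORY)
    usual = {"user": "alice", "country": "GB", "ua": "Firefox/Linux", "hour": 10}
    late_night = {**usual, "hour": 3}
    new_everything = {"user": "alice", "country": "RO", "ua": "Chrome/Windows", "hour": 3}
    stranger = {"user": "bob", "country": "GB", "ua": "Firefox/Linux", "hour": 10}
    return {
        "usual": score(baselines, usual),
        "late_night": score(baselines, late_night),
        "new_everything": score(baselines, new_everything),
        "stranger": score(baselines, stranger),
    }


if __name__ == "__main__":
    for name, (risk, action) in demo().items():
        print(f"{name:15s} risk={risk} action={action}")
```

The middle tier is what AuthTables cannot express: a login at 3 a.m. from the usual country and browser scores high enough to ask for a second factor but not to block, while a login that is new on every axis is blocked outright.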