The US Federal Bureau of Investigations (FBI) includes the following in its definition of Internet fraud/web-based crime: phishing scams, data breaches, Denial of Service (DOS) attacks, email account compromise, malware, spoofing, and ransomware (among others). These activities cost the average global enterprise $2M in 2017 (out of the average $11.7M total cost for cybersecurity), according to last year’s “Cost of Cyber Crime” report from Accenture and the Ponemon Institute. The report also showed a dramatic increase in the number of these crimes between 2016 and 2017, indicating that the problem is steadily increasing in scope.
One of the most dramatic examples of web-based crime over the last few years was the notorious Equifax breach that affected roughly 148 million customers (plus or minus, depending on who you ask). In that case, hackers gained access to sensitive user data, including Social Security and driver’s-license numbers, via a website vulnerability. As of April of 2018, the company had spent $242.7M in the aftermath of the breach, according to ZDNet.
Net-net: if you’re not paying close attention to web security, you may be putting your company at risk.
An Analytic Story in an October release of the Splunk Enterprise Security Content Update (ESCU) looks for evidence of some of the more common Internet attack techniques that could be indicative of web fraud in your environment.
A few of the packaged searches include:
Account harvesting. This search focuses on web pages used for user-account registration. It detects the creation of a large number of user accounts using the same email domain name, a type of activity frequently seen in advance of a fraud campaign.
Anomalous clickspeed. The presence of users who appear to be moving through your website at a faster-than-normal speed or with a perfect click cadence (high periodicity or low standard deviation) may indicate that the user is a script, as opposed to an actual human.
Password sharing across accounts. Another search detects incidents wherein a single password is used across multiple accounts, which may indicate that a fraudster has infiltrated your environment and embedded a common password within a script.
Splunk ESCU’s Analytic Stories not only provide narrative background on common attack techniques, they include detection, investigative, and contextual searches to help you find and research suspicious activity within your environment. Unlike more ephemeral indicators of compromise (IOCs), an analytics-based approach can help you identify the attack techniques employed by hackers and implement a continuous, forward-looking approach to detecting and combating them.
The Splunk ESCU research team sleeps better at night when we know you’re protected against threats and vulnerabilities. It provides content updates every two or three weeks. Download and install the latest release to make sure you stay vigilant for web crime in your environment.