Shape Technology & Deployment Overview
2020
Jamie Lockhart, Solutions Engineer, EMEA
Confidential / / Part of F5
Agenda
1. Shape Overview
2. How does Shape work?
3. Architecture
4. Taking Action
5. Proof of Concept
Shape Overview
What does Shape do?
Security-as-a-Service (SaaS) solution that protects websites from unwanted
automated traffic that exploits the user interface of web applications without
introducing friction for users.
Access: Credential Stuffing, Account Verification, Account Takeover, Man-in-the-Browser
Misuse: Content/Price Scraping, Application DDoS, Skewing, Promo Abuse
Interaction: Account Creation, Credit Building, Cashing Out, Carding, Rewards/Gift Card Fraud
Detect, Monitor, Mitigate
Challenge: criminals use apps as you intended
User: logs in with username & password
Attacker: logs in with username & password
Criminals, armed with widely-available tools, can evade almost all defenses
(Figure: spectrum from Vulnerabilities to Abuse)
What does Shape do?
(Diagram of the inbound traffic mix: automated fraud attempts (credential stuffing, account takeover, fake account creation), monitoring tools, scraping / API abuse and app layer DDoS arrive alongside legitimate customers. The outcomes shown are successful logins for legitimate customers and good automation that is allowed through.)
Evolution of Attacks
(Chart: attack cost (vertical, low to high) against attack complexity (horizontal, low to high).)
● Network Requests - plain HTTP requests: Sentry MBA, Wget and cURL
● Browser Imitation - execute JavaScript like a real browser: PhantomJS, Headless Chrome
● User Imitation - fake mouse tracks, fake keystrokes: Selenium, Sikuli, humans
● Custom Attack Platforms - target-specific, custom developed, purpose-built for the attack target
Disrupt the economics for motivated attackers.
Attacker ecosystems: Breaches, Malware, Tools, APIs
Major US Mobile Operator
What They Saw: 68.6M total POSTs (chart of POST/HR); the human vs. automated split was unknown.
What We Saw: of the 68.6M total POSTs, 4.1M were human and 64.5M (94%) were automated, attributed to 5 attackers and their tools. The automated share is attack traffic; the human share (orange in the chart) is fine.
When Shape Mitigates
(Chart of web and mobile login activity over time. Green = human, yellow = automation, red = mitigated automation. Once mitigation is enabled, the attackers recon and retool.)
EU Telco: automation sophistication and evolution
How does Shape work?
How it works: Protected Flows
Shape has a concept of a protected flow:
● Entry point:
○ The page where a user submits information we want to protect (e.g. a login form).
○ Shape JS is deployed on this page to collect signals, which are evaluated to determine whether the request to the protected endpoint comes from an illegitimate (automated) source or a legitimate one.
<head><script type="text/javascript" src="/assets/common.js"></script>...</head>
○ Shape has mechanisms to protect against reverse engineering and signal spoofing.
● End point:
○ The URL the user's information is submitted to (e.g. the auth API POST).
○ Routed to a Shape cluster for evaluation and real-time mitigation.
How it works: Shape Protected Flows == Use cases
Login, Forgot Password and Create Account each form one protected flow: an entry point (where signal collection happens) paired with an endpoint.
An example of an entry and end point pair: the entry point page is the login form; the protected endpoint is the URL it submits to.
Shape System Overview
Modes: Non-Blocking (Observation), Blocking (Mitigation)
Stage I: advanced signal analysis and real-time mitigation (Allow, Flag & Allow, Throttle, Block, Custom Response, Redirect / Forward)
Stage II: artificial intelligence, machine learning, data scientists, investigative analysts, 24x7 Threat Mitigation Center
Protection is based on signals, not IPs or User Agents.
Technology, Analytics, Process
Shape Signal Analysis: Network, Environment, Behavior
All JavaScript is generated on the fly. This allows Shape to adapt to attackers with its 120+ composable signal modules.
Active and passive modules deliver different signals back to Shape.
Each module serves a different purpose: proofs of hardware, proofs of environment, deception, user behaviour collection, and much more.
Frustrating Sophisticated Attackers with our JS
Solution: Virtualization + Randomness in the Shape JavaScript
● Prevent Google Dorks: avoid obvious naming schemes for the JS file.
● Avoid Clear Text: readable JavaScript such as
→["runFonts", "pixelDepth", "-1,2,-94,-122,", "\\"", "dm_en", "psub", "cta", "tact", "fpcf", "doNotTrack", …
is converted into unstructured, machine-oriented (virtualized) code that exposes neither the signal names nor their structure.
● Insert Randomness: the code changes many times per minute and is different each time it is distributed.
Emojis render differently on different platforms/apps
Really big numbers convert differently on different platforms
0xFFFFFFFFFFFFFBFF is exactly 18,446,744,073,709,550,591, but a runtime that pushes it through a floating-point conversion prints a rounded rendering instead: 18,446,744,073,709,552,000 on some platforms and 18,446,744,073,709,550,000 on others. The rendering a client produces is therefore a signal about the environment it is really running in.
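The numeric quirk above, worked through as an added example. This is not code from the deck or from Shape's JavaScript: the signal names, the FNV-1a hash and the matchesClaimedEngine check are our own assumptions; only standard ECMAScript behaviour is relied on.

```javascript
// Added example, not Shape's code: how a JavaScript engine's numeric
// conversion and formatting quirks become environment signals. Only standard
// ECMAScript is used; the signal names and the hashing are our own choices.

// The slide's value: 0xFFFFFFFFFFFFFBFF = 2^64 - 1025.
const BIG_HEX = "0xFFFFFFFFFFFFFBFF";

function numericSignals() {
  // Exact integer arithmetic keeps every digit.
  const exact = BigInt(BIG_HEX).toString();

  // The same value forced through a 64-bit double. Doubles between 2^63 and
  // 2^64 are 2048 apart, so the value snaps to 2^64 - 2048, and the engine
  // prints the shortest decimal that round-trips to that double.
  const viaDouble = Number(BIG_HEX).toString();

  // 2^64 itself as a double; engines pad the shortest digits with zeros
  // because the value is still below the 1e21 switch to exponent notation.
  const twoPow64 = (2 ** 64).toString();

  // Shortest-round-trip formatting of an inexact sum exposes the dtoa routine.
  const inexactSum = (0.1 + 0.2).toString();

  // Grouping and decimal separators depend on the ICU data built into the
  // runtime, so the same call yields different strings on different builds.
  const grouped = (1234567.891).toLocaleString("en-US");

  return { exact, viaDouble, twoPow64, inexactSum, grouped };
}

// 32-bit FNV-1a over the joined signals: a compact identifier that changes
// whenever any formatting quirk differs between two runtimes.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function environmentHash(signals = numericSignals()) {
  return fnv1a32(Object.values(signals).join("|"));
}

// A server that knows which strings a given engine produces can compare the
// reported signals with what the User-Agent's claimed engine would emit; a
// client that spoofs the UA but runs a different runtime leaks the mismatch.
function matchesClaimedEngine(signals, expected) {
  return Object.keys(expected).every(k => signals[k] === expected[k]);
}

console.log(numericSignals(), environmentHash());
```

Run it under Node and a browser console and compare the hashes: the `grouped` value is the one most likely to differ between builds, which is exactly why such strings are useful as environment signals.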
Additional Signals
Browser: Browser ID, plugins, fonts, screen size.
Header: header pattern.
Shape Signal Set - User Behaviour Analysis
Legend: blue bar = key-down; orange bar = key-up; red circle = mouse-click; green tick = captured mouse event; dashed line = high-speed movement between two points; brown square = long pause; grey line = transition from a non-mouse event to a mouse event.
(Timelines for three users, U1, U2 and U3, showing key-down/key-up events and mouse events & mouse clicks.)
Shape Signal Set - User Behaviour Analysis (continued)
U1: 11 keystrokes in < 30 ms (same legend as above).
Timing Analysis
(Distribution of time to complete the form, showing three populations: Inorganic (Manual Fraud), Organic (Human) and Inorganic (Automation).)
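The keystroke and form-timing analysis described on the last two slides, as an added example that is not part of the deck and not Shape's code. The event format, the three constructed traces and every threshold (11 keystrokes in 30 ms, jitter, dwell, pointer activity) are our own assumptions chosen to illustrate the technique.

```javascript
// Added example, not Shape's code: timing analysis over key-down, key-up and
// mouse events of the kind shown in the slide's legend. The event format, the
// sample traces and the thresholds are our own assumptions.

// Turn a typed string into key-down/key-up pairs. gaps[i] is the delay from
// the previous key-down to this one; dwell is how long each key is held.
function typing(text, start, gaps, dwell = 72) {
  const events = [];
  let t = start;
  for (let i = 0; i < text.length; i++) {
    t += gaps[i % gaps.length];
    events.push({ type: "keydown", key: text[i], t });
    events.push({ type: "keyup", key: text[i], t: t + dwell });
  }
  return events;
}

// Constructed traces (milliseconds since page load).
const HUMAN_EVENTS = [
  { type: "mousemove", t: 0 }, { type: "mousemove", t: 180 }, { type: "click", t: 412 },
  ...typing("alice.smith", 600, [143, 97, 188, 121, 205, 88, 163, 131, 176, 109, 150]),
];
// Tool injecting the value: 11 keystrokes in 20 ms, no pointer ever moved.
const BOT_EVENTS = typing("alice.smith", 100, [2], 1);
// Scripted driver with a fixed inter-key delay: plausible speed, zero jitter.
const SCRIPTED_EVENTS = typing("alice.smith", 1000, [120]);

const mean = xs => (xs.length ? xs.reduce((a, b) => a + b, 0) / xs.length : 0);
const stdDev = xs => Math.sqrt(mean(xs.map(x => (x - mean(xs)) ** 2)));

// Assumed thresholds for the illustration.
const BURST_KEYS = 11, BURST_WINDOW_MS = 30, MIN_JITTER_MS = 2, MIN_DWELL_MS = 10;

function analyzeTiming(events) {
  const downs = events.filter(e => e.type === "keydown").map(e => e.t);
  const ups = events.filter(e => e.type === "keyup").map(e => e.t);
  const gaps = downs.slice(1).map((t, i) => t - downs[i]);
  const dwells = downs.map((t, i) => (ups[i] ?? t) - t);
  const spanMs = downs.length ? downs[downs.length - 1] - downs[0] : 0;
  const pointerBeforeTyping = downs.length > 0 &&
    events.some(e => (e.type === "mousemove" || e.type === "click") && e.t < downs[0]);

  const indicators = [];
  if (downs.length >= BURST_KEYS && spanMs < BURST_WINDOW_MS)
    indicators.push(`${downs.length} keystrokes in ${spanMs} ms`);
  if (gaps.length >= 4 && stdDev(gaps) < MIN_JITTER_MS)
    indicators.push("inter-key timing has no jitter");
  if (dwells.length && Math.max(...dwells) < MIN_DWELL_MS)
    indicators.push("every key released within 10 ms of press");
  if (downs.length && !pointerBeforeTyping)
    indicators.push("typing started with no prior pointer activity");

  return {
    keystrokes: downs.length, spanMs,
    meanGapMs: mean(gaps), gapStdDevMs: stdDev(gaps),
    indicators,
    // One indicator alone (e.g. keyboard-only users) is not enough; two are.
    inorganic: indicators.length >= 2,
  };
}

for (const [name, ev] of [["human", HUMAN_EVENTS], ["bot", BOT_EVENTS], ["scripted", SCRIPTED_EVENTS]])
  console.log(name, analyzeTiming(ev));
```

The scripted trace is the interesting one: its speed is human-plausible, so a pure "time to complete form" check passes it, and only the absence of jitter and of pointer activity gives it away. That is why the deck lists timing as one data point among several rather than a verdict on its own.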
Source (IP/ASN) Analysis
(Charts: number of transactions by top source IPs, two views.)
Shape Telemetry Example
Shape telemetry:
● Results from the Shape JS execution on an entry point page.
● Typically included as X- form parameters in the POST request payload.
● Stripped when the request passes through the SSE.
Shape Signals: an example of signals on a protected POST.
Signal Inspection
1. Token Missing
2. Token Expired
3. Token Replay Exceeded
4. Token Blacklisted
5. AI Payload Missing
6. AI Payload Invalid
7. UUBID Blacklisted
8. Attack Inference
Attack Inference - Description: the Shape signals are indicative of automation (that is, automation is "inferred"). Categories: Tool, Scraping, Monitor, ….
Causes: an attacker used an automated tool such as Selenium, iMacros, or PhantomJS; or there were other indications of automation, such as a mismatch between the UA specified in the HTTP header and the DOM.
The inference process evaluates the request for attack causes.
Mobile Environment Signals (Native Mobile Apps)
Gathered via Shape Mobile SDK telemetry:
● Operating System
● Device Information (screen resolution, screen brightness, hardware)
● App Versioning
● Battery Information (temperature, capacity, technology)
● Processor
● Localization Information
● Physical Sensor Data (altitude, orientation, gyroscope)
● Epoch Timestamp
● WebView Data
● Emulator Detection
● Rooted Device Detection
Shape's Mobile SDK is deployed on >200M mobile devices worldwide.
Identifying Automation - Detection Formula
B U ASN H
To find fraudulent transactions, we use one or more data points:
- Signals (custom if required)
- Browser identifier based on unique interrogation (B)
- User interaction pattern (U)
- HTTP header indicators (H)
- Timing analysis (keystrokes and interaction)
- Traffic source analysis (Autonomous Systems) (ASN)
- Rules
Signals can reveal contrived entropy
Motivated actors continue seeking ways to avoid detection.
(Figure: numbered series of signal values.)
Disclaimer Page: POST Differences Heat Map
(Heat maps of mouse-move and mouse-click positions, automated vs. human.)
Defeating the most sophisticated attacks
(Series of slides: "Fullz"; First Name / Last Name form fields; 300px.)
Capture the Potential of Shape's DeviceID
DeviceID provides insight into your customer base:
● Identifying devices used for malicious and abusive transactions, or
● Allowing you to create device-to-account associations, or
● Simplifying the login experience for returning users.
Shape Device ID
● A mechanism to enable device identification and activity tracking
○ A data feed your systems can use for risk profiling
● A digital ID to identify devices* visiting enterprises' web pages
○ A 64-character string, e.g. 74b174532bc7b1daeb914d2bf5ca0b75cf4ad8b8f357c9ad277c3cf9ea66be5c
● An optional feature of Shape Enterprise Defense
○ Available for web and mobile
○ Device IDs generated from a selection of signals captured by Shape JS and SDKs
○ Enabled by a simple policy change
○ Device IDs generated and delivered on the fly
* Browser or mobile app, to be precise
Shape Protection Manager (SPM): Reporting, Analysis and Management Portal
Architecture
Deployment Options: Options to Fit Your Business
● Hosted: the Shape proxy is located in a Shape-managed colocation facility.
● Cloud: the Shape proxy is located in a cloud provider and managed by Shape.
● On-Premise: the Shape proxy is located inside the customer data center.
Deployment Options
● Inline
○ Cloud / Hosted / On-premise
○ Integration at CDN / Load balancer / Nginx / Apache ….
● API
○ Cloud / Hosted / On-premise
For Shape to provide real-time mitigation, the deployment needs to be inline.
Cloud Integration
(Diagram: website end-users on the Internet send Shape JS requests and protected traffic (examples: /signin, /forgotpassword, /accountCreate) through the load balancer to the Shape SSEs, which forward the Shape-processed traffic to the web app servers and mobile API servers inside the enterprise boundary. General traffic goes straight to the origin. The Shape Protection Manager (SPM) receives transaction metadata.)
Cloud Integration (with CDN)
(Diagram: the same topology with a CDN in front of the enterprise boundary; the CDN routes Shape JS and protected traffic (examples: /signin, /forgotpassword, /accountCreate) to the Shape SSEs and general traffic to the load balancer, web app servers and mobile API servers. SPM receives transaction metadata.)
On-premise Integration
(Diagram: the same topology with the Shape SSEs inside the enterprise boundary; the load balancer routes Shape JS and protected traffic (examples: /signin, /forgotpassword, /accountCreate) to the SSEs, which pass Shape-processed traffic to the web app servers and mobile API servers, while general traffic goes directly to the origin. SPM receives transaction metadata.)
API Integration*
(Diagram: the end-user's GET returns the webpage with Shape JS (example: /assets/script.js) via the load balancer; the POST carries form data plus Shape telemetry to the web app servers or mobile API servers. The origin sends the Shape telemetry and request details to the Shape SSEs and receives an automation decision back. SPM receives transaction metadata.)
* No real-time mitigation by Shape
Taking Action
Blocking is not always the right solution
Custom actions:
● Block - stop processing the request
● Redirect - redirect the user's browser to a specified URL
● Respond - respond with a configured HTTP response
● Deceive - provide misdirection to attackers
● Read-only - limit access to transactions
● Rate limit - limit system resource impact
Types of traffic: good humans, bad humans, good bots, bad bots, semi-trusted bots, aggregators, scrapers, password tools, application DDoS
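The protected-endpoint evaluation described earlier (telemetry as X- form parameters, the Signal Inspection verdicts such as token missing / expired / replay exceeded / blacklisted, attack inference from a UA-vs-DOM mismatch, stripping telemetry before the origin sees it) together with the action list on this slide, as one added example. This is not Shape's code and the deck does not describe the SSE's wire format: the telemetry field names, the token format, the replay budget and the verdict-to-action policy are all our own assumptions.

```javascript
// Added example, not Shape's code: the shape of an inline enforcement step in
// front of a protected endpoint. The telemetry field names, the token format,
// the replay budget and the verdict-to-action policy are our own assumptions;
// the slides do not describe the SSE's wire format.

const TELEMETRY_PREFIX = "X-";          // assumed: telemetry travels as X- form parameters
const TOKEN_TTL_MS = 5 * 60 * 1000;     // assumed token lifetime
const REPLAY_BUDGET = 3;                // assumed: a token may be submitted at most 3 times
const seenTokens = new Map();           // token -> submissions seen (in-memory for the example)
const blacklistedNonces = new Set(["deadbeef"]);   // constructed blacklist

// Separate application fields from telemetry so the origin never sees the latter.
function splitBody(rawBody) {
  const app = new URLSearchParams(), telemetry = {};
  for (const [k, v] of new URLSearchParams(rawBody)) {
    if (k.startsWith(TELEMETRY_PREFIX)) telemetry[k] = v; else app.append(k, v);
  }
  return { app, telemetry };
}

// Token format assumed here: "<issuedAtMs>.<nonce>".
function inspectToken(token, now) {
  if (!token) return "token_missing";
  const [issuedAt, nonce] = token.split(".");
  if (!Number.isFinite(Number(issuedAt)) || now - Number(issuedAt) > TOKEN_TTL_MS) return "token_expired";
  if (blacklistedNonces.has(nonce)) return "token_blacklisted";
  const seen = (seenTokens.get(token) ?? 0) + 1;
  seenTokens.set(token, seen);
  return seen > REPLAY_BUDGET ? "token_replay_exceeded" : null;
}

// Attack inference: indications of automation even when the token is fine.
function inferAutomation(headers, telemetry) {
  const reasons = [], ua = headers["user-agent"] ?? "";
  if (!telemetry["X-ai"]) reasons.push("ai_payload_missing");
  if (telemetry["X-dom-ua"] && telemetry["X-dom-ua"] !== ua) reasons.push("ua_header_dom_mismatch");
  if (/PhantomJS|HeadlessChrome|Selenium/i.test(ua)) reasons.push("known_tool_ua");
  return reasons;
}

// Policy: pick one of the actions from the slide for the collected findings.
function decide(findings) {
  if (findings.length === 0) return { action: "allow" };
  if (findings.includes("token_blacklisted") || findings.includes("known_tool_ua"))
    return { action: "block", status: 403 };
  if (findings.includes("token_replay_exceeded"))
    return { action: "throttle", retryAfterSec: 30 };
  if (findings.includes("token_missing") || findings.includes("ai_payload_missing"))
    return { action: "redirect", location: "/signin?retry=1" }; // back through the entry point so the JS runs
  if (findings.includes("token_expired"))
    return { action: "respond", status: 200, body: "Your session timed out, please sign in again." };
  return { action: "flag_allow", flagHeader: findings.join(",") };   // let the origin see the verdict
}

function evaluate(request, now = Date.now()) {
  const { app, telemetry } = splitBody(request.body);
  const tokenFinding = inspectToken(telemetry["X-token"], now);
  const findings = [...(tokenFinding ? [tokenFinding] : []), ...inferAutomation(request.headers, telemetry)];
  return { ...decide(findings), findings, forwardBody: app.toString() };  // telemetry stripped
}

// Constructed requests against a fixed clock so the walk-through is deterministic.
const NOW = 1700000000000;
const UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/80.0 Safari/537.36";
const body = extra => "username=alice&password=hunter2" + (extra ? "&" + extra : "");
const goodTelemetry = `X-token=${NOW - 1000}.abc123&X-ai=ZmFrZQ&X-dom-ua=${encodeURIComponent(UA)}`;

function runDemo() {
  const req = (ua, b) => evaluate({ headers: { "user-agent": ua }, body: b }, NOW);
  const results = {
    clean: req(UA, body(goodTelemetry)),
    noTelemetry: req(UA, body()),
    uaMismatch: req("curl/7.68.0", body(goodTelemetry.replace("abc123", "def456"))),
    blacklisted: req(UA, body(goodTelemetry.replace("abc123", "deadbeef"))),
    expired: req(UA, body(goodTelemetry.replace(String(NOW - 1000), String(NOW - TOKEN_TTL_MS - 1)))),
  };
  // The same token replayed: the first REPLAY_BUDGET submissions pass, the next is throttled.
  const replay = body(goodTelemetry.replace("abc123", "replay1"));
  for (let i = 0; i <= REPLAY_BUDGET; i++) results.replayed = req(UA, replay);
  return results;
}

console.log(runDemo());
```

Two design points worth noting. A request that arrives with no telemetry at all is sent back through the entry point rather than blocked, because a legitimate client that never executed the JS (blocked script, stale cached page) looks identical to a tool that skipped it; the redirect gives the former a second chance and costs the latter a full browser. And the UA mismatch is only flagged, not blocked, which is what the deck's non-blocking (observation) mode amounts to: the origin gets the verdict and decides.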
Proof of Concept
Preliminary Technical Discovery
1. Do you use a CDN?
2. What is the target site?
3. What are the areas of the site/workflows that receive automated traffic (e.g. login,
create account, forgot password, search etc)?
4. What are the peak and average transactions per second for each workflow?
5. What load balancer do you use?
6. Is the load balancer capable of doing HTTP path based routing?
7. Where is your origin hosted geographically?
8. How many data centres do you have? If multiple, what is the DR model?
9. Do you have an internet facing test environment? What is the domain?
10. Where are your users located?
Typical POC Project Timeline
● Day 1: project startup and policy development
● ~Day 14: pre-production monitoring mode
● ~Day 21: production monitoring mode
● ~Day 30: production analysis and threat report
POC Implementation: High Level Steps
1. Discovery - define protected paths (entry and end points) and gather technical information (Customer/Shape)
2. Create SSE clusters and policies (Shape)
3. Add <script> tag to entry point page(s) for Shape JS (Customer)
4. Add traffic routing rules to CDN / load balancer for Shape JS and end point URL(s) (Customer)
5. Test in QA / Staging environment (Customer/Shape)
6. Promote to production environment (incl. cookie wall) (Customer)
7. Test in production (Customer/Shape)
8. Remove cookie wall (Customer)
9. Live traffic in monitoring mode (Customer/Shape)
10. Threat briefing (Shape)
Shape Passive Detection Tool (SPDT): detect and report bots in a simple integration
● A tool to detect and report bot threats in a simple integration
○ Threat reports for any HTTP traffic - web, mobile, API
■ The tool can scan whole sites and show where (which URLs) attacks are appearing
○ No need to deploy Shape JS, mobile SDKs, or SSE
○ The tool scans traffic passively on a monitoring port; no latency or UX impact
● Self-contained and run within the customer's premises
○ No data leaves the customer's premises (data center, VPC)
● Only for PoV (Proof of Value) projects, not for production
○ Reporting only, no mitigation
○ Limited set of signals, since Shape JS is not deployed
SPDT integration: works on mirrored traffic, within the customer data center/VPC
● SPDT ingests mirrored HTTP traffic (BIG-IP clone pool, AWS VPC traffic mirroring, log files, etc.)
● SPDT runs on:
○ VMware ESXi - 8 CPU cores, 32 GB RAM, 500 GB SSD or above
○ AWS AMI - c4.4xlarge instance or above
○ SSE 3200 appliance - in a later release
(Diagram: traffic mirroring from the origin server to the SPDT.)
SPDT Threat Reports: rich set of reports exhibiting threats
● Traffic overview - bot vs. human
● Number and % of bots for each URL
● Overview and detailed view of top bot campaigns
● Bot campaign signatures clustering graph
● Bots and traffic distribution per country
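What a passive, mirror-port analysis with no client-side JavaScript can still produce (traffic overview, bot share per URL, campaign clustering by source), as an added example. It is not SPDT's code and the deck does not describe SPDT's internals: the log format, the header-pattern and volume heuristics, the thresholds and the IP-to-ASN table are constructed for the illustration.

```javascript
// Added example, not Shape's code: the kind of passive analysis a mirror-port
// tool can do with no client-side JavaScript. Only request metadata is
// available, so the detector leans on header patterns and per-source volume.
// The log format, the thresholds and the IP-to-ASN table are constructed.

// Constructed mirrored-traffic sample: ip, method, path, status, user-agent,
// accept-language ("-" when the header was absent), tab-separated.
const SAMPLE_LOG = `
203.0.113.10\tPOST\t/signin\t401\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/80.0\t-
203.0.113.10\tPOST\t/signin\t401\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/80.0\t-
203.0.113.10\tPOST\t/signin\t401\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/80.0\t-
203.0.113.10\tPOST\t/signin\t401\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/80.0\t-
203.0.113.10\tPOST\t/signin\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/80.0\t-
203.0.113.10\tPOST\t/signin\t401\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/80.0\t-
198.51.100.7\tGET\t/signin\t200\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1.15\ten-GB,en;q=0.9
198.51.100.7\tPOST\t/signin\t200\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1.15\ten-GB,en;q=0.9
192.0.2.55\tGET\t/products/123\t200\tpython-requests/2.23.0\t-
192.0.2.55\tGET\t/products/124\t200\tpython-requests/2.23.0\t-
192.0.2.55\tGET\t/products/125\t200\tpython-requests/2.23.0\t-
198.51.100.22\tPOST\t/accountCreate\t200\tMozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) Safari/604.1\tfr-FR,fr;q=0.9
`.trim().split("\n");

const TOOL_UA = /python-requests|curl\/|Wget\/|Go-http-client|libwww-perl|Java\//i;
const POST_BURST = 5;   // assumed: 5+ POSTs to one path from one IP in the sample window is volumetric

// Toy IP -> ASN table keyed on the /24 (constructed; a deployment would use a BGP or GeoIP database).
const ASN_BY_PREFIX = { "203.0.113": "AS64500", "192.0.2": "AS64501", "198.51.100": "AS64502" };
const asnOf = ip => ASN_BY_PREFIX[ip.split(".").slice(0, 3).join(".")] ?? "AS-unknown";

function parseLine(line) {
  const [ip, method, path, status, ua, lang] = line.split("\t");
  return { ip, method, path, status: Number(status), ua, lang: lang === "-" ? null : lang };
}

function classify(requests) {
  const postCounts = new Map();   // "ip path" -> POST count over the sample
  for (const r of requests) if (r.method === "POST") {
    const k = `${r.ip} ${r.path}`;
    postCounts.set(k, (postCounts.get(k) ?? 0) + 1);
  }
  return requests.map(r => {
    const reasons = [];
    if (TOOL_UA.test(r.ua)) reasons.push("tool user-agent");
    // Heuristic: mainstream browsers send Accept-Language, so a browser-like UA
    // without it is treated as a forged header set.
    if (/^Mozilla\//.test(r.ua) && !r.lang) reasons.push("browser UA without Accept-Language");
    if ((postCounts.get(`${r.ip} ${r.path}`) ?? 0) >= POST_BURST) reasons.push(`${POST_BURST}+ POSTs to ${r.path}`);
    return { ...r, asn: asnOf(r.ip), bot: reasons.length > 0, reasons };
  });
}

function buildReport(lines) {
  const reqs = classify(lines.map(parseLine));
  const bots = reqs.filter(r => r.bot).length;
  const pct = (n, d) => Math.round((100 * n) / d);

  const perUrl = {};
  for (const r of reqs) {
    const u = perUrl[r.path] || (perUrl[r.path] = { total: 0, bots: 0, botPct: 0 });
    u.total++; if (r.bot) u.bots++;
    u.botPct = pct(u.bots, u.total);
  }

  // Campaign clustering: bot requests that share an ASN and a user-agent string.
  const campaigns = new Map();
  for (const r of reqs) if (r.bot) {
    const sig = `${r.asn} | ${r.ua}`;
    const c = campaigns.get(sig) || { signature: sig, requests: 0, ips: new Set(), paths: new Set() };
    c.requests++; c.ips.add(r.ip); c.paths.add(r.path);
    campaigns.set(sig, c);
  }
  return {
    overview: { total: reqs.length, bots, humans: reqs.length - bots, botPct: pct(bots, reqs.length) },
    perUrl,
    campaigns: [...campaigns.values()].sort((a, b) => b.requests - a.requests)
      .map(c => ({ signature: c.signature, requests: c.requests, sourceIps: c.ips.size, paths: [...c.paths] })),
  };
}

console.log(JSON.stringify(buildReport(SAMPLE_LOG), null, 2));
```

The limits the deck states for SPDT show up directly here: with nothing executing in the client, a credential-stuffing tool that sends a complete, consistent browser header set and paces itself under the volume threshold is indistinguishable from a user, which is why this is positioned as a reporting aid for a proof of value and not as a substitute for the inline deployment.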
Questions
Thank you. shapesecurity.com