Identifying worms, bots, fraud and other malicious traffic (with guest Fang Yu)
Fang Yu is CTO of fraud detection platform DataVisor. She is also a prolific writer and conference presenter and has filed over 20 patents. Fang spoke with Infosec‘s Cyber Work podcast about her work developing algorithms and building systems for identifying malicious traffic such as worms, spam, bots, fake queries and account hijacking.
Fang told us about working in the area of threat detection:
“Detecting attacks is pretty complicated and complex. It’s very challenging and it is also a very, very important task; without that, everybody, including every end user, would be affected. That’s a very, very important thing.”
From Microsoft cybersecurity researcher to startup co-founder
Fang began her career as part of the Microsoft cybersecurity research team looking into the myriad threats made against the company’s products. Problems included spam issues in Hotmail, Xbox payment fraud, and so on. The team would analyze the attacks and come up with solutions. It was like whack-a-mole: the team would build up solutions over time, then adjust them as the threats changed.
During the research, it became clear to Fang that professional cybercriminals use a complex network of specialized actors to perpetrate their cybercrimes. The network demarcates roles: one actor supplies the proxy IPs, another specializes in the details of the data breach, and another pulls the entire attack together.
Fang went on to point out that locating the root of the problem is a key piece of detective work. Going back to the whack-a-mole analogy, being able to capture “mole” after “mole” and building up a holistic methodology to prevent a cyberattack became a key reason behind the startup phase of her new venture:
“Have a way to capture things before they start to attack and capture things at the root, rather than chasing different attack patterns at the end.”
Of algorithms and systems (for malicious traffic detection)
One of the unique aspects of the DataVisor tool is the use of an unsupervised machine learning (ML) approach. A supervised ML approach requires labels. However, in the cybersecurity and fraud space, the use of labels is complicated by the fact that cyberattacks are ever-changing and need to be addressed in real time.
Fang pointed out that there is little point in training models retrospectively, as she said:
“By the time you train a model, it is already too late. In the experience of DataVisor, on average for the types of global intelligence that we analyze, most attack patterns change within a few days, sometimes even more aggressively changing within hours.”
DataVisor’s solution can use unsupervised ML to spot patterns on the fly, as they happen.
As Fang pointed out, modern cybercriminals are professionals. They often create fake accounts or compromise many accounts at once to optimize their gains. The fraudsters also remotely control these compromised accounts in an attempt to obtain credit cards, study transactions and more.
These types of attacks are highly distributed, sophisticated and coordinated. Fang said the best way to detect such attacks is to “zoom out” to gain perspective. Unsupervised machine learning algorithms allow an organization to spot the abnormal patterns of coordinated fraud.
Unsupervised ML makes it possible to look at many users and transaction activities at once and, importantly, to correlate across multiple users. This can be done in real time and system-wide. It allows the organization to oversee its entire user base and spot new dark patterns, giving it actionable insights into attack patterns.
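The point about correlating across users rather than inspecting each account in isolation is easiest to see in code. The following is an added example (not DataVisor’s code or algorithm) over constructed login events: a per-account view sees one login per account and nothing unusual, while grouping the same events by a shared attribute (device fingerprint or source IP) inside a sliding time window exposes one fingerprint touching eight accounts in four minutes. The event format, thresholds and window are assumptions made for the example.

```python
"""Cross-account correlation of login events (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events: (timestamp, account, source_ip, device_fingerprint).
# acct-01 .. acct-08 each log in once, minutes apart, from one shared fingerprint;
# bob and carol log in from their own devices and are benign.
SAMPLE_EVENTS = [
    ("2023-11-23T02:00:05", "acct-01", "198.51.100.7", "fp-7f3a"),
    ("2023-11-23T02:00:19", "acct-02", "198.51.100.7", "fp-7f3a"),
    ("2023-11-23T02:00:41", "acct-03", "198.51.100.7", "fp-7f3a"),
    ("2023-11-23T02:01:03", "acct-04", "198.51.100.7", "fp-7f3a"),
    ("2023-11-23T02:01:30", "acct-05", "198.51.100.7", "fp-7f3a"),
    ("2023-11-23T02:02:12", "acct-06", "198.51.100.7", "fp-7f3a"),
    ("2023-11-23T02:02:55", "acct-07", "198.51.100.7", "fp-7f3a"),
    ("2023-11-23T02:03:40", "acct-08", "198.51.100.7", "fp-7f3a"),
    ("2023-11-23T02:05:00", "bob",     "192.0.2.44",   "fp-b0b0"),
    ("2023-11-23T02:40:00", "bob",     "192.0.2.44",   "fp-b0b0"),
    ("2023-11-23T03:15:00", "carol",   "203.0.113.9",  "fp-ca12"),
]


def _parse(events):
    return [(datetime.fromisoformat(ts), acct, ip, fp) for ts, acct, ip, fp in events]


def per_account_view(events):
    """The zoomed-in view: logins per account. Nothing here looks unusual,
    because every attacked account was touched exactly once."""
    counts = defaultdict(int)
    for _, acct, _, _ in _parse(events):
        counts[acct] += 1
    return dict(counts)


def coordinated_clusters(events, key=lambda e: e[3], min_accounts=5,
                         window=timedelta(minutes=10)):
    """The zoomed-out view: group events by a shared attribute (default: device
    fingerprint; pass key=lambda e: e[2] to group by source IP) and flag any
    attribute that touches >= min_accounts distinct accounts inside a sliding
    time window. Returns {attribute: sorted list of accounts}."""
    by_key = defaultdict(list)
    for e in _parse(events):
        by_key[key(e)].append(e)

    flagged = {}
    for attr, evs in by_key.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the window fits
            while evs[end][0] - evs[start][0] > window:
                start += 1
            accounts = {e[1] for e in evs[start:end + 1]}
            # keep the largest set of accounts seen in any window for this attribute
            if len(accounts) >= min_accounts and len(accounts) > len(flagged.get(attr, [])):
                flagged[attr] = sorted(accounts)
    return flagged


if __name__ == "__main__":
    print("per-account:", per_account_view(SAMPLE_EVENTS))
    print("by device:  ", coordinated_clusters(SAMPLE_EVENTS))
    print("by IP:      ", coordinated_clusters(SAMPLE_EVENTS, key=lambda e: e[2]))
```

In a production pipeline the grouping key would be a richer fingerprint (user agent, TLS and device attributes, IP prefix) and the window would be maintained incrementally over a stream, but the shape of the detection is the same: the signal lives in the relationship between accounts, not in any single account’s history.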
Protecting a global user base
DataVisor protects on an enterprise basis, but this intelligence becomes part of a community of over four billion protected accounts. Customers can feed in a range of transaction events; the more they contribute, the stronger the protection. The protection is also proactive: many attacks are captured at registration, where an Account Fraud Register held by DataVisor is used to spot fraudsters and stop them from using that account.
A day in the life of a DataVisor CTO
Cyber Work asked Fang about a typical day as the CTO of a cybersecurity intelligence vendor. Fang told us about her day and the various hats she wears to get the job done.
Working on the algorithm and general system is an ongoing, hands-on task for Fang. However, she is also a face-to-face worker, dealing directly with clients. Attacks are analyzed, with the team at DataVisor keeping on top of emerging attacks.
Fang is also involved in the development of DataVisor’s quarterly fraud index report, which looks at patterns and trends in fraud and malicious traffic across the globe. Areas that feed into the report include comparisons between sectors and the types of attack impacting each of them. The reports are published quarterly and available from the DataVisor website.
Fang also oversees the company’s suite of products, as well as its SDK that allows analysts to see threat data in real time. It is this holistic approach that stands out in the discussion:
“… We have a very talented team and I work alongside that team. DataVisor has a research department that employs talented engineers developing unsupervised machine learning as well as the wider system. I would say the success of the product has three aspects; the first is the algorithm; the second, extremely challenging task, is the underlying system that handles billions of events in real time — everything is highly distributed; the third part is access to the right domain expertise.”
The art and science of preventing major cyberattacks
Cool war stories are something that Fang has in abundance, thanks to her long and illustrious career in cybersecurity. She told us about a large “Thanksgiving” attack that was carried out against a client organization.
The attack centered on mass logins. DataVisor identified that the attack was highly distributed, possibly using devices across the world, all of which presented themselves as iPhones. However, the pattern implied the traffic came from an emulator running on IoT devices, not from iPhones. This was a global attack attempting multiple account takeovers.
But spotting and analyzing the patterns of the attack was not the end. The fraudsters quickly evolved the attack pattern, pretending to be inactive. DataVisor was able to block the attack.
How have cyberthreats changed over the years?
As Fang has worked on cybersecurity projects for more than 10 years, we asked for her view on the changing cyberthreat landscape.
Fang noted that 2010 seemed to be the time when cyberattacks became more sophisticated. The difference between then and now is that attacks were then mostly carried out through proxies and the like; now all industries are affected. There are two main trends:
- Trend One: New data centers that provide the playground for fraudsters
- Trend Two: The advancement of cloud computing
Another issue fraudsters take advantage of is the belief that two-factor authentication (2FA) alone can block attacks. Attackers are now able to circumvent some 2FA by changing the phone bindings on an account or hijacking verification codes.
Fang pointed out that her team is seeing a lot of new techniques connected to mobile devices, for example number porting fraud or “port-out” fraud, where a victim’s telephone number is ported to a SIM card under the fraudster’s control. That phone is then used to access the victim’s bank account.
The cloud was also discussed at length by Fang. According to her, this computing paradigm has changed the goalposts for cybercriminals in their favor. Fang told us that:
“The cloud makes detection of cybercriminals difficult … They redirect the traffic to the cloud, to perform some security act, like scanning. Then redirect the traffic out on the cloud … But you can’t just blacklist the cloud, as much legitimate traffic goes through VPNs.”
Fang explained that modern cyberthreats need a more intelligent approach, one that combines signals:
“You cannot just rely on traditional blacklists, this cloud provider, this range is bad. Rather, we need to take that as a signal and then combine with all the other signals to have a way of successful detection.”
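To make the contrast concrete, here is an added example (not DataVisor’s code; the ranges, likelihood ratios and prior are assumptions constructed for illustration) that scores the same login events two ways. The blacklist rule treats “source IP is in a cloud or VPN range” as a verdict, so it blocks a legitimate VPN user and waves through an attacker on a residential IP. The combined scorer treats cloud origin as one weak signal and adds it, naive-Bayes style, to the others mentioned in this discussion, such as a new device, failed attempts before success, a device shared across many accounts, and a changed phone binding, so the decision rests on the combination rather than on any single list.

```python
"""Combining risk signals instead of blacklisting cloud ranges (constructed example)."""
import ipaddress
import math

# Constructed "cloud / VPN egress" ranges: RFC 5737 documentation prefixes,
# standing in for a provider list (assumption, not real provider data).
CLOUD_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]

# Constructed likelihood ratios (assumption): how many times more often each
# signal appears in fraudulent logins than in benign ones. A real system would
# estimate these from its own labelled traffic; "cloud_ip" is deliberately weak.
SIGNAL_LR = {
    "cloud_ip": 3.0,
    "new_device": 4.0,
    "failed_attempts_before_success": 8.0,
    "device_shared_across_accounts": 25.0,
    "phone_binding_changed": 10.0,
}
PRIOR_ODDS = 1 / 99  # assumption: roughly 1% of logins are fraudulent


def is_cloud_ip(ip):
    return any(ipaddress.ip_address(ip) in net for net in CLOUD_RANGES)


def blacklist_verdict(event):
    """The traditional rule: 'this provider, this range is bad' decides alone."""
    return "block" if is_cloud_ip(event["ip"]) else "allow"


def extract_signals(event):
    """Turn one login event into the set of risk signals it exhibits."""
    signals = set()
    if is_cloud_ip(event["ip"]):
        signals.add("cloud_ip")
    if event.get("new_device"):
        signals.add("new_device")
    if event.get("failed_attempts", 0) >= 3:
        signals.add("failed_attempts_before_success")
    if event.get("accounts_on_device", 1) >= 5:
        signals.add("device_shared_across_accounts")
    if event.get("phone_binding_changed"):
        signals.add("phone_binding_changed")
    return signals


def fraud_probability(event):
    """Add each signal's log-likelihood ratio to the prior log-odds, then
    convert the posterior odds back to a probability."""
    log_odds = math.log(PRIOR_ODDS) + sum(math.log(SIGNAL_LR[s]) for s in extract_signals(event))
    odds = math.exp(log_odds)
    return odds / (1 + odds)


def combined_verdict(event, threshold=0.5):
    return "block" if fraud_probability(event) >= threshold else "allow"


# Constructed events for the three interesting cases.
VPN_USER = {"ip": "203.0.113.45"}  # legitimate user behind a commercial VPN
CLOUD_ATTACKER = {"ip": "203.0.113.200", "new_device": True,
                  "failed_attempts": 6, "accounts_on_device": 12}
RESIDENTIAL_ATTACKER = {"ip": "192.0.2.10", "new_device": True,
                        "failed_attempts": 4, "accounts_on_device": 9}

if __name__ == "__main__":
    for name, ev in [("vpn user", VPN_USER), ("cloud attacker", CLOUD_ATTACKER),
                     ("residential attacker", RESIDENTIAL_ATTACKER)]:
        print(f"{name:21s} blacklist={blacklist_verdict(ev):5s} "
              f"combined={combined_verdict(ev):5s} p={fraud_probability(ev):.3f}")
```

The VPN user scores about 0.03 and is allowed, while both attackers score above 0.85 and are blocked, regardless of whether they came through a cloud range. The likelihood ratios are the part a real deployment would learn from its own data; the structure, where no single signal is allowed to be a verdict on its own, is the point Fang is making.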
Fang believes that in the next 10 years, there will be more focus on the computational and automation side of threat detection.
Advice on fighting malicious traffic and attackers
Fang’s advice on joining the good guys in fighting cybercrime is:
- Be interested in your subject and have evidence of learning about topics such as machine and deep learning
- Have system skills, including knowledge of operating systems and networking
- Statistical analysis skills, perhaps understanding how tools like MATLAB work
- Domain knowledge in fraud or related areas is useful but may take time to build
Finally, we asked Fang about any additional advice for women entering the space:
“Don’t overthink that you are a woman. Just be your regular self. Everybody can do the work equally well; focus on the work and really go deep but you need a technical ability to go deep. There are a lot of other women leaders out there. There is a community out there, so don’t feel lonely.”
To hear the full conversation between Fang Yu and Chris Sienko, tune in to this episode of the Cyber Work Podcast on our YouTube page.
- Identifying worms, bots, fraud and other malicious traffic | Cyber Work Podcast, Infosec (YouTube)
- Intelligence Center, DataVisor