Monitoring for account takeover with the Splunk App for Behavioral Analytics
You work for a financial services company with a large customer base. Recently, you've noticed an increase in account takeover attempts, where unauthorized individuals gain access to customer accounts to conduct fraudulent transactions. These takeovers can happen through phishing attacks, credential stuffing, or exploiting weak passwords.
To protect your customers and the integrity of your services, you need to identify unusual login patterns, changes in user behavior, and other indicators of compromised accounts in real-time.
Account takeover (ATO) occurs when a malicious actor gains unauthorized access to a user's account, often leading to fraud or theft. Common indicators include unusual login behavior, multiple failed login attempts, rapid credential changes, and anomalous transaction patterns. Fraud teams employ tools like multi-factor authentication (MFA) and anomaly detection to spot suspicious activities. Detecting ATO can be a significant challenge for fraud teams, as threat indicators and attacker tactics constantly evolve.
This article shows you how to use the Splunk App for Behavioral Profiling to create advanced techniques leveraging user behavioral analytics to stay ahead of emerging threats. For basic searches in the Splunk platform to create basic detection methods, see Monitoring for account takeover with the Splunk platform. If you're a Splunk Enterprise Security user, you might also want to see Monitoring for account takeover with the Splunk App for Fraud Analytics.
Prerequisites
- Splunk Enterprise version 9.x.x or higher / Splunk Cloud Platform version 9.x.x or higher
- Splunk App for Behavioral Profiling, which should be installed and configured
- Splunk Machine Learning Toolkit
- Python for Scientific Computing
- Sample Fraud data for Splunk App for Behavioral Profiling
Data required
- Application data for consumer financial applications
How to use Splunk software for this use case
The Splunk App for Behavioral Profiling introduces advanced machine learning models that analyze user behavior over time. By building a baseline of normal activity for each user, the app flags deviations such as abnormal transaction amounts or new login locations.
Incorporating these techniques will help you proactively detect ATO attempts, reduce manual analysis, and enhance your overall fraud prevention strategy.
Make sure to use the correct index, and add parameter values appropriate to your organization, when defining your behavioral indicator search. You'll do this in step 2 of each process below.
Unusual login behavior
Identify potential security threats by detecting logins from unusual locations or devices in consumer financial applications. Highlight anomalies that could indicate unauthorized access attempts so you can address these potential threats.
How to create a behavioral indicator search and anomaly scoring rule to detect unusual login behavior
Creating a behavioral indicator search
- Select Guided Mode. Click Next.
- Select the index that holds your payment transactions. In this case, we're inputting index=firstfederal.
- In Entity Field, select usernames. In Other Fields, select _time, action, amount, and login_success_num. Verify the selection, and click Next.
- In Function, select avg. In Function Field select action and login_success_num. In Split Timespan select Yes. In Time Window select 30m. Click Next.
- Provide a descriptive Name and a Description. Click Save.
- Verify your Behavioral Indicator configuration is correct. Click Submit.
- Verify that the Behavioral Indicator was successfully created.
Creating an anomaly scoring rule
- Under Entity Specific Rule select Mode: Statistical. Click Next.
- Select the previously created Behavioral Indicator. Select avg(login_success_num). Click Next.
- In Std. Dev Threshold, select 3. Click Next.
- In Scoring Method select Static. Set Scoring Value to 100. Click Next.
- Provide a descriptive Name, and a Description. Click Save.
- Verify your Anomaly Scoring Rule configuration is correct. Click Submit.
Rapid credential changes
Identify patterns of rapid credential changes within consumer financial applications. Rapid changes might signal unauthorized access attempts or account takeover, so early detection can help prevent account compromise and safeguard sensitive financial information.
How to create a behavioral indicator search and anomaly scoring rule to detect rapid credential changes
Creating a behavioral indicator search
- Select Guided Mode. Click Next.
- Select the index that holds your payment transactions. In this case, we're inputting index="firstfederal" action=edit_password.
- In Entity Field, select usernames, and in Other Fields select _time, and action. Verify the selection, and click Next.
- In Function select count, in Function Field select action, in Split Timespan select Yes, and in Time Window select 5m.
- Provide a descriptive Name and a Description. Click Save.
- Verify that your Behavioral Indicator configuration is correct. Click Submit.
- Verify that the Behavioral Indicator was successfully created.
Creating an anomaly scoring rule
- Under Entity Group Rule select Mode: Statistical. Click Next.
- Select the previously created Behavioral Indicator. Select count(action). Click Next.
- For Std. Dev Threshold select 3. Click Next.
- In Scoring Method, select Proportional. Set Scoring Value as 100. Click Next.
- Provide a descriptive Name, and a Description. Click Save.
- Verify your Anomaly Scoring Rule configuration is correct. Click Submit.
Unusual transaction patterns
Monitor for abnormal transaction activity by analyzing factors such as transaction amount, payees, and locations, and calculating deviations from established patterns. This will help you quickly highlight irregularities.
How to create a behavioral indicator search and anomaly scoring rule to detect unusual transaction patterns
Creating a behavioral indicator search
- Select Guided Mode. Click Next.
- Select the index that holds your payment transactions. In this case, we're inputting index=payment_transaction action=authorized.
- In Entity Field select usernames, and in Other Fields select _time, action, amount, channel, os, and vendor. Verify the selection, and click Next.
- In Function select count. In Function Field select action, channel, and vendor. In Split Timespan select Yes. In Time Window select 30m. Click Next.
- Provide a descriptive Name and a Description. Click Save.
- Verify your Behavioral Indicator configuration is correct. Click Submit.
- Verify the Behavioral Indicator was successfully created.
Creating an anomaly scoring rule
- Under Entity Group Rule select Mode: Statistical. Click Next.
- Select the previously created Behavioral Indicator. Select count(action). Click Next.
- For Std. Dev Threshold select 4. Click Next.
- In Scoring Method select Proportional. Set Scoring Value as 100. Click Next.
- Provide a descriptive Name, and a Description. Click Save.
- Verify your Anomaly Scoring Rule configuration is correct. Click Submit.
Multiple failed login attempts
Monitor failed login attempts so you can identify security risks such as brute-force attacks or compromised accounts. By identifying users or IP addresses with an unusual number of failed login attempts, you can quickly address potential threats and take preventative actions.
How to create a behavioral indicator search and anomaly scoring rule to detect multiple failed login attempts
Creating a behavioral indicator search
- Select Guided Mode. Click Next.
- Select the index that holds your payment transactions. In this case, we're inputting index="firstfederal" action=login_fail.
- In Entity Field select action, and in Other Fields select date_hour, date_wday, date_minute, and login_success_num. Verify the selection, and click Next.
- In Function select count. In the Function Field select action. In Split Timespan select Yes. In Time Window select 15m. Click Next.
- Provide a descriptive Name, and a Description. Click Save.
- Verify your Behavioral Indicator configuration is correct. Click Submit.
- Verify the Behavioral Indicator was successfully created.
Creating an anomaly scoring rule
- Under Entity Specific Rule select Mode: Statistical. Click Next.
- Select the previously created Behavioral Indicator. Select count(action). Click Next.
- In Std. Dev Threshold select 3. Select Create Baseline. Click Next.
- In Scoring Method select Static. Set Scoring Value as 100. Click Next.
- Provide a descriptive Name, and a Description. Click Save.
- Verify your Anomaly Scoring Rule configuration is correct. Click Submit.
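Across the four procedures above, the guided-mode settings reduce to the same two operations: a behavioral indicator that aggregates a field per entity per time window (Split Timespan), and a statistical scoring rule that scores a window when it deviates from the entity's baseline by more than the chosen number of standard deviations, with either a Static or a Proportional score. The Python below is an added example of that model; it is not code from the Splunk App for Behavioral Profiling or from this article. The page does not state how the app builds its baseline or computes a proportional score, so the rolling per-entity baseline and the proportional formula here are assumptions. The sample events are constructed, and usernames is used as the entity field for the failed-login case (the page selects action) so that findings name an account. It generalises the page's configurations: the function parameter accepts avg or count, and the scoring method accepts static or proportional.

```python
"""
Model of a Behavioral Profiling indicator search plus statistical anomaly
scoring rule. Added example, not the app's own code: the mapping from
guided-mode settings to arithmetic is an assumption, not documentation.
"""
from collections import defaultdict
from statistics import mean, pstdev


def _events(user, per_window, window_s):
    """Constructed login_fail events: per_window[i] failures in window i."""
    return [{"_time": i * window_s + j, "usernames": user,
             "action": "login_fail", "login_success_num": 0}
            for i, n in enumerate(per_window) for j in range(n)]


WINDOW = 15 * 60  # the 15m Time Window the page uses for failed logins
# alice: a varied but low failure history, then a burst in the last window.
# carol: a perfectly flat history (2 failures per window), then a small rise.
SAMPLE_EVENTS = (_events("alice", [2, 1, 2, 3, 2, 1, 12], WINDOW)
                 + _events("carol", [2, 2, 2, 2, 2, 2, 3], WINDOW))


def behavioral_indicator(events, entity_field, function, value_field, window_s):
    """Split Timespan = Yes: bucket events into windows of window_s seconds,
    then apply the aggregate (count or avg) per entity.
    Returns {entity: [(window_start, value), ...]} ordered by window."""
    buckets = defaultdict(list)
    for ev in events:
        win = (ev["_time"] // window_s) * window_s
        buckets[(ev[entity_field], win)].append(ev[value_field])
    series = defaultdict(list)
    for (entity, win), vals in sorted(buckets.items()):
        if function == "count":
            series[entity].append((win, len(vals)))
        elif function == "avg":
            series[entity].append((win, sum(vals) / len(vals)))
        else:
            raise ValueError(f"unsupported function {function!r}")
    return dict(series)


def score_anomalies(series, stdev_threshold, scoring_method, scoring_value,
                    min_history=3):
    """Statistical mode, Entity Specific Rule (assumed model): each window is
    compared with a baseline built from the same entity's EARLIER windows only,
    so the window being judged cannot inflate its own baseline.
    Returns a list of {entity, window, value, z, score} for flagged windows."""
    findings = []
    for entity, points in series.items():
        for i in range(min_history, len(points)):
            history = [v for _, v in points[:i]]
            win, value = points[i]
            mu, sigma = mean(history), pstdev(history)
            if sigma == 0:
                # Flat baseline: a z-score is undefined. Any rise above the
                # constant is treated as a breach rather than silently ignored.
                if value <= mu:
                    continue
                z = float("inf")
            else:
                z = (value - mu) / sigma
                if z <= stdev_threshold:
                    continue
            if scoring_method == "static" or z == float("inf"):
                score = scoring_value  # flat-baseline breaches get the base score
            elif scoring_method == "proportional":
                # Assumed interpretation: score grows with how many thresholds
                # the deviation spans (z / k), starting at scoring_value.
                score = round(scoring_value * z / stdev_threshold)
            else:
                raise ValueError(f"unsupported scoring method {scoring_method!r}")
            findings.append({"entity": entity, "window": win, "value": value,
                             "z": z, "score": score})
    return findings


def failed_login_findings(scoring_method="static"):
    """The page's 'Multiple failed login attempts' settings: count(action)
    per entity per 15m window, Std. Dev Threshold 3, Scoring Value 100."""
    series = behavioral_indicator(SAMPLE_EVENTS, "usernames", "count",
                                  "action", WINDOW)
    return score_anomalies(series, stdev_threshold=3,
                           scoring_method=scoring_method, scoring_value=100)


if __name__ == "__main__":
    for f in failed_login_findings("proportional"):
        print(f"{f['entity']:6} window={f['window']:5} count={f['value']:3} "
              f"z={f['z']:.1f} score={f['score']}")
```

Two details are worth noting when tuning the real rules. Alice's count of 3 in her fourth window sits at about 2.8 standard deviations above her first three windows and is not flagged at the page's threshold of 3, while her burst of 12 is; a lower threshold would trade that quiet for more alerts. Carol's flat baseline shows why the Create Baseline step matters: with no variance in the history, a z-score cannot be computed, and the rule has to decide explicitly whether any rise is a breach.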
Next steps
Use your results to make recommendations to the rest of the security team about which accounts should be investigated for potential account takeover. Create reports based on these searches and schedule them to run at a regular cadence as needed. Be sure to follow any industry policies and regulations that are required for compliance.
To further advance your use cases, the Splunk Essentials for the Financial Services Industry app helps you automate the searches to detect financial crime. The app also provides more insight on how searches can be applied in your environment, how they work, the difficulty level, and what data can be valuable to run them successfully.
The Splunk App for Fraud Analytics provides Splunk Enterprise Security users with a number of other fraud detection solutions for financial services, such as account takeover and new account abuse.
If you have questions about monitoring for account takeover in your environment, you can reach out to your Splunk account team or representative for comprehensive advice and assistance. You can contact your account team through the Contact Us page. For more in-depth support, consult Splunk On-Demand Services to access credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you would like assistance.
In addition, these resources might help you understand and implement this guidance:
- Use Case Explorer: Risk-based alerting
- Use case: Monitoring consumer bank accounts to maintain compliance
- Use case: Detecting credit card fraud
- Use case: Detecting wire transfer fraud
- Use case: Investigating interesting behavior patterns with risk-based alerting
- Use case: Monitoring new logins to financial applications
- Use case: Using modern methods of detecting financial crime
- Use case: Detecting multiple account login denials followed by authorization