For many years, security monitoring relied on gathering data from layer 4 of the OSI model through such data types as NetFlow. Because layer 4 data dealt with the transport layer, it isn’t the most informative — though for a period of time, it was what security teams could reliably get access to and efficiently query. Then, as technology improved, security teams found themselves with access to a much richer data set: layer 7 data. Proxy logs, DNS logs, packet capture (PCAP), and other layer 7 data sources became available, and it was a game-changer for security teams.
Layer 7 data allows us to interrogate the application layer. Specifically, as it relates to digital channels such as Web and mobile, layer 7 data lets us understand what is happening within the end-user application session. This gives us essential context around the end user’s activity. Unfortunately, layer 7 data does not allow us to understand the “how” behind what is happening. Questions such as “How is the end user behaving?”, “What is the end user’s intent?”, and “Is this legitimate end-user activity?” can only be answered by looking beyond layer 7.
To understand intent — the “how” behind the “what” — we need to closely examine the behavior of the end user in the session. This additional behavioral insight is critical to an enterprise’s ability to separate legitimate traffic from fraud. In other words, the difference between legitimate use of an application and abuse of that application (i.e., fraud) is the intent of the end user responsible for the activity. When we look at the concept of fraud in this manner, it is easy to see that visibility into “what” the end user is doing inside the application session isn’t enough. We also need visibility into “how” they are doing it.
Behaviors That Could Signal Fraudulent Use
Some people refer to this end-user layer above layer 7 of the OSI model as layer 8. And as the Sesame Street song says, eight is great. Let’s take a look at some of the ways in which layer 8 data can help us better detect fraud.
Optimized mouse movements. Legitimate users tend to have very random mouse movements when interacting with an application. The reason is simple: Legitimate users aren’t interacting with the application “professionally” and thus don’t have any need or incentive to optimize their mouse movements. Fraudsters, on the other hand, who may be trying to access tens, hundreds, or thousands of accounts fraudulently, have every motivation to optimize their mouse movements to save time.
Pasting. I don’t know about you, but I don’t often cut and paste my username and password or first name and last name from a text file. As it turns out, most legitimate users don’t either. Fraudsters, as you might imagine, do this quite frequently, particularly when it comes to account takeover (ATO).
Strange keys. If you are a legitimate user, chances are that you use a fairly standard set of letters, numbers, and special characters when interacting with an application. It is fairly unlikely that you would use function keys, keyboard shortcuts, or other unusual combinations. Fraudsters who are looking to save time, however, often do exactly that.
A signature device. Fraudsters typically have one or a few favorite devices that they have configured exactly as they want them. Fraudsters will often use these same devices to log in to a relatively large number of accounts on the same application. Because of this, if we invest in accurate and reliable device identification and track logins by device, we can often use that knowledge to understand when we might be dealing with a fraudulent session.
Other tricks.
Fraudsters often rely on environment spoofing, VPN, and other tricks to try to appear to be legitimate users. Legitimate users do this far less frequently, though it does still happen.
The above user behaviors are a few examples of the differences in behavior between legitimate users and fraudsters. None of these behaviors in and of themselves can tell us with 100% certainty whether a given session is legitimate or fraudulent. They can, however, provide us valuable insight into the “how” behind the “what”. That, in turn, can help us make far more accurate assessments around what is fraud. Understanding end-user behavior (layer 8 data) allows us to increase our detection rates, while at the same time lowering our false positive rates.