A brute-force attack is a “try until you succeed” approach: the repeated attempts usually generate a massive spike in alerts. These low-quality alerts are not “false positives”, because each one really was a failed login attempt, but they are “noisy alerts” that can lead to alert fatigue, which ultimately lowers the fraud analyst’s guard.
Automated Search Alert Filtering
Example One: Moving from 1000 to 250 alerts
In the example below, we assume that a brute-force attack is underway and is triggering 1000 alerts over 2 days.
You can set up searches on all the fraud behavioral analytics alerted events and filter out the brute-force type of alerts with specific conditions. This creates a “reduction by aggregation” of alerts of type brute-force.
For example, you may want to search for alerts generated in the past 2 days, at all risk levels, and the alert contains a failed login activity.
The search will return all alerts meeting the criteria. Often, a brute-force attack is launched repeatedly against multiple accounts. Most of the alerts will share common attributes, such as IP address, user agent string and network provider, and they occur in temporal proximity.
Alert Mapping to the Right Fraud Queue
Example Two: Moving from 25 Alerts to 5 Alerts per Queue
In this scenario, you have been informed that some suspicious IPs have successfully logged in during the brute-force attacks. You want to ensure that Wire and ACH payments are not at risk.
You can use our Fraud Match feature to further filter the alerts. Let’s say you have dedicated fraud analysts’ queues for Wire and ACH:
- Per your Wire risk policy, you want to check for the presence of the Untrusted Beneficiary and Untrusted Beneficiary FI risk factors and elevate the priority of International Wires exceeding a certain amount, routing them to the Wire Analyst Queue:
- Untrusted Beneficiary
- Originator Transaction Amount (Credit)
- Direction: Outbound
- Activity: WrIntlOut (Wire International Outbound)
- Amount: > 100,000
You can add a second set of criteria, such as:
For the ACH queue, you want to ensure that if there is an unusual percentage of new recipients in a batch, this risk factor receives a higher priority in the alerting queue, so that despite the spike in brute-force alerts these high-quality alerts are managed accordingly.
- This risk factor indicates that there is an unusual percentage of new recipients in this batch compared to the historical average
- For example, out of 10 entries, 7 have new recipients which would be highly unusual
- Risk Factor: BNewRecipPrcnt (Batch New Recipient Percentage)
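The two stages described above, reduction by aggregation of the failed-login alerts and then routing of the remaining alerts to the Wire and ACH queues, can be expressed as a small triage pipeline. The following is an added illustration written for this article, not NICE Actimize Xceed code or its Filters/Fraud Match features; the alert field names, the LoginFail and AchBatch activity codes, the 30-minute clustering window, the 50% new-recipient threshold and every sample alert are assumptions constructed for the example. Only the WrIntlOut activity and the 100,000 wire threshold come from the text.

```python
"""Alert aggregation and queue routing for a brute-force alert spike.

Added illustration, not product code. Field names, thresholds other than
the 100,000 wire amount, and all sample alerts are assumptions/constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _t(minutes):
    # Timestamps relative to a fixed, constructed base time.
    return datetime(2024, 1, 1, 9, 0) + timedelta(minutes=minutes)


# Constructed sample alerts. "WrIntlOut" is the page's activity code;
# "LoginFail", "AchBatch" and every value below are made up.
ALERTS = [
    # Six failed logins from one IP / user agent / provider within ten
    # minutes, spread over four customer accounts: the brute-force pattern.
    *[{"id": f"A{i}", "ts": _t(i * 2), "activity": "LoginFail",
       "ip": "203.0.113.10", "ua": "Mozilla/5.0 (X11)", "provider": "ExampleNet",
       "account": f"cust{i % 4}", "risk": "low"} for i in range(6)],
    # Two failed logins from a different source three hours later.
    {"id": "B1", "ts": _t(180), "activity": "LoginFail", "ip": "198.51.100.7",
     "ua": "curl/8.0", "provider": "OtherISP", "account": "cust9", "risk": "low"},
    {"id": "B2", "ts": _t(183), "activity": "LoginFail", "ip": "198.51.100.7",
     "ua": "curl/8.0", "provider": "OtherISP", "account": "cust9", "risk": "low"},
    # Payment alerts that must not be buried under the login noise.
    {"id": "W1", "ts": _t(20), "activity": "WrIntlOut", "direction": "Outbound",
     "amount": 250_000, "untrusted_beneficiary": True, "risk": "medium"},
    {"id": "W2", "ts": _t(25), "activity": "WrIntlOut", "direction": "Outbound",
     "amount": 50_000, "untrusted_beneficiary": True, "risk": "medium"},
    {"id": "H1", "ts": _t(30), "activity": "AchBatch", "batch_size": 10,
     "new_recipients": 7, "risk": "medium"},
    {"id": "H2", "ts": _t(35), "activity": "AchBatch", "batch_size": 10,
     "new_recipients": 1, "risk": "low"},
]


def _make_case(ip, ua, provider, members):
    return {"ip": ip, "ua": ua, "provider": provider, "count": len(members),
            "accounts": sorted({a["account"] for a in members}),
            "first_seen": members[0]["ts"], "last_seen": members[-1]["ts"],
            "alert_ids": [a["id"] for a in members]}


def aggregate_failed_logins(alerts, window=timedelta(minutes=30)):
    """Collapse failed-login alerts that share IP, user agent and provider
    and occur within `window` of each other into one aggregated case.
    Returns (aggregated_cases, other_alerts)."""
    groups = defaultdict(list)
    others = []
    for a in alerts:
        if a["activity"] == "LoginFail":
            groups[(a["ip"], a["ua"], a["provider"])].append(a)
        else:
            others.append(a)
    cases = []
    for (ip, ua, provider), members in groups.items():
        members.sort(key=lambda a: a["ts"])
        current = []
        for a in members:
            # A gap larger than the window starts a new case (temporal proximity).
            if current and a["ts"] - current[-1]["ts"] > window:
                cases.append(_make_case(ip, ua, provider, current))
                current = []
            current.append(a)
        cases.append(_make_case(ip, ua, provider, current))
    return cases, others


WIRE_AMOUNT_THRESHOLD = 100_000   # from the page: Amount > 100,000
ACH_NEW_RECIPIENT_PCT = 0.5       # assumed threshold for BNewRecipPrcnt


def route_to_queue(alert):
    """Return (queue, priority) from the two risk policies in the text.
    Alerts matching neither policy stay in a general queue."""
    if (alert["activity"] == "WrIntlOut" and alert.get("direction") == "Outbound"
            and alert.get("untrusted_beneficiary")
            and alert.get("amount", 0) > WIRE_AMOUNT_THRESHOLD):
        return "Wire Analyst Queue", "high"
    if alert["activity"] == "AchBatch" and alert.get("batch_size"):
        pct = alert["new_recipients"] / alert["batch_size"]   # BNewRecipPrcnt
        if pct > ACH_NEW_RECIPIENT_PCT:
            return "ACH Analyst Queue", "high"
    return "General Queue", "normal"


def triage(alerts, window=timedelta(minutes=30)):
    """Full pipeline: aggregate the brute-force noise, then route the rest."""
    cases, others = aggregate_failed_logins(alerts, window)
    routed = {a["id"]: route_to_queue(a) for a in others}
    return cases, routed


if __name__ == "__main__":
    cases, routed = triage(ALERTS)
    print(f"{len(ALERTS)} raw alerts -> {len(cases)} login cases + {len(routed)} routed alerts")
    for c in cases:
        print(f"  {c['count']} failed logins from {c['ip']} ({c['ua']}) on {c['accounts']}")
    for alert_id, (queue, prio) in routed.items():
        print(f"  {alert_id}: {queue} [{prio}]")
```

Run as a script, the twelve constructed alerts collapse into two login cases (one of six attempts across four accounts, one of two) plus four payment alerts, of which only the 250,000 international wire and the 7-of-10 new-recipient batch land in the analyst queues with high priority. The window parameter is what encodes “temporal proximity”: shrinking it splits a campaign into more cases, so it should be tuned against how your own brute-force traffic actually clusters.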
These searches can be executed manually on an ad-hoc basis, or you can set up automated searches using the Filters feature in the application. This lets the system do the work on your behalf: it monitors for any new alert that meets your search criteria and places the alert onto the Filters Assignee’s My Queue page.
Proactively monitoring for signs of brute-force attacks is the key to reducing the impact of the attack and preventing more customers from being affected. Once you identify the fraud attack, sharing the incident with your cyber security team and notifying your customers will help everyone respond more effectively.
In summary, NICE Actimize Xceed’s application features give fraud teams the ability to manage brute-force attacks with automatic searches and filters that allow workflows to separate low-quality alerts from high-quality alerts which ultimately reduces the alert noise and allows fraud teams to focus on what matters the most.
Learn how Guardian Analytics Digital Banking Fraud Detection provides both the fraud detection software and FraudDESK services mid-sized financial institutions need to protect themselves and their customers from fraud.