Automating Brand Abuse Detection and Takedowns
ASOS is an ever-growing platform with over 26 million active customers worldwide and a portfolio of nearly 900 global and local partner brands. With this comes the need to protect our customers and our business from those looking to imitate brands and create fake shopping sites, phishing pages and/or impersonating domains.
In the ASOS Cyber Security Incident Response Team (CSIRT), we’ve developed an internal Azure-based automation that combines and correlates data from threat intelligence and takedown vendors. This allows us to action brand abuse investigations relating to impersonating domains in an efficient manner from a single location — Microsoft Teams.
In this post, we’ll give an overview of the automation, some benefits we’ve seen since implementation and some tips to assist any security teams that are experiencing similar issues.
Previously we utilised two vendors: one for threat intelligence (including impersonating domain detection and alerting), and one purely for handling takedown requests with web hosts and domain registrars. This flow required analysts to report malicious domains manually, log into multiple web interfaces and spend a significant amount of time filtering through false positive alerts, all of which was time consuming.
There’s also a fair bit of crossover in this area between the work we do, and the great work that the Brand Protection team do. We needed to find a solution that provided both teams with insight into detections and actions and enabled us to work more seamlessly.
Below is a flow diagram showing the high-level logic behind the automation — let’s dig into this in more detail.
Microsoft Sentinel Incidents and Automation Trigger
Currently, we’re utilising a Microsoft Sentinel analytics rule to generate incidents which are used to kickstart our automation. We ingest and store alert data in our security information and event management (SIEM) system from our primary threat intelligence provider, relating to ‘Impersonating Domains’, where a domain is attempting to typosquat one of our brands. We then send the suspicious domain names to the takedown provider via their API to check whether they already have any related alerts. The result of this is one of two paths:
- The domain has already been seen by the takedown provider and it’s currently being triaged or actioned.
- The domain has not been seen by the takedown provider therefore it needs to be investigated and submitted for takedown if appropriate.
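The correlation step described above, as an added example that is not the ASOS automation or either vendor's code: it normalises the domain names that arrive from the Sentinel incident, checks them against the set of domains the takedown vendor already knows about (stood in for here by a plain list, since the vendor API response shape is not on the page), and sorts the unseen ones by how closely a label resembles a brand name, so that the likeliest typosquats rise to the top of the triage queue. The brand list, the sample alert domains and the edit-distance heuristic are all constructed for the example.

```python
"""Constructed example: correlate impersonating-domain alerts with a takedown
vendor's known alerts and rank the remainder by brand similarity."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed brand list; the real brand portfolio is not reproduced on the page.
BRANDS = ("asos",)


def normalise_domain(domain: str) -> str:
    """Lower-case, strip a scheme/path and a trailing dot, decode punycode labels."""
    d = domain.strip().lower()
    if "://" in d:
        d = d.split("://", 1)[1]
    d = d.split("/", 1)[0].rstrip(".")
    try:
        # xn-- labels are decoded so Unicode look-alikes compare as Unicode.
        d = d.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_similarity(domain: str, brands=BRANDS) -> tuple[str, int]:
    """Closest brand and its distance over every non-TLD label.
    A label that simply contains the brand (e.g. 'shopasos') scores 0."""
    labels = domain.split(".")[:-1] or [domain]
    best = (brands[0], 10**6)
    for brand in brands:
        for label in labels:
            dist = 0 if brand in label else edit_distance(label, brand)
            if dist < best[1]:
                best = (brand, dist)
    return best


@dataclass
class Triage:
    already_seen: list[str] = field(default_factory=list)
    # (domain, closest brand, edit distance), lowest distance first
    needs_investigation: list[tuple[str, str, int]] = field(default_factory=list)


def correlate(sentinel_domains, takedown_known, brands=BRANDS) -> Triage:
    """Split Sentinel alert domains into the two paths: already with the
    takedown vendor, or new and needing analyst investigation."""
    known = {normalise_domain(d) for d in takedown_known}
    result, seen = Triage(), set()
    for raw in sentinel_domains:
        d = normalise_domain(raw)
        if d in seen:          # duplicate alerts collapse to one row
            continue
        seen.add(d)
        if d in known:
            result.already_seen.append(d)
        else:
            brand, dist = brand_similarity(d, brands)
            result.needs_investigation.append((d, brand, dist))
    result.needs_investigation.sort(key=lambda row: row[2])
    return result


# Constructed sample input: what a Sentinel incident and the vendor lookup might carry.
SENTINEL_ALERTS = ["AS0S-outlet.example.", "https://asos-sale.example/login",
                   "as0s.example", "shopasos.example", "totallyunrelated.example"]
TAKEDOWN_KNOWN = ["asos-sale.example"]

if __name__ == "__main__":
    triage = correlate(SENTINEL_ALERTS, TAKEDOWN_KNOWN)
    print("already with takedown vendor:", triage.already_seen)
    for domain, brand, dist in triage.needs_investigation:
        print(f"investigate {domain:28} closest brand={brand} distance={dist}")
```

Distance 0 means a label contains the brand outright, which is the usual fake-shop pattern; a distance of 1 or 2 is the classic single-character typosquat. Unrelated domains score far higher and can be reviewed last or, with a threshold tuned on real alert history, routed straight to the false positive path.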
Now that we have a list of impersonating domains, we need to inform the team so the domains can be investigated and classified as true positives or false positives.
Notifying The Team
There are several ways that the automation could inform the CSIRT of an impersonating domain alert. Email is one of the most common notification routes, however it’s fairly easy to miss emails for any given reason. To ensure that these alerts are immediately visible to the team, and to use the same medium we already rely on for instant communication and collaboration, we push notifications to a Teams channel. By utilising Microsoft Teams and Adaptive Cards within Azure Logic Apps, we’re able to send interactive messages to a channel that allow analysts to select the most appropriate action.
The adaptive card above allows the receiver to open the threat intelligence alert for triage, then select an action.
True Positive Actioning
If the alert represents a true positive, an analyst has three actions to choose from:
2. Fake Shop
3. Impersonating Domain
Each submission raises an action with the takedown vendor for its respective attack vector.
Each submission also assigns the alert, in our threat intelligence vendor’s portal, to the analyst who actioned the notification, changes the alert status to resolved and adds a comment to the alert recording the actions taken, for auditing.
False Positive Actioning
If the alert represents a false positive, a case where the domain is not impersonating or abusing one of our brands, an analyst has three actions to choose from.
Here is an example of the reply Adaptive Card that is shown once an analyst has responded to an alert. This gives our Brand Protection Team the ability to review what actions we have taken in case they wish to provide input, learn more about the case, or change our response to a specific domain.
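The notification card and the close-out steps described in the three sections above, as an added example that is not the ASOS Logic App or either vendor's API: the card is a plain Adaptive Card (schema 1.4) with an Action.OpenUrl button for triage and one Action.Submit per decision, whose `data` payload is what the Logic Apps Teams "post card and wait for a response" step hands back; the handler then raises the takedown, assigns and resolves the intelligence alert and writes the audit comment, before producing the reply card. The two vendor clients are in-memory stand-ins, the action keys and sample identifiers are constructed, and only the two true positive actions named on the page are modelled.

```python
"""Constructed example: Adaptive Card for the Teams alert plus the handler that
closes out both vendors once an analyst picks an action."""
from __future__ import annotations
from dataclasses import dataclass, field

# Submit-action keys (constructed) mapped to the categories the post names.
TRUE_POSITIVE_ACTIONS = {"fake_shop": "Fake Shop",
                         "impersonating_domain": "Impersonating Domain"}


def build_alert_card(domain: str, alert_id: str, alert_url: str) -> dict:
    """Card with an open-alert link and one Action.Submit per analyst decision."""
    def submit(key: str, title: str) -> dict:
        # `data` is echoed back untouched when the analyst presses the button.
        return {"type": "Action.Submit", "title": title,
                "data": {"action": key, "domain": domain, "alert_id": alert_id}}
    return {
        "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
        "type": "AdaptiveCard",
        "version": "1.4",
        "body": [
            {"type": "TextBlock", "text": "Impersonating domain alert",
             "weight": "Bolder", "size": "Medium"},
            {"type": "FactSet", "facts": [{"title": "Domain", "value": domain},
                                          {"title": "Alert ID", "value": alert_id}]},
        ],
        "actions": [{"type": "Action.OpenUrl", "title": "Open alert", "url": alert_url}]
                   + [submit(k, t) for k, t in TRUE_POSITIVE_ACTIONS.items()]
                   + [submit("false_positive", "False positive")],
    }


@dataclass
class FakeIntelPortal:
    """Stand-in for the threat intelligence vendor's alert API (constructed)."""
    alerts: dict[str, dict] = field(default_factory=dict)

    def _alert(self, alert_id: str) -> dict:
        return self.alerts.setdefault(alert_id, {"comments": []})

    def assign(self, alert_id: str, analyst: str) -> None:
        self._alert(alert_id)["assignee"] = analyst

    def set_status(self, alert_id: str, status: str) -> None:
        self._alert(alert_id)["status"] = status

    def add_comment(self, alert_id: str, text: str) -> None:
        self._alert(alert_id)["comments"].append(text)


@dataclass
class FakeTakedownVendor:
    """Stand-in for the takedown vendor's submission API (constructed)."""
    submissions: list[tuple[str, str]] = field(default_factory=list)

    def submit(self, domain: str, category: str) -> str:
        self.submissions.append((domain, category))
        return f"TD-{len(self.submissions):04d}"   # constructed reference format


def handle_response(data: dict, analyst: str, intel: FakeIntelPortal,
                    takedown: FakeTakedownVendor) -> str:
    """Apply the analyst's decision to both vendors; return the audit note."""
    action, domain, alert_id = data["action"], data["domain"], data["alert_id"]
    if action in TRUE_POSITIVE_ACTIONS:
        category = TRUE_POSITIVE_ACTIONS[action]
        ref = takedown.submit(domain, category)
        note = f"{category} takedown requested for {domain} (ref {ref})"
    elif action == "false_positive":
        note = f"Closed {domain} as false positive; no takedown requested"
    else:
        raise ValueError(f"unknown action {action!r}")
    # Close out the intelligence alert the same way regardless of the outcome.
    intel.assign(alert_id, analyst)
    intel.set_status(alert_id, "resolved")
    intel.add_comment(alert_id, f"{analyst}: {note}")
    return note


def build_reply_card(analyst: str, note: str) -> dict:
    """The reply card posted back so Brand Protection can see what was done."""
    return {"$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
            "type": "AdaptiveCard", "version": "1.4",
            "body": [{"type": "TextBlock", "text": f"Actioned by {analyst}", "weight": "Bolder"},
                     {"type": "TextBlock", "text": note, "wrap": True}]}


if __name__ == "__main__":
    intel, vendor = FakeIntelPortal(), FakeTakedownVendor()
    card = build_alert_card("as0s-outlet.example", "ALERT-1",
                            "https://intel.example/alerts/ALERT-1")   # constructed
    pressed = card["actions"][1]["data"]          # analyst chose "Fake Shop"
    note = handle_response(pressed, "analyst@example", intel, vendor)
    print(build_reply_card("analyst@example", note))
```

Keeping the close-out in one function is what makes the audit trail consistent: every decision, including a false positive, ends with the alert assigned, resolved and commented in the intelligence portal, so the Brand Protection team can read the history in either place.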
- Allows more efficient collaboration with our Brand Protection team
- Enhanced visibility and statistic gathering by combining two data sources
- Removed manual reporting step, saving analyst time and reducing time to report
- Full actioning of alerts from within Teams
- Gracefully closing alerts in multiple platforms with appropriate notes
As the ASOS brand builds and grows, there’s a lot of potential for this tool to do the same — whether that’s tackling different alert types, such as social media impersonation detection and takedowns, or extending the scope to automate monitoring, detection and response for other threat intelligence findings.
CSIRT @ ASOS
When we’re not responding to incidents, we’re focussed on improving our visibility, making IR more efficient, researching and integrating new tools and much more. If something becomes repetitive, the freedom is there to find a better solution.
If this is something that you find interesting, we’d love to hear from you:
Jack Humphries is a Senior Incident Response Analyst @ ASOS. Aside from investigating threat actors, you can usually find him daydreaming of warmer climates at the coffee bar.