SprwLabs
Consistently our partnerships with our clients lead to some of the most interesting use cases. Recently we partnered with a retailer who has a large online presence to help detect and mitigate fraudulent transactions.
The first step to establishing a use case is understanding the data sources. In this case, the retailer received logs of every successful and unsuccessful transaction attempted on the website. In addition, they had visibility at the edge via their web application firewall. In our initial use case, we focused on transactional data. As we continue to iterate on the use case, we'll start to incorporate other data.
Our focus was solely on catching successful transactions that were illegitimate, with a very low false positive rate.
We start by looking at every new purchase transaction and assigning it a score. The diagram below covers a portion of the logic we include. We enriched the data with a threat intelligence vendor's compromised-credential API. We used the other transaction data to query for similar transactions. We retrieved account age and other account-specific information directly from the application's identity source.
While this diagram covers 8, in total we have 37 different steps to calculate the validity of a transaction.
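To make the scoring approach concrete, here is an added example (not SprwLabs' code, and not the 37-step logic described above) showing how three of the enrichment checks mentioned, a compromised-credential lookup, account age from the identity source, and a search for similar recent transactions, can each contribute points to a per-transaction score that is then triaged against a review threshold. The check weights, the threshold, the vendor lookup (replaced here by a constructed set) and the sample transactions are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-in for the threat intelligence vendor's
# compromised-credential API: in production this would be an enrichment call.
COMPROMISED_EMAILS = {"mallory@example.com"}


@dataclass
class Transaction:
    txn_id: str
    email: str
    amount: float
    card_last4: str
    ip: str
    ts: datetime
    account_created: datetime  # would come from the application's identity source


# Each check returns (points, reason). All weights are hypothetical.
def check_compromised_credential(txn, history):
    if txn.email in COMPROMISED_EMAILS:
        return 40, "credential appears in compromised-credential feed"
    return 0, None


def check_account_age(txn, history):
    age = txn.ts - txn.account_created
    if age < timedelta(hours=1):
        return 25, "account created less than 1h before purchase"
    if age < timedelta(days=7):
        return 10, "account younger than 7 days"
    return 0, None


def check_similar_transactions(txn, history):
    # Look for other transactions within 24h that share the source IP or card;
    # many distinct cards from one IP is the strongest signal here.
    similar = [h for h in history
               if h.txn_id != txn.txn_id
               and abs(h.ts - txn.ts) <= timedelta(hours=24)
               and (h.ip == txn.ip or h.card_last4 == txn.card_last4)]
    distinct_cards = {h.card_last4 for h in similar} | {txn.card_last4}
    if len(distinct_cards) >= 3:
        return 30, f"{len(distinct_cards)} distinct cards in related cluster within 24h"
    if len(similar) >= 5:
        return 15, f"{len(similar)} related transactions within 24h"
    return 0, None


CHECKS = [check_compromised_credential, check_account_age, check_similar_transactions]
REVIEW_THRESHOLD = 50  # hypothetical cut-off for analyst review


def score_transaction(txn, history):
    """Sum the points from every check; return (score, list of reasons)."""
    total, reasons = 0, []
    for check in CHECKS:
        pts, why = check(txn, history)
        total += pts
        if pts:
            reasons.append(why)
    return total, reasons


def triage(txns):
    """Score each transaction against the batch; return {txn_id: (score, reasons)} for review."""
    flagged = {}
    for t in txns:
        s, reasons = score_transaction(t, txns)
        if s >= REVIEW_THRESHOLD:
            flagged[t.txn_id] = (s, reasons)
    return flagged


# Constructed sample batch: one established customer, one freshly created
# account cycling three cards from a single IP, and one young but quiet account.
BASE = datetime(2024, 1, 15, 12, 0, 0)
SAMPLE_TXNS = [
    Transaction("t1", "alice@example.com", 59.99, "1111", "198.51.100.7", BASE, BASE - timedelta(days=400)),
    Transaction("t2", "mallory@example.com", 899.00, "2222", "203.0.113.5", BASE + timedelta(minutes=1), BASE - timedelta(minutes=10)),
    Transaction("t3", "mallory@example.com", 899.00, "3333", "203.0.113.5", BASE + timedelta(minutes=3), BASE - timedelta(minutes=10)),
    Transaction("t4", "mallory@example.com", 899.00, "4444", "203.0.113.5", BASE + timedelta(minutes=5), BASE - timedelta(minutes=10)),
    Transaction("t5", "bob@example.com", 20.00, "5555", "192.0.2.9", BASE + timedelta(hours=1), BASE - timedelta(days=3)),
]

if __name__ == "__main__":
    for txn_id, (score, reasons) in triage(SAMPLE_TXNS).items():
        print(txn_id, score, "; ".join(reasons))
```

Keeping each signal as a separate check that returns points and a human-readable reason is what makes the score auditable in a SOAR case: the analyst sees why a transaction was flagged, and a weight can be tuned or a step added without touching the rest of the pipeline.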
The question becomes: how effective was this? The best part of this use case is that we can use the historical data to predict the future. As adversaries continually become more creative in their tactics and techniques, our algorithm will continue to adapt. While this was implemented with one SOAR, it could easily be implemented with Swimlane, XSOAR, Chronicle SOAR, Splunk or any similar SOAR with case management built in.