Syntel Threat Detection

Building a proactive fraud detection system means accounting for a variety of threats, one of which is threats that target end users and employees. Account takeovers, credential stuffing, and cookie stealing can all be used to compromise your platform. Syntel Threat Detection attempts to stop these threats before they reach your platform by monitoring third-party platforms such as dark web forums, social media, and other sources. When a threat is found you'll be alerted in real time so you can take measures to protect your users and platform.

Alerts

All alerts are sent to your webhook based on the configuration settings you've set for the scope. For example, if you're monitoring employee emails you'll receive an alert if a recent post or breach is found.

Encryption

All data is encrypted with RSA-4096. This ensures that the data is transmitted securely and can only be decrypted by the intended recipient. You'll need to use your private key to decrypt the data.

openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:4096

Alert Types

Returns intelligence data about the IP address.

Attributes

  • url (string, optional)

    A URL, present if the leaked login/password is associated with your domain or subdomains.

  • login (string)

    Can take the form of an email or username.

  • password (string)

    A password that was found in the breach.

  • file_hash (string)

    Hash of the text file in which the breach was found.

  • source (enum)

    Where the breach originated from.

  • timestamp (int)

    Unix timestamp of when the breach was found.

{
  "url": "https://example.com",
  "login": "[email protected]",
  "password": "NotSecure!",
  "file_hash": "<sha256hash>",
  "source": "TELEGRAM",
  "timestamp": 1728912066
}

Handling Alerts

When an alert is received you'll need to decrypt the message using your private key. This will return a JSON object that you can parse and take action on. For example, if you receive an alert that a user's password has been compromised you can force a password reset or lock the account.

from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives import hashes, serialization
import json

# Load the private key generated with the openssl command above
# (unencrypted PEM, hence password=None).
with open("private_key.pem", "rb") as key_file:
    private_key = serialization.load_pem_private_key(key_file.read(), password=None)

# Raw ciphertext bytes as delivered to your webhook (placeholder).
encrypted_message = b'...'

# RSA-OAEP with SHA-256; a wrong key or a tampered ciphertext raises ValueError.
decrypted_message = private_key.decrypt(
    encrypted_message,
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA256()),
        algorithm=hashes.SHA256(),
        label=None
    )
)

# The plaintext is the JSON alert described under Alert Types.
parsed_event = json.loads(decrypted_message.decode('utf-8'))
print(parsed_event)

Suggestions

  • Force a password reset for the user if their password has been compromised.
  • Lock the account until the user can reset their password.
  • Monitor the user's account for any suspicious activity.
  • Notify the user that their account has been compromised.
  • Blacklist the password from being re-used.
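The following is an added, self-contained example (not Syntel's own code) that carries the Handling Alerts procedure through to the Suggestions above: it decrypts an alert with the private key, validates the JSON against the attributes listed under Alert Types, and maps the alert to a list of response actions. Because the page shows only the decrypt call, the sender side is simulated here: the vendor is assumed to encrypt with RSA-OAEP (SHA-256, MGF1-SHA-256) as the page's decrypt snippet expects, the ciphertext is assumed to travel as a base64 string, and the key pair is generated in memory so the example runs offline instead of reading private_key.pem. The response policy in plan_response() is one defensible reading of the Suggestions list, not documented Syntel behaviour, and the sample alert is constructed to mirror the page's JSON.

```python
"""Added example, not Syntel's own code: an end-to-end alert handler.

Assumptions (the page does not specify them):
  - the vendor encrypts each alert with RSA-OAEP (SHA-256 + MGF1-SHA-256),
    which is what the page's decrypt snippet expects;
  - the ciphertext reaches the webhook as a base64 string (constructed wire
    format; adjust to whatever is actually delivered);
  - the response policy in plan_response() is one reading of the page's
    Suggestions list, not documented Syntel behaviour.
The key pair is generated in memory so the example runs offline; in
production the private key is loaded from private_key.pem.
"""
import base64
import hashlib
import json
from urllib.parse import urlparse

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

OAEP = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)
# RSA-4096 with SHA-256 OAEP holds at most 512 - 2*32 - 2 = 446 plaintext
# bytes per block; alerts are small, but the bound is checked explicitly.
MAX_PLAINTEXT = 512 - 2 * 32 - 2
REQUIRED_FIELDS = {"login", "password", "file_hash", "source", "timestamp"}

# Constructed alert mirroring the page's sample payload (file_hash placeholder kept).
SAMPLE_ALERT = {
    "url": "https://example.com",
    "login": "alice@example.com",
    "password": "NotSecure!",
    "file_hash": "<sha256hash>",
    "source": "TELEGRAM",
    "timestamp": 1728912066,
}


def generate_demo_keypair():
    """Throwaway RSA-4096 key standing in for private_key.pem (demo only)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=4096)


def encrypt_alert(public_key, alert):
    """Simulated vendor side: JSON-encode, RSA-OAEP encrypt, base64 for transport."""
    plaintext = json.dumps(alert, separators=(",", ":")).encode("utf-8")
    if len(plaintext) > MAX_PLAINTEXT:
        raise ValueError(f"alert is {len(plaintext)} bytes; OAEP limit is {MAX_PLAINTEXT}")
    return base64.b64encode(public_key.encrypt(plaintext, OAEP)).decode("ascii")


def decrypt_alert(private_key, payload_b64):
    """Webhook side: base64-decode, decrypt with the private key, parse and validate."""
    ciphertext = base64.b64decode(payload_b64, validate=True)
    plaintext = private_key.decrypt(ciphertext, OAEP)  # ValueError on wrong key/tampering
    alert = json.loads(plaintext.decode("utf-8"))
    if not isinstance(alert, dict):
        raise ValueError("alert payload is not a JSON object")
    missing = REQUIRED_FIELDS - alert.keys()
    if missing:
        raise ValueError(f"alert is missing fields: {sorted(missing)}")
    if not isinstance(alert["timestamp"], int):
        raise ValueError("timestamp must be a Unix integer timestamp")
    return alert


def in_own_domains(url, own_domains):
    """True when the alert's url (string or None) is on one of our domains or subdomains."""
    host = urlparse(url).hostname if url else None
    return host is not None and any(host == d or host.endswith("." + d) for d in own_domains)


def blocklist_entry(password):
    """Store only a SHA-256 digest of the leaked password, never the plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def plan_response(alert, own_domains):
    """Map an alert to the page's suggested actions (policy is an assumption).

    A credential tied to our own domain means the account itself is exposed:
    reset, lock, notify and monitor. A leak tied elsewhere still warrants a
    notification and monitoring (password reuse). The password is always
    blocklisted so it cannot be chosen again.
    """
    if in_own_domains(alert.get("url"), own_domains):
        actions = ["force_password_reset", "lock_account", "notify_user", "monitor_account"]
    else:
        actions = ["notify_user", "monitor_account"]
    actions.append("blocklist_password")
    return actions


if __name__ == "__main__":
    key = generate_demo_keypair()
    wire = encrypt_alert(key.public_key(), SAMPLE_ALERT)  # what the vendor would send
    alert = decrypt_alert(key, wire)                     # what the webhook does
    print(alert["login"], "->", plan_response(alert, {"example.com"}))
    print("blocklist:", blocklist_entry(alert["password"]))
```

Two design points worth noting. First, RSA-OAEP gives confidentiality only: a ciphertext that decrypts cleanly proves it was made with your public key, not who made it, so the webhook endpoint itself still needs request authentication (the page does not describe one; use whatever the integration provides). Second, the blocklist keeps a digest rather than the leaked password, so the handler never becomes a second store of plaintext credentials.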