Syntel Threat Detection
Building a proactive fraud detection system involves accounting for a variety of threats, one of which is threats that target end users and employees. Account takeovers, credential stuffing, and cookie stealing can all be used to compromise your platform. Syntel Threat Detection attempts to stop these threats before they reach your platform by monitoring third-party platforms such as dark web forums, social media, and other sources. When a threat is found you'll be alerted in real time so you can take measures to protect your users and platform.
Alerts
All alerts are sent to your webhook based on the configuration settings you've set for the scope. For example, if you're monitoring employee emails you'll receive an alert whenever a recent post or breach is found.
Your webhook should respond with only a 204 status code and an empty body; it must not indicate whether the credentials in the alert are valid. This follows a zero-trust model in which all parties, including the sender, are assumed to be untrusted.
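The receiving side of that contract, as an added example that is not part of Syntel's documentation or SDK: a minimal stdlib webhook endpoint that answers 204 with no body whatever it is sent (valid alert, garbage, an oversized body, or a GET probe), and hands the raw ciphertext to a queue so decryption and validation happen off the request thread. The path `/alerts`, the 64 KiB size cap and the `demo_roundtrip` helper are assumptions made for this example.

```python
# Added example, not Syntel's code: a zero-trust webhook receiver.
# It never tells the caller anything about the alert it received.
import queue
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

MAX_BODY = 64 * 1024  # assumption: alerts are small; larger bodies are dropped


def make_handler(inbox):
    """Build a handler class that pushes request bodies onto `inbox`."""

    class AlertHandler(BaseHTTPRequestHandler):
        def do_POST(self):
            length = int(self.headers.get("Content-Length") or 0)
            if 0 < length <= MAX_BODY:
                # store the ciphertext as-is; decryption and validation happen later
                inbox.put(self.rfile.read(length))
            # same answer for good, bad and oversized input: 204 and nothing else
            self.send_response(204)
            self.end_headers()

        def do_GET(self):
            # no information for probes either
            self.send_response(204)
            self.end_headers()

        def log_message(self, fmt, *args):
            pass  # keep caller details and payload sizes out of stderr

    return AlertHandler


def start_server(inbox):
    """Serve on an ephemeral loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(inbox))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def post_alert(port, payload):
    """Act as the sender: POST raw bytes and return (status, body)."""
    req = Request(f"http://127.0.0.1:{port}/alerts", data=payload, method="POST")
    with urlopen(req) as resp:
        return resp.status, resp.read()


def demo_roundtrip(payload):
    """Start a server, post `payload`, and report what the endpoint did with it."""
    inbox = queue.Queue()
    server = start_server(inbox)
    try:
        status, body = post_alert(server.server_address[1], payload)
        try:
            received = inbox.get_nowait()
        except queue.Empty:
            received = None
        return status, body, received
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # constructed stand-in for a real ciphertext
    print(demo_roundtrip(b"ciphertext-bytes"))
```

Whether the queued body later decrypts and validates is decided by a worker that never talks back to the sender, so an attacker spraying the endpoint learns nothing from the responses.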
Encryption
All data is encrypted with RSA-4096. This ensures that the data is transmitted securely and can only be decrypted by the intended recipient. You'll need your private key to decrypt the data; the following command generates one:
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:4096
Alert Types
Returns intelligence data about the IP address.
Attributes
- url (string, optional): A URL, present if the associated login/password is associated with your domain or subdomains.
- login (string): Can take the form of an email or username.
- password (string): A password that was found in the breach.
- file_hash (string): Hash of the text file in which the breach was found.
- source (enum): Where the breach originated from.
- timestamp (int): Unix timestamp of when the breach was found.
{
"url": "https://example.com",
"login": "user@example.com",
"password": "NotSecure!",
"file_hash": "<sha256hash>",
"source": "TELEGRAM",
"timestamp": 1728912066
}
Handling Alerts
When an alert is received you'll need to decrypt the message using your private key. This yields a JSON object that you can parse and take action on. For example, if you receive an alert that a user's password has been compromised you can force a password reset or lock the account.
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives import hashes, serialization
import json

# PEM-encoded private key generated with the openssl command above (keep it out of source control)
private_key_str = "... "
private_key = serialization.load_pem_private_key(private_key_str.encode(), password=None)

# raw ciphertext bytes taken from the webhook request body
encrypted_message = '...'.encode()

# RSA-OAEP with SHA-256 for both the hash and the mask generation function
decrypted_message = private_key.decrypt(
    encrypted_message,
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA256()),
        algorithm=hashes.SHA256(),
        label=None
    )
)

parsed_event = json.loads(decrypted_message.decode('utf-8'))
print(parsed_event)
Suggestions
- Force a password reset for the user if their password has been compromised.
- Lock the account until the user can reset their password.
- Monitor the user's account for any suspicious activity.
- Notify the user that their account has been compromised.
- Blacklist the password from being re-used.
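What happens after the decryption step above, as an added example that is not part of Syntel's documentation or SDK: validate the decrypted object against the documented attributes, then turn the suggestions in this list into a concrete action plan. The user directory (`LOCAL_USERS`), the domain list (`OUR_DOMAINS`) and the action names are constructed stand-ins for whatever your platform uses; the page only lists "TELEGRAM" as a `source` value, so any non-empty upper-case name is accepted. The leaked password is never stored in the clear: the denylist entry is a SHA-256 fingerprint.

```python
# Added example, not Syntel's code: validate a decrypted alert and plan a response.
import hashlib
from urllib.parse import urlsplit

OUR_DOMAINS = {"example.com"}                        # constructed
LOCAL_USERS = {"alice@example.com", "alice"}         # constructed; stored lower-case
REQUIRED = {"login": str, "password": str, "file_hash": str, "source": str, "timestamp": int}


def validate_alert(alert):
    """Raise ValueError unless `alert` matches the documented attribute schema."""
    if not isinstance(alert, dict):
        raise ValueError("alert must be a JSON object")
    for key, typ in REQUIRED.items():
        value = alert.get(key)
        # bool is a subclass of int, so reject it explicitly for the timestamp
        if not isinstance(value, typ) or isinstance(value, bool):
            raise ValueError(f"missing or mistyped field: {key}")
    if not alert["source"] or not alert["source"].isupper():
        raise ValueError("source must be an enum name")
    url = alert.get("url")
    if url is not None and not isinstance(url, str):
        raise ValueError("url must be a string or null")
    return alert


def password_fingerprint(password):
    """Hash the leaked password so the reuse denylist never holds plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def affects_our_domain(url, domains=OUR_DOMAINS):
    """True if the alert's URL points at one of our domains or their subdomains."""
    if not url:
        return False
    host = urlsplit(url).hostname
    return host is not None and any(host == d or host.endswith("." + d) for d in domains)


def plan_actions(alert, users=LOCAL_USERS, domains=OUR_DOMAINS):
    """Return the list of (action, subject) tuples to carry out for one alert."""
    alert = validate_alert(alert)
    login = alert["login"].lower()
    actions = [("denylist_password", password_fingerprint(alert["password"]))]
    if login in users:
        # the five suggestions from the page, applied to a known account
        actions += [
            ("force_password_reset", login),
            ("lock_account", login),
            ("notify_user", login),
            ("monitor_account", login),
        ]
    elif affects_our_domain(alert.get("url"), domains):
        # credentials for our platform but no matching account: keep a record for review
        actions.append(("record_unmatched_login", login))
    return actions


if __name__ == "__main__":
    # constructed alert in the shape documented above
    sample = {
        "url": "https://example.com",
        "login": "alice@example.com",
        "password": "NotSecure!",
        "file_hash": "<sha256hash>",
        "source": "TELEGRAM",
        "timestamp": 1728912066,
    }
    for action, subject in plan_actions(sample):
        print(action, subject)
```

Locking first and notifying afterwards keeps the window between the alert and the reset as short as possible; the fingerprint check belongs in your password-change handler so the leaked value cannot be chosen again.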