The bot protection, threat intelligence and DDoS awareness space has grown massively over the last few years. Instead of relying solely on network-level throttling, the auth tree framework makes it simple to bring third-party signals into the login journey itself.
Two fairly simple nodes that were added are the OpenThreatIntelligenceNode and the HaveIBeenPwnedNode. The open threat intelligence node calls out to https://cymon.io, sending a SHA256 hash of the inbound client IP address; the response indicates whether that IP has been seen participating in botnets or distributing malicious software. Note that hashing the address is not a confidentiality measure in itself: the IPv4 space is small enough that an unsalted SHA256 hash of an address can be reversed by brute force, so treat the call as disclosing the client IP to the third party.
Have I Been Pwned is a free service that takes an email address and reports whether it has appeared in any of the large data breaches it indexes. If it has, it may be prudent to prompt the user to complete MFA or to change their password as part of the journey. Bear in mind that this lookup sends the user's email address to a third party, which belongs in your threat model for the journey.
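The node described above sends the account's email address to the service. For the other half of the credential, Have I Been Pwned's Pwned Passwords range API lets you check a password without revealing it, using k-anonymity: the client sends only the first five hex characters of the password's SHA-1 digest and matches the returned suffixes locally. The following is an added example of that client-side logic, written in Python rather than as an AM node, and is not code from the original post or from ForgeRock. The endpoint URL and response format are HIBP's documented ones; the range bodies, counts and the `fake_fetch_range` stand-in are constructed here so the example runs offline.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

# Documented HIBP endpoint. Only the 5-character digest prefix ever leaves the client;
# the full digest and the password itself stay local.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns.

    A suffix is the remaining 35 hex characters of the 40-character digest.
    Entries with a count of 0 are padding (returned when the Add-Padding
    header is set) and are dropped so they cannot be mistaken for hits.
    """
    hits: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35:
            continue
        n = int(count)
        if n > 0:
            hits[suffix.upper()] = n
    return hits


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus; 0 if unseen."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def login_outcome(password: str, fetch_range: Callable[[str], str]) -> str:
    """Tree-style decision: 'pwned' routes to a forced change or MFA step-up, 'clear' continues."""
    return "pwned" if pwned_count(password, fetch_range) > 0 else "clear"


def http_fetch_range(prefix: str) -> str:
    """Live fetcher for online use; the offline sample below does not call it."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"Add-Padding": "true", "User-Agent": "auth-tree-demo"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


# Constructed sample range for prefix 5BAA6 (SHA-1 of "password" begins 5BAA61E4...).
# The counts and the neighbouring suffixes are made up for this example.
CONSTRUCTED_RANGES = {
    "5BAA6": "\r\n".join([
        "0F1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "ABCDEF0123456789ABCDEF0123456789ABC:0",  # padding entry, must be ignored
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for the HTTP call; unknown prefixes get a range with no real hits."""
    return CONSTRUCTED_RANGES.get(prefix, "00000000000000000000000000000000000:1")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", login_outcome(pw, fake_fetch_range), pwned_count(pw, fake_fetch_range))
```

Swap `fake_fetch_range` for `http_fetch_range` to query the live service; the decision logic is unchanged, and the secret still never leaves the client.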
|Threat Focused Auth Tree|
Another addition in this space is the Google reCAPTCHA node, which protects the login journey against automated bot traffic.
SLA, Metrics and Timing
Two recent additions come from ForgeRock's own Craig McDonnell, who has built two nodes for metering and timing. First up is the MeterAuthTreeNode. This node can be dropped into any part of a tree and increments a configurably named meter in the DropWizard metric registry within AM. For example, if you are tracking which browsers users log in from using the BrowserCheckerNode, you could drop in a couple of meter nodes so that a counter is incremented every time a specific browser is seen during the login journey. This becomes important when building out user experience analytics. The metrics can then be viewed using something like JConsole, pulled into dashboards over JMX, or pushed to a Graphite server.
A cousin of the meter node is the pair of TimeAuthTreeNodes. Like the meter, they can time any part of the auth tree. As trees are likely to include upwards of 20 data signals plus third-party processing, it may be essential to understand response times and their SLA impact. The timer nodes work as a pair, a start node and a stop node, and the elapsed time between them is sent to the same registry as the meter and can be viewed using JConsole. Wrapping a third-party callout between the two is the obvious place to start.
|Monitoring Response Time of a 3rd Party Call Out During Login|
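To make the meter and start/stop timer mechanics concrete, here is an added example that is not code from the post or from the ForgeRock nodes: a small Python simulation of a linear tree in which a browser meter counts logins per browser family, a start node stashes a clock reading in shared state, a simulated third-party callout consumes time, and a stop node publishes the elapsed duration and checks it against an SLA percentile. `MetricRegistry`, the node names, the metric names and the login sample are all constructed for this illustration; a deterministic fake clock stands in for `time.perf_counter` so the example runs offline.

```python
import math
import time
from collections import defaultdict
from typing import Callable, Dict, List


class MetricRegistry:
    """Stand-in for the DropWizard registry the nodes publish to:
    meters are monotonically increasing counters, timers keep raw duration samples (ms)."""

    def __init__(self) -> None:
        self.meters: Dict[str, int] = defaultdict(int)
        self.timers: Dict[str, List[float]] = defaultdict(list)

    def mark(self, name: str, n: int = 1) -> None:
        self.meters[name] += n

    def record(self, name: str, duration_ms: float) -> None:
        self.timers[name].append(duration_ms)

    def percentile(self, name: str, pct: float):
        """Nearest-rank percentile of the recorded samples; None if nothing recorded."""
        samples = sorted(self.timers[name])
        if not samples:
            return None
        rank = max(1, math.ceil(pct / 100.0 * len(samples)))
        return samples[rank - 1]


def perf_clock_ms() -> float:
    return time.perf_counter() * 1000.0


# A "node" is a callable taking the tree's shared state and the registry and returning
# an outcome name, mirroring how a real node reads shared state and picks an edge.
def meter_node(metric: str):
    def node(shared_state: dict, registry: MetricRegistry) -> str:
        registry.mark(metric)
        return "outcome"
    return node


def browser_meter_node(prefix: str):
    """Counts logins per browser family, assuming an earlier node put 'browser' in shared state."""
    def node(shared_state: dict, registry: MetricRegistry) -> str:
        registry.mark(f"{prefix}.{shared_state.get('browser', 'unknown')}")
        return "outcome"
    return node


def timer_start_node(state_key: str, clock: Callable[[], float] = perf_clock_ms):
    """Start half of the pair: stash the clock reading in shared state for the stop node."""
    def node(shared_state: dict, registry: MetricRegistry) -> str:
        shared_state[state_key] = clock()
        return "outcome"
    return node


def timer_stop_node(state_key: str, metric: str, clock: Callable[[], float] = perf_clock_ms):
    """Stop half: publish the elapsed time. A stop with no matching start (a misconfigured
    tree, or a branch that skipped the start node) is counted rather than silently ignored."""
    def node(shared_state: dict, registry: MetricRegistry) -> str:
        started = shared_state.pop(state_key, None)
        if started is None:
            registry.mark(f"{metric}.unpaired")
            return "outcome"
        registry.record(metric, clock() - started)
        return "outcome"
    return node


def run_tree(nodes, shared_state: dict, registry: MetricRegistry) -> dict:
    """Run a linear tree; the real engine would follow each node's outcome edge instead."""
    for node in nodes:
        node(shared_state, registry)
    return shared_state


def sla_breached(registry: MetricRegistry, metric: str, threshold_ms: float, pct: float = 95.0) -> bool:
    p = registry.percentile(metric, pct)
    return p is not None and p > threshold_ms


class FakeClock:
    """Deterministic clock for the offline sample; the callout node advances it."""
    def __init__(self) -> None:
        self.now_ms = 0.0

    def __call__(self) -> float:
        return self.now_ms


def third_party_callout_node(clock: FakeClock, latency_ms: float):
    """Stands in for an external threat-intel or risk call; it only consumes simulated time."""
    def node(shared_state: dict, registry: MetricRegistry) -> str:
        clock.now_ms += latency_ms
        return "true"
    return node


def simulate_logins(logins) -> MetricRegistry:
    """logins: iterable of (browser_family, callout_latency_ms); constructed sample input."""
    registry, clock = MetricRegistry(), FakeClock()
    for browser, latency in logins:
        tree = [
            browser_meter_node("login.browser"),
            timer_start_node("ti.start", clock),
            third_party_callout_node(clock, latency),
            timer_stop_node("ti.start", "login.threatintel.ms", clock),
            meter_node("login.success"),
        ]
        run_tree(tree, {"browser": browser}, registry)
    return registry


if __name__ == "__main__":
    reg = simulate_logins([("Chrome", 120), ("Chrome", 260), ("Firefox", 1400)])
    print(dict(reg.meters), reg.percentile("login.threatintel.ms", 95),
          sla_breached(reg, "login.threatintel.ms", 1000))
```

Carrying the start timestamp through shared state is what lets the two halves of the pair live anywhere in the tree; counting unpaired stops separately makes a broken tree layout visible in the same dashboard as the latency it was meant to measure.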
From a security perspective it is quite common to pair a trusted user with their login device. But what about verifying whether that device itself is running an expected browser or operating system? The OSCollectorNode and its sister node, the BrowserCollectorNode, analyse the incoming client request (principally the User-Agent header). This can be taken right down to version level, to drive redirects, blocking, or a more personalised experience. If a service provider knows you are logging in from a mobile device on 4G at 8am, it can reasonably infer you are commuting and serve different content. The collected information can simply be added to session properties and delivered to downstream protected applications. Bear in mind that everything derived from the User-Agent is supplied by the client and trivially spoofed, so use it for routing and personalisation rather than as a security control in its own right.
|OS and Browser Analysis During Login|
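The following is an added example, not code from the post or from the ForgeRock collector nodes, showing the kind of analysis those nodes perform: it parses the User-Agent header into browser and OS family and version, applies a minimum-version policy to pick a tree outcome, and flattens the result into string-valued session properties for downstream applications. The pattern list, the outcome names, the property names and the sample User-Agent strings are constructed for this illustration; the policy of routing unrecognised clients to their own outcome is a design choice of the example, not something the post prescribes.

```python
import re
from typing import Dict, Optional, Tuple

# Ordered patterns. Order matters because UA strings impersonate each other:
# Edge contains "Chrome" and "Safari", Chrome contains "Safari", iOS contains "like Mac OS X".
BROWSER_PATTERNS = [
    ("Edge", re.compile(r"Edge/([\d.]+)")),
    ("Internet Explorer", re.compile(r"Trident/[\d.]+.*?rv:([\d.]+)")),
    ("Firefox", re.compile(r"Firefox/([\d.]+)")),
    ("Chrome", re.compile(r"Chrome/([\d.]+)")),
    ("Safari", re.compile(r"Version/([\d.]+).*Safari/")),
]
OS_PATTERNS = [
    ("iOS", re.compile(r"(?:iPhone|iPad|iPod).*?OS ([\d_]+)")),
    ("Android", re.compile(r"Android ([\d.]+)")),
    ("Windows", re.compile(r"Windows NT ([\d.]+)")),
    ("macOS", re.compile(r"Mac OS X ([\d_.]+)")),
    ("Linux", re.compile(r"Linux")),  # no version group
]
MOBILE_HINT = re.compile(r"Mobile|Android|iPhone|iPad")


def _first_match(patterns, user_agent: str) -> Tuple[str, str]:
    """Return (family, version) for the first pattern that matches, or ('Unknown', '')."""
    for family, pattern in patterns:
        m = pattern.search(user_agent)
        if m:
            version = m.group(1).replace("_", ".") if m.groups() else ""
            return family, version
    return "Unknown", ""


def major(version: str) -> Optional[int]:
    """Leading numeric component of a dotted version, or None if absent."""
    try:
        return int(version.split(".")[0])
    except ValueError:
        return None


def collect_client_profile(user_agent: str) -> dict:
    """What an OS/browser collector derives from the request. Every field here is
    client-supplied and spoofable: treat it as a UX and routing signal, not as proof."""
    browser, browser_version = _first_match(BROWSER_PATTERNS, user_agent)
    os_name, os_version = _first_match(OS_PATTERNS, user_agent)
    return {
        "browser": browser,
        "browser_version": browser_version,
        "browser_major": major(browser_version),
        "os": os_name,
        "os_version": os_version,
        "mobile": bool(MOBILE_HINT.search(user_agent)),
    }


def route_outcome(profile: dict, min_major: Dict[str, int]) -> str:
    """Pick a tree outcome: block below a minimum major version, otherwise branch on form factor.
    Unrecognised clients (scripts, tools) get their own outcome so the tree can treat them strictly."""
    if profile["browser"] == "Unknown":
        return "unknown"
    required = min_major.get(profile["browser"])
    if required is not None and (profile["browser_major"] is None or profile["browser_major"] < required):
        return "block"
    return "mobile" if profile["mobile"] else "desktop"


def session_properties(profile: dict) -> Dict[str, str]:
    """Flatten the profile for downstream apps; session properties are string-valued."""
    return {
        "client.browser": profile["browser"],
        "client.browserVersion": profile["browser_version"],
        "client.os": profile["os"],
        "client.osVersion": profile["os_version"],
        "client.mobile": "true" if profile["mobile"] else "false",
    }


# Constructed sample User-Agent strings in the shapes these browsers send.
SAMPLE_USER_AGENTS = {
    "chrome_win": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36",
    "safari_iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1",
    "firefox_linux": "Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0",
    "ie11_win7": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
    "edge_win": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134",
    "chrome_android": "Mozilla/5.0 (Linux; Android 8.0.0; Pixel 2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.91 Mobile Safari/537.36",
    "curl": "curl/7.58.0",
}
POLICY = {"Internet Explorer": 12, "Chrome": 60}  # example minimum major versions

if __name__ == "__main__":
    for name, ua in SAMPLE_USER_AGENTS.items():
        profile = collect_client_profile(ua)
        print(name, route_outcome(profile, POLICY), session_properties(profile))
```

The policy table and the outcome set are where a real deployment would express its own rules; the parser deliberately returns "Unknown" rather than guessing, so a client that does not look like any browser can be sent down a stricter branch instead of being silently treated as a desktop.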