
Akamai Cloud Security Summit_London_June 2018


Zoe Latchford

June 20, 2018


Transcript

  1. Opening Remarks / Welcome
    Ash Kulkarni, Sr. VP and GM, Web Security and Performance, Akamai Technologies
  2. THIS CALLS FOR A COMPLETE RETHINK OF HOW YOU ENGAGE YOUR CUSTOMERS
    The digital economy is transforming faster than ever, creating a world where everything is connected.
    © 2018 AKAMAI | FASTER FORWARD TM
  3. AKAMAI’S CLOUD DELIVERY PLATFORM: How to deliver on such enormous expectations
    • 100 percent uptime SLA
    • Resilient, predictable performance
    • Intelligent routing and acceleration
    • Layered, cloud-based security
    • Experience integrity
  4. THE AKAMAI INTELLIGENT PLATFORM
    • MEDIA DELIVERY: High bitrate streaming, adaptive media delivery, and fast downloads for flawless multi-channel digital experiences at scale.
    • CLOUD SECURITY: Layered protection against advanced threats, DDoS, malware, phishing, and data exfiltration, with bot management.
    • EXPERTISE: 1,900+ experts ready to support you with strategic expertise, 24/7 proactive monitoring and responsive troubleshooting.
    • WEB PERFORMANCE: Adaptive acceleration, powerful policies, and extensibility to create dynamic, engaging digital applications.
  5. SECURE ACCESS IN A ZERO TRUST ERA: Why cloud and mobile require transformation
    [Diagram: perimeter model with App #1, App #2 and App #3 inside ("Inside = trusted") versus Zero Trust ("There is no inside...")]
  6. CLOUD SECURITY: Harness the power of the cloud without losing control
    Adaptive threat protection that doesn’t compromise security, sacrifice performance, or risk eroding customer trust.
  7. ADAPTIVE THREAT PROTECTION: Through layered security solutions
    • Fast DNS: >20 clouds for perf & scale, drops attack traffic at the edge
    • Kona: Application & API protections with auto-mitigation + management
    • Prolexic: /24 protection with managed SOCs
    Attacks referenced: Mirai, 620 Gbps botnet attack in September 2016; Memcached, 1.3 Tbps DDoS attack in February 2018; WireX, >127,000 participating IP addresses
  8. LEADER IN SECURITY INNOVATION: Protection from growing online threats
    Partner with experience
    – Stopping the largest attacks since 1998
    – Continued innovation to stay ahead of customer needs
    – Leveraging product, intelligence, and people
    [Timeline 1999–2017: Akamai founded; first cloud WAF; Managed WAF; Kona Site Defender; Site Shield; Prolexic; Client Reputation; CSI; KRS; Bot Manager; Enterprise Application Access; Enterprise Threat Protector; Bot Manager Premier; attack milestones of 80 Gbps, 320 Gbps, 620 Gbps and 1.3 Tbps DDoS]
  9. CLOUD SECURITY SOLUTIONS: Adaptive threat protection as a service
    Categories: Bot Management, Application Security, DDoS Mitigation, API Management, Enterprise Access
    • Web App Protector: Automated, blanket protection for web applications
    • Kona Site Defender: Customizable, advanced app and API protection, managed option
    • Fast DNS: Scalable authoritative DNS service with DDoS protection
    • Prolexic Routed: Managed protection against the largest DDoS attacks
    • Bot Manager Std: Manage automated visitor traffic to protect revenue
    • Bot Manager Premier: Machine learning to protect against credential abuse & account takeover
    • API Gateway: Manage access, authentication and rate controls for APIs
    • Client Reputation: Machine learning service to adaptively manage traffic
    • Enterprise Access: Simple, unified & secure enterprise application access
    • Ent Threat Protector: Malware protection using recursive DNS & Cloud Security Intelligence
  10. WHAT DO YOU WANT TO PROTECT? Security starts with your business
    • Your customers: Securing PII, account balances, transaction details, and more to preserve customer trust
    • DNS services: Ensure your DNS stays available, trustworthy, and fast, so users can find you
    • Web applications: Stop large and sophisticated denial of service attacks, web application attacks, and bot attacks
    • Your employees: Stop damaging breaches perpetrated through malware, ransomware, and phishing attacks
    • APIs: Extend application security to API endpoints that expand your attack surface in new ways
    • Enterprise applications and data: Provide secure access to enterprise applications while protecting against advanced threats
    • Data centers: Protect IT assets within your data centers from denial of service attacks and malware
  11. Changing Threat Landscape, Including a 1.3 Tbps Record-Setting DDoS Attack
    Jay Coley, Senior Director, Security Planning and Strategy, Akamai Technologies
  12. Intelligent Platform + Routed Platform
    Built to deliver a fast, reliable & secure online experience:
    • To end-users around the world
    • To intelligently protect your online investments
    Platform stats:
    • 240,000+ Servers
    • 2,800+ Locations
    • 1,600+ Networks
    • 130+ Countries
    • Within 1 hop of 95% of Internet end-users
    • + 7 Global Scrubbing Centers
    • Five SOC Locations 7x24x365
  13. (image-only slide)
  14. DOUBLING IN ATTACK SIZES: Largest DDoS attack mitigated by Akamai per quarter (Gbps)
    2013: Q1 130, Q2 185, Q3 111, Q4 179
    2014: Q1 240, Q2 119, Q3 321, Q4 158
    2015: Q1 171, Q2 249, Q3 149, Q4 309
    2016: Q1 289, Q2 363, Q3 623, Q4 517
    2017: Q1 120, Q2 78, Q3 109, Q4 56
    2018: Q1 1,252
  15. 500K AMPLIFICATION: Memcached UDP reflection (210 byte request, 100 MB response)
    Memcached UDP reflection: an attacker queries an unsecured memcached server using a spoofed IP address to trigger a flood of UDP packets against its target. With a 210 byte request capable of triggering a 100 MB response, this attack vector has the potential for over 500,000x amplification. The Shadowserver Foundation has identified over 50,000 memcached servers operating on the public Internet.
    Memcached servers by country (Country: Total): China 20,327; United States 17,320; France 3,283; Hong Kong 3,005; Russia 1,758; Japan 1,652; Germany 1,567; Canada 1,532; Vietnam 1,346; UK 1,112; Singapore 1,063; Netherlands 1,054; Turkey 1,044; Indonesia 748; Brazil 679; Poland 543; India 522; Ukraine 504; Romania 458; Lithuania 451
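Added example, not from the deck: the reflection pattern described above (answers arriving *from* UDP port 11211 at hosts that never asked) turned into a small flow-level detector, using the slide's 210-byte/100 MB figures and constructed flow records on RFC 5737 documentation addresses. With 100 MB taken as 100 MiB the computed ratio lands just under the 500,000x the slide quotes.

```python
from collections import defaultdict

# Page figures: a 210-byte request can trigger a 100 MB response from an open server.
REQUEST_BYTES = 210
RESPONSE_BYTES = 100 * 1024 * 1024
MEMCACHED_PORT = 11211


def amplification_factor(request_bytes=REQUEST_BYTES, response_bytes=RESPONSE_BYTES):
    """Bytes delivered to the victim per byte the attacker has to send."""
    return response_bytes / request_bytes


# Constructed flow records (not real traffic):
# (second, proto, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    # five open memcached servers answering toward one spoofed "requester"
    (0, "udp", "198.51.100.1", 11211, "203.0.113.10", 40001, 80_000_000),
    (0, "udp", "198.51.100.2", 11211, "203.0.113.10", 40001, 80_000_000),
    (1, "udp", "198.51.100.3", 11211, "203.0.113.10", 40001, 80_000_000),
    (1, "udp", "198.51.100.4", 11211, "203.0.113.10", 40001, 80_000_000),
    (1, "udp", "198.51.100.5", 11211, "203.0.113.10", 40001, 80_000_000),
    # benign: an internal client getting a small reply from its own cache
    (0, "udp", "10.0.0.5", 11211, "203.0.113.20", 50000, 1_200),
    # benign: memcached over TCP cannot be reflected with a spoofed source
    (0, "tcp", "10.0.0.5", 11211, "203.0.113.20", 50001, 900_000),
]


def reflection_targets(flows, min_reflectors=3, min_mbps=500):
    """Report destinations receiving UDP traffic *from* port 11211 at volume.

    Normal clients send to 11211; a host that is answered by many distinct
    servers it never queried, at hundreds of Mbps, is the victim of reflection.
    Returns {victim_ip: {"reflectors": n, "mbps": rate}} for hits above both thresholds.
    """
    per_dst = defaultdict(lambda: {"srcs": set(), "bytes": 0, "secs": set()})
    for sec, proto, src, sport, dst, _dport, nbytes in flows:
        if proto != "udp" or sport != MEMCACHED_PORT:
            continue
        agg = per_dst[dst]
        agg["srcs"].add(src)
        agg["bytes"] += nbytes
        agg["secs"].add(sec)
    hits = {}
    for dst, agg in per_dst.items():
        window = max(agg["secs"]) - min(agg["secs"]) + 1  # seconds covered by the flows
        mbps = agg["bytes"] * 8 / window / 1_000_000
        if len(agg["srcs"]) >= min_reflectors and mbps >= min_mbps:
            hits[dst] = {"reflectors": len(agg["srcs"]), "mbps": round(mbps, 1)}
    return hits


if __name__ == "__main__":
    print(f"amplification ~{amplification_factor():,.0f}x")
    for victim, info in reflection_targets(FLOWS).items():
        print(f"{victim}: {info['reflectors']} reflectors, {info['mbps']} Mbps")
```

The same aggregation run over real flow exports also yields the list of answering source addresses, which is the inventory of exposed servers worth notifying.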
  16. FIRST TWO WEEKS: A new attack vector observed
    Memcached DDoS timeline: despite the enabling CVEs being disclosed in 2017, the first DDoS attack attributed to memcached UDP reflection was observed on February 26, 2018. Within the first two weeks, this attack vector was responsible for 20 attacks against Akamai customers, including a 1.3 Tbps attack against GitHub.
    [Chart, Feb 26 to Mar 11, peak size of each of the 20 attacks as plotted: 38.61 Gbps, 8.98 Gbps, 3.53 Gbps, 191.6 Gbps, 13.89 Gbps, 5.63 Gbps, 18.34 Gbps, 1.25 Tbps, 0.82 Gbps, 229.4 Gbps, 5.98 Tbps, 1.11 Gbps, 3.44 Gbps, 160.0 Gbps, 4.2 Gbps, 2.34 Gbps, 44.61 Gbps, 6.03 Gbps, 6.71 Gbps, 1.72 Gbps]
  17. WHAT IT LOOKS LIKE: Largest DDoS attack ever
    February 28 (attack traffic):
    • UDP flood on port 11211
    • 1.3 Tbps peak bandwidth
    • 330 Gbps second peak, 15-30 Gbps for 1+ hour
    March 1 (attack traffic):
    • UDP flood on port 11211
    • 188 Gbps peak bandwidth
  18. WHAT IT LOOKS LIKE: Breakdown by scrubbing center
    Scrubbing center   Gbps   Mpps
    Ashburn            299    29
    Frankfurt          457    42
    Hong Kong          89     8
    London             231    22
    San Jose           212    19
    Tokyo              77     7
  19. (image-only slide)
  20. WHY 100% CLOUD? A customer example
    Phase 1: CLDAP reflection, DNS flood, NTP flood, SNMP flood, SQL server reflection, UDP flood, UDP fragment; 7.45 Gbps peak bandwidth; two IP addresses
    Phase 2: DNS flood, SYN flood, UDP fragment; 14.79 Gbps peak bandwidth; new IP address, original /24
    Phase 3: DNS flood, NTP flood, SNMP flood, UDP fragment; 32.4 Gbps peak bandwidth; new IP address, new /24
    Phase 4: DNS flood, UDP fragment; 18.5 Gbps peak bandwidth; 8 new IP addresses, 8 new /24s
    Phase 5: DNS flood, SNMP flood, SYN flood, UDP fragment; 32.3 Gbps peak bandwidth; 255 new IP addresses, 1 new /24
    Phase 6: DNS flood, SYN flood, UDP fragment; 18.05 Gbps peak bandwidth; 7 IP addresses (5 new), 6 /24s (5 new)
    Phase 7: DNS flood, RPC flood, UDP fragment; 18.05 Gbps peak bandwidth; 10 IP addresses (5 new), 2 /24s (1 new)
    Phase 8: DNS flood, UDP fragment; 2.83 Gbps peak bandwidth; 2 IP addresses (2 new), 2 /24s
  21. STOPPING MORE ATTACKS: Why Akamai for DDoS (DDoS attacks mitigated per quarter)
    2013: Q1 386, Q2 479, Q3 459, Q4 448
    2014: Q1 506, Q2 522, Q3 524, Q4 866
    2015: Q1 1,160, Q2 1,243, Q3 1,510, Q4 2,007
    2016: Q1 2,525, Q2 2,922, Q3 2,680, Q4 2,244
    2017: Q1 1,851, Q2 2,356, Q3 2,535, Q4 2,348
  22. INSTANTANEOUS DDOS MITIGATION: Why Akamai for DDoS
    Total mitigated per quarter, 2013 Q1 to 2017 Q4: the same series as slide 21
    Pre-mitigated, 2017: Q1 1,162, Q2 1,421, Q3 1,639, Q4 1,423
  23. DDoS Attacks Per Target, Q1-Q4 2017
    Number of DDoS attacks faced by top target organization in Q4: 512
  24. PLATFORM EXPANSION: 2018: Greater Resiliency and In-Region Scrubbing
    18 scrubbing centers / 8+ Tbps capacity
    [Map, 2017 vs 2018 scrubbing centers: San Jose, Los Angeles, Miami, Ashburn, New York, Chicago, Hong Kong, Sydney, Dallas, Stockholm, Amsterdam, London, Frankfurt, Paris, Vienna, Singapore, Osaka, Tokyo]
  25. DDoS Attack Frequency by Industry, Q3 & Q4 2017 (chart)
  26. Web Attacks
    than 5 million. Mexico and Argentina held the 4th and 5th positions in the Americas, with attack counts in the hundreds of thousands, as opposed to the millions seen in the top three. China, India, and Japan maintained their rankings this quarter as the top three attack source countries in the Asia Pacific region. In first place regionally and third place globally, China had more than 28 million alerts recorded in Q4, up from 22 million in Q3. Meanwhile, Australia moved into the top five, supplanting South Korea with 2.5 million attacks recorded. The United States remained firmly in first place as the top target country for web application attacks, with more than 238 million attack triggers recorded in Q4, down from 323 million in Q3. Although the United States continued to be the largest target country by far, its 29% quarter-over-quarter drop in recorded attacks outpaced the global 9% drop in attacks. Meanwhile, Brazil remained in second place as
    Source Countries for Web Application Attacks — Worldwide, Q4 2017 (Figure 3-2: The United States tops the list for source countries for web application attacks in Q4 2017)
    Country          Attacks Sourced   Percentage
    United States    128,013,378       32.0%
    Netherlands      47,433,432        11.9%
    China            28,171,775        7.1%
    Brazil           22,945,844        5.7%
    Russia           18,370,802        4.6%
    Ukraine          17,182,960        4.3%
    India            16,489,773        4.1%
    Germany          13,046,096        3.3%
    United Kingdom   12,790,735        3.2%
    Canada           12,634,269        3.2%
    Web Application Attack Source Countries — EMEA, Q4 2017 (Figure 3-3: The Netherlands claimed the top spot for source countries in EMEA)
    Country          Attacks Sourced   Global Rank
    Netherlands      47,433,432        2
    Russia           18,370,802        5
    Ukraine          17,192,960        6
    Germany          13,046,096        8
    United Kingdom   12,790,735        9
  27. Top 10 Target Countries for Web Application Attacks, Q4 2017 (chart)
  28. (image-only slide)
  29. Threats vs Akamai Solutions
    Traffic and threats shown (toward the website and the origin):
    • Genuine user request
    • Any non-HTTP/S attacks directed at the website
    • HTTP/S DDoS attacks directed at the website
    • HTTP/S hacking attacks directed at the website
    • HTTP/S hacking attacks directed at the origin IP
    • Small scale DDoS attacks directed at the origin IP
    • Large scale DDoS attacks directed at the origin IP
    • DNS attacks against DNS infrastructure
    • Credential abuse, account takeover and human behavior
    • Botnets: detection, control and mitigation in real time of knowns and unknowns
    Solutions shown: Kona Site Defender - Site Shield, Prolexic Routed & Connect, Fast DNS, Bot Manager, Bot Manager Premier, Origin
  30. WHAT DO YOU WANT TO PROTECT? Security starts with your business (same content as slide 10)
  31. The Dark Side of Web APIs
    Tony Lauro | Manager, Enterprise Security Architecture
    Oh man, why did I give Tony these slides?!
  32. • Why Focus on Web APIs?
    • Denial of Service
    • Application Layer Attacks
    • Credential Abuse
    • API Threats & Observations from Protecting Billions of Requests per Day
  33. APIs are Pervasive… Let’s Look at a Single Day’s API Activity
    • 144.7B total HTTP requests
    • 36.6B API calls accelerated to origin
    • 65% mobile APIs; 35% AJAX, Web, Other
  34. REQUEST CONTENT-TYPE: Standard Web vs API Calls
    [Chart over JSON, Form-Data, XML, Plain Text, Binary, Other; the two series as plotted: 51%, 36%, 11%, 0%, 0%, 2% and 25%, 56%, 10%, 4%, 2%, 3%]
  35. Why Focus on Web APIs?
    • Web APIs are pervasive, and growing: already greater than 25% of all HTTP requests
    • Web APIs are critical to delivering the rich, relevant, personalized experiences across websites, single page apps, mobile apps, progressive web apps. Which makes them a great asset to attack!
    • Your Web APIs are the front door to your data… Which makes them a great asset to attack!
  36. APPLICATION LAYER API ATTACKS
    SQL Injection 76%; Local File Include 13%; Code Injection 6%; Command Injection 3%; XSS 2%; Remote File Include 0.01%
  37. PUT http://pdg03-www.scoe-sil.net/api/user/3
    Authorization: Token ce0d69e2f759c6705dd763c8f0c8be14554d7e18
    User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.2.2; AndyOSX Build/JDQ39E)
    Content-Length: 415
    Content-Type: application/json; charset=UTF-8

    {
      "active": 1,
      "created_on": "2017-01-13 13:47:23",
      "credit_card": null,
      "credit_card_cvv": null,
      "credit_card_expires": null,
      "email": "[email protected]",
      "first_name": "John",
      "id": 3,
      "last_login": "2017-01-13 14:04:24",
      "last_name": "Doe",
      "oauth_provider": null,
      "oauth_uid": null,
      "password": null,
      "photo": null,
      "recover_passw": null,
      "rest_token": null,
      "user_phone": "6175551212",
      "username": "aedge"
    }
  38. PUT http://pdg03-www.scoe-sil.net/api/user/3
    Authorization: Token ce0d69e2f759c6705dd763c8f0c8be14554d7e18
    User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.2.2; AndyOSX Build/JDQ39E)
    Content-Length: 678
    Content-Type: application/json; charset=UTF-8

    {
      "active": 1,
      "created_on": "2017-01-13 13:47:23",
      "credit_card": null,
      "credit_card_cvv": null,
      "credit_card_expires": null,
      "email": "[email protected]",
      "first_name": "Akamai",
      "id": 3,
      "last_login": "2017-01-13 14:04:24",
      "last_name": "Edgey",
      "oauth_provider": null,
      "oauth_uid": null,
      "password": null,
      "photo": null,
      "recover_passw": null,
      "rest_token": null,
      "user_phone": "1231231234', `first_name` = (SELECT `full_name` FROM `tbl_customer_address` WHERE `id` = 7), `last_name` = (SELECT `address_line_1` FROM `tbl_customer_address` WHERE `id` = 7), `user_phone` = (SELECT `zip` FROM `tbl_customer_address` WHERE `id` = 7), `email` = 'success",
      "username": "aedge"
    }
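Added example, not the deck's or the target application's code: what slide 38's user_phone value does when an API builds its UPDATE by splicing JSON values into SQL text, beside the parameterized form that stores the same value as nothing more than an odd phone number. The schema, the user row and the address record with id 7 are constructed; SQLite stands in for the backend because, like MySQL, it keeps the rightmost assignment when a column appears twice in a SET list.

```python
import sqlite3

# Fields the API copies from the JSON body into tbl_user (constructed schema).
# The field names are fixed server-side; only the values come from the client.
FIELDS = ("email", "first_name", "last_name", "user_phone")

# The user_phone value from the slide's second request, verbatim.
INJECTED_PHONE = (
    "1231231234', `first_name` = (SELECT `full_name` FROM `tbl_customer_address` WHERE `id` = 7), "
    "`last_name` = (SELECT `address_line_1` FROM `tbl_customer_address` WHERE `id` = 7), "
    "`user_phone` = (SELECT `zip` FROM `tbl_customer_address` WHERE `id` = 7), "
    "`email` = 'success"
)


def make_db():
    """In-memory database with one user and one *other* customer's address (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tbl_user (id INTEGER PRIMARY KEY, email TEXT, first_name TEXT,
                               last_name TEXT, user_phone TEXT, username TEXT);
        CREATE TABLE tbl_customer_address (id INTEGER PRIMARY KEY, full_name TEXT,
                               address_line_1 TEXT, zip TEXT);
        INSERT INTO tbl_user VALUES (3, 'john@example.com', 'John', 'Doe', '6175551212', 'aedge');
        -- a different customer; the user row for id 3 must never expose this record
        INSERT INTO tbl_customer_address VALUES (7, 'Jane Roe', '1 Main St', '02142');
    """)
    return conn


def vulnerable_update(conn, user_id, body):
    """Builds the UPDATE by string concatenation.

    The single quote inside user_phone closes the literal, the rest of the value becomes
    SQL, and because the column names are set a second time the subqueries win: the
    attacker's own profile is overwritten with another customer's address data.
    """
    assignments = ", ".join("%s = '%s'" % (f, body[f]) for f in FIELDS)
    sql = "UPDATE tbl_user SET %s WHERE id = %d" % (assignments, user_id)
    conn.execute(sql)
    conn.commit()


def safe_update(conn, user_id, body):
    """Parameterized UPDATE: values travel separately from the SQL text, so the same
    payload is stored as a literal string and executes nothing."""
    sql = "UPDATE tbl_user SET " + ", ".join(f"{f} = ?" for f in FIELDS) + " WHERE id = ?"
    conn.execute(sql, tuple(body[f] for f in FIELDS) + (user_id,))
    conn.commit()


def get_user(conn, user_id):
    row = conn.execute(
        "SELECT email, first_name, last_name, user_phone FROM tbl_user WHERE id = ?",
        (user_id,),
    ).fetchone()
    return dict(zip(FIELDS, row))


def demo():
    """Apply the slide's request body to both implementations; returns (vulnerable, safe) rows."""
    body = {"email": "john@example.com", "first_name": "Akamai",
            "last_name": "Edgey", "user_phone": INJECTED_PHONE}
    vuln, safe = make_db(), make_db()
    vulnerable_update(vuln, 3, body)
    safe_update(safe, 3, body)
    return get_user(vuln, 3), get_user(safe, 3)


if __name__ == "__main__":
    vulnerable_row, safe_row = demo()
    print("concatenated SQL :", vulnerable_row)   # address of customer 7 leaks into user 3
    print("parameterized SQL:", safe_row)         # payload stored as plain text
```

A WAF rule that flags quote-and-subselect patterns in JSON string values gives detection, but only the parameterized form removes the bug.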
  39. Single Day’s Login Activity
    • 413.4M login requests; 27.9M unique IP addresses; 48.7K Internet hosts
    • 42% only API calls (JSON, XML, SOAP); 55% only forms login; 3% use both
    • 78% mobile logins; 22% browsers, IoT
  40. PEOPLE USE THE SAME PASSWORD EVERYWHERE
    FACT: The average user uses over 50 different services requiring a password
    FACT: People have limited memory (and they are often lazy)
    [Illustration: Password, Another password, ONE MORE PASSWORD, YET ANOTHER PASSWORD]
  41. It only takes one site to leak... Many large scale breaches of highly trusted services
  42. CAMPAIGN ANALYSIS: Average campaign size (by number of accounts)
    Standard Web: 1,000,000; APIs: 4,000,000
    ATTACKERS ATTEMPT x4 MORE STOLEN ACCOUNTS THROUGH API LOGINS!
  43. • Why Focus on Web APIs?
    • Denial of Service
    • Application Layer Attacks
    • Credential Abuse
    • API Threats & Observations from Protecting Billions of Requests per Day
    • Foundational to modern web architectures and experiences
    • High value targets for attacks
  44–57. Let’s talk credential stuffing (animated walk-through; these slides carry a 2016 Akamai footer and the template text "Grow revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile devices and data collection.")
    A user, Xavier, signs in to site CS, site ABC, site AFF and the My-Carrier mobile money app ("Hello! Sign in to access your money.") with the same password, "Let’s talk credential stuffing".
    Mobile app view: Xavier D (@Xavier_D), member since yesterday, account balance $6,500.00. Activity feed once the reused password has been stuffed into the money app:
    • Xavier D paid YouGotPwned for 10QSucka: $-1,999.00
    • Xavier D paid Need Mulaah for alcohol and drugs: $-1,500.00
    • Xavier D paid AdultFriendFinder for XoXoXo: $-1,000.00
    • Xavier D paid Joe Smith for the lulz: $-1,999.00
    Summary: Xavier D paid YouGotPwned, Need Mulaah, AdultFriendFinder, and Joe Smith, $-6,498.00; account balance: $2.00. WTF?
  58. HOW IT HAPPENS: Credential stuffing in the bot kill chain
    Stages: Reconnaissance, Weaponization, Delivery, Exploitation, Action
    OBJECTIVES
    • Identify target website with high account value
    • Purchase list of stolen credentials on dark web
    • Build or rent a botnet to automate validation
    • Build or buy software tools to evade detection
    • Validate list of stolen credentials against login page of target website
    • Resell validated account credentials on dark web
    • Purchase compromised account for target site
    • Use purchased account credentials to login
    • Perform fraudulent transactions using compromised account
    SOLUTIONS
    • Bot management. Pros: good vs. automation. Cons: not good vs. humans
    • Fraud prevention. Pros: knows individual users. Cons: high cost, account already compromised
  59. (image-only slide)
  60. (image-only slide)
  61. BUSINESS IMPACT: Understanding the cost of credential stuffing (Ponemon, The Cost of Credential Stuffing, Oct 2017)
    Money lost to fraud per compromised account: Less than $100 25%; $100 to $500 29%; $501 to $1,000 22%; $1,001 to $5,000 14%; More than $5,000 10%
    Number of accounts targeted per attack: 1 to 100 19%; 101 to 500 35%; 501 to 1,000 28%; 1,001 to 5,000 11%; More than 5,000 7%
    Number of credential stuffing attacks per month: None 0%; 1 to 5 41%; 6 to 10 38%; 11 to 20 12%; More than 21 9%
  62. INDUSTRY BREAKDOWN: A 1-week view into Akamai customers
    Industry                     IPs Participating   Login Requests   % of Total Requests
    Gaming                       7,712,894           1,358,045,044    61.30%
    Hotels & Resorts             122,026             232,309,946      10.49%
    Cards & Payments             477,507             148,304,255      6.69%
    Department Stores            326,151             104,748,065      4.73%
    Commerce Portal              66,321              60,199,822       2.72%
    Banking                      349,474             55,356,808       2.50%
    Airline                      86,346              41,004,594       1.85%
    Cosmetics                    82,808              38,197,524       1.72%
    Consumer Software (B2C)      224,707             28,202,339       1.27%
    Social Media                 127,396             26,557,605       1.20%
    Enterprise Software (B2B)    21,290              25,383,158       1.15%
    Consumer Electronics         50,984              25,264,381       1.14%
    Apparel & Footwear           66,414              19,692,260       0.89%
    Online Travel Agents         102,555             8,935,366        0.40%
    Federal                      3,403               7,454,257        0.34%
  63. ATTACK CHARACTERISTICS: What an attack looks like
    • Majority of IPs performing credential stuffing make less than 1 request per minute
    • Average is 28 requests per hour
    • Maximum request rate observed from a single IP during the sampled period: 625,000 requests per hour (173 login requests per second)
    Rate controls are only effective against the rare bots that fall outside typical human request rate thresholds
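Added example, not from the deck: the rate-control gap described above (and the "multiple IPs, low request rate" stage on slide 69) reproduced over a constructed login log, comparing a per-IP rate control with an aggregate signal that looks for many IPs each cycling through usernames without a single success. Addresses, usernames and thresholds are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def make_log():
    """Constructed login log: one fast bot, a 40-IP low-and-slow campaign, one real user."""
    t0 = datetime(2018, 6, 20, 10, 0, 0)
    lines = []
    # fast bot: 300 failures inside one minute (the slide's extreme case was 173/s)
    for i in range(300):
        ts = t0 + timedelta(seconds=i / 5)
        lines.append(f"{ts.isoformat()} ip=198.51.100.9 user=u{i} result=fail")
    # low-and-slow botnet: 40 IPs, one attempt every 5 minutes, a fresh username each time
    for n in range(40):
        for k in range(4):
            ts = t0 + timedelta(minutes=5 * k, seconds=n)
            lines.append(f"{ts.isoformat()} ip=198.51.100.{100 + n} user=v{n}_{k} result=fail")
    # a real user who mistypes twice and then gets in
    for k, res in enumerate(("fail", "fail", "ok")):
        ts = t0 + timedelta(minutes=1, seconds=10 * k)
        lines.append(f"{ts.isoformat()} ip=203.0.113.5 user=alice result={res}")
    return lines


def parse(lines):
    """Turn 'timestamp ip=.. user=.. result=..' lines into (ts, ip, user, success) tuples."""
    events = []
    for line in lines:
        ts, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        events.append((datetime.fromisoformat(ts), fields["ip"], fields["user"],
                       fields["result"] == "ok"))
    return events


def rate_control(events, max_per_minute=60):
    """Classic rate control: IPs exceeding max_per_minute in any one-minute bucket.
    Catches the fast bot only; every botnet member stays far below the line."""
    buckets = defaultdict(int)
    for ts, ip, _user, _ok in events:
        buckets[(ip, ts.replace(second=0, microsecond=0))] += 1
    return {ip for (ip, _minute), n in buckets.items() if n > max_per_minute}


def low_and_slow(events, window=timedelta(minutes=20), min_users=3, min_ips=10):
    """Campaign signal: within the window, IPs that tried several distinct usernames and
    never succeeded. One such IP may be a forgetful human, so the set is reported only
    when at least min_ips share the profile at once, which is what a distributed
    stuffing run looks like even though each member sends well under one request a minute."""
    start = min(ts for ts, *_rest in events)
    users, succeeded = defaultdict(set), defaultdict(bool)
    for ts, ip, user, ok in events:
        if ts - start < window:
            users[ip].add(user)
            succeeded[ip] = succeeded[ip] or ok
    suspects = {ip for ip in users if len(users[ip]) >= min_users and not succeeded[ip]}
    return suspects if len(suspects) >= min_ips else set()


if __name__ == "__main__":
    evs = parse(make_log())
    print("rate control flags :", sorted(rate_control(evs)))
    print("campaign signal IPs:", len(low_and_slow(evs)))
```

The campaign signal is deliberately coarse; in production it would feed a bot-management score alongside client-side signals rather than block on its own.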
  64. CONSEQUENCES: Wide-ranging impacts of credential stuffing
    Other 5%; Damaged brand equity from news stories or social media 17%; Lost business due to customers switching to competitors 41%; Compromised accounts leading to fraud-related financial losses 43%; Lower customer satisfaction 50%; Cost to remediate compromised accounts 63%; Application downtime from large spikes in login traffic 67%
  65. RESPONSIBILITY: Dispersed throughout the organization
    Other 5%; Compliance / audit 2%; CEO / COO 3%; Head of legal 3%; Data center / IT operations 9%; Web hosting service provider 13%; Head of risk management 16%; CISO / CSO 20%; Fraud prevention / management 21%; CIO / CTO 28%; Line of business / management 3%; No one function has overall responsibility 40%
  66. CASE STUDY: Top 10 global financial services institution
    As one of the largest financial asset management companies, this organization sees high bot traffic, including financial aggregators as well as credential stuffing and other fraud-related activities.
    Problem: 8,000 account takeovers a month across multiple login endpoints, leading to $100k per day in direct fraud-related losses
    Solution: Behavioral-based bot detections deployed in deny in front of every consumer login endpoint
    Result: Dramatic reduction in account takeovers to 1-3 per month and fraud-related losses to $1-2k per day, across all login endpoints
  67. TRANSACTIONAL ENDPOINTS: Two types of bots
    1. Scraping Bots
    2. Transactional Bots
    Scraping examples: Example 1: Price Scraping (Good or Bad); Example 2: Content Scraping (Good or Bad); Example 3: Google Web Crawler (Good)
  68. TRANSACTIONAL ENDPOINTS: Two types of bots
    1. Scraping Bots
    2. Transactional Bots
    Transactional examples: Example 1: Login Attack :: Credential Abuse (Bad); Example 2: Fake Account Signup (Bad); Example 3: Concert Ticket Grabbers (Bad)
  69. EVOLVING BOT LANDSCAPE: Bot technologies and detection (axis: Simple to Sophisticated)
    Bot technologies: Single IP; Low request rate; Multiple IPs; Rate limiting; Randomized user agent; Browser impersonation; Session replay; Full cookie support; JavaScript support; Browser fingerprint spoofing; Recorded human behavior
    Detection: IP blocking; HTTP anomaly detection; Browser fingerprinting; User behavior analysis
  70. BEHAVIOR ANOMALY: Detecting the most sophisticated bots
    • Behavioral Data: client-side data collection; user behavior signals; device + browser characteristics; limited obfuscation required
    • Analysis Engine: asynchronous server-side analysis; advanced machine learning tracks human and bot behavior across the Akamai platform; signal processing w/ hundreds of signals; limited human intervention required (i.e., no more whack-a-mole)
    • Bot Detection: human or bot with high accuracy; highly accurate, target <0.2% FP
71. HOW IT WORKS: Bot detection with Akamai (diagram: End User, Akamai JS [1], Akamai Edge, Merchant Web/Mobile Server, Customer Post [2])
72. HOW IT WORKS: Protecting mobile apps and infrastructure
1. Administrator defines mobile endpoint in Luna
2. Developer downloads and adds static lib to the project
3. App initializes SDK upon startup to start collecting sensor data
4. App calls SDK with Get Sensor Data on call to protected endpoint
5. App appends sensor data in request to header or POST body
6. Sensor data analyzed and appropriate action taken at Edge
7. Sensor data (max 8k) stripped before delivering request to origin
SDK: Obj-C API, iOS 8 and above, static framework, SDK app impact 300KB; Java API, API 15 and above (Android 4.0.4), SDK size 65KB, DEX count 512
73. SEAMLESS INTEGRATION: Simplest to deploy and maintain
No application changes: seamless injection of JavaScript code while delivering the page means no disruptive application changes required.
Transparent updates: regular updates to bot detections and JavaScript code, completely transparent to customers and end users.
Fast deployment: architecture as a layered solution on the Akamai platform enables rapid integration of protected endpoints.
Lower overall LOE: after this top global airline saw a spike in bot activity, Akamai integrated two new endpoints, tuned bot detections, and set Bot Manager to deny in <2 hours. (Chart: bot activity timeline, Apr 4 to Apr 5, with integration marked.)
74. HOW TO PRIORITIZE: Start looking at your sites now. In home security, you don't just protect the front door. Neither should you focus only on the obvious access points to your applications. Start taking an inventory of all necessary transactional endpoints you should protect and their URL category (Desktop, Mobile, API or Hybrid).
75. CONCLUSION: Summary and recommendations
• Credential stuffing attacks are at elevated levels within financial and retail services
• Monitor for increases in failed logins; credential stuffing attacks are often mistaken for DDoS
• Monitor the call center for increases in account lockouts
• Information sharing, inclusive of verticals outside FS and retail, appears to be useful
• Consider biometric detection techniques for more sophisticated attackers
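The "often mistaken for DDoS" point above is worth making concrete: a credential stuffing run and a volumetric flood both show up as a surge of failed logins, so a monitor that only counts failures cannot tell them apart. What distinguishes stuffing is that the failures are spread across many different usernames per source, because the attacker is replaying a leaked list. The following is an added example, not code from the deck; the log format, the thresholds and the three traffic samples are constructed for it.

```python
"""Added example: telling a credential-stuffing spike apart from a plain flood of
failed logins, using constructed web-server auth log lines."""
import re
from dataclasses import dataclass

# Constructed log format: "<timestamp> <client-ip> POST /login user=<name> status=<code>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /login user=(?P<user>\S+) status=(?P<status>\d{3})$"
)


@dataclass(frozen=True)
class LoginStats:
    total: int
    failures: int
    distinct_users: int
    distinct_ips: int


def parse(lines):
    """Yield (ip, user, status) for every line matching the constructed format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["user"], int(m["status"])


def summarize(lines):
    """Aggregate one monitoring window into the four counters the rule needs."""
    events = list(parse(lines))
    return LoginStats(
        total=len(events),
        failures=sum(1 for _, _, st in events if st == 401),
        distinct_users=len({u for _, u, _ in events}),
        distinct_ips=len({ip for ip, _, _ in events}),
    )


def classify(stats, min_requests=20, min_failure_ratio=0.8, min_users_per_ip=5.0):
    """Credential stuffing = high failure ratio AND many different usernames tried from
    each source. A brute force on one account, or an outage, fails just as loudly but
    touches few accounts, so it lands in the generic 'failed_login_spike' bucket."""
    if stats.total < min_requests:
        return "normal"
    if stats.failures / stats.total < min_failure_ratio:
        return "normal"
    if stats.distinct_users / stats.distinct_ips >= min_users_per_ip:
        return "credential_stuffing"
    return "failed_login_spike"


def stuffing_sample():
    """Constructed: 3 source IPs cycle through 24 distinct usernames; 22 fail, 2 succeed."""
    return [
        f"2018-06-20T10:00:{i:02d}Z 203.0.113.{i % 3 + 1} POST /login user=u{i:03d} "
        f"status={200 if i in (5, 17) else 401}"
        for i in range(24)
    ]


def brute_force_sample():
    """Constructed: 20 source IPs all hammer the single account 'admin'."""
    return [
        f"2018-06-20T11:00:{i:02d}Z 198.51.100.{i + 1} POST /login user=admin status=401"
        for i in range(20)
    ]


def normal_sample():
    """Constructed: a quiet window with one mistyped password."""
    return [
        f"2018-06-20T12:00:{i:02d}Z 192.0.2.{i + 1} POST /login user=u{i} "
        f"status={401 if i == 3 else 200}"
        for i in range(10)
    ]


if __name__ == "__main__":
    for name, sample in (("stuffing", stuffing_sample()), ("brute force", brute_force_sample()),
                         ("normal", normal_sample())):
        print(f"{name:12s} {summarize(sample)} -> {classify(summarize(sample))}")
```

The two successful logins inside the stuffing window are the part to notice: they are the account takeovers the case study counts, and a rule that waits for a clean 100% failure rate would never fire on them. The "users per source IP" ratio is the feature that survives the attacker spreading the run over proxies, which is why it belongs in the rule rather than a plain per-IP failure count.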
76. Why You Need a Zero Trust Security Model & Deep Dive into Malware, Ransomware & Data Exfiltration Trends. Andy Crail, EMEA Manager Solutions Engineering, Enterprise Solutions, Akamai Technologies
77. Zero Trust Security: What it is & why you need it. Andy Crail, [email protected], Solutions Engineering Manager, EMEA
78. There is no INSIDE
79. “As businesses monetize information and insights across a complex business ecosystem, the idea of a corporate perimeter becomes quaint - even dangerous.” Excerpt from Forrester’s Future-Proof your Digital Business with Zero Trust Security
80. Grow revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile devices and data collection. Bottom line: security perimeters belong in the past
81. What’s Zero Trust? Key principles:
• Assume a hostile environment
• Don’t distinguish between external & internal
• Never trust and only deliver applications/data to authenticated & authorized users/devices
• Always verify with logging & behavioral analytics
82. That Idea & Zero Trust Are Catching On: https://www.usenix.org/node/208152 and https://www.usenix.org/conference/enigma2018/presentation/hildebrandt
83. You Have Choices, Each With Pros & Cons: Option #1 Network Segmentation; Option #2 Software Defined Perimeters; Option #3 Identity Aware Proxies
84. Embrace Zero Trust With Akamai: One cloud platform to secure all enterprise apps and users
• Identity and app access
• Single sign-on with multi-factor authentication
• App performance & security
• Advanced threat protection
• Inline data inspection
85. Secure Access To On-Prem, IaaS & SaaS Apps: Identity & Access, SSO & MFA, App Security, App Delivery & Acceleration (diagram: AD/LDAP, on-prem, IaaS and SaaS apps; TLS, mTLS, SAML; App #1, App #2, App #3)
• Centralize security & access controls for specific apps across I/SaaS and on-prem
• Multi-factor auth for enterprise apps: supports email, SMS, TOTP or Duo
• Single sign-on for all enterprise apps across I/SaaS and on-prem
• Keep users off the corporate network
• Make your infrastructure invisible on the Internet
86. Core Enterprise App Access Use Cases: Secure access to cloud apps; VPN elimination; Secure 3rd party app access; Mergers & acquisitions
87. Who Doesn’t Want Free Airline Tickets?
88. Majority Of Advanced Threats Leverage DNS: 91.3% of known bad malware uses DNS (Source: Cisco 2016 Annual Security Report). (Chart: request timeline for malware.com; DNS lookup, Time to first byte, Initial connection, Content download; 70 ms, 60 ms, 60 ms, 140 ms.)
89. Proactive Malware Protection Using DNS (Recursive DNS, Cloud Security Intelligence, AUP Enforcement; intelligence from 2.2 trillion DNS queries a day)
• Identify and block access to malicious domains, everywhere: refuse requests to or communication with malicious domains known to host sites used to deliver malware or for phishing
• Disrupt communications from compromised devices: severs existing connections from infected devices to malicious actors’ command & control infrastructure
• Prevent DNS-based data exfiltration: stops malicious actors from using the DNS protocol to extract enterprise data
• Prevent access to inappropriate content: easily enforce an enterprise’s acceptable Internet usage policy effectively and consistently
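Three of the four capabilities on that slide (blocking known malicious domains, cutting C&C callbacks, and catching DNS-based exfiltration) can be expressed as one policy decision per query name at the recursive resolver. The following is an added example of that decision, not code from the deck or from Akamai's product: the threat list is a constructed placeholder (a real one would be loaded from intelligence feeds), the "last two labels" registered-domain rule stands in for a public suffix list, and the entropy and distinct-subdomain thresholds are illustrative numbers chosen for the example.

```python
"""Added example: a recursive-resolver policy check that (1) refuses known malicious
domains and their subdomains and (2) flags DNS tunnelling / exfiltration by the
entropy of the leftmost label and by the number of distinct subdomains seen under one
registered domain. Threat list, thresholds and query names are all constructed."""
import math
from collections import defaultdict

# Constructed placeholder threat list: domain -> category. Defanged names from a feed
# (e.g. "evil[.]example") would be refanged before loading.
THREAT_LIST = {"malware.example": "malware", "c2.example": "c2", "phish.example": "phishing"}


def shannon_entropy(label):
    """Bits per character of a DNS label; hex or base32 payloads score near 4-5 bits,
    human-chosen hostnames usually well below."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def labels_of(qname):
    return qname.rstrip(".").lower().split(".")


def registered_domain(qname):
    """Last two labels; a real deployment would consult the public suffix list."""
    return ".".join(labels_of(qname)[-2:])


def threat_category(qname):
    """Match the query name or any parent domain against the threat list, so that
    'cdn.malware.example' is refused along with 'malware.example' itself."""
    labels = labels_of(qname)
    for i in range(len(labels) - 1):
        cat = THREAT_LIST.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


class DnsPolicy:
    def __init__(self, min_label_len=32, min_entropy=3.5, max_subdomains=25):
        self.min_label_len = min_label_len
        self.min_entropy = min_entropy
        self.max_subdomains = max_subdomains
        self.seen = defaultdict(set)  # registered domain -> distinct leftmost labels

    def evaluate(self, qname):
        """Return the action the resolver should take for this query name."""
        cat = threat_category(qname)
        if cat:
            return f"block:{cat}"  # known malware / C&C / phishing domain
        labels = labels_of(qname)
        if len(labels) < 3:
            return "allow"  # apex or two-label name: no subdomain to carry data in
        first = labels[0]
        # Exfil signal 1: a long, high-entropy leftmost label looks like encoded data.
        if len(first) >= self.min_label_len and shannon_entropy(first) >= self.min_entropy:
            return "block:exfil-entropy"
        # Exfil signal 2: too many never-seen-before subdomains under one domain.
        bucket = self.seen[registered_domain(qname)]
        bucket.add(first)
        if len(bucket) >= self.max_subdomains:
            return "block:exfil-volume"
        return "allow"


if __name__ == "__main__":
    policy = DnsPolicy()
    for q in ("www.example.org", "cdn.malware.example", "beacon.c2.example.",
              "0123456789abcdef0123456789abcdef.tunnel.example"):
        print(f"{q:50s} {policy.evaluate(q)}")
    verdicts = [policy.evaluate(f"chunk{i:02d}.slow.example") for i in range(30)]
    print("low-and-slow tunnel:", verdicts.count("allow"), "allowed,",
          verdicts.count("block:exfil-volume"), "blocked")
```

The second exfiltration signal is there because an attacker who keeps each label short and readable defeats the entropy check; what they cannot avoid is generating a fresh subdomain per chunk of data, so counting distinct labels per registered domain catches the low-and-slow variant at the cost of some latency before the first block. In production the counter would be windowed and the threshold tuned per domain, since large CDNs legitimately produce many subdomains.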
90. Core Enterprise Threat Protector Use Cases: Simply improve security posture; Increase security team operational efficiency; Guest WiFi acceptable usage enforcement; Off-net/on-net control and protection
91. WE DRINK OUR OWN CHAMPAGNE: No inside. No VPN. No passwords. Every app seems like SaaS. Every office is a hotspot.
92. Zero Trust Adoption Best Practices
1. Conduct a Threat Check to determine exposure of devices to malware/phishing
2. Consider a Zero Trust Architecture Assessment to develop a comprehensive plan to migrate from your current architecture to your goal Zero Trust architecture
   a. Profile users and apps
   b. Develop a customized phasing plan
3. Stop accumulating technical debt by publishing new apps based on Zero Trust
4. Begin migration of your Web apps, since they are easy to move to Zero Trust
5. Once you’ve addressed low hanging fruit with new apps and web apps, work to migrate legacy apps to Zero Trust based on the Zero Trust Architecture Assessment plan you developed earlier
6. Work to decommission legacy access, including VPN and privileged corporate WiFi/Ethernet segments
93. Malware Delivery Is Majority Of Malicious Traffic
• Malware: connection to known malicious domains associated with malware delivery
• CNC: connection to domains associated with command and control infrastructure
• Phishing: connection to known malicious domains associated with phishing
• DNS based data exfiltration: connection to domains associated with DNS based data exfiltration
94. Crypto-Mining & Botnets Are In Vogue
95. Top Global Media Company: Coin Mining and Simda Botnet communications detected from corporate endpoints. Threat events 121.4K (Malware 15%, C&C 83%, Phishing 2%); AUP events N/A.
• Coin Mining: high risk to systems availability; potential risk also to confidentiality of systems. Domains incl. coinhive[.]com, jquery-uim[.]download, minergate[.]com, authedmine[.]com
• Simda Botnet: systems infected with Simda may allow cyber criminals to harvest user credentials, including banking information, install additional malware, or cause other malicious attacks. Domains incl. pres[.]serverhome[.]com
96. Online & Store Retailer: Android based malware and OneDrive phishing clicks detected from corporate endpoints. Threat events 121.4K (Malware 8%, C&C 10%, Phishing 2%); AUP events 244.6K (Blacklist 80%).
• APT Variant MiniDuke: used as a Trojan that opens a backdoor and potentially allows the download of additional malware. Domains incl. www[.]eamtm[.]com
• Android Based Trojan: Domains incl. c[.]px9y94[.]com
• OneDrive Phishing Campaign: Domains incl. dwerap[.]cf
97. Top Restaurant Chain: Corporate HQ shows a significant amount of acceptable usage policy (AUP) violations. Threat events 1.5M; AUP events 3.4K; Gambling 33%, Pornography 22%, Dating 42%.
• Valyria Trojan: this Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users. Domains incl. lapelimmortelle{.}com{.}au
• Coin Mining: high risk to systems availability; potential risk also to confidentiality of systems. Domains incl. datasecu{.}download, jqcdn{.}download
98. School District: “Even small school districts get targeted attacks.” IT Manager. Malware 97%, C&C 2%, Phishing 1%.
• Coin Mining: high risk to systems availability; potential risk also to confidentiality of systems. Domains incl. coinhive[.]com, load[.]jsecoin[.]com
• Social Engineering: social engineering is the art of manipulating people to perform actions and/or extract information, and as such phishing. Domains incl. reddit[.]co
• Malware Distribution: drive-by downloads, phishing or other domains associated with malware delivery. Domains incl. Worldnaturenet[.]xyz, eluxer[.]net
99. akamai.com/etp
100. akamai.com/threat-check