BT and Akamai Beat the Bots Event

Transcript

1. Beat the Bots. Tackling the threat of credential abuse in

   the finance sector Wednesday 8 May 2019

2. Agenda 14:00 Welcome from Phil Packman, CISO – Major Clients,

   BT 14:10 Edge Security from Matt Payne, Regional Director, EMEA – Financial Services, Akamai Technologies 14:20 From Zombies to Bots from Scott Barnett, Head of Cyber & Information Security Services, TSB Bank 15:00 Akamai Network Operations Command Centre (NOCC) Tour from Simon Petch, Senior Solutions Engineer, Akamai Technologies 15:30 Networking Break 15:45 Credential Abuse - Challenges, Detection Strategies & Understanding Your Attack Surface from Richard Meeus, Security Technology and Strategy Director, EMEA, Akamai Technologies 16:30 Identity Cloud from Mayur Upadhyaya, Senior Director – Identity Cloud, EMEA, Akamai Technologies 17:00 Closing comments 17:15 Networking drinks and canapes

3. Welcome Phil Packman, CISO – Major Clients, BT

4. EDGE SECURITY A new paradigm for protecting businesses from Internet-facing

   threats Matt Payne Regional Director, EMEA – Financial Services

5. The digital economy is transforming faster than ever, creating a

   world where everything is connected. THIS CALLS FOR A COMPLETE RETHINK OF HOW YOU ENGAGE YOUR CUSTOMERS

6. Edge platform Optimized for security, high accessibility and performance Cloud

   infrastructure Optimized for high availability +

7. Financial Services Firms Trust Akamai All top 25 US banks

   (Source: The Banker) 19 of the top 20 European banks (Source: The Banker) All top 10 world’s largest asset managers (Source: Towers Watson) 9 of the top 10 US P&C insurance carriers (Source: A.M. Best) 8 of the top 10 FinTech companies (Source: American Banker) Top firms in Cards & Payments, Financial Information Services, Brokerage and Forex Over 400 banks worldwide use Akamai solutions Approx US$1.5 Trillion in financial transactions are executed on the Akamai Intelligent Platform every year.

8. TWO DECADES IN SECURITY But security remains a persistent challenge

   2017 2016 2015 2014 2013 2012 2010 1999 2003 2008 1998 Akamai founded NOMINUM founded Authoritative DNS launched Prolexic founded Origin obfuscation launched Cloud Security Intelligence developed XEROCOLE founded Integrated WAF + DDoS launched Curated WAF ruleset developed SOHA Systems founded Managed WAF service introduced Bot management introduced Client Reputation launched Credential abuse mitigation Introduced Secure application access introduced Malware & Phishing Protection Introduced Akamai introduces first cloud WAF

9. A NEW PARADIGM What the edge offers for security STRATEGIC

   PLATFORM Surrounds your applications, infrastructure, and people and enforces consistent security policy at a global scale Industry’s largest capacity—over 80 Tbps Massively distributed—2,400 global points of presence Proven track record—instant mitigation of terabit-scale attacks

10. A NEW PARADIGM What the edge offers for security VISIBILITY

    into ATTACKS Keeps up with the latest threats (so you don’t have to) with visibility into billions of attacks daily 2 trillion DNS requests 1.3 billion client devices 178 billion application attacks

11. A NEW PARADIGM What the edge offers for security Protects

    your apps, infrastructure, and people anywhere—in your offices and data centers, on the road, or in the cloud ADAPTS to BUSINESS 140 countries around the world On-premises, hybrid cloud, or multi-cloud On-net or off-net

12. Banking Reference Architecture Akamai Platform 1 – Ion • Optimized

    UX across any device, anywhere • Global Scale & Availability • Mobile Application SDK • Cloud Enablement • Real User Monitoring • HTTP/2 • Adaptive Optimization • Content Targeting - Personalization • Global Traffic Manager • IPv6 • Site Failover • Mobile Detect & Redirect • Front End Optimizations 2 – Kona Site Defender • DDoS Fee protection • Web Application Firewall • Siteshield – Origin Cloaking • GEO Blocking • White & Blacklisting • Rate Controls • Client Reputation • API Protection 7 – Enterprise Security • Secure, clientless app specific access to all enterprise apps, on-prem and in the cloud • Proactively prevent malware using Recursive DNS • Enforce Internet AUP 6 – DataStream • SIEM Integration • Realtime Log Uploads to SIEM 5 – Cloudlets • Edge Redirector • Application Load Balancer • Visitor Prioritization • Image Manager 4 - FastDNS • Primary/Secondary Authoritative DNS • DNSSEC • TSIG 8 – Bot Management • Detect and mitigate Credential Stuffing • Content Scraping • Manage Aggregators Digital Performance Management Protection from Application layer attacks for maximum uptime and brand integrity Simplify workflow Execute Business logic at the Edge Datasets Sent to SIEM Front end all DNS requests Shield from DNS attacks Enterprise Access BotManagement Framework EnterpriseThreat Protection 3 - Prolexic • DDoS Infrastructure Protection • All Ports and All Protocols Protection from Network layer DDoS attacks ©2018 AKAMAI | FASTER FORWARD ™

13. AKAMAI INTELLIGENT EDGE SECURITY The market leader in edge-based security

    PROTECT APPS & APIs MOVE TO ZERO TRUST STOP CREDENTIAL ABUSE Akamai has had the strongest and broadest edge security offering for quite some time… - IDC DDoS & WAF LEADER Bot Management LEADER Zero Trust eXtended Ecosystem STRONG PERFORMER
14. None

15. FROM ZOMBIES TO BOTS SCOTT BARNETT, HEAD OF CYBER &

    INFORMATION SECURITY SERVICES TSB BANK PLC.

16. MILLION DOLLAR HOMEPAGE

17. STAND AND DELIVER - 2005

18. ANONYMOUS AND OPERATION PAYBACK - 2010

19. VOLUNTEER CYBER ARMY – IMMA CHARGING MY LASER!!!

20. GAMING AND DDOS – 2014

21. YOUR CARING, SHARING STRESSERS - 2015

22. FUELLING THE ECONOMY

23. THE CREDENTIAL STUFFERS – 2018

24. UNDERGROUND ECONOMICS

25. NEW PARADIGMS

26. Q&A AND DISCUSSION SCOTT BARNETT, HEAD OF CYBER & INFORMATION

    SECURITY SERVICES TSB BANK PLC.

27. Akamai Network Operations Command Centre (NOCC) Tour Simon Petch, Senior

    Solutions Engineer, Akamai Technologies

28. Credential Abuse - Challenges, Detection Strategies & Understanding Your Attack

    Surface Richard Meeus, Security Technology and Strategy Director, EMEA, Akamai Technologies

29. Understanding Credential Abuse

30. None

31. Collection Number 1 772,904,991 email addresses 21,222,975 passwords £0

32. The automated effort of cycling through large lists of usernames

    and password combinations on a target website, in hopes of identifying still valid account credentials

33. The automated effort of cycling through large lists of usernames

    and password combinations on a target website, in hopes of identifying still valid account credentials

34. Rand omiz ed user agent Brow ser imper sonat ion

    Sessi on repla y Full cookie support JavaScript support Browser fingerprint spoofing Recorded human behavior IP Blocking / Rate Limiting Multiple IPs Low request rate Single IP HTTP Anomaly Detection Browser Fingerprinting User Behavior Analysis BOT SOPHISTICATION Evasions and mitigations SIMPLE SOPHISTICATED

35. The automated effort of cycling through large lists of usernames

    and password combinations on a target website, in hopes of identifying still valid account credentials

36. 1 2 $ $ $ 3 4 HOW IT WORKS

    Attackers pull data during a data breach Stolen credentials are sold on the dark web Fraudsters purchase stolen credentials Stolen credentials are tested on other websites

37. The automated effort of cycling through large lists of usernames

    and password combinations on a target website, in hopes of identifying still valid account credentials

38. Infrastructure Load Security Customer Satisfaction BUSINESS AND IT IMPACTS

39. The automated effort of cycling through large lists of usernames

    and password combinations on a target website, in hopes of identifying still valid account credentials

40. Reconnaissance Weaponization Delivery Exploitation Action FRAUD KILL CHAIN Understanding the

    role of credential stuffing • Identify target website with high account value • Purchase list of stolen credentials on dark web • Build or rent a botnet to automate validation • Build or buy software tools to evade detection ✔ • Purchase compromised account for target site • Use purchased account credentials to login • Perform fraudulent transactions using compromised account OBJECTIVES • Validate list of stolen credentials against login page of target website • Resell validated account credentials on dark web Bot management • Mitigates attack earlier in the kill chain to reduce incidence of downstream fraud SOLUTIONS Fraud prevention • Pros: knows individual users • Cons: high cost, account already compromised
41. None
42. None

43. Amount of money lost to fraud per compromised account FINANCIAL

    IMPACT Ponemon Institute – The Costs of Credential Stuffing Number of accounts targeted per credential stuffing attack Ponemon—The Cost of Credential Stuffing, Oct 2017 Other annualized costs related to credential stuffing

44. Wide-ranging impacts of credential stuffing

45. Whose problem is it?

46. RESPONSIBILITY Dispersed throughout the organization

47. UNDERSTANDING ATTACK SURFACE For transactional endpoints SIGN IN BA G

    SIGN IN BA G LOGIN CREATE ACCOUNT Website GIFT CARD SIGN IN BA G URLs Desktop login Shopping cart Create account Account balance Cart API SIGN IN BA G SIGN IN BA G Login API Mobile app Clients Desktop browser Mobile browser 3rd party Attacker

48. ATTACK CAMPAIGN SIZES Differences between standard web vs. API endpoints

    ATTACKERS ATTEMPT x4 MORE STOLEN ACCOUNTS THROUGH API LOGINS!

49. Check for free trips ~~~~~~~~~~~~~~ ~~~ ~~~~~~~~~~~~~~ ~~~ ~~~~~~~~~~~~~~ ~~~

    Reset Password

50. Check for free trips ~~~~~~~~~~~~~~ ~~~ ~~~~~~~~~~~~~~ ~~~ ~~~~~~~~~~~~~~ ~~~

    Reset Password
51. None
52. None

53. Thank you! We have sent you an email to reset

    your password.

54. Examples of Attacks

55. ©2018 AKAMAI | FASTER FORWARDTM Retail Financial Institution 46,230 legitimate

    login requests / hour 8,723 malicious login requests / hour 800 malicious login requests / hour Botnet #1 • Requests – 94,296 (average 9/min) • Clients – 2 IPs, same UA Botnet #3 • Requests – 5,286 (average 0.5/min) • Clients – 1500 IPs, 188 UAs Botnet #2 • Requests – 190,487 (average 59/min) • Clients – 10k+ IPs, 695 UAs Legitimate and malicious requests to a login endpoint compared Total logins 4,251,661 Malicious logins 315,178 IP addresses 19,992 ASNs 1,743 User agents 4,382 Key Take-aways: • Botnets #1, #2 are dumb bots that could be mitigated by signatures or rate controls • Botnet #3 is low, slow, highly distributed, highly sophisticated bot. A dedicated bot solution with true behavioral machine learning, not dependent on browser and network info, is required to detect Average 0.00035 requests/min per IP Low & Slow Stealth Mode Bot | © 2019 Akamai | Confidential

56. EXAMPLE – FINANCIAL SERVICES User Agent Countries IP Address Attackers

    rotated through 7,894 user agent strings during the last 30 days. A total of 43,808 IP addresses were detected sending potentially malicious requests during the past month. 83%of blocked requests originate from within the US. ©2018 AKAMAI | FASTER FORWARDTM Akamai began protecting Verified Sign-In URL in February. Since DENY mode enabled, total malicious bot traffic is now just 0.2% of total pre-DENY mode bot traffic. Bot Requests 798,000 Human Logins 440,000,000 Averaging more than ~2.5 million daily bot triggers before DENY mode February 9th Bot Manager turned to DENY Averaging fewer than ~6,700 daily bot triggers since DENY mode

57. EXAMPLE – FINANCIAL SERVICES 5 4 3 2 1 0

    20000 16000 12000 8000 4000 0 18000 14000 10000 6000 2000 Total Login Requests (Millions) Bot Triggers Bot Manager Premier Behavior Anomaly Total Logins

58. EXAMPLE – FINANCIAL SERVICES Detection Method # of Triggers ▪

    Behavioral Telemetry Indicates Bot 61,883 ▪ No Behavioral Telemetry Received 9,709 ▪ Session Cookie Missing 4,843 ▪ Session Cookie Invalid 1,410 ▪ Behavioral Telemetry Invalid 176 ▪ Session Cookie Replay 120 • The majority of the bots observed support cookies and proper network headers • Compound detection mechanisms allows Akamai to detect more bots

59. CASE STUDY Top 10 global financial services institution As one

    of largest financial asset management companies, this organization sees high bot traffic, including financial aggregators as well as credential stuffing and other fraud-related activities. Result Dramatic reduction in account takeovers to 1-3 per month and fraud-related losses to $1-2k per day—across all login endpoints Solution Behavioral-based bot detections deployed in deny in front of every consumer login endpoint Problem 8,000 account takeovers a month across multiple login endpoints, leading to $100k per day in direct fraud-related losses

60. Escalating Bot Detection Tactics

61. Disposable IPs Dynamic rotating IP Rotating IPs Single IP Primitive

    Pearl, Curl Javascript Engines Headless Browser A LOOK AT THE MOST COMPLEX ATTACKS Attack tool sophistication Attack Deployment Sophistication Automated Browsers w/Human Imitation

62. Disposable IPs Dynamic rotating IP Rotating IPs Single IP Primitive

    Pearl, Curl Javascript Engines Headless Browser A LOOK AT THE MOST COMPLEX ATTACKS Attack tool sophistication Attack Deployment Sophistication Automated Browsers w/Human Imitation Network Detections • IP Address • Country of origin • Rate of requests Pros • Simple to implement • Can be done within a WAF

63. Disposable IPs Dynamic rotating IP Rotating IPs Single IP Primitive

    Pearl, Curl Javascript Engines Headless Browser A LOOK AT THE MOST COMPLEX ATTACKS Automated Browsers w/Human Imitation Header Detections • User-Agent • Missing headers • Header order Pros • Simple to implement • Can be done within a WAF Attack tool sophistication Attack Deployment Sophistication

64. Disposable IPs Dynamic rotating IP Rotating IPs Single IP Primitive

    Pearl, Curl Javascript Engines Headless Browser A LOOK AT THE MOST COMPLEX ATTACKS Automated Browsers w/Human Imitation Browser Fingerprinting • Checks to see if client can process .js • Compares browser characteristics with User-Agent Pros • Identifies basic scripts • Isn’t as complex as other solutions Attack tool sophistication Attack Deployment Sophistication

65. Disposable IPs Dynamic rotating IP Rotating IPs Single IP Primitive

    Pearl, Curl Javascript Engines Headless Browser A LOOK AT THE MOST COMPLEX ATTACKS Automated Browsers w/Human Imitation Behavioral Detections (hybrid) • Uses both browser fingerprinting and human telemetry to create a single signature Pros • Identifies basic, moderate and some advanced bots • Starts to look at the user interaction Attack tool sophistication Attack Deployment Sophistication

66. Disposable IPs Dynamic rotating IP Rotating IPs Single IP Primitive

    Pearl, Curl Javascript Engines Headless Browser A LOOK AT THE MOST COMPLEX ATTACKS Automated Browsers w/Human Imitation Behavioral Detections (true) • Creates a unique signature based on human telemetry • Uses browser characteristics to identify Bot tools and improve machine learning Pros • Identifies basic, moderate and some advanced bots • Accurately identify humans Attack tool sophistication Attack Deployment Sophistication

67. CAPTCHA IS NOT A PANACEA • Simple to implement •

    Can be done within a WAP Pros • Customer experience • Detection quality • Risk score based • Not really Bot management • Possible privacy issues • Limited support and development Cons

68. https://www.akamai.com/us/en/multimedia/documents/state-of-the- internet/soti-2018-credential-stuffing-attacks-report.pdf • No silver bullet to address credential stuffing,

    need multiple levels of defence: o Bot solution & Web application firewall • Things you can do on your website: ◦ Implement a robust CIAM solution ◦ Make MFA mandatory. ◦ Not allow email addresses as usernames for authentication ◦ Add a third informational proof element to login pages, such customer ID or last name
69. None

70. IDENTITY CLOUD Mayur Upadhyaya, Senior Director – Identity Cloud, EMEA,

    Akamai Technologies

71. PRIVACY: A STRATEGIC IMPERATIVE Janrain was Acquired by Akamai in

    January 2019 Janrain pioneered the Customer Identity landscape Named a Customer Identity and Access Management (CIAM) leader in 2017 Forrester Wave™ Report Named as the overall leader in 2018 Customer Identity Leadership Compass Giving end-users control and choice over their data and how it is used Accelerating sustained compliance of GDPR for their customers Enhancing digital trust

72. What is Identity Cloud? Identity Cloud increases the user’s security

    and privacy, while improving end user engagement and thus brand loyalty Reducing friction in the registration journey; by scaling & performing without latency and allowing customers to bring their own identity Customer Identity & Access Management consists of three key capabilities delivered as a service Offloading & simplifying the management of customer profiles, opt- ins, logins and registrations while de- siloing identity architecture Protecting & securing end user data and password INTRODUCING: AKAMAI IDENTITY CLOUD Formally Janrain

73. DIGITAL TRUST Identity is at the heart of a customer

    centric approach Customer Identity & Access Management Regulation & Compliance Digital Transformation Omnichannel, IoT & Personalisation

74. THE CUSTOMER IDENTITY CHALLENGE Why customer identity is critical DIGITAL

    ECONOMY • 3.8B out of 7.5B people are digitally connected • 5M mobile applications • 1.2B websites • 6.4B connected things MARKETING TO ONE • 4000 marketing companies in 49 categories • Multiple views of customer • Unpersonalised campaigns DATA GOVERNANCE • 1000s of silos of customer data • 100s of consumer data protection regulations • Up to 4% WW annual turnover in penalties for non- compliance IDENTITY SECURITY • 4.5M breached identities per day • 7B breached identities since 2013 • >80% f/bad actors • >60% f/compromised credentials

75. Increases the user’s security and privacy, while improving end user

    engagement and brand loyalty Secure your customer identities & protect against identity fraud Identity Cloud consists of three key functions delivered as a service: Optimise user experience & marketing efforts Manage your online customer identities HOW IDENTITY CLOUD HELPS Understanding Customer Identity and Access Management

76. MANAGING Your online customer Identities Authentication SSO Social/BYOID Traditional •

    Offload authentication and self-registration • Reduce friction allowing consumers to bring their own identity (e.g social) • Allow customers to move seamlessly across properties • Flexible user experience • Customer Support Representative Screens

77. • CIAM/PII protected by the Akamai offerings you know and

    trust • Ability to lock down data access by attribute and application • Standards compliant, working against vendor lock in • Strong Customer Authentication SECURING Your online customer Identities ABAC Authorisation Secure Edge

78. • Give customer control and choice with consent and preference

    Store • Ability to store attributes without compromise • Identity Analytics • Internationalisation and version control OPTIMISING Your online customer experience Identity Consent Profile Identity Analytics

79. CREATING VALUE Customer identity impacts roles across the enterprise Infrastructure

    owner • Offload and simplify—offload identification to the edge, put your identity store in the cloud, de-silo your identity architecture, and simplify access policy enforcement • Better performance / security for your IAM infrastructure Security owner • Compliance with GDPR and other regional data privacy regulations • Better security for your end users—strong data protection, threat intelligence to detect account compromise, behavioral analysis to detect automated attacks Business owner • Improve end user experience—better performance, less unnecessary friction, and a more personalised experience • Improve revenues through better cross sell and upsell with better customer insight

80. CUSTOMER IDENTITY FOR BANKING The PSD2/Open Banking Customer Identity Requirement

    Authentication SSO Social/BYOID Traditional • Explicit Consent • Strong Customer Authentication • API Performance and Availability
81. None

82. Closing Comments

83. Networking Drinks and Canapes