Empowering Digital Transformation in Financial Services

Greivin Viquez,
Senior Solution Engineer, LATAM
Empowering
Digital
Transformation
in Financial
Services

Topics
 What is Digital Transformation?
 Recent Cyber Security Trends
 Digital Transformation War Stories
 How Akamai Reduces Risk
 Akamai At-A-Glance
3 | Empowering Digital Transformation in Financial Services | © 2018 Akamai | Confidential
#ProtectionPeru2019

What is Digital Transformation?
#ProtectionPeru2019

Digital Maturity - FinServ vs. Commerce
15%
2010 20172011 2012 2013 2014 2015 2016
CommerceFinancial Services
AkamaiAdoption
50%5 Years Behind Commerce
(Now growing faster)
Akamai Adoption over Time

Digital Engagement User Experience
Digital Transformation
Technology
Transformation
What Does Digital Transformation Mean?
• % of Transactions
• Self-Service
• Bot Management
• Aggregator Strategy
• Non-Human and
FinTech Engagement
• Instant Web
• Instant Mobile
• Anytime
• Anywhere
• Measurement and
Analytics
• Always Available
• Always Secure
• Protect the Customer
• Protect the Enterprise
• Protect the Company
Business
Transformation
• Rebranding
• Restructuring
• “Go Digital or Die”
Attitude
• Digitally Savvy Senior
Management
• “Digital” titles and
reorganization
• Follow eCommerce
• Investment in Core
Systems and APIs
• Re-think Capacity and
Scale
• Intense Dev-Ops
Effort
• “50 releases per day”
• Digital “re-imaging”,
Replatforming
• Cloud First Strategy
Cyber-Security Risk

Client Intelligence PERU - Cyber Security Trends
#ProtectionPeru2019

Ataques dirigidos a Perú organizados por tipo ataque

Comparación por Industria – Todos los actores
Ataques dirigidos a Perú organizados por industria
#ProtectionPeru2019

Ataques específicos hacia Perú: DDoS
Consumer Goods ManufacturingRetails

Ataques específicos hacia Perú: sector financiero

Ataques específicos hacia Perú: sector público
#ProtectionPeru2019

Ataques específicos hacia Perú: Sector Retail
#ProtectionPeru2019

Ataques específicos hacia Perú: sector líneas aereas
#ProtectionPeru2019

Ataques específicos hacia Perú – ataques específicos

Redes origenes de ataques HACIA Perú
Scraper Web
DDoS
Scanning

Redes origenes de ataques DESDE Perú

Redes origenes de ataques DESDE Perú
Scraper Web
DDoS
Scraper

Recent Cyber Security Trends
#ProtectionPeru2019

DDoS in The Netherlands
Target profile: Dutch financial institutions. (Also one bank outside the Netherlands.)
Akamai Product: Prolexic Routed, Kona
Attack Vectors: UDP, DNS, NTP, SNMP, SYN Flood, SQL Server Reflection, more...
Mutli-vector attacks:
• NTP flood
• UDP fragments
• SNMP flood
• DNS flood
• SYN flood
• SQL server reflection
• CLDPA reflection
• DNS reflection
• SQL Server Reflection
Noteworthy:
• Sustained attack for multiple days
• Peak attack size of 39.45 Gbps, 3.85 Mpps
• Multiple IPs targeted.
• Up to entire /24 network targeted. 255 IPs.
• “Vertical” attack. We don’t see that often.
• One bank had 50 /24s attacked.
• Very quick changes during the attack. About
every 30 seconds we saw:
• Attack vectors change
• IP targets change
• Attack cascading between /24 subnets
• 32k unique reflection IPs.
• DNSSEC and other amplification sources.

DDoS in The Netherlands
00:00 06:00 12:00 18:00 00:00 06:00 12:00 18:00 00:00 06:00 12:00 18:00 00:00 06:00 12:00 18:00
Size: up to 18.5 Gbps
Vectors:
UDP Flood
UDP Fragment
DNS Flood
NTP Flood
SNMP Flood, SQL Server
Reflection
CLDAP Reflection
Comments:
Long lasting campaign,
mitigated by all SOCC
locations, all vectors
stopped within the SLAs.
Over 140 entries added to
the ACLs
No downtime reported for
the services we protected
Size: up to 39.45 Gbps
Vectors:
UDP Flood
UDP Fragment
DNS Flood
Comments:
Two attacks launched on
the Jan 29th.
Same vectors used as in
the attack against Bank 1
Size: 2.10 Gbps
Vectors:
UDP Flood
Comments:
One vector attack,
relatively small quickly
blocked.
30th Jan28th Jan 29th Jan 31st Jan
Bank 1
Bank 2
Bank 3
New Emergency Akamai
Service
Bank 5Size: 2 Gbps
Vectors:
Similar to other banks
Comments:
Brazilian Bank
Vertical attack vector
Bank 4

©2019 AKAMAI | FASTER FORWARDTM
100 MB response
210 byte request
Memcached UDP reflection
500K AMPLIFICATION
Country Total
China 20,327
United States 17,320
France 3,283
Hong Kong 3,005
Russia 1,758
Japan 1,652
Germany 1,567
Canada 1,532
Vietnam 1,346
UK 1,112
Singapore 1,063
Netherlands 1,054
Turkey 1,044
Indonesia 748
Brazil 679
Poland 543
India 522
Ukraine 504
Romania 458
Lithuania 451
Memcached UDP reflection: an attacker queries an unsecured memcached server using a spoofed IP address to trigger a flood of UDP
packets against its target. With a 210 byte request capable of triggering a 100 MB response, this attack vector has the potential for over
500,000x amplification. The Shadowserver Foundation has identified over 50,000 memcached servers operating on the public Internet.

What’s it look like?

Memcached DDoS timeline: the first DDoS attack attributed to memcached UDP reflection was observed on February 26, 2018. Within
the next few days, this attack vector was responsible for 22 attacks against Akamai customers, including a 1.3 Tbps attack, and attacks
against 3 banks.
Mar 12
Memcached UDP reflection
FIRST TWO WEEKS
Feb 26 Feb 27 Feb 28 Mar 1 Mar 2 Mar 3 Mar 4 Mar 5 Mar 6 Mar 7 Mar 8 Mar 9 Mar 10 Mar 11
• 38.6 Gbps
• 9.0 Gbps
• 3.5 Gbps
• 191.6 Gbps
• 13.9 Gbps
• 5.6 Gbps
• 18.4 Gbps
• 1.3 Tbps
• 0.8 Gbps
• 229.4 Gbps
• 6.0 Tbps
• 1.1 Gbps
• 3.4 Gbps
• 160.5 Gbps
• 4.2 Gbps
• 2.3 Gbps
• 44.6 Gbps • 6.0 Gbps
• 6.7 Gbps
Two U.S. banks. 2nd bank was
attacked 6 minutes after the first.
Europe bank
• 1.7 Gbps • 2.1 Gbps
• 20.1 Gbps
Data through 3/12/2018. Aditional attacks are still coming in.

Operation Brobot 2012- Cyber Security Trends
#ProtectionPeru2019

26
DDoS campaign day 1 – large financial customer JAN
2012
6:15 am ATTACK BEGINS
The campaign starts as a DNS Flood. On-site mitigation is deployed. Two tier
1 telecom providers are engaged to provide upstream blocking of attack traffic.
7:30 am APPLIANCE FAILURE
On-site mitigation appliance fails. Local mitigation team gives up on
appliance.
10:45 am TELECOM FAILURE
Both telecom DDoS service providers are proving to be ineffective against a multi-vectored UDP and
DNS attack. Attack size approximately 8-10 Gbps. Response time is approaching critical levels.
11:30 am CUSTOMER ACTIVATES PROLEXIC
Customer flips the BGP switch and all traffic from 2 out of 3 data centers is routed to Prolexic. The SOC
immediately starts the mitigation process and within 20 min the response times are down to a few seconds.
Three telecom bridges are opened with the customer; an attack line, a trouble shooting line, and a SERT
line to the FBI and Secret Service which includes the customers SERT team.
8:00 pm CUSTOMER PREPARATION
Preparing to route the 3rd and final data center over to Prolexic.

27
DDoS campaign day 2 – large financial customer
8:30 am ATTACK VECTOR MORPHS TO DNS
Another major attack was initiated. It was a multi-
vectored attack which included a DNS Flood and a UDP
Flood. The attack peaked out at 13.4 Gbps and 600,000
pps.
10:00 am 100% PROLEXIC MITIGATION
The 3rd and final data center is routed over to Prolexic.
All back channels to Web, DNS, VPN’s, Custom Apps protected.
#ProtectionPeru2019

28
9:00 am ATTACK COMPLEXITY INCREASES
Another major attack was initiated. It was a multi-vectored
attack which was comprised of a DNS Flood of 6.3 Gbps
and 4.1 Mpps, a UDP Flood of 301 Mbps and 400K pps, a
GET Flood, UDP Fragment, and ICMP Flood that peaked
at 7.1 Gbps and 11.3 Mpps.
10:00 am PROLEXIC BOTNET TAKEDOWN WITH FBI
The GET Flood attack finally provided some non spoofed
IP addresses. Our SERT team using information from
several sources triangulated several Command and
Control PC’s or CNC’s . These addresses were then
turned over to law enforcement. The FBI proceeded to
monitor them to get more information.
8:00 pm BOTNET TAKEDOWN SUCCESSFUL
Several CNC’s were taken down.

29
11:00 am ATTACKER UNLEASHES EVERYTHING THEY HAVE
Another attack begins around 11 am. It started out small but by noon it had
morphed into a VERY LARGE and COMPLEX attack. The attack vectors
included: GET Flood, UDP Fragment, DNS Flood, ICMP Flood. This
campaign peaked at a very impressive 54.30 Gbps and 4.90 Mpps..
Note: Prolexic is the only company in the world able to mitigate this size of attack. It should be
noted that we were mitigating another 12 attacks for other clients at the same time as this 54
Gbps attack. That should give you some idea how big our network is, the effectiveness of our
services, and the skill level of our technicians. Many providers would have been so focused on
the huge attack that they would have missed the smaller, more deadly Layer 7 attack that was
also launched.

30
9:30 am ALL QUIET ON THE BANKING FRONT
No large attacks were recorded on Day 5. The customer
directed additional traffic to Prolexic from some of its
smaller, regional data centers.
#ProtectionPeru2019

31
12:00 pm HOME COUNTRY OF ATTACKER IDENTIFIED
Law enforcement narrows down the country origin of the attacker and starts to
zero in.
Attacker unsuccessful in impacting customer over several days.
Many attacker C&C’s taken down.

32
Note: ATTACKS END
Attacks end on Day 7. Throughout the campaign the
customers perimeter assets remained functional and
responsive despite the best efforts of a very skilled
attacker.
The attack never became public and there was no lack
of continuity in the day-to-day business. If the
company did not have Prolexic in place the outcome of
the campaign would have been dramatically different.
Note: FORENSICS
After several months of detailed forensics, it was evident
the attackers had done extensive analysis of the target
prior to the attack.
#ProtectionPeru2019

Operation Ababil 2012- Cyber Security Trends
#ProtectionPeru2019

Operation Ababil
Phase 1
Sep 12 – Early Nov 2012
• DNS Packets with
“A” payload
• Limited Layer 7
attacks
• Began use of
HTTP dynamic
content to
circumvent static
caching defenses
Phase 2
Dec 12, 2012 – Jan 29
• Incorporate
random query
strings and values
• Additions to bot
army
• Burst probes to
bypass rate-limiting
controls
• Addition of valid
argument names,
random values
Phase 3
• Increased focus on
Layer 7 attacks
• Larger botnet
• Highly distributed
• Target banks
where attacks work
• Fraudsters take
advantage
Late Feb 2013 – May 2013
“none of the U.S banks will be safe from our attacks”
Phase 4
• Updated attack
scripts, harder to
understand
• Requests look
more like normal
browsers
July 2013 – Now
#ProtectionPeru2019

• Top 5 Global Bank customer experienced a Denial of Service attack which
attempted to bring down their retail banking web site.
• Peak attack traffic was 1.46 Gbps, 73x normal.
• Page Views peaked at over 6,600 per second, 220x normal.
DDoS Attack – Banking Web Site (1 of 3)

• Akamai Offloaded over 95% of bandwidth during the attack, protecting the site.
• Origin bandwidth peaked at only 38 Mbps.

• Anniversary of Sept. 18, 1931 “Mukden Incident” and Sept. 19 invasion of
Manchuria.
• #1 – DDoS attack on Sept. 18, 2010.

Operation Ababil / 2nd Phase / 4th Week
“none of the U.S banks will be safe from our attacks.”

January 3, 2013 – Massive Banking DDoS Attack
Always-on Protection
• Top financial services firm with nearly 10M customers.
• Peak attack traffic was 30 Gbps, 30x normal daily high traffic.
• Attackers gave up after 15 minutes, and moved attack to another bank.
• 100% of the attack was on SSL.
Bank #1

Massive Banking DDoS Attack
• Akamai offloaded 100% of the attack.
• “A bug impacting our windshield”.
Bank #1
15 Minutes
Total Origin
Bandwidth
(Attack ended at
11:25)

• “Probe” attack was then
seen at another bank 25
minutes later.
• Akamai Kona in place, and
rate controls automatically
activated.
Bank #2

• 60 minutes later, 8 Gbps attack seen on a 3rd customer.
• 100% of the attack was on SSL.
• Akamai offload was over 99%
Bank #3

Non-Akamai bank hit at 12:03 PM
• Compuware benchmark of bank home page, measured from 12 cities 1x per
hour.
• First performance hit recorded at 12:03 PM.
• Performance and availability problems continued to 9:00 AM the following
morning.
12:03 PM
9:00 AM
Bank #4

Non-Akamai bank attacked at 12:44 PM
• First outage recorded at 12:44 PM.
• Attack continued to 6:21 PM.
• Bank attacked numerous times after January 3.
Bank #5
12:44 PM 6:21 PM
SITE UNAVAILABLE

Prolexic Routed – DDoS
Data center/infrastructure
20-40 attacks per day
Kona WAF – CDN
Web Application Attacks
Machine Generated
80M WAF rules triggered per hour
Akamai
SOURCES OF INTEL

43% of all logins transactions are malicious
50 day period in Nov – Dec 2017
#ProtectionPeru2019

Why is Credential Abuse so hard?
It breaks the security controls already in place:
• Low and Slow – 25% of the bots are used once
• Volumetric – Millions of request
• Layer 7 (application layer), not Network Layer (L3/4)
• The most sensitive traffic – Usernames and passwords
• Encrypted traffic – If you can’t see it, you can’t block it
• APIs are hit – 3.7x more often than login pages
Why is Credential Abuse so hard?
#ProtectionPeru2019

Digital Transformation War Stories
#ProtectionPeru2019

Are you ready for Digital Transformation?
Investment Website Traffic
1/29/18
0:00
1/29/18
16:40
1/30/18
9:20
1/31/18
2:00
1/31/18
18:40
2/1/18
11:20
2/2/18
4:00
2/2/18
20:40
2/3/18
13:20
2/4/18
6:00
2/4/18
22:40
2/5/18
15:20
2/6/18
8:00
2/7/18
0:40
2/7/18
17:20
2/8/18
10:00
Traffic
Example Investment WebSite Traffic Spikes
4x Traffic
Spike

• Social Media
• “The convenience of mobile banking”
• 15 minutes of downtime, and you need to
report to your regulator
L E S S O N S L E A R N E D
T H E S T O R Y
• Card skimmer leads to to $1M in theft in 2 hours
• Word gets out on social media
• Panicked customer check their accounts
• 3 months worth of traffic in 1 hour
• Datacenter overwhelmed
• The bank goes down
• Big national news
F A C T O R S
• Be prepared for flash crowds
• Develop and exercise run books
• Understand the risk to your business
• Better call Akamai
How an ATM can bring down your datacenter

How Akamai Reduces Risk
#ProtectionPeru2019

Data Loss Prevention – Kona as a virtual patch
machine
Struts CVE-2017-5638:
• March 6th, the Apache team patched a vulnerability in Struts2 framework
• Akamai engaged [unnamed customer] on March 9th
• Rule deployed on March 10th covering all [customer] applications on Akamai
• Rule in Monitor for visibility into any attacks/probes
• Bake to ensure no adverse impact to applications/customers
• Rule moved to Deny on March 12th

Review – Industry Objections
Objection Description Objection Handling
TLS Termination Akamai sees all PII and financial data ”in the clear”. - Education
- Residual Risk
- Data center visit
- SXL
- Limited ESSL maps
- Contractual language
- References
TLS Certificates Akamai holds customer certs on all ESSL servers.
Data Sovereignty Regulators require data to stay within country or region. Law
enforcement could compel Akamai to disclose PII.
Regulatory Challenges Customer believes that their regulator only allows end-to-end
encryption. Both internal and external regulators.

Akamai At-A-Glance
#ProtectionPeru2019

V I S I O N
M I S S I O N
To deliver a fast, reliable, and secure Internet to enable our
financial services customers:
• to grow their business
• to deliver world class products and services
• to give them a competitive edge
Akamai is the business Internet for Financial Services
The standard for performance, security, and mobile internet
architectures across the Financial Services industry

THANK YOU!
Greivin Viquez
Senior Solution Engineer

Empowering Digital Transformation in Financial Services

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Empowering Digital Transformation in Financial Services

Similar to Empowering Digital Transformation in Financial Services (20)

More from Cristian Garcia G.

More from Cristian Garcia G. (20)

Recently uploaded

Recently uploaded (20)

Empowering Digital Transformation in Financial Services