A Big 5 Canadian bank (“Bank”) that earns over $20 billion in annual revenue had been suffering from automated attacks on its web and mobile login applications for months.*
Bad actors were performing credential stuffing attacks on all possible channels: both the Canadian and U.S. websites, mobile apps, and even OFX API endpoints. Not only were the attacks leading to account takeover fraud losses, but the sheer volume of attacks also put significant strain on the Bank’s infrastructure. The bank was experiencing rolling outages on both their Canadian and U.S. websites, which prevented customers from accessing their accounts. These service outages were unacceptable to the Bank’s leadership, so the security team was determined to find a solution.
To mitigate the automated attacks, the Bank first deployed a CDN-provided bot mitigation tool (“vendor”). While the vendor was effective in the short-term, the solution was unable to provide long-term efficacy. The vendor relied on a rule-based system to stop attacks, but the bad actors changed tactics and bypassed those rules within hours, forcing manual configuration of the tool.
The Bank’s incident response team was exhausted by the burden of monitoring attackers and configuring new rules 24x7. After months of playing cat-and-mouse with the attackers, the Bank decided to seek out a more sophisticated solution and approached F5.
* "Big 5" refers to the five largest banks in Canada and is equivalent to the "Big 4" in other countries.
The security team decided to keep the vendor’s solution in place while evaluating Distributed Cloud Bot Defense to compare the efficacy and quality of service of the two solutions side-by-side. For the evaluation, the Bank deployed Distributed Cloud Bot Defense on its Canadian web and mobile login applications.
There are two stages to F5 Distributed Cloud Bot Defense deployment: observation mode and mitigation mode. In observation mode, F5 analyzes all incoming requests to the application in order to customize its defense and ensure the best possible outcome for the customer. Once F5 and the customer are confident that no legitimate human traffic will be impacted, F5 activates mitigation mode.
In observation mode, F5 Distributed Cloud Bot Defense found that nearly 1 out of 10 login attempts were malicious. The Bank was immediately impressed with the service's detection capabilities and the level of insight provided by the Intelligence team during regular briefings.
F5 Distributed Cloud Bot Defense can not only distinguish between malicious and legitimate login traffic, but can also group requests into different attack groups (“campaigns”) for analysis. If an attack group tries to bypass it by retooling, e.g., updating software or leveraging new proxies, the services still correctly identifies the attack groups based on hundreds of other signals.
During the first week of deployment, F5 Distributed Cloud Bot Defense identified four separate campaigns and tracked each of their credential stuffing activity.
After five weeks of observation mode, the Bank suddenly became victim to an enormous, unprecedented credential stuffing campaign–the traffic volume grew to a five-time increase from any other prior attack. The Bank was extremely worried because any additional increase in traffic volume would exceed its infrastructure capabilities, which would result in the entire Canadian website going down.
After receiving inadequate help from their existing vendor, the CISO of the Bank personally called F5 with a request: transition from Observation Mode to Mitigation Mode weeks ahead of schedule to stop the debilitating attack. The F5 Professional Services team went to work - within a few hours, Distributed Cloud Bot Defense was configured and deployed in mitigation mode on the Bank’s Canadian sites.
As soon as Distributed Cloud Bot Defense went into mitigation mode, as depicted by the transition from yellow to red traffic in the chart above, the attack tempered down. The service completely eliminated the flood of automated traffic from reaching the Bank’s origin server, allowing the Bank’s incident response team to stabilize traffic and ensure service availability for customers.
F5–through its Distributed Cloud Bot Defense service and Threat Intelligence team–proved superior to the vendor and successfully pinch-hit in a difficult situation. The Bank appreciated not just Distributed Cloud Bot Defense's efficacy, but also that the F5 team was willing and able to deploy in the midst of a large-scale attack.
As a result of F5 successfully defending the Canadian login applications, the Bank plans on taking considerable steps into broadening their use of Distributed Cloud Bot Defense, including: