This is the second installment in our series exploring the experiences of the F5 Security Incident Response Team (F5 SIRT), which assists customers with security incidents in real time. Our first focused on incidents at telecom service providers from around the world in 2017, 2018, and 2019. This article focuses on financial services organizations. This category includes banks, credit unions, brokers, insurance, and the wide range of organizations that serve them, such as payment processors and financial Software as a Service (SaaS). The financial services industry has characteristics that differentiate it from most other entities in terms of information security. It is heavily targeted, and has been for a long time, for the obvious reason that it has a lot of valuable information. This also means it is heavily regulated, and organizations in this sector tend to have large security budgets and a low appetite for risk. Note that we do not mention specific organizations or divulge absolute numbers in order to protect customer confidentiality.
Security Incident Trending in the Financial Sector
Security incidents at financial services organizations in 2017–2019 have been characterized by two predominant vectors, both of which are growing: brute force and credential stuffing attacks at 41%, and DDoS at 32%. Web attacks (8%) and malware (5%) are far less common, as are unidentified attacks and other miscellaneous incidents. The details are in Table 1.
|Percentage of security incidents|2017|2018|2019|2017–2019|
|Brute force and credential stuffing|37%|40%|42%|41%|
Table 1. Security incidents at Financial Services reported to the F5 SIRT from 2017 through 2019.
It’s easier to see the growth trends in a graph, as shown in Figure 1.
Authentication Attacks: Growing Every Year
Credential stuffing and brute force attacks have been the biggest threats for financial services recently, and the trend shows no sign of slowing. This is unsurprising, given the capability that legitimate credentials represent for attackers. If attackers are able to guess or simply re-use already compromised credentials and gain access to customer accounts, they will.
It also makes sense that attackers prefer these techniques to other approaches, considering that financial services IT departments are well-funded in comparison to much of the rest of industry. Banks have compliance and regulatory pressures to protect their systems and are heavily audited, and thus have robust and strong cybersecurity programs. The protections they have in place may represent too high a bar for crooks to pass, so they fall back to simpler, if less efficient methods, like guessing passwords. Oftentimes these attacks begin with attempts against customers of the financial services organization, not the organization’s systems or employees.
Brute force attacks involve a bad actor trying massive numbers of usernames and passwords against an authentication endpoint. Sometimes these are credentials that have been obtained from other breaches, which are then used to target the service in an attack known as “credential stuffing.” Other forms of brute force attacks simply use common lists of default credential pairs (for example, admin/admin), commonly used passwords, or even randomly generated password strings.
What Does Credential Stuffing Look Like at a Financial Services Provider?
As soon as a data dump hits the Internet, cybercriminals attempt logins at as many financial services targets as they can to get access to bank accounts. These dumps have a lifespan. Eventually defenders learn of the dump, and organizations can use it to determine whether their customers are affected. Until that happens, there is a golden window between the initial release of stolen credentials and whatever remediation may take place later.
Some attackers are aggressive, simply trying every stolen credential they have as quickly as they can. This activity can be so forceful that even if it goes unnoticed, backend authentication systems can be overwhelmed, leading to a Denial of Service condition.
Smarter attackers will take a more patient approach, trying to stay below the detection threshold of their target and betting that this approach will allow them more chances before they’re blocked.
Attackers also use a brute force technique known as “password spraying” to avoid detection. In this case the attacker quickly tries a password across a large number of accounts. Target defenses may only allow a few login attempts per username before the account is locked, but with this technique, an attacker can hit many accounts again and again with new password attempts and stay below the threshold for detection. The lack of widespread adoption of multi-factor authentication also enables attackers to conduct brute force activities with greater ease.
For a user, the result of a successful brute force attack can be account takeover or, at the very least, being locked out of their account if countermeasures are triggered. This leads to frustration for the customer and increased support desk calls for the provider.
As with DDoS attacks, the first indications of such an attack are customer complaints about account lockouts, rather than any sort of automated detection. This alone can constitute a denial of service if a large number of accounts are locked out, and certainly can cause increased—and at times overwhelming—strain on support desk capabilities.
Defensively, early detection is key. If defenders can identify an increase in failed login attempts over a short period of time, it gives them a window to mitigate the attack before customers are affected.
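The two detection signals described above, applied to constructed authentication log lines, as an added example (not code from the F5 article): a spike in failed logins within a short window, and the password-spraying pattern of one source trying few passwords against many accounts. The log format, thresholds and addresses are assumptions.

```python
"""Added example (not from the F5 article). Detects, in constructed auth-log
lines, the two patterns the text describes: a short-window spike in failed
logins, and password spraying (one source, few tries per account, many
accounts). The log format, thresholds and addresses are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2019-06-01T10:00:01 OK   user=alice src=198.51.100.4
2019-06-01T10:00:05 FAIL user=alice src=198.51.100.4
2019-06-01T10:00:09 FAIL user=bob   src=203.0.113.7
2019-06-01T10:00:10 FAIL user=carol src=203.0.113.7
2019-06-01T10:00:11 FAIL user=dave  src=203.0.113.7
2019-06-01T10:00:12 FAIL user=erin  src=203.0.113.7
2019-06-01T10:00:14 FAIL user=grace src=203.0.113.7
2019-06-01T10:00:15 FAIL user=heidi src=203.0.113.7
2019-06-01T10:00:31 FAIL user=bob   src=203.0.113.7
2019-06-01T10:00:32 FAIL user=carol src=203.0.113.7
2019-06-01T10:05:00 OK   user=bob   src=198.51.100.9
"""

def parse(log):
    """Return (timestamp, failed, user, src) tuples from the sample format."""
    events = []
    for line in log.splitlines():
        ts, result, user, src = line.split()
        events.append((datetime.fromisoformat(ts), result == "FAIL",
                       user.split("=", 1)[1], src.split("=", 1)[1]))
    return events

def failure_spikes(events, baseline=3):
    """Minutes whose failed-login count exceeds the assumed baseline rate."""
    per_minute = Counter()
    for ts, failed, _, _ in events:
        if failed:
            per_minute[ts.isoformat(timespec="minutes")] += 1
    return {minute: n for minute, n in per_minute.items() if n > baseline}

def spraying_sources(events, min_accounts=5, lockout=5):
    """Sources that failed against many accounts while staying under the
    per-account lockout threshold, i.e. the password-spraying pattern."""
    per_src = defaultdict(Counter)
    for _, failed, user, src in events:
        if failed:
            per_src[src][user] += 1
    return sorted(src for src, users in per_src.items()
                  if len(users) >= min_accounts and max(users.values()) < lockout)
```

A per-account lockout counter alone would never fire on the sprayed source here, since no account exceeds two failures; the per-source view is what exposes it.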
DDoS Attacks Trending Up
DDoS narrowly comes in at second place in our data. Sometimes, as noted above, this is the result of overly aggressive brute force attacks. Other times, it’s just a simple denial of service scenario, meant to prevent financial services business from operating as usual.
Some such attacks are motivated by the fact that financial services organizations will lose money from loans that can’t be processed and will lose customer confidence if their services aren’t functioning. Some attackers specifically do this to try to extort a ransom. Financial services organizations are also a target for nation-state actors who wish to disrupt critical infrastructure and apply economic pressures on their adversaries.[1]
What Does a Typical DDoS Attack Look Like for Financial Services?
A denial-of-service attack against service providers usually targets either the core services that their customers use (such as DNS) or the applications that allow their users to view their bills, see transactions, apply for loans, or get quotes. Such attacks can overwhelm a network, although this is rare. Attacks are usually sourced from all over the world, likely via the use of large botnets that are either rented out by attackers or purpose-built from compromised machines.
Typically, the first indication that an IT team has of a DDoS attack is a massive increase in network traffic or CPU usage. The second is typically increased response times for applications. Financial services organizations usually keep an eye on these indicators for this reason. After that, customer complaints resulting from impaired service are the next most common indicator that a DDoS event is underway.
From a defensive point of view, as mentioned above, these attacks can appear to simply be either a general outage of a service or a surge in network traffic. The ability to quickly compare the characteristics of normal, expected network traffic against samples of traffic while the attack condition exists is critically important. Additionally, the ability to quickly enable in-depth logging for application services in order to identify unusual queries is key to detecting and mitigating these attacks.
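The baseline-versus-attack comparison described above, as an added example (not code from the F5 article): it profiles a constructed sample of normal web traffic and a constructed sample taken during an attack along the axes the text names, request rate, source spread and unusual queries. Log format, thresholds and addresses are assumptions.

```python
"""Added example (not from the F5 article). Compares a constructed sample of
normal web traffic against a constructed sample taken during an attack, along
the axes the text names: request rate, source spread and unusual queries.
Log format, thresholds and addresses are assumptions."""
from collections import Counter
from datetime import datetime

# Constructed access-log lines: "<ISO timestamp> <src ip> <request path>"
BASELINE_LOG = """\
2019-06-01T09:00:00 198.51.100.10 /login
2019-06-01T09:00:12 198.51.100.11 /accounts/balance
2019-06-01T09:00:25 198.51.100.12 /loans/apply
2019-06-01T09:00:40 198.51.100.13 /accounts/transactions
2019-06-01T09:00:59 198.51.100.14 /login
"""
# Constructed attack sample: six sources hammer one expensive endpoint in 5 s
ATTACK_LOG = "\n".join(
    f"2019-06-01T12:00:0{i} 203.0.113.{i} /loans/apply?amount={'9' * 80}"
    for i in range(1, 7))

def profile(log):
    """Summarise one traffic sample: rate, source spread, path mix, odd queries."""
    rows = [line.split(maxsplit=2) for line in log.splitlines()]
    times = [datetime.fromisoformat(r[0]) for r in rows]
    span = max((max(times) - min(times)).total_seconds(), 1.0)
    paths = Counter(r[2].split("?", 1)[0] for r in rows)
    top_path, top_n = paths.most_common(1)[0]
    return {
        "rps": len(rows) / span,
        "sources": {r[1] for r in rows},
        "top_path": top_path,
        "top_share": top_n / len(rows),
        "long_queries": sum(len(r[2].partition("?")[2]) > 64 for r in rows),
    }

def compare(baseline_log, sample_log, rate_factor=10.0, share_jump=0.3):
    """Flag the ways a sample departs from the baseline; all False means normal."""
    b, s = profile(baseline_log), profile(sample_log)
    new_src = len(s["sources"] - b["sources"]) / len(s["sources"])
    return {
        "rate_spike": s["rps"] >= rate_factor * b["rps"],
        "path_concentration": s["top_share"] - b["top_share"] >= share_jump,
        "mostly_new_sources": new_src >= 0.9,
        "unusual_queries": s["long_queries"] > b["long_queries"],
    }
```

Which flag fires first is informative on its own: a rate spike from the usual sources reads differently from a flood of new sources all hitting one path.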
Web attacks against financial services targets dropped significantly in 2019. They represented 4% of financial services incidents; down from 11% the previous two years. It is difficult to determine causality in trends like this, but one likely contributor is the growing sophistication of properly implemented technical controls such as web application firewalls (WAFs). In 2018, as part of that year’s Application Protection Report, we found that a greater proportion of financial organizations tended to deploy WAFs (31%), compared to the average across all industries (26%).
Most of the web attacks against financial services that the SIRT examined took one of two forms. The first was attacks against APIs, such as mobile authentication portals and Open Financial Exchange (OFX) APIs. The second attack type was web scraping, or copying content for the purpose of creating realistic-looking phishing pages. We have found that web attacks against financial services targets tend to be the most persistent when compared to targets in other sectors. This is probably due to both the precise targeting that goes into these attacks and the high value of a potential success.
Regional Top 3
The SIRT data also revealed geographic differentiation in terms of attack type. Customers in the Europe, Middle East and Africa and Asia/Pacific theaters saw more DoS attacks than any other, with Asia/Pacific attacks in particular totally dominated by DoS. In North America, brute force and credential stuffing attacks predominated, while web attacks were conspicuously infrequent. See Figure 2 for more details.
The financial sector data represented here are at odds with general trends in the Europe, Middle East and Africa theater, where we have noted disproportionate growth in brute force and credential stuffing attacks in 2018 and 2019. We can only speculate whether this difference between financial services organizations and the mainstream in this theater will grow or shrink.
We hypothesize that the prevalence of brute force and credential stuffing attacks in North America is driven largely by the enormous volume of existing exposed credentials for North American users that has resulted from more than a decade of near-daily data breaches. The corollary of this hypothesis is that as data breaches in other theaters become more common, the prevalence of these attempts will rise in those theaters as well.
Top Targeted Technology
We also examined the list of incidents by the targeted technology. Not all of the incidents that the SIRT logged mentioned specific technologies, but we categorized those that did in Table 2.
Table 2. Technology targeted by security incidents at financial services reported to the F5 SIRT from 2017 through 2019.
Given the enduring prevalence of brute force and credential stuffing in these logs, it is not surprising that most of the targeted tech involves some kind of authentication technology, whether that is login pages, APIs, or Anonymous File Transfer Protocols (AFTP). Websites and DNS are both susceptible to attack either via the exploit of vulnerabilities or DDoS, so it is not possible to tell how those vectors map to these targets.
Compared with other sectors, the financial services industry tends to place greater importance on substantive and overarching security programs. Still, it faces many of the same challenges that other industries do when it comes to building and maintaining security programs in the face of both attacker trends and entropy. For instance, despite the valuable assets at stake, it remains a challenge to get customers to accept the need for multifactor authentication, even though it probably represents the most impactful way to prevent nearly all access-style attacks like brute force, credential stuffing, and phishing.
Given that challenge, there is still a range of things organizations can do—preventative, detective and corrective—to minimize these risks. On the preventative side, organizations can harden APIs and implement a vulnerability management program that includes external scanning and regular patching. On the detective side, it is critical to monitor traffic for traces of brute force and credential stuffing, even as the more sophisticated end of the spectrum becomes increasingly adept at evading this kind of detection. Defenders can check customer passwords against known breach lists and change out passwords that are known to be exposed. It is also important to keep an eye on DNS and routing for properties under an organization’s control, so that they are aware if it is being used to their disadvantage, either for phishing or for DoS. For corrective action, organizations can begin by developing procedures for incident response that address all of these risks—DoS, access attacks and web attacks—and practice incident response regularly.
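The breach-list check recommended above, as an added example (not code from the F5 article): it tests a password against a constructed corpus of known-exposed credentials and returns the reset decision. The lookup is modelled on the k-anonymity range-query approach of the Pwned Passwords API, sending only the first five hex characters of the SHA-1 hash; the corpus, counts, function names and threshold are assumptions.

```python
"""Added example (not from the F5 article). Shows the check the text
recommends: testing a password against a list of known-exposed credentials and
forcing a reset when it matches. Only the first five hex characters of the
SHA-1 hash are sent to the lookup side (k-anonymity range query, as in the
Pwned Passwords API), so the full hash never leaves the checking side. Stored
customer hashes are salted, so the check runs where the plaintext is briefly
available: at login or password change. Corpus and counts are constructed."""
import hashlib

# Constructed leak corpus: strings from common-password lists with made-up
# occurrence counts. Real lists ship as SHA-1 hex, so they are hashed below.
_CONSTRUCTED_LEAK = {"password": 3_500_000, "123456": 23_000_000,
                     "letmein": 150_000}

def sha1_hex(password):
    """Uppercase SHA-1 hex digest, the form breach lists are distributed in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Index the corpus by 5-hex-char prefix, as a range-query service would
BREACH_INDEX = {}
for _pw, _n in _CONSTRUCTED_LEAK.items():
    _h = sha1_hex(_pw)
    BREACH_INDEX.setdefault(_h[:5], {})[_h[5:]] = _n

def range_query(prefix):
    """Service side: every (suffix, count) pair sharing the given prefix."""
    return dict(BREACH_INDEX.get(prefix.upper(), {}))

def exposure_count(password):
    """Checking side: send the prefix only, finish the comparison locally."""
    h = sha1_hex(password)
    return range_query(h[:5]).get(h[5:], 0)

def password_policy(password, max_seen=0):
    """Hook for login or password-change flows: 'require_reset' when exposed."""
    return "require_reset" if exposure_count(password) > max_seen else "ok"
```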
The financial services industry has seen a lot of change in the last few years, both in how traditional members of this group operate as well as the types of organizations and services that are included. The combination of a global rise in DoS attacks and an increasing focus in North America on credential-based attacks suggests some ambivalence among attackers regarding the best strategies for extracting value from financial services targets. With the help of our colleagues in the SIRT, we will continue to monitor these events, looking for patterns that suggest either a newfound attacker consensus, or continued opportunism.