This is the second installment in our series exploring the experiences of the F5 Security Incident Response Team (F5 SIRT), which assists customers with security incidents in real time. Our first focused on incidents at telecom service providers from around the world in 2017, 2018, and 2019. This article focuses on financial services organizations. This category includes banks, credit unions, brokers, insurance, and the wide range of organizations that serve them, such as payment processors and financial Software as a Service (SaaS). The financial services industry has characteristics that differentiate it from most other entities in terms of information security. It is heavily targeted, and has been for a long time, for the obvious reason that it has a lot of valuable information. This also means it is heavily regulated, and organizations in this sector tend to have large security budgets and a low appetite for risk. Note that we do not mention specific organizations or divulge absolute numbers in order to protect customer confidentiality.
Security Incident Trending in the Financial Sector
Security incidents at financial services organizations in 2017–2019 have been characterized by two predominant vectors, both of which are growing: brute force and credential stuffing attacks at 41%, and DDoS at 32%. Web attacks (8%) and malware (5%) are significantly more rare, as are unidentified attacks and other miscellaneous incidents. The details are in Table 1.
|Percentage of security incidents|
|Brute force and credential stuffing||37%||40%||42%||41%|
Table 1. Security incidents at Financial Services reported to the F5 SIRT from 2017 through 2019.
It’s easier to see the growth trends in a graph, as shown in Figure 1.
Authentication Attacks: Growing Every Year
Credential stuffing and brute force attacks have been the biggest threats for financial services recently, and the trend shows no sign of slowing. This is unsurprising, given the capability that legitimate credentials represent for attackers. If attackers are able to guess or simply re-use already compromised credentials and gain access to customer accounts, they will.
It also makes sense that attackers prefer these techniques to other approaches, considering that financial services IT departments are well-funded in comparison to much of the rest of industry. Banks have compliance and regulatory pressures to protect their systems and are heavily audited, and thus have robust and strong cybersecurity programs. The protections they have in place may represent too high a bar for crooks to pass, so they fall back to simpler, if less efficient methods, like guessing passwords. Oftentimes these attacks begin with attempts against customers of the financial services organization, not the organization’s systems or employees.
Brute force attacks involve a bad actor trying massive numbers of usernames and passwords against an authentication endpoint. Sometimes these are credentials that have been obtained from other breaches, which are then used to target the service in an attack known as “credential stuffing.” Other forms of brute force attacks simply use common lists of default credential pairs (for example, admin/admin), commonly used passwords, or even randomly generated password strings.
What Does Credential Stuffing Look Like at a Financial Services Provider?
As soon as a data dump hits the Internet, cybercriminals attempt logins at as many financial services targets as they can to get access to bank accounts. These dumps have a lifespan. Eventually someone on the other side will find out about a dump, and organizations can use this to determine if their customers are affected. Until that happens, there is a golden window between the initial release of stolen credentials and whatever remediation may take place later.
Some attackers are aggressive, simply trying every stolen credential they have as quickly as they can. This activity can be so forceful that even if it goes unnoticed, backend authentication systems can be overwhelmed, leading to a Denial of Service condition.
Smarter attackers will take a more patient approach, trying to stay below the detection threshold of their target and betting that this approach will allow them more chances before they’re blocked.
Attackers also use a brute force technique known as “password spraying” to avoid detection. In this case the attacker quickly tries a password across a large number of accounts. Target defenses may only allow a few login attempts per username before the account is locked, but with this technique, an attacker can hit many accounts again and again with new password attempts and stay below the threshold for detection. The lack of widespread adoption of multi-factor authentication also enables attackers to conduct brute force activities with greater ease.
For a user, the result of a successful brute force attack can be account takeover or, at the very least, being locked out of their account if countermeasures are triggered. This leads to frustration for the customer and increased support desk calls for the provider.
As with DDoS attacks, the first indications of such an attack are customer complaints about account lockouts, rather than any sort of automated detection. This alone can constitute a denial of service if a large number of accounts are locked out, and certainly can cause increased—and at times overwhelming—strain on support desk capabilities.
Defensively, early detection is key. If defenders can identify an increase in failed login attempts over a short period of time, it gives them a window to mitigate the attack before customers are affected.
DDoS Attacks Trending Up
DDoS narrowly comes in at second place in our data. Sometimes, as noted above, this is the result of overly aggressive brute force attacks. Other times, it’s just a simple denial of service scenario, meant to prevent financial services business from operating as usual.
Some such attacks are motivated by the fact that financial services organizations will lose money from loans that can’t be processed and will lose customer confidence if their services aren’t functioning. Some attackers specifically do this to try to extort a ransom. Financial services organizations are also a target for nation-state actors who wish to disrupt critical infrastructure and apply economic pressures on their adversaries.1
What Does a Typical DDoS Attack Look Like for Financial Services?
A denial-of-service attack against service providers usually targets either the core services that their customers use (such as DNS) or the applications that allow their users to view their bills, see transactions, apply for loans, or get quotes. Such attacks can overwhelm a network, although this is rare. Attacks are usually sourced from all over the world, likely via the use of large botnets that are either rented out by attackers or purpose built from compromised machines.
Typically, the first indication that an IT team has of a DDoS attack is a massive increase in network traffic or CPU usage. The second is typically increased response times for applications. Financial services organizations usually keep an eye on these indicators for this reason. After that, customer complaints resulting from impaired service are the next most common indicator that a DDoS event is underway.
From a defensive point of view, as mentioned above, these attacks can appear to simply be either a general outage of a service or a surge in network traffic. The ability to quickly compare the characteristics of normal, expected network traffic against samples of traffic while the attack condition exists is critically important. Additionally, the ability to quickly enable in-depth logging for application services in order to identify unusual queries is key to detecting and mitigating these attacks.
Web attacks against financial services targets dropped significantly in 2019. They represented 4% of financial services incidents; down from 11% the previous two years. It is difficult to determine causality in trends like this, but one likely contributor is the growing sophistication of properly implemented technical controls such as web application firewalls (WAFs). In 2018, as part of that year’s Application Protection Report, we found that a greater proportion of financial organizations tended to deploy WAFs (31%), compared to the average across all industries (26%).
Most of the web attacks against financial services that the SIRT examined took one of two forms. The first was attacks against APIs, such as mobile authentication portals and Open Financial Exchange (OFX) APIs. The second attack type was web scraping, or copying content for the purpose of creating realistic-looking phishing pages. We have found that web attacks against financial services targets tend to be the most persistent when compared to targets in other sectors. This is probably due to both the precise targeting that goes into these attacks and the high value of a potential success.
Regional Top 3
The SIRT data also revealed geographic differentiation in terms of attack type. Customers in the Europe, Middle East and Africa and Asia/Pacific theaters saw more DoS attacks than any other, with Asia/Pacific attacks in particular totally dominated by DoS. In North America, brute force and credential stuffing attacks predominated, while web attacks were conspicuously infrequent. See Figure 2 for more details.