State of the Internet / Security: Retail Attacks and API Traffic (English version).pdf
State of the Internet / Security
Retail Attacks and API Traffic
Volume 5, Issue 2

Letter from the Editor

In the past decade, one of the biggest changes in security has been the understanding that we're not simply technologists divorced from the business. Our work is an integral part of every aspect of business. To security practitioners who are relatively new to the industry, this might sound like an obvious statement. However, at some organizations, this type of integrated thought process is still a work in progress. There's a definite continuum between organizations that see the security team as an integrated part of the corporation and those that see it as separate from other business concerns.

An important part of a security team being seen as a legitimate business partner is its ability to identify the risks that the business faces. In the Dark Ages of the 1990s, this resulted in security teams being viewed as the "Department of No." Since then, security leaders have learned to better quantify and communicate risks. The best security teams have clear definitions of risks and risk assessment processes that enable them to explain their perceptions in a way that's more nuanced than the simple binary of yes or no. More importantly, they can often attach a theoretical monetary cost to those risks, thereby giving business leaders the ability to better weigh potential costs.

But identifying risks is hard. Really hard. Understanding the variations and nuances that might have a significant effect on a business decision is a difficult process, even for the topics we know intimately. We might overestimate the impact, which lessens our standing within the business, or we might underestimate the risk, which leads to finger pointing when things go wrong. Like so many aspects of security, there is not one singular path; it's a balancing act unique to the individuals and the organization.

This issue becomes exponentially harder when we're facing unknowns and issues we have little or no visibility into. All three stories in this issue of the State of the Internet / Security report cover aspects of security that we feel numerous organizations are not as cognizant of as they should be. Our survey of API traffic surprised us by revealing that 83% of the hits we see there are API driven. Research into DNS traffic revealed that IPv6 traffic may be underreported, as many systems capable of IPv6 still show a preference for IPv4. Finally, our look at credential abuse and the botnets abusing retailer inventories shows that this is a rising problem that needs attention.

Part of risk assessment is constantly wondering about what problems we should be looking at but aren't. There are things that we don't (and can't) know, simply because we lack visibility. Hopefully we can help chip away at this and move one or two more topics into the knowable category.

Table of Contents

Overview
Akamai Research
  Tools of Mass (Retail) Destruction
  Top Market Segments
  Rise of API Traffic
  It's All About JSON
  Takeaways
  Is IPv6 Being Underreported?
Looking Forward
Appendix
Credits

TL;DR

- Akamai detected nearly 28 billion credential stuffing attempts between May and December 2018. Tools like the All-in-One botnet are responsible for a large number of the attempts against retail organizations.
- A recent analysis of Akamai's ESSL network revealed an 83% to 17% split between API and HTML traffic on our secure content delivery network. This is a significant increase since the same survey was performed in 2014.
- IPv6 usage might be underreported, based on Akamai's analysis.
This leads to a dangerous assumption that IPv6 isn't worth monitoring.

Overview

All three of our stories in this issue of the State of the Internet / Security report are about things most organizations aren't examining. Whether the cause is that organizations don't perceive some issues as important to their environment, that they don't have tooling to monitor these issues, or that the resources to monitor this traffic are not available, this traffic is often being overlooked.

Although organizations examine the traffic generated by botnets, without specialized tools that traffic is often treated the same as any other type of network activity. There are very few places where this is more dangerous than in the retail sector, where botnet creators and retail defenders are playing a multidimensional game, with real money on the line. Our team looked at All-In-One (AIO) bot tools and considered them in the context of the billions of credential abuse attempts we see on a monthly basis.

Another type of traffic that a lot of organizations have limited visibility into is API traffic. In 2014, Akamai did an internal audit of the JSON and XML traffic on our Enhanced SSL (ESSL) network and found that 47% of the traffic was driven by these two formats. A similar survey of our traffic in October 2018 showed that 69% of the traffic is now JSON, 14% is XML, and only 17% is HTML.

The Internet has been slowly moving to IPv6, and according to the Internet Society, 28% of the top 1,000 sites are IPv6 capable, while only 17% of the top 1 million sites can say the same. But our research suggests that this might be an underreporting of the numbers, because so many systems show a preference for IPv4, even when they're capable of handling IPv6 traffic. Because IPv6 is still seen as a minority of traffic, it's not a major selling point for a number of security tools. Not all organizations consider the IPv6 space worth monitoring, even when the capability is present.

Akamai Research

Tools of Mass (Retail) Destruction

Between May 1 and December 31, 2018, there were 10,000,585,772 credential stuffing attempts in the retail industry detected on Akamai's network. When that's expanded to all other customer industries, Akamai detected 27,985,920,324 credential abuse attempts over eight months (245 days). That works out to an average of roughly 114 million attempts to compromise or log in to user accounts every day.

The reason for these attempts isn't complex. The malicious actors responsible for them are looking for data such as personal information, account balances, and assets, or they're looking for opportunities to cash in on the online retail market that's expected to hit $4.88 trillion by 2021.

The credential stuffing attempts logged by Akamai are automated, thanks to bots. Bots can represent up to 60% of overall web traffic, but less than half of them are actually declared as bots, making tracking and blocking difficult. This dilemma is compounded by the fact that not all bots are malicious, as we discussed in Issue 1 of this year's State of the Internet / Security report.

Play the Numbers

For criminals, credential stuffing attacks are a numbers game. They're counting on the fact that people recycle their passwords across different accounts. When this happens, a compromised set of credentials from one website quickly translates into dozens of others.

It's a two-step process: stuff the login page with the maximum number of credential pairs to verify their validity, and once verified, take control of the compromised account.
This second stage is commonly known as account takeover, or ATO.

Consider the 116 million accounts compromised during the LinkedIn data breach. Using this list of email address and password combinations, criminals targeted dozens of other websites in hopes that people were using their LinkedIn credentials elsewhere. These credential stuffing attempts led to several secondary account takeovers. This is why security professionals stress the use of password managers, as well as the use of long and unique passwords for each website.

Fighting Credential Stuffing Attacks Is an Uphill Battle

The battle against credential stuffing isn't an easy one to fight. When asked, 71% of the respondents to an Akamai survey conducted by Ponemon Institute said that preventing credential stuffing attacks is difficult because fixes that prevent such action might diminish the web experience for legitimate users.

On average, organizations report experiencing 12.7 credential stuffing attempts each month, with each attempt targeting 1,252 accounts. The reflexive action to just block the bots responsible for these attempts outright makes sense at first, but such a move might cause serious harm to the business if legitimate customers are impacted.

Fig. 1: Credential abuse attempts per day, May 1 to December 31, 2018. Four of the top days are highlighted: June 2, 2018 (252,176,323); July 25, 2018 (252,000,593); October 25, 2018 (286,611,884); October 27, 2018 (287,168,120).

The same survey revealed 32% of respondents lacked visibility into credential stuffing attacks, and 30% said they were unable to detect and mitigate them. When asked if their organization had sufficient solutions and technologies for containing or preventing credential stuffing attacks, 70% of those responding said their organization was lacking when it came to such defenses.

Credential stuffing attacks are a costly battle to fight as well. The survey determined that the baseline costs associated with such attacks, when considering application downtime, loss of customers, and IT overhead, amounted to annual totals of $1.7 million, $2.7 million, and $1.6 million, respectively.

Fig. 2

The combination of Video Media and Media department stores (1.426 billion); office supply stores (1.3 billion); and fashion, such as jewelry and watches (129,725,233). Each colored box in Figure 4 represents an individual organization, with businesses grouped by type and bounded by thicker white lines. For example, the upper left box represents a single organization that experienced 1.636 billion attacks.

As was the case with retail, the bots and bad actors are conducting these credential stuffing attacks and attempts with multiple goals in mind. When it comes to direct commerce retailers that offer a single item or brand, the goal centers on accounts that have existing history, personal information that can be harvested, and unique deals and promotions. The same can be said for department stores, but there is an added bonus for criminals, who can easily trade in compromised department store credit lines.

Figure: Credential Abuse, Retail Organizations by Type, May to December 2018.
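The two-step process described above, bulk verification of credential pairs followed by account takeover, leaves a recognizable signature in login logs: one source walking many distinct accounts with a very high failure rate, with the few successes among them being the ATO candidates. The survey figures above (30% unable to detect, blunt blocking harming legitimate users) are the reason to key detection on that signature rather than on raw volume. The following Python is an added example, not code from the Akamai report; the log format, field names and thresholds are assumptions, and the log lines are constructed. A single customer who mistypes a password twice is not flagged, and sources are parsed with the ipaddress module so IPv6 clients are counted alongside IPv4 ones, since a dotted-quad-only filter would silently drop exactly the traffic the report says organizations tend not to monitor.

```python
"""Flag credential-stuffing sources in web login logs.

Added example, not code from the Akamai report. The log format, field names and
thresholds below are assumptions chosen for illustration; the log is constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real traffic). Assumed format per line:
# "<timestamp> <source_ip> <username> <http_status>"
SAMPLE_LOG = """\
2018-10-25T03:00:00Z 198.51.100.7 u01@example.com 401
2018-10-25T03:00:00Z 198.51.100.7 u02@example.com 401
2018-10-25T03:00:01Z 198.51.100.7 u03@example.com 401
2018-10-25T03:00:01Z 198.51.100.7 u04@example.com 401
2018-10-25T03:00:02Z 198.51.100.7 u05@example.com 200
2018-10-25T03:00:02Z 198.51.100.7 u06@example.com 401
2018-10-25T03:00:03Z 198.51.100.7 u07@example.com 401
2018-10-25T03:00:03Z 198.51.100.7 u08@example.com 401
2018-10-25T03:00:04Z 198.51.100.7 u09@example.com 401
2018-10-25T03:00:04Z 198.51.100.7 u10@example.com 401
2018-10-25T03:00:05Z 2001:db8::42 u11@example.com 401
2018-10-25T03:00:05Z 2001:db8::42 u12@example.com 401
2018-10-25T03:00:06Z 2001:db8::42 u13@example.com 401
2018-10-25T03:00:06Z 2001:db8::42 u14@example.com 401
2018-10-25T03:00:07Z 2001:db8::42 u15@example.com 401
2018-10-25T03:00:07Z 2001:db8::42 u16@example.com 401
2018-10-25T03:01:00Z 203.0.113.9 carol@example.com 401
2018-10-25T03:01:07Z 203.0.113.9 carol@example.com 401
2018-10-25T03:01:20Z 203.0.113.9 carol@example.com 200
2018-10-25T03:02:00Z 203.0.113.10 dave@example.com 200
"""

# Assumed thresholds: a legitimate user mistypes a password a few times against
# one account; a stuffing source walks many accounts with a very low success rate.
MIN_DISTINCT_USERS = 5
MIN_FAILURE_RATIO = 0.8


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: set = field(default_factory=set)  # accounts that logged in: ATO candidates


def parse_line(line):
    """Split one log line; ip_address() accepts both IPv4 and IPv6 literals."""
    ts, src, user, status = line.split()
    return ts, ipaddress.ip_address(src), user, int(status)


def aggregate(log_text):
    """Per-source attempt, failure and distinct-account counts."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, user, status = parse_line(line)
        s = stats[src]
        s.attempts += 1
        s.users.add(user)
        if status == 200:
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing_sources(log_text, min_users=MIN_DISTINCT_USERS, min_fail=MIN_FAILURE_RATIO):
    """Return {source_ip: summary} for sources whose account fan-out and failure
    ratio both exceed the thresholds. Volume alone is deliberately not a criterion."""
    flagged = {}
    for src, s in aggregate(log_text).items():
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_users and fail_ratio >= min_fail:
            flagged[str(src)] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "failure_ratio": round(fail_ratio, 2),
                "ato_candidates": sorted(s.successes),
            }
    return flagged


def report(flagged):
    """One human-readable line per flagged source, with the address family noted."""
    lines = []
    for src, info in sorted(flagged.items()):
        fam = "IPv6" if ipaddress.ip_address(src).version == 6 else "IPv4"
        lines.append(
            f"{src} ({fam}): {info['distinct_users']} accounts, {info['attempts']} attempts, "
            f"failure ratio {info['failure_ratio']}, ATO candidates: {info['ato_candidates'] or 'none'}"
        )
    return lines


if __name__ == "__main__":
    for line in report(flag_stuffing_sources(SAMPLE_LOG)):
        print(line)
```

On the constructed log this flags 198.51.100.7 (ten accounts, one success, which is the account to force a password reset on) and the IPv6 source 2001:db8::42, while carol's two failed attempts against her own account pass untouched. The per-source fan-out signal is the weakest part of this approach against the AIO tooling the report describes, because those bots rotate through proxy pools so that each address touches only a handful of accounts; in practice it is combined with per-account signals (one account hit from many sources), global login-failure rate spikes like the October 25 and 27 peaks in Fig. 1, and client fingerprinting.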