3113: Inside Akamai's State of the Internet Report

[00:00:04] Are we truly safe online? Today, I'm going to peel back the digital curtain and reveal the forces shaping the cybersecurity landscape.

[00:00:15] With my guest Richard today, he's the Director of Security Technology and Strategy, EMEA at Akamai.

[00:00:23] And Richard joins us to dissect the findings of Akamais' latest State of the Internet Report.

[00:00:30] And that report spotlights the escalating threat of DDoS attacks, the intricate anatomy of ransomware attacks, and the practical pathways to implementing zero-trust architectures.

[00:00:44] But if we zoom out for a moment as this digital domain becomes an almost front line for financial services, I think understanding these dynamics is more crucial than ever.

[00:00:55] So, big question, what can businesses and individuals alike learn from these developments to bolster their defenses?

[00:01:04] These are just a few of the things we're going to explore together today.

[00:01:08] But enough from me. Let's get Richard onto the podcast now.

[00:01:12] So, a massive warm welcome to the show. Can you tell everyone listening a little about who you are and what you do?

[00:01:19] So, thanks, Neil. Yeah, my name is Richard Mears. I'm the Director of Security Technology and Strategy for Akamai, EMEA, which is a very long way of saying that I talk about security a lot.

[00:01:34] And I talk to Akamai's customers, Akamai's partners and the industry at large about security, about cybersecurity, and how Akamai can help organizations with our products, with our intelligence that we get from our platform to ensure that organizations and everything is protected going forward into the future.

[00:01:58] Fantastic. There's so much I want to talk with you about today. One of the big reasons I invited you to join me on the podcast was to talk about one of your recent reports.

[00:02:06] And just to set the scene for listeners who might not be familiar, can you just provide a brief introduction to Akamai's State of the Internet report and maybe explain its significance in understanding the current cybersecurity landscape, particularly for the financial services sector?

[00:02:24] Because there's some pretty revealing insights there. But could you just set the scene for me?

[00:02:30] Absolutely. Yeah. So the state of the Internet report, or as we call it, the SOTI, because it tends to be a bit of a mouthful otherwise.

[00:02:37] We've been doing this for about 10 years now, and it sort of leverages the traffic that we see on a daily basis.

[00:02:47] So we see sort of trillions of DNS requests and billions of cyber attacks every single day.

[00:02:53] And this gives us a veritable treasure trove of information that we can slice and dice and use it to provide sort of thoughts and ideas about the statistics and the trends that are happening in the cybersecurity industry.

[00:03:10] So sometimes we'll do this by vertical. So we may focus on medical or commerce, or in this case, financial services.

[00:03:19] We also slice and dice it through attack types. So we may focus on ransomware.

[00:03:24] We may focus on bots, which are sort of particularly prevalent in commerce, for example, or we may focus on APIs.

[00:03:32] So depending on sort of what we think is relevant and the interesting stories that we can back it up with the data that we see gives us a really good rapport that we can produce every sort of couple of months.

[00:03:44] And we generally bring in sort of guest contributions as well from relevant parts of the industry to further back up that validity.

[00:03:52] And we are at that time of the year, which is the busiest time in retail, and there's so many different attacks going on.

[00:03:58] But as we talk about the financial sector, one of the things that stood out for me in your report was the dramatic spike in layer three and four DDoS attacks.

[00:04:08] So I've got to ask, what is it you think that's driving this increased frequency of these layer three and four DDoS attacks, especially in the financial services sector?

[00:04:19] Yeah, so DDoS or distributed denial of service attacks are a bit around for years.

[00:04:25] It's just a way of basically sort of maximizing out the capacity of a service to provide either a website or an API.

[00:04:34] It's like resource exhaustion.

[00:04:37] And the layer three, layer four DDoS attacks are either designed to exhaust the pipe capacity that are not organized.

[00:04:47] If they have a 10 gig pipe to the internet, we'll send it 11 gigs of DDoS and it's going to fall over.

[00:04:53] We'll send out enough types of rubbish traffic that it's going to really tire out the routers and the firewalls so that it can't actually take in all the legitimate requests.

[00:05:05] And we've seen a lot of these types of DDoS attacks because what's been happening recently is that unfortunately financial services is the number one vertical attack across the globe that we see in these types of attacks.

[00:05:18] And in EMEA, this is the number one region for DDoS attacks across the globe.

[00:05:25] So if you're in financial services and in EMEA, you're really right in the crosshairs of these volumetric DDoS attacks.

[00:05:35] And I think it's not really sort of a huge stretch to sort of attributing a lot of this towards hacktivism.

[00:05:43] And the hacktivism is due to the fact that we have two wars going on in the region and a lot of people who are leveraging that to launch DDoS attacks.

[00:05:54] And financial services have been typically being seen as like a prominent flagship or a prominent beacon for a certain country.

[00:06:06] So when a country offers support for a particular side of the conflict, you'll tend to find attacks against their financial institutions.

[00:06:15] Is it seen as a good way of eroding trust in those organizations and in those countries?

[00:06:23] If you want to impact the population, great ways to start taking their banks offline.

[00:06:30] Take their banks offline, they get concerned that they might not be able to get money.

[00:06:34] And therefore, it's a great way to erode trust.

[00:06:37] And this is what the hacktivists rely on.

[00:06:39] And as you said, we are in a period of extreme global conflict right now.

[00:06:44] We've got two big wars going on.

[00:06:45] So perhaps unsurprisingly, the report mentions a significant politically motivated rise in DDoS attacks in Israel, for example.

[00:06:56] So are you able to provide any more details on the nature of these attacks and how you're helping to mitigate them?

[00:07:03] Yeah, there's been a lot of attacks across the region in support of the sides on either side of the war.

[00:07:11] And there's been a lot of attacks going into Israel and some quite interesting ones that are sort of slightly atypical to a lot of the attacks that we're seeing recently.

[00:07:23] A lot of attacks that you sort of see in the press are very short and sharp attacks.

[00:07:29] They may be very big, but only last for a few seconds.

[00:07:32] One of the attacks we saw earlier on this year into Israel wasn't particularly large in terms of record breaking.

[00:07:38] It's only about 800 gigabits per second, which is still pretty chunky when you're talking about normal DDoS attacks.

[00:07:46] But it lasted, or the attack duration was like 24 hours with a constant attack rate of like 300 or 400 gigabits per second for three or four hours at a time.

[00:07:57] And using a number of different attack vectors.

[00:08:01] So this was quite an interesting attack from our perspective because normally, as we sort of said, attacks are normally short and sweet with very high packets per second, very high bits per second, but only for a few minutes.

[00:08:13] This one for this duration was very interesting in the sense that that level of capacity for that duration certainly indicates an upskilling in the attack tools that the hacktivists have.

[00:08:28] Because this really sort of demonstrated the firepower to be able to generate an attack of that duration.

[00:08:34] And something else that stood out in the report was the emergence of shadow APIs and becoming an increasing concern too.

[00:08:44] So how significant is this threat?

[00:08:47] And what steps should organizations be taking to protect against these hidden vulnerabilities?

[00:08:52] The concept of shadow APIs is quite an interesting one.

[00:08:57] So organizations have been using APIs for a number of years now, and for a very good reason.

[00:09:04] They're a fantastic way of optimizing performance.

[00:09:08] They're a fantastic way of doing data transfer far more easily than traditional methodologies.

[00:09:15] And because of that, they are becoming prevalent in all aspects of B2B, B2C, interoperations.

[00:09:22] And what tends to happen is that APIs are sprung up for a variety of reasons, for testings, for quick data transfer, for interaction with defunct websites, or that may have happened.

[00:09:36] And what tends to happen is that there is not effectively, there's nobody sweeping up afterwards.

[00:09:43] So what happens is once APIs have been sort of made redundant, they've been superseded, or maybe the project that were being used for has been disbanded.

[00:09:55] There's nobody going through then and actually sweeping up afterwards and turning these APIs off.

[00:10:00] And what this means is that there is the potential for lots of maybe personal data or business data that is still being exposed to the internet or to various other aspects that hasn't a degree of control over it.

[00:10:18] And certainly when we go to organizations nowadays and sort of say, look, how many APIs are you exposing to, say, B2C, to your business, to consumer traffic and direct to the internet?

[00:10:30] And how much APIs have you got exposed to B2B, to other businesses?

[00:10:34] And how are you managing and controlling that?

[00:10:36] And there's generally a risk that the majority of APIs aren't really known about and they aren't controlled.

[00:10:44] And because of this, there's a huge risk that we have a lot of PII, a lot of credit card data, a lot of passport data, a lot of personal information and business information that could be unwillingly exposed and just waiting to be found by casual attackers.

[00:11:00] And given everything that we're talking about here today, unsurprisingly, zero trust is also increasingly being viewed as a critical strategy for cybersecurity.

[00:11:11] And in your view, though, from everything that you're seeing out there, what would you say are the key challenges organizations are facing in implementing that zero trust strategy?

[00:11:21] And how do they overcome them?

[00:11:23] Because I think traditionally it's been seen as a lot of hard work, very complex.

[00:11:27] Is that changing?

[00:11:29] So, yeah, zero trust has been a topic that's been discussed for many years.

[00:11:36] And I think a lot of people now realize that the naming was probably not the most ideal because it has a sort of a negative connotation.

[00:11:45] And I think sort of say, right, we're going to go zero trust always has a bit of a sort of never had the right impacts that we wanted it to do with the board.

[00:11:54] And I think, therefore, when organizations are going out and we had this conversation recently around the table I did.

[00:12:01] And we were talking about the fact of why zero trust is hard.

[00:12:05] And a lot of it was down to how it's positioned within the business.

[00:12:09] And if you sort of say, right, we're going to implement zero trust for all our employees.

[00:12:16] That sounds like a quite a major operation.

[00:12:18] It sounds like a fundamental change in the way that you're thinking about how your users are working.

[00:12:25] But if you say we're going to replace our VPN, that doesn't quite sound quite the same.

[00:12:31] But essentially, if you move to zero trust network access, you're replacing your VPN.

[00:12:36] It's the same thing.

[00:12:38] It's just a different way of positioning it.

[00:12:40] And it puts it in a way that actually makes sense.

[00:12:44] It's replacing the VPN with something that's more more opposite for 2024.

[00:12:49] It's something that gives us authentication, authorization and a greater degree of reporting and control.

[00:12:57] But it's essentially just replacing the VPN.

[00:12:59] So I think the way we need to look at it is look at how we're looking at the individual aspects of it.

[00:13:05] And when we're looking at things like micro segmentation, micro segmentation is something that is a really, really good tool in terms of visibility, for example,

[00:13:15] which is key to a lot of the resilience challenges organizations have.

[00:13:19] But it's also a great way to think about what zero trust is, which is essentially least privilege with lots of bells and whistles.

[00:13:27] But if we think about what we need to have as core for our minimum viable business, what is it?

[00:13:35] What is the bit that we really have to ensure works no matter what?

[00:13:40] Micro segmentation is great then for to say, OK, let's ensure we know everything about what goes into and out of that application.

[00:13:48] Every single user request, every single device access.

[00:13:52] We need to know what's happening around that.

[00:13:54] And then you've got something that's a lot more tangible.

[00:13:56] You could actually control that.

[00:13:58] You can see how that works.

[00:13:59] Once you've got that nailed down and ring fence, then you can start expanding out from there.

[00:14:04] But I think sort of thinking about how can we replace our VPN for our users and then looking at how we can protect our most viable core components for our minimum viable business.

[00:14:17] I think that's a way of sort of breaking down the problem into something that's a bit more digestible and achievable.

[00:14:25] I think inside every IT department is a certain amount of firefighting that goes off during the business as usual event.

[00:14:34] So with DDoS attacks evolving in both frequency and intensity, how should organizations better balance their resources between preventing attacks in a more proactive way and responding to incidents when they occur?

[00:14:48] I think everyone can agree we need to get to a more proactive than reactive approach, but getting there is not always as simple.

[00:14:55] So any advice on that?

[00:14:57] I think for DDoS, a lot of it actually can be prevented.

[00:15:02] And I think when you put in suitable DDoS controls in front of your networks, in front of your APIs, in front of your websites,

[00:15:13] there's a lot of automatic mitigation and preventive mitigation that can be put in there that kicks in automatically.

[00:15:20] And that's essentially what you want to be doing is you want to have a lot of these controls where it's going to be able to block a 400 gigabit DNS flood automatically without thinking about it.

[00:15:31] Because if it's going to happen and it's going to last, you're going to have no warning and it's going to hit.

[00:15:36] You've got to have the automatic prevention in place.

[00:15:39] However, it's also worth thinking about, OK, well, they're going to hit me with a DDoS attack.

[00:15:44] That's not just a UDP flood or not just a DNS flood or not just a SYN flood.

[00:15:50] What happens if they hit me with something that's a little bit more bespoke and a little bit more crafted?

[00:15:54] And that's when you need to have DDoS prevention tools that actually have a sock behind it as well.

[00:16:02] Because there are times when we've seen sort of crafted DDoS design for a particular organization where you need to have sort of engineers who can step in and start crafting rules on the fly as well.

[00:16:13] So it's a combination of working with your sock analyst within your organization itself to understanding what can be prevented automatically.

[00:16:24] And as I said, with most of DDoS, you can do this automatically.

[00:16:27] You can put the rules out in place.

[00:16:29] But it's also worthwhile ensuring that you have sock analysts in your own environment that can work with the bits that get through because they've gone for something particularly crafted.

[00:16:39] But also ensuring that the DDoS protection tools you put in place, ensuring they have the backup in terms of manpower to be able to craft specific rules as well to ensure that the multi-vector attacks and the specifically crafted attacks can be protected against as well.

[00:17:00] And the report also mentions that some of the high-profile threat actors have been particularly active in targeting financial services.

[00:17:10] And how should organizations be better preparing for defending against such well-resourced and motivated adversaries?

[00:17:17] Because it's something that can happen when you least expect it.

[00:17:21] But anything else that businesses should be doing?

[00:17:24] Yeah, we talked about our evil and anonymous Sudan in the report, amongst a few others.

[00:17:31] And anonymous Sudan, actually, we released a blog post last week where Akamai was able to assist government in the US in actually doing a DDoS takedown.

[00:17:43] So we were able to provide telemetry and information that was able to assist the authorities in taking down that particular threat actor.

[00:17:52] Unfortunately, there are a lot of other ones.

[00:17:54] There's people like Kilnet and Dark Meta who are still doing that DDoS hacktivism in their place.

[00:18:02] But things like Our Evil, that's more of a ransomware threat group.

[00:18:08] And ransomware and hacktivism DDoS are two different attack vectors which you need to treat as separate entities.

[00:18:17] There's ransomware.

[00:18:18] This is a financial game.

[00:18:21] This is purely for financial game.

[00:18:23] This is an organization that wants to get inside your business.

[00:18:26] They want to get inside.

[00:18:27] They want to find your critical data.

[00:18:29] And they either want to encrypt it or they want to exfiltrate it.

[00:18:33] Or potentially both.

[00:18:36] And this means they have to get inside your network.

[00:18:40] So first of all, they need to breach.

[00:18:41] And they can do this by a number of different mechanisms.

[00:18:45] They can do this by exploiting breached usernames and passwords that may exist on the dark web.

[00:18:51] They may exist to do like a local file inclusion on a website that you're hosting.

[00:18:56] They may be doing it through aiming people within your organization to reveal usernames and passwords.

[00:19:03] So things like multi-factor authentication, things like having zero trust network access to protect your end users is critical in that first initial part of the ingress.

[00:19:16] But then once, if the attackers do get inside your estate, one of the things that they're often presented with is what we call a flat network.

[00:19:24] Or a network that has a couple of internal firewalls but not a lot else.

[00:19:30] So once they're in, they have free reign to go and look all around the estate for whatever data they can find and encrypt.

[00:19:40] And this is where we found that things like micro-segmentation is really good at being able to protect organizations against that what we call east-west movement.

[00:19:51] When an attacker is in your estate and they're able to move left and right and look for other machines.

[00:19:59] Once they get to that machine, they can get information, intelligence, other usernames and passwords, then move on to another machine.

[00:20:05] So be able to put in stuff like micro-segmentation, which stops that lateral movement.

[00:20:12] It stops the ability for the attackers to use living off the land techniques that allow them to say, use SSH or RDP or tools like that to jump onto other machines.

[00:20:23] Or it leverages, it removes the possibility for the attackers to find vulnerabilities in other machines by reducing the opportunity they have to run certain scanners and tools like that.

[00:20:36] And the point is, is that we really need to ensure that these tools are in place because the attackers will get in.

[00:20:42] In a recent search report that we did, we looked at all of the DNS traffic that we see and we see trillions of DNS requests every single day.

[00:20:52] And when we looked at all of the data, we looked at all of the DNS requests that were going out to malware sites and phishing sites and command and control.

[00:21:02] Command and control is basically when something's inside your estate and calling out.

[00:21:07] So it's basically they're already inside an organization.

[00:21:10] When we looked at the DNS requests that were going to phishing, malware and control,

[00:21:16] one in five devices that we were tracking were calling out to one of those at least once a quarter, at least once a quarter, one in five, 20%.

[00:21:24] When we spoke it down by individual organization, one in eight organizations were talking to command and control server.

[00:21:34] So one in eight organizations already had malware inside their estate that was talking out.

[00:21:40] So it's basically essentially breached.

[00:21:42] So this is why putting things in place that prevent that lateral movement is really important.

[00:21:48] When over 10% of organizations are already breached.

[00:21:52] In terms of anonymous Sudan, who we've got taken down, but also the similar organizations such as Dark Matter and Kilnet really need to put this preventative DDoS in place.

[00:22:05] And this means looking outside your organization, because if you have a one gigabit per second bike to the Internet or even a five gig or 10 gig per second,

[00:22:14] that's very easily defeated by a $15 DDoS booter, which you can go on and get off the Dark Net.

[00:22:22] So you really need to put in sort of cloud protection, something that's in front of you that has capacity to suck up that huge amounts of DDoS traffic,

[00:22:33] but also has the capacity to have SOC engineers in there as well so they can pivot and ensure that you're protected against the multi-vector style attacks.

[00:22:43] Wow, some powerful stats in there.

[00:22:46] And if we were to look beyond the report and into 2025, which is just a matter of weeks away now,

[00:22:53] what emerging threats or trends are you seeing that financial institutions should be maybe concerned about, maybe monitor from afar?

[00:23:02] And how are you positioning yourself to help your clients navigate some of these challenges on the horizon?

[00:23:07] What are you seeing here?

[00:23:08] Well, I think with financial institutions, especially obviously in the EU, they're going to be massively focused on legislation.

[00:23:17] There's the DORA Digital Operational Resilience Act that's coming in place in the EU.

[00:23:22] And that will have a knock-on effect to a lot of organizations within the UK.

[00:23:27] So a lot of those organizations are going to be focused on how they can ensure that their platforms are geared up for the testing,

[00:23:35] the third-party resilience, the information sharing, the reporting, which I think is going to be a big challenge to do that within the time.

[00:23:42] And I think one of the things that's going to be key to these financial institutions is visibility into their assets.

[00:23:49] Because one of the things around the risk that they need to be quantifying within their estate and the reporting

[00:23:56] is knowing what they have and what it's doing.

[00:23:59] And real-time visibility into what their assets are communicating, real-time visibility into what their APIs are doing,

[00:24:08] is going to become ever more critical in 2025.

[00:24:13] And I think that's going to be the biggest driver, is really ensuring that organizations have a grasp into what's happening in real time.

[00:24:22] Because if you're a financial institution and somebody says,

[00:24:26] has this happened or what happened?

[00:24:28] Why are we getting this alert?

[00:24:29] Why do we think we've been breached?

[00:24:31] Why do we think we need to report?

[00:24:33] You need to be able to go to your data sets, go to your assets and say,

[00:24:36] show me all the RDP connections from this particular user to this asset in the last 24 hours.

[00:24:42] And that needs to be done in real language, in natural language,

[00:24:46] without having to query complex databases.

[00:24:48] You need to have all that data at your fingertips.

[00:24:53] So visibility and access to that data in real time, I think it's going to be the key driver.

[00:24:58] And although we are talking about a very serious topic today,

[00:25:02] I think every techie out there that has earned their stripes in the field will have picked up more than a few stories along the way.

[00:25:09] So to finish on, I'd love to have a bit of fun with you here.

[00:25:12] What is the funniest or most interesting story that has happened in your career?

[00:25:16] Because I suspect you've got more than a few.

[00:25:18] Some you'd be able to share, some you can't.

[00:25:20] But what can you share?

[00:25:23] I think, to be honest, it probably goes back to when I first started out in the industry,

[00:25:28] which was more than a few years ago.

[00:25:30] And it was one of those sort of expectation versus reality moments.

[00:25:34] When I finished college and I'd been doing a course that was teaching me machine code programming.

[00:25:44] I was programming in hex.

[00:25:45] I was learning how to build circuit boards.

[00:25:49] We were learning systems programming and all this sort of stuff.

[00:25:53] And I went to work for a company where I was essentially fixing mainframes.

[00:25:58] And that was the idea.

[00:26:00] We were going to fix big computer systems that existed in those days.

[00:26:05] And therefore, I was sort of expecting, I was given a toolkit with a soldery iron.

[00:26:11] I was given oscilloscopes because we had to fix hard drives and do lots of things with those.

[00:26:16] And various other bits and pieces.

[00:26:18] And the first thing that I was told to do was say, right, you need to go and buy.

[00:26:22] I said, well, you need to go and buy a Hoover because the first thing you need to do is you need to go around and clean all the ventilation fans on all the servers.

[00:26:34] I said, why do I need to do that?

[00:26:37] Because they said, because that's the number one cause of all the problems that we have with mainframes and with all the machines and all the terminals is dust from the fans.

[00:26:48] The dust gets sucked in by the fans.

[00:26:51] The dust sticks on all the circuit balls and the capacitors and whatever.

[00:26:55] Everything overheats and everything breaks.

[00:26:57] So if we get rid of the dust, we get rid of the problem.

[00:27:01] So that was my, after years of training, whatever, the first thing I was given was a Hoover to go and fix my, so that was my sort of, okay, so you really do have to start at the bottom.

[00:27:13] It was getting out the Hoover and sweeping up the dust and getting dirty for a couple of weeks was my first job in the industry.

[00:27:19] Oh, I absolutely love that.

[00:27:21] What a great story.

[00:27:22] But anyone listening just wants to learn a little bit more about anything we talked about today.

[00:27:27] Obviously, the report we referenced or contact you or your team.

[00:27:31] Where would you like to point everyone listening?

[00:27:33] I think the report that we do is really, really important.

[00:27:38] We do these every couple of months.

[00:27:40] If you go to akamai.com slash SOTI, that will take you to the Sochi website where we have all of the back catalogs of the last 10 years of reports that we've been doing.

[00:27:51] We also have a security team links on there as well.

[00:27:54] So you can go and look at some of the real-time data that Akamai is producing from what we see around the world.

[00:28:00] Else, you can come and find me on LinkedIn.

[00:28:02] Other than that, it's at the akamai.com website.

[00:28:05] Awesome.

[00:28:05] I'll ensure there's links waiting for everybody so they can find you nice and easily.

[00:28:10] And as you said there, 10 years now, Akamai has been providing expert insights into the cybersecurity and web performance landscapes based on data gathered from Akamai's connected cloud.

[00:28:22] I'd love to stay in touch with you, see what other trends we uncover next year.

[00:28:27] But more than anything, just thank you for shining a light on this research and your incredible insights.

[00:28:32] Thanks again.

[00:28:32] Thank you very much indeed, Neil.

[00:28:34] It's been a pleasure to be on your show.

[00:28:36] So a big thank you to Richard for those invaluable insights.

[00:28:40] And I'd love to hear your thoughts on this, everyone.

[00:28:43] Email techblogwriteroutlook.com, Instagram, X, LinkedIn, just at Neil C. Hughes.

[00:28:50] But that's it for today's episode.

[00:28:52] I'll return again tomorrow with another guest.

[00:28:55] But more than anything, thank you, Richard, for bringing this conversation to life.

[00:28:58] And an even bigger thank you to each and every one of you for listening.

[00:29:02] Without you, without your emails and messages and support, this show wouldn't exist.

[00:29:08] So thank you.

[00:29:08] And hopefully I will get to speak with you all again bright and early tomorrow.

[00:29:12] Bye for now.