There are good bots - and there are bad bots. Which is why you should care and know how to manage them so that you remain secure, but can continue to successfully conduct your business over the Internet. Presentation by Xavier Daspre at the Akamai Trust No One City Tour.

1. © 2019 Akamai | Confidential1
Trust No One City Tour
What is a bot and why you
should care
Xavier Daspre
Sr. Cloud Security Architect - EMEA

2. © 2019 Akamai | Confidential2
AGENDA
• Understanding the bot problem
• Bots families
• Nice business
• Wrap up

3. © 2019 Akamai | Confidential3
What is a bot ?

4. © 2019 Akamai | Confidential4
THE “BOT PROBLEM”
Understanding the bots…
Your site traffic What you think your traffic looks
like
What your traffic actually looks
like

5. © 2019 Akamai | Confidential5
Those who eat

6. © 2019 Akamai | Confidential6
How to scrap digital content
Protect content

7. © 2019 Akamai | Confidential7
Scrap and consume

8. © 2019 Akamai | Confidential8
Transactional Endpoints- Two Classes of Bots
1. Scraping Bots
2. Transactional Bots
Example1 : Price Scraping (Good or Bad)
Example2 : Content Scraping (Good or Bad)
Example3 : Google Web Crawler (Good)

9. © 2019 Akamai | Confidential9
Transactional Endpoints- Two Types
1. Scraping Bots
2. Transactional Bots
Example 1 : Login Attack :: Credential Abuse (Bad)
Example 2 : Fake Account Signup (Bad)
Example 3 : Concert Ticket Grabbers (Bad)

10. © 2019 Akamai | Confidential10
Those who attack

11. © 2019 Akamai | Confidential11
Grow revenue opportunities with fast, personalized
web experiences and manage complexity from peak
demand, mobile devices and data collection.
Sign In
CS
User name
Password

12. © 2019 Akamai | Confidential12
Grow revenue opportunities with fast, personalized
web experiences and manage complexity from peak
demand, mobile devices and data collection.
CS
User nameXavie
PasswordLet’s talk credential stuff
Sign InSign In
in
r
g

13. © 2019 Akamai | Confidential13

14. © 2019 Akamai | Confidential14

15. © 2019 Akamai | Confidential15
Grow revenue opportunities with fast, personalized
web experiences and manage complexity from peak
demand, mobile devices and data collection.
Sign In
CS
Xavier
Let’s talk credential stuffing

16. © 2019 Akamai | Confidential16
Grow revenue opportunities with fast, personalized
web experiences and manage complexity from peak
demand, mobile devices and data collection.
Sign In
CS
Xavier
Let’s talk credential
Sign In
stuffing

17. © 2019 Akamai | Confidential17
Grow revenue opportunities with fast, personalized
web experiences and manage complexity from peak
demand, mobile devices and data collection.
Sign In
ABC
User name
Password

18. © 2019 Akamai | Confidential18
Grow revenue opportunities with fast, personalized
web experiences and manage complexity from peak
demand, mobile devices and data collection.
ABC
User nameXavier
PasswordLet’s talk credential
Sign InSign In
stuffing

19. © 2019 Akamai | Confidential19
Grow revenue opportunities with fast, personalized
web experiences and manage complexity from peak
demand, mobile devices and data collection.
Sign In
AFF
User name
Password

20. © 2019 Akamai | Confidential20
Grow revenue opportunities with fast, personalized
web experiences and manage complexity from peak
demand, mobile devices and data collection.
AFF
User nameXavier
PasswordLet’s talk credential
Sign InSign In
stuffing

21. © 2019 Akamai | Confidential21
Grow revenue opportunities with fast, personalized
web experiences and manage complexity from peak
demand, mobile devices and data collection.
My-Carrier 12:00 PM 21%
Edit
Hello!
Sign in to access your money.
Sign In
User name
Password

22. © 2019 Akamai | Confidential22
Grow revenue opportunities with fast, personalized
web experiences and manage complexity from peak
demand, mobile devices and data collection.
My-Carrier 12:00 PM 21%
Edit
Hello!
Sign in to access your money.
Sign In
User nameXavier
PasswordLet’s talk credential
Sign In
stuffing

23. © 2019 Akamai | Confidential23
Grow revenue opportunities with fast, personalized
web experiences and manage complexity from peak
demand, mobile devices and data collection.
Xavier D paid Joe Smith
for the lulz
Like Comment $-1,999.00
1m
Xavier D paid AdultFriendFinder
for XoXoXo
Like Comment $-1,000.00
1m
Xavier D paid Need Mulaah
for alcohol and drugs
Like Comment $-1,500.00
1m
Xavier D paid YouGotPwned
for 10QSucka
Like Comment $-1,999.00
1m
Xavier D
@Xavier_D
Member since Yesterday
Account balance: $6,500.00
My-Carrier 12:00 PM 21%
Edit
$4,501.00$3,501.00$2,001.00$2.00
2m
3m
4m
2m
3m
2m

24. © 2019 Akamai | Confidential24
Grow revenue opportunities with fast, personalized
web experiences and manage complexity from peak
demand, mobile devices and data collection.
Xavier D paid YouGotPwned
for 10QSucka
Like Comment $-1,999.00
1m
Xavier D paid Need Mulaah
for alcohol and drugs
Like Comment $-1,500.00
2m
Xavier D paid AdultFriendFinder
for XoXoXo
Like Comment $-1,000.00
3m
Xavier D paid Joe Smith
for the lulz
Like Comment $-1,999.00
4m
Xavier D paid YouGotPwned, Need Mulaah,
AdultFriendFinder, and Joe Smith
Like Comment WTF?
$-6,498.00
Xavier D
@Xavier_D
Member since Yesterday
Account balance: $2.00
My-Carrier 12:00 PM 21%
Edit

25. © 2019 Akamai | Confidential25
Xavier D paid YouGotPwned, Need Mulaah,
AdultFriendFinder, and Joe Smith
Like Comment WTF?
$-6,498.00
Xavier D
@Xavier_D
Member since Yesterday
Account balance: $2.00
My-Carrier 12:00 PM 21%
Edit
WTF?

26. © 2019 Akamai | Confidential26
Credential Abuse to ATO

27. © 2019 Akamai | Confidential27
Darknet insight : Sales !

28. © 2019 Akamai | Confidential28
Darknet insight : Sell the valued accounts

29. © 2019 Akamai | Confidential29
Money lost to fraud per
compromised account
25%
29%
22%
14%
10%
Less
than
$100
$100
to
$500
$501
to
$1,000
$1,001
to
$5,000
More
than
$5,000
Ponemon—The Cost of Credential Stuffing, Oct 2017
BUSINESS IMPACT
Understanding the cost of credential stuffing
Number of accounts
targeted per attack
19%
35%
28%
11%
7%
1 to
100
101 to
500
501 to
1,000
1,001
to
5,000
More
than
5,000
Number of credential
stuffing attacks per month
0%
41%
38%
12%
9%
None 1 to 5 6 to 10 11 to
20
More
than
21

30. © 2019 Akamai | Confidential30
Industry IPs Participating Login Requests % of Total Requests
Gaming 7,712,894 1,358,045,044 61.30%
Hotels & Resorts 122,026 232,309,946 10.49%
Cards & Payments 477,507 148,304,255 6.69%
Department Stores 326,151 104,748,065 4.73%
Commerce Portal 66,321 60,199,822 2.72%
Banking 349,474 55,356,808 2.50%
Airline 86,346 41,004,594 1.85%
Cosmetics 82,808 38,197,524 1.72%
Consumer Software (B2C) 224,707 28,202,339 1.27%
Social Media 127,396 26,557,605 1.20%
Enterprise Software (B2B) 21,290 25,383,158 1.15%
Consumer Electronics 50,984 25,264,381 1.14%
Apparel & Footwear 66,414 19,692,260 0.89%
Online Travel Agents 102,555 8,935,366 0.40%
Federal 3,403 7,454,257 0.34%
INDUSTRY BREAKDOWN
A 1-week view into Akamai customers

31. © 2019 Akamai | Confidential31
• Majority of IPs performing credential
stuffing make less than 1 request
per minute
• Average is 28 requests per hour
• Maximum request rate observed
from a single IP during the sampled
period - 625,000 requests per hour
(173 login requests per seconds)
Rate Controls are only effective against the rare bots that fall outside typical human request rate thresholds
ATTACK CHARACTERISTICS
What an attack looks like

32. © 2019 Akamai | Confidential32
CONSEQUENCES
Wide-ranging impacts of credential stuffing
5%
17%
41%
43%
50%
63%
67%
Other
Damaged brand equity from news
stories or social media
Lost business due to customers
switching to competitors
Compromised accounts leading to
fraud-related financial losses
Lower customer satisfaction
Cost to remediate compromised
accounts
Application downtime from large
spikes in login traffic

33. © 2019 Akamai | Confidential33
RESPONSIBILITY
Dispersed throughout the organization
5%
2%
3%
3%
9%
13%
16%
20%
21%
28%
3%
40%
Other
Compliance / audit
CEO / COO
Head of legal
Data center / IT…
Web hosting service…
Head of risk…
CISO / CSO
Fraud prevention /…
CIO / CTO
Line of business /…
No one function has…

34. © 2019 Akamai | Confidential34
IP Rate
Limiting
Network
Header
Analysis
Browser
Property
Analysis
BM Premier exploits ”what makes us human”.
Neuro-muscular interaction is much harder for
machine scripts to replicate.
Traditional Methods : Less Effective
against Credential Abuse.
How Akamai approaches the challenge

35. © 2019 Akamai | Confidential35
Conclusion

36. © 2019 Akamai | Confidential36
Achieving desired outcomes
AKAMAI DIFFERENCE
Ability to manage bot traffic on the Akamai
CDN before it reaches your website,
offloading your origin infrastructure
The latest technologies that can detect the
most sophisticated bots today even as they
evolve to avoid detection
Real-time intelligence from visibility into bot
traffic interacting with many of the largest web
presences around the world
Ability to manage wide array of both good and
bad bots and customize response based on
your business and IT goals
Granular visibility / reporting allows you to
analyze your bot traffic and implement your
bot strategy without being a black box
Security experts who can help implement
and tune your bot management strategy and
respond to security events

37. © 2019 Akamai | Confidential3737 | Akamai Nordics City Tour | © 2019 Akamai | Confidential
Thanks for your attention
Questions ?!

38. © 2019 Akamai | Confidential38