Holiday Readiness, Part II: Best Practices for Detecting and Mitigating Attacks

Written by

Jeff Darnton

October 07, 2022

Jeff Darnton is a Strategic Engagement Manager at Akamai Technologies.

In Part I of our 2022 holiday readiness series, we discussed how to prepare for and manage peak application and system performance in a post-pandemic retail environment. Now, we’ll dive into application security best practices and focus on recommendations for detecting and mitigating a variety of abuse scenarios.

Three important insights for retailers

In preparation for this year’s holiday season — and beyond — it seems appropriate to start by taking a look at the current threat landscape. In our most recent Akamai Web Application and API Threat Report, our security research team provided an in-depth look at the attack trends they derived from the tens of millions of attacks Akamai mitigates every day. A number of key trends were uncovered, but the three most important insights retailers should take note of are:

  1. Retail is now the most attacked subvertical, taking the top spot from hotel and travel in April 2022. Attackers are “following the money” as consumers and retailers transact more and more through digital channels. Whatever you saw for attack traffic last year, last month, or last week — expect even more this holiday season.

  2. Local file inclusion (LFI) is now the most observed web application attack vector, followed by cross-site scripting (XSS), with Structured Query Language injection (SQLi) dropping to third. Attackers are no longer just looking for data exfiltration; they want the ability to inject malicious code into your application. The good news is Akamai App & API Protector provides advanced protection against LFI attacks straight out of the box.

  3. The United States is now the most common attack source and attack destination. Attackers are leveraging the same networks and devices that your customers are using. Geo-based controls and IP reputation still have a place in an overall security strategy, but the value from this data source is not what it once was. Now, retailers must leverage more advanced detections.

Three attack campaign patterns

Additionally, the report identified three notable attack campaign patterns. In preparation for the holidays, we can use these scenarios to better tune our detection, response, and mitigation plans.

Pattern #1 — persistent attack campaigns

Not surprisingly, attacks happen all day, every day. The Akamai Web Application and API Threat Report showed that customers across all verticals and geographies experienced consistent levels of attack traffic. This constant assault is the “noise” generated by doing business on the internet. While it cannot be ignored, this noise can essentially be “tuned out” by ensuring your security systems automatically mitigate attacks without alerting your incident responders or requiring manual intervention.

Although there aren't any holiday-specific readiness activities necessary to prepare for persistent attacks, you should use this time every year to review the fundamentals to help reduce threat noise. You can:

  • Ensure all Akamaized hostnames are covered by an appropriate match target within your security configuration. You can View Protection by Hostname to check for any coverage gaps.

  • Ensure you have created Allow and Deny Network Lists so that you can quickly add geographies or IP addresses without requiring a security configuration deployment.

  • Ensure your Burst and Average rate thresholds are appropriate for the different rate controls you may have in place. If your edge hostname is IPv6-enabled, ensure you have IPv6 rate controls enabled.

  • Ensure your SiteShield maps are up-to-date with the latest IP sets and your origin ACLs are appropriately configured.

  • Review the Users and Roles that have access to your security configuration to ensure least privilege is enabled, and all team members have the appropriate level of access.

Now that you have the basics covered, let’s look at the other attack campaign trends that are more directly applicable to holiday readiness.

Pattern #2 — short-burst attack campaigns

This second attack pattern shows volumetric activity on the order of 10x to 30x normal volume, which tends to run for just a few days and then disappear. Generally, these attacks show a broad range of exploits, suggesting the attackers may be scouting or probing infrastructure to look for weak areas, or to determine at what traffic volumes your defenses may start to be adversely affected.

Retailers should expect to see these short-burst attack campaigns in the lead-up to the holiday period. What this means is you need your security infrastructure ready for the holiday period now, rather than in a few months. You should:

  • Ensure you have Alerts configured at the appropriate thresholds for “high warned volumetric activity” and that these alerts are sent to your incident response team, as well as the Akamai Security Operations Command Center. This particular alert will indicate when attack traffic potentially finds a control that is not appropriately tuned, or that the attack could start to degrade the performance or functionality of your application.

  • Review weekly attack trend data and start identifying these short bursts, and use them to anticipate what sort of attacks you may see during your peak days. Set a 45-minute weekly meeting with the stakeholders on your security and threat teams to review Web Security Reports, Bot Trends, and Reputation Trends. Make sure to include a short review of the response to all triggered alerts seen in the last week and update any response procedures (for true positive alerts) or thresholds (to eliminate false positive alerts) as needed.
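The weekly trend review above is easier when the short-burst and big-bang patterns are flagged automatically. The following is an added example, not Akamai code: it takes hourly counts of WAF-flagged requests (constructed sample data), uses the trailing week's median as "normal volume," flags hours at 10x or more, and groups them into campaigns classified by duration to match the two patterns the report describes.

```python
from statistics import median
from typing import Dict, List

BASELINE_HOURS = 24 * 7      # trailing week used as the "normal volume" baseline
BURST_FACTOR = 10            # flag hours at 10x normal, the low end of the report's range
BIG_BANG_MAX_HOURS = 24      # hours-to-a-day campaigns are "big-bang", longer is "short-burst"

def find_campaigns(counts: List[int]) -> List[Dict]:
    """Group consecutive over-threshold hours into campaigns with start, length, peak, kind."""
    campaigns, current = [], None
    for hour, count in enumerate(counts):
        if hour < BASELINE_HOURS:
            continue                                # need a full week of history first
        baseline = max(1, median(counts[hour - BASELINE_HOURS:hour]))
        multiplier = count / baseline
        if multiplier >= BURST_FACTOR:
            if current is None:
                current = {"start": hour, "hours": 0, "peak": 0.0}
            current["hours"] += 1
            current["peak"] = max(current["peak"], multiplier)
        elif current is not None:
            campaigns.append(_close(current))
            current = None
    if current is not None:
        campaigns.append(_close(current))
    return campaigns

def _close(c: Dict) -> Dict:
    c["kind"] = "big-bang" if c["hours"] <= BIG_BANG_MAX_HOURS else "short-burst"
    c["peak"] = round(c["peak"], 1)
    return c

def sample_counts() -> List[int]:
    """Constructed 4 weeks of hourly WAF-flagged request counts: ~100/hour of
    persistent noise, a 3-day 15x probe from day 10, and a 6-hour 30x spike on day 20."""
    counts = [100 + (h % 7) for h in range(24 * 28)]
    for h in range(24 * 10, 24 * 13):                   # short-burst campaign
        counts[h] = 1500
    for h in range(24 * 20 + 8, 24 * 20 + 14):          # big-bang campaign
        counts[h] = 3000
    return counts

if __name__ == "__main__":
    for campaign in find_campaigns(sample_counts()):
        print(campaign)
```

Feeding real hourly counts from your security reports in place of sample_counts() gives a weekly list of campaigns to walk through in the stakeholder meeting.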

Pattern #3 — big-bang attack campaigns

The third attack pattern is the most critical to prepare for this holiday season. Our study showed that customers are seeing surprise attacks at up to 30x normal attack traffic volume. These attacks arrive with little to no warning and last from just a few hours to a day in duration. 

Knowing that retail customers will already be stretched thin to support the additional online shopping volume, an attack of this magnitude during a peak event could completely overwhelm critical applications. A dedicated attacker will know your promotions schedule and will plan their attacks accordingly to inflict the most pain.

In addition to taxing your infrastructure, big-bang attacks will also stretch your most critical resource — your incident responders. Planning must extend beyond just your technical controls and take into account your human resources. With this in mind:

  • Ensure you leverage protections that automatically adapt to new exploits and changes in traffic volumes. Akamai Adaptive Security Engine is designed to provide precisely this kind of protection. In fact, customers who were leveraging Adaptive Security Engine in “automatic” mode during the holiday season of 2021 were automatically protected against the zero-day Log4j vulnerabilities with no manual intervention required.

    This not only ensured applications were immediately protected, but also meant that incident response teams did not have to scramble to build manual rulesets under pressure. If you are currently leveraging App & API Protector, plan to update your rulesets to leverage Adaptive Security Engine in automatic mode as soon as possible.

  • Use a risk-scoring approach for application security and bot controls, rather than a binary “good” or “bad” request model. This scoring approach allows you to more aggressively defend against suspect traffic while providing any real users a “safety valve” if they are inadvertently classified as suspicious. This means you can reduce the false negative rate without increasing the false positive rate.

    • Akamai’s bot scoring is a perfect example of this kind of approach. High-confidence bot detections are mitigated with traditional deny/tarpit, while midrange confidence transactions are presented with a challenge action. In this scenario, any suspect bots fail the challenge, while real users are allowed to pass. 

    • Risk scoring is also leveraged within Adaptive Security Engine, Client Reputation, and other Akamai controls. As a bonus, you can use our tuning simulator to ensure your thresholds are appropriately set prior to the holiday season.

  • Leverage a defense in-depth approach, mitigating traffic as far from your origins as possible, but ensuring that detection intelligence at each layer is shared down the rest of the defensive stack. A solid security strategy will treat traffic like a “funnel” in which total traffic volume is reduced at each protection layer as it is deemed malicious.

    Simple controls are deployed first (network controls, rate controls, etc.) and then passed to more sophisticated detections as total volume is reduced. This goes beyond simply moving controls to “deny” mode at the edge.

  • Retailers should also enable intelligence sharing between layers by enabling forward notification by turning on Bot Headers, Client Reputation headers, and other custom instrumentation. As traffic moves to the next layer of detection, that layer starts from the previous layer's verdict rather than from a “cold start,” which allows detection to improve progressively down the stack.

    This also allows for “step-up” challenges at lower layers where you may want to enforce two-factor authentication, re-login, CVV authentication, or referral to fraud tools. Finally, ensure each layer is sending logs to your SIEM so you can retain full visibility over what traffic was denied and where.
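To make the risk-scoring and funnel recommendations above concrete, here is an added example that is not Akamai's own bot or Adaptive Security Engine logic. It assumes a 0-100 risk scale with deny at 80 and challenge at 40 (the “safety valve”), a constructed network list and client reputation table, and constructed bot signals; each layer writes its verdict into a request header so the next layer does not start cold, and only the cheapest high-confidence denies happen early.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

DENY_AT, CHALLENGE_AT = 80, 40                  # assumed thresholds on a 0-100 scale
DENY_LIST = {"203.0.113.9"}                     # constructed network list
REPUTATION = {"198.51.100.7": 65, "192.0.2.44": 20}  # constructed client reputation
SENSITIVE_PATHS = ("/checkout", "/login", "/account")
AUTOMATION_TOKENS = ("python-requests", "curl", "headless")

@dataclass
class Request:
    ip: str
    path: str
    user_agent: str
    requests_per_min: int
    headers: Dict[str, str] = field(default_factory=dict)  # forwarded verdicts

def network_layer(req: Request) -> str:
    """Cheapest control first: hard deny from the network list, else tag reputation."""
    if req.ip in DENY_LIST:
        return "deny"
    req.headers["X-Client-Reputation"] = str(REPUTATION.get(req.ip, 0))
    return ""

def bot_layer(req: Request) -> str:
    """Bot score from constructed signals; only high confidence is denied here,
    the rest is forwarded so the next layer does not start cold."""
    score = 50 if not req.user_agent else 0
    score += 40 if any(t in req.user_agent.lower() for t in AUTOMATION_TOKENS) else 0
    score += 30 if req.requests_per_min > 120 else 0
    req.headers["X-Bot-Score"] = str(min(score, 100))
    return "deny" if score >= DENY_AT else ""

def app_layer(req: Request) -> str:
    """Combine forwarded scores with application context into one risk score."""
    risk = max(int(req.headers["X-Bot-Score"]), int(req.headers["X-Client-Reputation"]))
    if req.path.startswith(SENSITIVE_PATHS):
        risk += 15                              # step-up on sensitive paths
    if risk >= DENY_AT:
        return "deny"
    return "challenge" if risk >= CHALLENGE_AT else "allow"

def decide(req: Request) -> Tuple[str, Dict[str, str]]:
    """Run the funnel top-down; return the action and the headers forwarded so far."""
    for layer in (network_layer, bot_layer):
        verdict = layer(req)
        if verdict:
            return verdict, req.headers
    return app_layer(req), req.headers
```

A mid-range client (reputation 65, no bot signals) ends in a challenge rather than a deny, which is the safety valve a binary model cannot offer; the returned headers are what you would log to the SIEM for each layer's verdict.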

What about DDoS? Is that still a thing?

Even in today’s world of cloud-hosted applications and distributed microservices, the distributed denial-of-service (DDoS) threat is alive and more powerful than ever before. In fact, on Monday, September 12, 2022, Akamai successfully detected and mitigated the now-largest DDoS attack ever launched against a European customer on the Prolexic platform, with attack traffic abruptly spiking to 704.8 Mpps in an aggressive attempt to cripple the organization’s business operations. The most interconnected cloud data center simply cannot absorb this level of traffic. 

The bottom line: Retailers need a proven DDoS mitigation strategy and platform in place prior to the holiday season to reduce the risk of disruption or business-impacting downtime.

Retailers should review critical subnets and IP spaces, and ensure that they have mitigation controls in place. Protections should extend not only to traditional data centers but also to critical cloud-hosted IP ranges. For those organizations that choose to leverage protections in an on-demand manner, consider moving to an always-on model for some or all of this holiday season.

Wrapping up

Retailers should also honestly evaluate the skill, capability, and capacity of their in-house security and incident response resources. Akamai not only provides all the technical controls and platforms to enable success, but we also have some of the world's foremost security experts who can help augment your internal capabilities — whether that is during the planning and preparation stages or in a 24/7 response capacity when you are under attack.

If 2021 was any indication, 2022’s holiday season is poised to present new security challenges at levels not seen before. The good news is that by preparing early, planning and reviewing attack trend data, and tuning your controls and response plans appropriately, you can set yourself up for success and improve resiliency throughout the holiday season. 

To talk more about best practices for improving your defensive posture, reach out to us. 

Additional resources

Retail Dive webinar: Are You Prepared to Thrive Online This Holiday Season…and Beyond?

Retail & Hospitality ISAC blog: We Blocked Big Bots…and Our Data Doesn’t Lie
