Akamai CTO on Shifting Threat Landscape

Akamai Intelligent Edge Platform handles trillions of internet requests on a daily basis, and it has stopped massive DDoS attacks of 1.44 terabits per second and 809 million packets per second. Akamai claims all network layer DDoS attacks are instantly dropped at the edge with a zero-second service-level agreement.

See Also: Live Webinar | Integrating Splunk and Panther for Real-Time Alerting and Custom Dashboarding

Robert Blumofe, executive vice president and CTO at Akamai, played an instrumental role in the early design and development of the Intelligent Edge platform and led all of Akamai’s networks and operations groups from 2004 to 2021.

In this Q&A with Information Security Media Group (edited for brevity), Blumofe discussed the major attack vectors in 2024 and steps organizations need to take to protect their systems.

How have attackers changed their tactics in the past five years?

Blumofe: There has been a significant change from hacktivists being the primary threat actors to organized criminals driven by financial motives. Hence, the increase in extortion via ransomware and DDoS attacks.

Previously, attacks were relatively unsophisticated and low-scale, meaning they were perpetrating attacks opportunistically. Today, attackers use sophisticated tools and operate at scale. They are organized criminals and have their own HR, recruiting and marketing teams.

It’s no longer one attack a day, it’s now thousands of attacks every hour. They can even attack mid-market and small companies.

During and after the COVID-19 pandemic, we saw more people using the internet, and using the same devices at home and for enterprise work, leading to a surge in all these attacks. All it takes is one careless click on a link in an email, by one employee, to infect the enterprise network with malware.

What were the biggest initial access vectors in 2023? What can we expect this year?

Blumofe: Application programming interface or API is now emerging as a new attack vector. There is a constant time-to-market with rapid digitalization, where security often takes a backseat, especially on APIs. There is a greater degree of control with internal APIs. However, with external APIs – partner, B2B and shadow APIs – there’s zero visibility around how many APIs are vulnerable and how many APIs carry personally identifiable information.

Stolen credentials is another one. However, more than half of the initial penetration comes from phishing attacks.

The model is the attacker that has to first get a beachhead, and then find something that they can hold for ransom. There are multiple ways to get a beachhead. I already mentioned public APIs, phishing and application vulnerabilities. They also try to attack endpoints including employee laptops with weak network security at home.

The key is to ensure that the initial beachhead is not able to propagate within the enterprise to something that’s of high value that can be held for ransom.

I think the next five years are going to be characterized by criminal adoption of AI. Social engineering attacks and threats from AI, including deepfake, will be major attack vectors in 2024.

How do you control the lateral spread of these attacks?

Blumofe: There are two dominant technologies that prevent lateral spread: zero trust and microsegmentation.

Microsegmentation involves dividing a network into segments and applying security controls to each segment based on the segment’s requirements. With this, you can have rules to ensure that each application is only able to see the application it needs. That’s how you control east-west lateral spread.

Then there’s zero trust access, which is a similar idea, but for north-south traffic. A user device should only be able to see, and route to, applications based on the user role. That’s very different from what a VPN allows a user to do. With a VPN, a user can scan the network and see everything, and if that laptop is compromised, then the attacker can see everything on your network. If they have visibility, they can execute (malicious) code and exploit a vulnerability.

A non-HR person should not be able to log into or see an HR database. The key thing is visibility and routing packets to the HR database. If an attacker can route packets to it, they can execute code and cause damage – including preventing authorized users from accessing it – or they could steal data.

What forms of negligence are you seeing in enterprises? How do you help?

Blumofe: Many companies have not yet implemented microsegmentation and zero trust access. They continue to use traditional VPNs. They should also be using FIDO2-based multifactor authentication or MFA.

Breaches continue to persist through the use of stolen credentials. We have some capabilities that can help identify when stolen credentials are being used. We also have a whole suite of cybersecurity products and solutions, which include solutions for zero trust. We have a leading solution for microsegmentation called Guardicore. Included in our portfolio is a web application firewall for API security.

Approximately 35%-40% of the total internet traffic is observed daily on the Akamai Intelligent Edge Platform. It’s both good and bad traffic, and we are using that data to train our AI models. We’ve been doing that for nearly 10 years.

Any words of advice to CISOs and CIOs?

Blumofe: Beware of security vendors who try to sell you AI-powered solutions they claim are the answer to all your security woes. Deploy FIDO2-based MFA. Adopt zero trust and microsegmentation solutions. CIOs and CISOs need to have full visibility into their networks – not attackers.

Dr. Blumofe has more than 20 years of leadership experience in 5G, IoT, edge computing and zero trust. At Akamai, he guides the company’s technology and strategy to capitalize on growth opportunities and assess new markets and platforms for innovation.