Q3 ThreatX Platform Data: Spotlight on the Banking Industry

PUBLISHED ON December 12, 2023
LAST UPDATED Dec 12, 2023

In our recent analysis of our Q3 platform data, we found that the banking industry stood out in a couple areas. First, its use of APIs is much higher than other industries. In fact, 76.17 percent of its HTTP traffic is API-driven. This high percentage highlights the need for specialized security solutions to safeguard against API-specific vulnerabilities and to offer API protection and insights.   

In addition, banking is subjected to higher rates of brute force attacks, like programmatic access and credential stuffing, than other industries. Together, these types of attacks make up approximately 57 percent of the total attack classifications within the sector, a notably high concentration. These attack vectors are often employed to gain unauthorized access to financial data and should be critical focal points in any robust security strategy.   

A Deeper Look at the Top Attacks in the Banking Sector  

Credential stuffing: This is the most prevalent attack type in the banking sector, with an average percentage significantly higher than other attacks. Credential stuffing attacks aim to gain unauthorized access to accounts by using known username-password combinations, often obtained from previous data breaches. Given the sensitive nature of banking data, the high prevalence of credential stuffing attacks is a critical security concern.   

Keep in mind that credential stuffing techniques are able to sidestep traditional WAF signatures and rate-based rules for several reasons. Most notably, the techniques do not rely on an exploit or other overt malicious action, and instead, use/abuse the exposed functionality of an application in unexpected ways.   

In this case, the attacker, usually in the form of a bot, is using the application’s login functionality in much the same way that a legitimate user does.  

Additionally, since attackers have many username/password combinations to cycle through, the work is typically done by a large, distributed botnet or other forms of malicious automation. This not only speeds up the work, but it allows the attacker to distribute the attack over a large number of IP addresses so that it isn’t obvious that the attack traffic is coming from a specific set of IPs.  

Get more details on our research into credential stuffing in our new report, Trends in Credential Stuffing and How to Identify It.

Programmatic access: This type of attack involves automated or non-human interactions with web applications and APIs, potentially aiming to scrape data, perform unauthorized transactions, or exploit vulnerabilities.   

Brute force: Brute force attacks attempt to gain access to resources by trying multiple combinations of credentials. Given the sensitive nature of financial data, this type of attack is particularly concerning for the banking sector.   

Error rate: This could indicate an abnormally high rate of errors in HTTP requests, often a red flag for either malfunctioning applications or malicious activity such as probing for vulnerabilities.   

Customer rule: This represents matches to custom-defined rules within the ThreatX API and Application Protection platform. Its appearance among the top attacks suggests that bespoke rules could be effective in the banking sector for identifying and mitigating unique risks.   

The high level of brute-force type attacks underscore the need for specialized security measures in the banking sector, including multi-factor authentication, rate-limiting, and advanced behavioral analytics. Given that these types of attacks constitute a significant portion of the security challenges in this vertical, targeted solutions are crucial for robust protection.   


Get more details on the on our API and application security data for Q3 2023.


About the Author

Neil Weitzel

Neil is the Manager of the ThreatX Security Operations Center and is located in Boston, MA. He has 15 years of experience working in various roles, from user support to leading security programs. Neil has profound experience in security architecture and cybersecurity best practices, which helps him provide valuable insight to security teams. Before ThreatX, Neil worked with organizations such as Cognizant as an Application Security Architect, Cigital (now Synopsys) as their Practice Director of Vulnerability Assessments, and EIQ Networks (now Cygilant) as their Director of Security Research. Neil also served as a Cybersecurity Instructor and delivered numerous Security and Defensive Programming courses to various clients such as NASA and PayPal. He is an active member of the security community and has delivered lectures at DEF CON, OWASP and local security meetups. Neil also acts as an adjunct lecturer on Software Engineering at his alma mater, Indiana University.