Security

From DDoS to Agentic AI: The New Threat Landscape for Financial Services | Steve Winterfeld, Akamai | TFiR

0

Geopolitical conflict is no longer just a physical phenomenon. It is producing measurable, quantifiable spikes in DDoS campaigns, API abuse, and layer 7 attacks against financial institutions across multiple regions simultaneously. Security teams that model their defenses on last year’s threat landscape are already behind.

In this interview on TFiR, Steve Winterfeld, Advisory CISO at Akamai, breaks down the regional attack trends, hacktivist coordination patterns, and infrastructure decisions covered in Akamai’s State of the Internet report for financial services, and explains what practitioners must update in their SOC strategy right now.

Guest: Steve Winterfeld, Advisory CISO at Akamai
Show: TFiR

Here is what every security leader and SOC practitioner in financial services needs to know.

Technical Deep Dive

Q: What are the biggest regional shifts in DDoS attacks targeting financial services this year?

Steve Winterfeld, Advisory CISO at Akamai, explains that while the previous three years saw heavy DDoS activity centered on Europe driven by the conflict there, this year’s State of the Internet report shows a significant shift toward the Middle East. Pro-Iran hacktivist groups, both operating in isolation and in coordinated campaigns, dramatically increased DDoS attacks against banking and payment systems in the region. Europe and the Middle East were dominated by layer 3 and layer 4 infrastructure-level attacks, Asia-Pacific saw a 52% increase in layer 7 application-targeted DDoS, and North America experienced a 44% increase in layer 7 attacks focused on APIs and web properties rather than CDN traffic.

“We saw pro-Iran hacktivist, both isolated and coordinated DDoS attacks dramatically increased going after banking payment systems.” — Steve Winterfeld, Advisory CISO, Akamai

Q: How does the cyber dimension of geopolitical conflict translate into specific attack patterns for financial institutions?

Winterfeld describes a parallel structure that now characterizes modern conflict: a kinetic layer involving physical events, and a cyber layer involving coordinated digital attacks that run alongside or in response to those events. For financial services, this means threat actors are using DDoS campaigns as a direct instrument of geopolitical pressure, with APIs as a concentrated point of focus. The implication for security teams is that threat modeling must account for geopolitical triggers, not just technical vulnerability cycles.

“You have the kinetic war where there’s physical stuff happening, and then you have that cyber war where there’s these digital conflicts happening.” — Steve Winterfeld, Advisory CISO, Akamai

Q: What special topics in Akamai’s State of the Internet finance report deserve more attention from security leaders?

Winterfeld highlights two areas that stand out beyond the core DDoS and API data. First, the report features a guest column from the CSO of FS-ISAC, the Financial Services Information Sharing and Analysis Center, which he describes as one of the most well-structured ISACs in existence and worth reading in full. Second, the report addresses how organizations should think about large language model and agentic AI workloads in the context of infrastructure and security architecture, an emerging decision point that many security teams have not yet fully engaged with.

“The CSO from FS-ISAC, they’re one of the most well put together, strongest ISACs out there, and so we had a guest column from him, well worth reading.” — Steve Winterfeld, Advisory CISO, Akamai

Q: What is the Akamai Inference Cloud and why does agentic AI require a different security infrastructure?

Winterfeld draws a clear distinction between conversational AI interactions, where latency tolerance is relatively high, and agentic AI or large language model inference workloads that must be highly responsive because they are making real-time decisions. That responsiveness requirement demands different infrastructure, and Akamai addresses this with what it calls the Inference Cloud, a purpose-built environment focused on speed for inference workloads. The security stack associated with that infrastructure also needs to be matched to the performance and threat profile of those workloads, which differs meaningfully from general cloud deployments.

“If it’s agentic AI making a decision or a large language model that needs to be really responsive, then that requires different infrastructure. At Akamai, we call that the inference cloud.” — Steve Winterfeld, Advisory CISO, Akamai

Q: What changed in MITRE ATT&CK version 19 and why does it matter for SOC teams?

Winterfeld notes that MITRE released version 19 of the ATT&CK framework and made a structural change worth immediate attention: the defensive evasion tactic has been split into two distinct categories, stealth and defense impairment. This is not a cosmetic update. SOC teams that use ATT&CK for threat modeling, detection engineering, and analytics coverage mapping need to review whether their current detections and playbooks account for this split correctly. Winterfeld recommends SOC leaders use this as a prompt to revisit their analytics framework and update defenses accordingly.

“MITRE just came out with version 19. They split the defensive evasion tactics into two different ones, stealth and defense impairment. How should we update our SOC defenses and our analytics based on this?” — Steve Winterfeld, Advisory CISO, Akamai

Q: What is the MITRE ATLAS framework and how does it differ from ATT&CK?

Winterfeld explains that while the MITRE ATT&CK framework is focused on adversarial tactics and techniques against enterprise environments, MITRE has now published the ATLAS framework, which is specifically designed to map adversarial techniques targeting AI inference systems. For security teams beginning to deploy or defend AI workloads, ATLAS provides a structured threat model to work from, analogous to how ATT&CK is used for enterprise red team and SOC operations. Winterfeld also notes that MITRE’s threat group database, which maps specific APT groups to the methodologies they use, remains a highly practical resource for red teams.

“They now have the ATLAS framework, which is against AI inferences. And as always, MITRE has a great section on threat groups, where you can tie a specific threat group to what methodologies they use, which is great to use with your red teams.” — Steve Winterfeld, Advisory CISO, Akamai

Resources & Documentation

  • Akamai State of the Internet Reports, Akamai’s primary threat intelligence publication series, including the financial services edition referenced in this interview
  • MITRE ATT&CK Framework, Industry-standard adversarial tactics and techniques matrix for enterprise environments, version 19 now available
  • MITRE ATLAS Framework, Adversarial threat landscape for AI systems, covering attack techniques targeting machine learning and inference workloads
  • FS-ISAC, Financial Services Information Sharing and Analysis Center, referenced for their guest column contribution to the Akamai report

***

👇 Click to Read Full Raw Transcript

Swapnil Bhartiya: This year, were there any threat groups, attack patterns or regional trends? As you also mentioned, geopolitical conflict crisis going on in this report that really stood out to you as an outlier.

Steve Winterfeld: I think that we’ve been talking the last three years really around a lot of the stuff going on in Europe. A lot of the shift in DDoS attacks is due to that in Europe. But this year what we saw was really a shift to the Middle East. And so we saw, you know, pro Iran hackivist, both isolated and coordinated DDoS attacks dramatically increased going after banking payment systems. Again, focus as you just talked about on APIs. So we’ve really seen a dramatic increase in, you know, the, the second half of that you have the kinetic war where there’s physical stuff happening and then you have that cyber war where these, there’s these digital conflicts happening. And that’s the biggest increase in threat that I think I would call out in this report for finance. The second is for region. So Europe, Middle east really it was layer three, four DDoS attacks that infrastructure Pacific Asia there we saw a lot more layer seven. We saw you know, a 52% increase in layer seven against application for DDoS and then North America, you know, it was at API webpage or web attacks. We saw a 44% increase in, in that layer seven attack not against CDOs but traditional traffic. So those would be the things that worth it. There’s a lot more detail in the report itself, a lot of great graphics. I encourage people to go to Akamai Soti Soti and as soon as you get to our threat page you’ll see all our state of the Internet reports and finance is the one you’re looking for.

Swapnil Bhartiya: Were there any special topics in this edition of the report that kind of deserve more attention from security leaders? The topics that either we have been seeing or topics just emerged.

Steve Winterfeld: So the one is we had a guest columnist, the CSO from fsisac so Financial Services Information Sharing Association. They’re one of the most well put together strongest ISACs out there. And so we had a guest column from him, well worth reading. We talked a little bit about this move towards, you know, where we’re building all these large language models, these agent decay models and how to think about that. Some of it’s around, you know, how, how responsive do I need to be if it’s me talking to Pick a model. Perplexity chatgpt Pick a model. Just having a discussion, asking about, you know, where to get the best disc golf game in because that’s my hobby I love to play Frisbee golf or disc golf. You know, that kind of conversation, it doesn’t need to be fast, but if it’s a gentic AI making a decision or a large language model that needs to be really responsive, then that requires different infrastructure. In Akamai, we call that the inference cloud, where you’re focused on speed. So we talk a little bit about how to think about where you’re buying your cloud infrastructure and what kind of a security stack you want to associate with that. And so the second thing we talked about was, again, you know, we like to. We talk about things like oas. This one, we talked a little bit more about Mitre. If you don’t know, Mitre just came out with version 19. They split the defensive evasion tactics into two different ones, stealth and defense impairment. So it’s worth kind of thinking through when you talk to your soc. How is the best industry model, in my opinion, on threat modeling? How are we thinking about that? How should we update our SOC defenses and our analytics based on this? Is it something we want to pay attention to? There’s now we. We’ve talked before about the ATTCK framework, which is, you know, against enterprises. They now have the ATLAS framework, which is against AI inferences. And as always, MITRE has a great section on threat groups, where you can tie a specific threat group, you know, apt, you know, pick your number and what methodologies they use, which is great to use with your red teams.

Token Governance, AI Harnesses, and Bare Metal AI Infrastructure at Scale | Rob Hirschfeld, RackN | TFiR

Previous article