Pandemic Unmasks Vulnerability to Automated Bot Attacks


Change is the one constant in the business world. For most organizations, change often results from market shifts or disruptive technology. Make no mistake, however, the pandemic of 2020 has been a change catalyst. COVID-19 has accelerated digital transformation (DX) across the globe – and at the same time amplified the need to support a distributed workforce. The combination of these two factors has created an opportunity for some organizations to thrive while it has caused others to fail. Companies quick to adapt online have gained market share and streamlined business practices, resulting in increased profits.

An organization’s cybersecurity team must also adapt to change. No longer is it sufficient to create a website and mobile app, build a firewall and move on to the next project. Because an organization’s most valuable and vulnerable assets are accessible online, it is imperative that organizations recognize the threats, understand how they operate and create strategies that not only mitigate threats but dissuade further attacks against intellectual property, revenue, customer information, and user experience.

The Trouble with Bots

This shift towards fully digitizing the workplace and enabling remote work has created a hacker’s playground in which new, vulnerable endpoints and access points are easily exposed by malicious automated bots. A bot, whether used for good or bad purposes, is a software application that runs simple, repetitive automated tasks at high speed. Automation, when used for malicious activity, can scale to overwhelm an organization’s digital properties (including websites, mobile apps, SaaS apps, and APIs) and become unmanageable for current cybersecurity defenses. Once the bots penetrate an organization’s defenses, they can take over accounts, skew business analytics and scrape intellectual property, among many other destructive actions. Identifying an automated attack from the very beginning allows organizations to safeguard intellectual property and mitigate high-risk activity, provide real-time analysis of web and mobile traffic, empower businesses with actionable intelligence, and improve overall performance and customer experience.

Automated bot activity creates blind spots in understanding who is a real human and who is not. Bots, in general, are estimated to make up 38% of all internet traffic, and more than 25% of internet traffic on any given day is made up of bots, the Kasada Research Team has found. On February 2nd, CBS News stated that 97% of WallStreetBets posts analyzed appeared to be generated by bots. The hospitality industry, for example, relies on understanding what it calls the “look to book ratio” to ensure the availability of rooms, especially when it is being hit by bots performing content scraping. Simultaneously, a barrage of bad bots can act more nefariously and launch DDoS or credential stuffing attacks on competitors’ sites, or clog email servers with spam. This activity loads servers and clogs bandwidth, slowing business processes, creating friction in the customer experience, skewing visitor metrics and stealing assets such as loyalty points or gift cards.

Fraudsters are highly motivated, given that automated bot attacks are typically highly profitable. As such, they are continuously retooling their efforts to work around defenses. Bots’ dynamic nature allows them to change tactics so regularly that the signatures and rules used by existing web application firewalls and bot management solutions can be rendered ineffective. This is because common defenses cannot differentiate between quickly changing attack patterns and the small-footprint attacks that are common today. Similarly, big data analytics and machine learning algorithms that detect irregularities within a network leave the organization playing catch-up and slow to respond to zero-day attacks. This is because machine learning looks for trends based on what has happened in the past and struggles to identify attacks that leverage new botnets and attack methods until it is trained to do so.

The Need to Protect APIs

Bot technology is escalating at a rampant pace and targeting an organization’s weakest entry points. According to Gartner, by 2021, 90% of web-enabled applications will have more attack surface area in the form of exposed APIs rather than user interfaces, an increase from 40% in 2019. In today’s digital economy, amidst accelerated digital transformation efforts, one of the most targeted areas is an organization’s application programming interface (API). APIs streamline communication between products and services, helping simplify application development and saving time and money. APIs play a critical role in allowing business units (sometimes beyond the eyes of security) to extend applications to consumers and, if not coordinated with cybersecurity teams, can also create the greatest vulnerability. Examples of common API-generated entry points include modern single-page websites, mobile apps and login infrastructure.

It is time to rethink bot mitigation architecture. This begins for most organizations by evaluating security from a philosophical approach. In identifying the bots, organizations can mitigate activity and damage. This approach allows organizations to become proactive in their security against bots and no longer be the victim. In becoming preemptive in their defense against malicious automated bots, organizations can drain a bot operator’s keys to success, such as time and energy. Because fraud is most effective when it is completed at scale, the longer a bot and the resources that support its attack fail to produce results, the longer that bot is missing the opportunity to attack another location.

How to Make Sure You’re Catching Bots

Below is a checklist for ensuring successful bot mitigation:

  • Proactive Security: By applying a zero-trust philosophy to detecting bots, an organization can manage the bot rather than playing “whack a mole.” This allows an organization to occupy a bot’s time and dissuade future activity. Proactive security is only effective if it is obfuscated and cannot be reverse-engineered.
  • Advanced reverse engineering defense: Sophisticated attackers retool. To do this they must understand the defense. Solutions need to use a new proprietary, dynamic obfuscation method that makes it extremely difficult and expensive for attackers to retool their efforts. Seen by attackers only as indecipherable bytecode, the obfuscation further disguises the defenses. It dramatically slows any reverse engineering attempts and will frustrate even those most skilled in JavaScript de-obfuscation techniques.
  • Cryptographic Challenges: Bots (powered by machine learning and artificial intelligence) are tasked with deciphering barriers and challenges to gain access. If an organization can occupy a bot’s time with ever-increasing challenges, it can occupy its resources and wreck the economics of an automated attack. Additionally, organizations can provide misleading and outdated information so that the bot’s attacks are delivering useless information. For example, in the hospitality sector, a national hotel chain may deliver outdated prices (i.e. intellectual property) that are of no value to bot operators or their customers.
  • Analytics: Understanding where the bot attacks are originating from and identifying what is synthetic traffic versus human traffic has implications across the entire business. With increased insight, organizations can plan accordingly and commit resources to improve the customer experience, company spend, and the speed of their applications.
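
The "Cryptographic Challenges" item above can be made concrete with a hash-based proof-of-work puzzle whose difficulty rises for clients that keep failing. This is an added example, not code from the article or from any vendor's product; the key, the tuning constants and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = b"constructed-demo-key"  # assumption: per-deployment secret, kept server-side
BASE_BITS, STEP_BITS, MAX_BITS, TTL = 8, 2, 20, 120  # illustrative tuning values

def difficulty(failed_attempts):
    """Required leading zero bits; grows with each failure, capped for real users."""
    return min(BASE_BITS + STEP_BITS * failed_attempts, MAX_BITS)

def _mac(client_id, body):
    return hmac.new(SERVER_KEY, f"{client_id}.{body}".encode(), hashlib.sha256).hexdigest()

def issue(client_id, failed_attempts, now=None):
    """Stateless challenge 'nonce.bits.expiry.mac'; the MAC binds it to one client."""
    now = int(time.time()) if now is None else now
    body = f"{os.urandom(8).hex()}.{difficulty(failed_attempts)}.{now + TTL}"
    return f"{body}.{_mac(client_id, body)}"

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def _work(challenge, counter):
    return leading_zero_bits(hashlib.sha256(f"{challenge}.{counter}".encode()).digest())

def verify(client_id, challenge, counter, now=None):
    """Costs the server one hash, however many the client had to spend."""
    now = int(time.time()) if now is None else now
    parts = challenge.split(".")
    if len(parts) != 4 or not parts[1].isdigit() or not parts[2].isdigit():
        return False
    body = ".".join(parts[:3])
    if not hmac.compare_digest(parts[3].encode(), _mac(client_id, body).encode()):
        return False  # forged, edited (e.g. lowered bits), or issued to another client
    if now > int(parts[2]):
        return False  # expired
    return _work(challenge, counter) >= int(parts[1])

def solve(challenge):
    """Client side: brute-force a counter; expected cost is about 2**bits hashes."""
    bits, counter = int(challenge.split(".")[1]), 0
    while _work(challenge, counter) < bits:
        counter += 1
    return counter
```

Each extra failure multiplies the client's expected work by four while the server's check stays at one HMAC and one hash. The sketch does not track spent nonces, so a solved challenge can be replayed until it expires; a deployment would record used nonces for the length of the TTL.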

Conclusion

As organizations continue to drive business across digital channels, bot mitigation will become essential for all companies conducting business online. No longer is it acceptable to use outdated techniques to identify who is real and who is fake. If organizations do not have the insight and ability to identify what is real human traffic from the very first request, they should expect negative consequences, as the most valuable assets, including customers, brand, and intellectual property, are left vulnerable.

The pandemic has been a catalyst for digital transformation, but with this catalyst comes an expanded threat surface and the renewed need to make bot mitigation imperative for organizations to be successful.

Brad LaPorte: Brad LaPorte is the Chief Evangelist at Kasada. He is a seasoned technology executive with over 15 years of combined cybersecurity, product management and business experience. During this time, he has been on the frontlines fighting cyber criminals and advising top CISOs, CIOs, CxOs and other thought leaders on how to be as efficient and effective as possible. This was conducted in various advisory roles at the highest levels of top intelligence agencies, as a senior product leader at both Dell and IBM, at a late stage start up, and as a Gartner analyst where he conducted over 1,000 conversations with leading corporations about the rapidly expanding threat landscape.
