By Neil Cohen, CMO, Kasada
A recent Forrester CIO/CISO research study reported that 19% of businesses with more than 1,000 employees are currently using a bot management system. The research also found that, on average, those using bot management are most commonly protecting themselves against three specific types of automated attacks: card fraud, ad fraud, and influence fraud.
This is surprising, given that more than half of those surveyed (52%) said their C-level executive team asked about bot attacks in the past 6 months. This leads me to believe that two gating factors must be overcome to move bot mitigation from early adopters to the mass market:
- A better understanding of how bot attacks impact businesses, through fraud and otherwise, across industries well beyond eCommerce
- More accessible and simpler-to-use bot mitigation systems that all businesses can benefit from
How Bad Bots Impact Businesses
Unlike DDoS attacks that are easy to “see” (i.e., your website is unavailable), bot operators leverage automation to fly beneath the radar in ways businesses often do not even realize. With an estimated 30% of all internet traffic being generated by bad bots and a belief that most login attempts across industries are fake, the impact is undoubtedly there. In fact, many organizations can justify the cost of bot mitigation simply by the reduced infrastructure costs of not having to process these non-human requests.
The most prevalent use of bot mitigation today is to prevent fraudulent activities, which are closely tied to organizations conducting eCommerce. That said, bots are also used to scrape content, deny service, skip digital lines, take over systems, and skew web traffic metrics - all activities that can negatively impact any online business, not just eCommerce.
These automated threats are much harder to detect and can have detrimental consequences for brand reputation, customer loyalty - and ultimately revenue:
- Fraud - Any website or mobile app requiring credentials is subject to account creation and takeover fraud. By stuffing breached or stolen credentials into login forms, attackers take over existing accounts and drain them of personally identifiable information and stored value such as credit cards, gift points, and loyalty points.
New fake accounts can be created at scale and then used to spread disinformation (e.g. fake social media accounts) or sold where an account has intrinsic value (e.g. free trial accounts).
- Web and API Scraping - While not illegal, price and content scraping hurts online retailers by providing competitors with valuable insight into IP, content, and prices, undermining their competitiveness. In many cases, scraping is used to steal images and sell counterfeit goods online.
The impact of scrapers extends well beyond eCommerce, as images and other online content take valuable time, money, and effort to produce. One example of a company uniquely hurt by this would be a B2B industrial supplier with a large online product catalog built up over years. Another example is a social media profile scraped and reused for a fake account.
- Denial of Service Attacks - Bots can be used to deploy application layer distributed denial of service (DDoS) attacks that overwhelm and crash your website, regardless of your company size or industry.
DDoS continues to be an effective means of hurting online businesses, often used for political motivations or financial motives (e.g. for-profit ransomware to stop the attack). Traditional network layer DDoS attacks have become less effective due to protections that have been put in place, so operators increasingly leverage automation to target the application, making such attacks much more difficult to defend against as they appear like real human behavior issuing legitimate requests.
- Denial of Inventory - It’s not just retailers who have been struggling to maintain the proper amount of inventory and provide goods to legitimate customers, such as the PS5 this past holiday season.
Various verticals are experiencing their fair share of bots that have scooped up precious inventory. In the healthcare industry, for example, bots have been used to skip vaccine lines, making it extremely difficult for actual people to secure their vaccines online. Another example is the use of click bots to win promotional sweepstakes.
- Takeover Systems - While Web Application Firewalls (WAF) are supposed to protect against OWASP Top-10 vulnerabilities, the reality is that they can be difficult to use and don’t always do a good job. An example of this is SQLi attacks, which, despite being around for decades, remain highly effective as WAFs must continuously maintain an updated list of rules to protect against them.
Bot mitigation stops the use of automated tools to discover application vulnerabilities, so that reconnaissance done with scanners is no longer an effective way to find application-specific vulnerabilities to exploit.
- Skew Analytics - Bots can artificially make your online traffic appear to be higher than it is. Worse still, they skew your analytics to give you a false story of what is happening with your customers. When your web metrics are incorrect, it is nearly impossible to make data-driven optimizations or decisions. Bot mitigation’s importance extends beyond the security department to help companies optimize the effectiveness of their marketing campaigns.
Making Bot Mitigation More Accessible And Easier To Use
Most bot mitigation solutions make it difficult to see ROI - as they require highly specialized security resources to integrate and maintain. They rely on heuristics to learn what to block (a process that can take months), rules that need to be constantly created and managed, and risk scores that need to be assigned. It often requires 1-2 full-time employees to maintain such a solution, each needing a detailed understanding of security to do so.
How do we make bot mitigation easier to deploy, integrate, manage, and see value from, so all can benefit? There are modern solutions that take a different approach - ones that are highly effective “out of the box” and are designed to adapt to new threats as they emerge, including those never seen before. Instead of relying on rules, or by looking for suspicious behavior based on “bad” attributes from the past, they can identify the immutable evidence that exists whenever automation is applied toward your infrastructure - websites, mobile apps, and APIs. This can be done on the client-side, so threats are detected in real-time with high levels of accuracy - and no need for ongoing maintenance and tuning.
In fact, a traditional rules-based approach is unable to detect the more sophisticated bots used today. These difficult-to-find bots look and act like humans by using legitimate IP addresses and user agents, obtained from easily accessible and inexpensive residential proxy networks.
What’s happening with bot mitigation is analogous to the evolution of endpoint security, where antivirus rules and signatures became ineffective as adversarial tactics became stealthier. As a result, bot detection technology has evolved toward real-time, client-side detection solutions.
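To make the rules-versus-signals point concrete, here is an added illustration (not Kasada's code, nor a description of any vendor's detection method) that runs two detectors over constructed login-endpoint log lines: an IP/User-Agent rule list, and an aggregate behavioural signal that looks only at how many distinct usernames fail to log in within a short window. The crude bot announces itself with a scripting user agent from a datacenter range; the second bot rotates through residential-looking addresses with a browser user agent, so the rule list never sees it, while the failure burst across many accounts still stands out. The log lines, the 192.0.2.0/24 "datacenter" blocklist and the thresholds are all assumptions made for this example.

```python
"""
Added example: IP/User-Agent rules versus an aggregate behavioural signal
for credential-stuffing traffic on a login endpoint.  Every log line,
network range and threshold here is constructed for illustration only.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log lines: "<ISO time> <client ip> <status> <username> <user-agent>"
# Lines 0-2 are two human users; 3-5 a crude script from a datacenter
# address; 6-11 a credential-stuffing run behind rotating residential proxies.
SAMPLE_LOG = """\
2021-03-01T12:00:01Z 203.0.113.10 200 alice Mozilla/5.0 (Windows NT 10.0) Chrome/89.0
2021-03-01T12:00:45Z 198.51.100.7 401 bob Mozilla/5.0 (Macintosh) Safari/14.0
2021-03-01T12:01:30Z 198.51.100.7 200 bob Mozilla/5.0 (Macintosh) Safari/14.0
2021-03-01T12:05:00Z 192.0.2.5 401 carol python-requests/2.25.1
2021-03-01T12:05:01Z 192.0.2.5 401 dave python-requests/2.25.1
2021-03-01T12:05:02Z 192.0.2.5 401 erin python-requests/2.25.1
2021-03-01T12:10:00Z 198.51.100.21 401 frank Mozilla/5.0 (Windows NT 10.0) Chrome/89.0
2021-03-01T12:10:01Z 198.51.100.34 401 grace Mozilla/5.0 (Windows NT 10.0) Chrome/89.0
2021-03-01T12:10:02Z 198.51.100.58 401 heidi Mozilla/5.0 (Windows NT 10.0) Chrome/89.0
2021-03-01T12:10:03Z 198.51.100.77 401 ivan Mozilla/5.0 (Windows NT 10.0) Chrome/89.0
2021-03-01T12:10:04Z 198.51.100.90 401 judy Mozilla/5.0 (Windows NT 10.0) Chrome/89.0
2021-03-01T12:10:05Z 198.51.100.102 401 kim Mozilla/5.0 (Windows NT 10.0) Chrome/89.0
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    status: int
    user: str
    ua: str


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed log format above into LoginEvent records."""
    events: list[LoginEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, status, user, ua = line.split(" ", 4)
        events.append(LoginEvent(
            datetime.fromisoformat(ts.replace("Z", "+00:00")),
            ipaddress.ip_address(ip), int(status), user, ua))
    return events


# Rule list (assumed): scripting user agents and one "datacenter" range.
BAD_UA = re.compile(r"python-requests|curl/|scrapy", re.IGNORECASE)
DATACENTER_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def rules_based_flags(events: list[LoginEvent]) -> set[int]:
    """Indices of events matching a static IP/User-Agent rule list."""
    return {
        i for i, e in enumerate(events)
        if BAD_UA.search(e.ua) or any(e.ip in net for net in DATACENTER_RANGES)
    }


def stuffing_window_flags(events: list[LoginEvent],
                          window: timedelta = timedelta(seconds=60),
                          min_users: int = 4,
                          min_fail_ratio: float = 0.9) -> set[int]:
    """Indices of failed logins inside any window where at least `min_users`
    distinct usernames fail and failures dominate the window.  Deliberately
    ignores IP and User-Agent, which rotating proxies make unreliable."""
    order = sorted(range(len(events)), key=lambda i: events[i].ts)
    flagged: set[int] = set()
    start = 0
    for end in range(len(order)):
        # Slide the window start forward until it fits within `window`.
        while events[order[end]].ts - events[order[start]].ts > window:
            start += 1
        span = order[start:end + 1]
        fails = [i for i in span if events[i].status == 401]
        users = {events[i].user for i in fails}
        if len(users) >= min_users and len(fails) / len(span) >= min_fail_ratio:
            flagged.update(fails)
    return flagged


def detect(events: list[LoginEvent]) -> set[int]:
    """Union of both detectors: each catches what the other misses."""
    return rules_based_flags(events) | stuffing_window_flags(events)


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("rule list flags:   ", sorted(rules_based_flags(EVENTS)))
    print("window signal flags:", sorted(stuffing_window_flags(EVENTS)))
    print("combined:           ", sorted(detect(EVENTS)))
```

Run as-is, the rule list flags only lines 3-5 (the scripting user agent from the blocklisted range) and the window signal flags only lines 6-11 (six different usernames failing within six seconds from six different addresses); neither touches the human traffic, including bob's single mistyped password. The window detector is a stand-in for the kind of evidence that does not depend on IP or User-Agent; the page's own point is that client-side evidence of automation is a stronger version of the same idea.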
If there’s a way to exploit an online business with bots or conduct fraud with automation, chances are that it’s already happening - especially now, as companies accelerate the pace of their digital transformation. There are ways for companies to enjoy the benefits of sophisticated bot mitigation without large investments in architecture, overhead, and dedicated resources. Identifying new, easy-to-use solutions will help toward mass adoption.
About The Author
Neil Cohen is a versatile tech executive with 25 years of combined marketing, product management, and engineering experience. He was VP of Global Marketing at Akamai Technologies, where he ran worldwide marketing for a $1.3 billion cybersecurity and web performance business. He was also VP of Product Marketing at Akamai, where he helped the organization double revenue, repeatedly launched new products, and helped grow them into businesses exceeding hundreds of millions of dollars. Neil’s passion lies in bringing disruptive B2B technology to market and achieving rapid customer adoption. His diverse tech experience spans many areas including cybersecurity, cloud/edge computing, Big Data, and blockchain.