Post on 09-Apr-2020
The Big Bad Bot Problem 2020: Trends in the Automated Attack Landscape and the Impact on Businesses Across Industries

Table of Contents
Executive Summary ... 03
Automated Threat Landscape — 2019 ... 06
Distribution of Internet Traffic ... 07
Four Types of Bad Bots ... 09
The Behavior of Bad Bots ... 11
Applications Most Exploited by Bad Bots ... 13
Origins of Bad Bots ... 15
Bad Bots from Public Clouds ... 17
Traffic Distribution by Industry ... 17
Bad Bots Targets by Vertical ... 19
E-commerce ... 20
Media and Publishing ... 23
Online Marketplaces and Classifieds ... 24
Travel and Hospitality ... 25
Case Studies ... 27
How a Credit Union Dealt With Distributed Account Takeover Attacks ... 27
How Bots Skewed the Conversion Rate of a Global Education System Provider ... 31
Predictions ... 35
Recommendations ... 37
Executive Summary
The Big Bad Bot Problem 2020 | 03
Radware studies the internet traffic of our global client base to analyze the behavior of bots and identify trends in automated, bot-generated threats faced by businesses. The findings, based on original research and real attack data, are published annually in The Big Bad Bot Problem report.
The report provides a detailed examination of the impact of bad bots across industries and sheds light on recommended preventive measures to safeguard business operations.
Organizations rely on robotic process automation (RPA), essentially the use of bots, to be more efficient and boost productivity. Good bots, like those used to crawl websites for web indexing, content aggregation and market intelligence, free human resources to focus on other responsibilities. Of concern are the bad bots deployed by bad actors to disrupt network services, steal data, perform fraudulent activities and even spread fake news.
This year's report reveals incremental growth in both types of bot traffic. Across all industries and geographies, companies are experiencing an increase in automated attacks on their web and mobile applications as well as on their application programming interfaces (APIs). Our research found that in 2019, bad bot traffic rose to 24.5% of the total internet traffic, a 20% increase year over year.
Key Findings:
In 2019, overall bot traffic grew by 10% year over year. Bad bot traffic grew by 26% during that time period.
Sophisticated bots that can mimic human behavior and deceive conventional security measures increased 18% and now account for 45% of the bad bot traffic.
Automated attacks on mobile phones and APIs are rising. Bad bot traffic accounted for 15.4% of the total traffic on mobile devices and 16.6% of the total traffic on APIs.
The e-commerce industry is the industry most targeted by bad bots, followed by travel.
The use of bad bots to disseminate misinformation is likely to increase in 2020 in response to events such as elections and the COVID-19 pandemic.
The increase in automated attacks on APIs is expected to intensify as more APIs are deployed to facilitate communication between web applications.
The research also finds that bad bots are evolving to be more sophisticated in their capabilities to mimic human behavior and circumvent conventional security protections. These developments not only threaten application security and user data but also directly impact revenue-generating transactions.
As a result, organizations' brand reputations, customer trust and sensitive data are at greater risk than ever before. Going forward, network security solutions must match the level of sophistication found in bots to secure critical data and business applications.
Methodology and Sources
The Big Bad Bot Problem report combines statistical research and frontline experience to identify automated threats that are meaningful to organizations to help determine long-term growth strategies.
Radware's Data Lake of Bots
The quantitative data source for this report was collected and aggregated from the traffic of Radware's global clients in 2019 from nearly 200 countries and includes hundreds of millions of legitimate and malicious bot behaviors, fingerprints and sources.
Radware Bot Management Expert Team
The Radware bot management team is composed of dedicated security consultants, data analysts and researchers providing bot management services. This report shares their insight from frontline experiences to provide an in-depth forensic analysis.
Organizations across the globe seek more efficient ways to connect with new customers and retain existing clients. Secure and easy-to-use applications are critical to ensure success in rapidly changing market conditions.
Automated Threat Landscape — 2019
Many firms report increasing bad bot attacks on their web applications, mobile apps and APIs. Analysis of the data for this report reveals:
Types of automated attacks
Intent of automated attacks
The most exploited surface
New technologies used to exploit vulnerabilities
The impact of automated attacks on specific industries
Distribution of Internet Traffic
In 2019, overall bot traffic grew 24% in comparison to 2018. Bad bot traffic accounted for a quarter (24.5%) of the total traffic. In Q4, when more people shop online, bad bot traffic spiked to 29.3% of the total internet traffic.
Figure 1: Internet traffic distribution — 2018 vs. 2019
Figure 2: Quarterly distribution of internet traffic — 2019
Four Types of Bad Bots
Bots have evolved significantly since their origins as simple scripting tools that used command-line interfaces. Bot developers now use JavaScript and HTML5 web technologies to enable bots to leverage full-fledged browsers. The bots are programmed to mimic human behavior when interacting with a website or app: to move the mouse, tap and swipe on mobile devices and generally try to simulate real visitors in order to evade security systems.
Radware created an industry-standard classification system that divides bad bots into four categories based on their level of sophistication.
FIRST GENERATION: Script Bots
Typically use just one or two IP addresses to execute thousands of webpage visits to scrape content or spam forms.
Easy to detect and blacklist thanks to repetitive attack patterns and a small number of originating IP addresses.
SECOND GENERATION: Headless Browsers
Leverage headless browsers, which are website development and testing tools, to tap their abilities to run JavaScript and maintain cookies.
THIRD GENERATION: Single Interaction
Mimic human behavior such as moving the mouse, scrolling and clicking links to navigate websites.
Exhibit sophisticated behaviors that may overcome certain challenges but cannot fool interaction-based detection, such as CAPTCHA or invisible challenges.
FOURTH GENERATION: Distributed, Mutating Bots
Rotate through large numbers of user agents and device IDs, generating just a few hits from each to avoid detection.
Make random mouse movements (not just in a straight line like third-generation bots) and exhibit other humanlike browsing characteristics.
Record real user interactions, such as taps and swipes on hijacked or malware-laden mobile apps, to be able to replicate the movements, blend in with human traffic and circumvent security measures.
Figure 3: Four types of bad bots based on levels of technological sophistication
The Increasing Sophistication of Bad Bots
In 2018, the third and fourth generations of bad bots accounted for 22.1% and 16.6% of internet traffic, respectively. In 2019, the numbers reached 27.2% and 18.3%, respectively.
Figure 4: Bad bot sophistication levels — 2018 vs. 2019
The Behavior of Bad Bots
The behavior of bad bots is continuously changing. Cybercriminals now leverage cutting-edge technologies to advance the sophistication of the attack capabilities of bad bots (see Figure 5). In 2019, cyberattackers favored fourth-generation bad bots that mimic human behavior when executing automated attacks. For example, 37.9% of bad bots used to execute account takeover attacks are classified as fourth generation.
Figure 5: Behavior of bad bots by generation
Fake News and Bad Bots: The Next Infodemic Weapon
"…we're not just fighting an epidemic; we're fighting an infodemic," said World Health Organization (WHO) Director-General Tedros Adhanom Ghebreyesus.1
At a time when transparency and facts are essential, an infodemic undermines the public's trust in information. Disinformation and fake news, which drive fear and doubt among people, can easily become a weapon of influence and political bias, with far-reaching social, economic and geopolitical implications.
In this digital era, we consume information from multiple channels and are less dependent on the mainstream media. The penetration of social media in our daily lives means that information, good and bad, true and fake, spreads faster and further than ever.
Bots can serve multiple purposes in this context. According to most current reports, human bots are creating fake news, but bad bots are used to spread spam in an effort to influence search engine rankings, so fake "facts" get more exposure. We need only look at recent election campaigns in a number of countries and incorrect information circulating about the COVID-19 virus outbreak.
The most popular technique is comment spamming. Bots inject popular and often searched keywords into comments on spam and drug-selling sites to increase the visibility and ranking of the site in search results. "Coronavirus" is a highly trending Google search term. Using that term on a page can boost its page rank, a practice that is generally referred to as search engine optimization (SEO). In elections we've also witnessed the use of bad bots to create fake accounts and distribute propaganda.
1 Retrieved from https://www.who.int/dg/speeches/detail/munich-security-conference
Applications Most Exploited by Bad Bots
Cybercriminals use a combination of tools to exploit vulnerabilities in the infrastructure of businesses with an online presence. Attackers deploy exploit kits that consist of a combination of tools such as proxy IPs, multiple user agents (UAs) and programmatic/sequential requests to disguise the identity of bots, evade detection and perform sophisticated automated attacks. Bots masquerade as genuine traffic by using popular browsers and devices in combination with their exploit kits to target different channels of communication such as web APIs.
Web applications are the most exploited attack surface across industries. In 2019, 35% of the total traffic on web applications were bad bots, an increase of 10% from 2018.
Automated attacks on mobile devices have also increased exponentially in recent years. The widespread adoption of mobile devices and the personal data that these devices store are two of the critical reasons behind the rise in attacks. In 2019, 15.4% of the total traffic on mobile apps were bad bots, rising from 13.4% in 2018.
The widespread adoption of internet of things (IoT) devices, emerging serverless architectures hosted in public clouds and the growing dependency on machine-to-machine communication are the reasons for changes in the modern application architecture.
APIs have emerged as the bridge to facilitate interaction between different application architectures. APIs assist in quicker integration and faster deployment of new services. Despite their rapid and widespread implementation, APIs remain poorly protected and are a vulnerable surface for automated threats.
Personally identifiable information (PII), payment card details and business-critical services are at risk due to bot attacks on APIs. Attacks on APIs have ramped up in the last few years. In 2019, 16.6% of the traffic on APIs were bad bots, rising from 14.3% in 2018.
Figure 6: Most exploited attack surfaces — 2018 vs. 2019
Origins of Bad Bots
Bad bots leverage proxy servers to disguise identity and misrepresent their location origins. In 2019, 42.1% of bad bots originated from the U.S., rising from 30.3% in 2018.
Figure 7: Origin of bad bots — 2018 vs. 2019
Countries with high bot traffic and a considerably low number of genuine users can be blocked with a simple rule based on IP. But what should organizations do with traffic generated in other countries that have a high percentage of bot traffic, such as the Netherlands, Japan or Colombia? This is where sophisticated security protections that can accurately differentiate between human, good bot and bad bot traffic come into play.
Figure 8: Bot traffic as a percentage of the total outbound traffic from a country
When comparing countries with the highest percentage of bot traffic as part of the total outbound traffic, many of the nations are very small. For example, Andorra is a tiny principality in Europe, known as a tax shelter. Because Andorra isn't part of the European Union (EU), it has no obligation to share the data it stores. Thus, attackers utilize servers located in Andorra to launch bot attacks because data is sheltered.
Figure 9: Overview of industries that are frequent targets of cybercriminals
Bad Bots from Public Clouds
A significant percentage of automated traffic comes from public clouds. In recent years, many organizations have started to use secure web gateways (SWG) hosted in public clouds to filter user-initiated traffic.
Consequently, traffic from these organizations is routed through IPs located in data centers. Cybercriminals know that businesses cannot block all traffic coming through data centers, as genuine users coming from these organizations are of high value. Bad bots hide behind legitimate users coming from these public clouds and mimic human behavior to launch automated attacks.
THEBIGBADBOTPROBLEM2020| 17
Traffic Distribution by Industry
Bad bots are present across nearly all industries and verticals. Some industries collect data that is more compelling to cybercriminals, so they naturally attract more bad bots than others. The motivation of perpetrators, though, is different from one industry to another.
INDUSTRY | BOUNTY | PRIMARY MOTIVATION | BOT ATTACK
Financials, Healthcare | Bank accounts, Patient records | Data theft / Financial gain | Account takeover (ATO)
E-commerce, Travel | User accounts, Loyalty programs, Pricing information | Financial gain, Competition | Payment fraud, Web scraping, ATO
Media, Classifieds | Cause losses and redirect users / Improve offers & win business | Competition, Disruption | Web scraping, Denial of service (DoS)
Social Media | Distribute spam / Propaganda | Financial / Political gain | Account creation, Spam
Key Findings:
The industries that cybercriminals are most likely to attack for a monetary reward are e-commerce, travel and financial services. Companies in these verticals are more cautious and implement stricter security measures. The results of the analysis for this report recognize a correlating higher amount of sophisticated, humanlike bot attacks against these segments.
In 2019, e-commerce was the industry most targeted by bad bots, followed by travel and social media.
Media, publishing and classifieds were the most bot-reliant verticals, with the highest portion of good bot traffic. This traffic is mostly used for advertising, SEO, analytics and lead conversion.
Figure 10: Traffic distribution by industry — 2018 vs. 2019
Bad Bots Targets by Vertical
The data sought by cybercriminals varies from one vertical to another, whether banking credentials, medical records, pricing information or confidential research, to name just a few.
In some cases, cybercriminals write and deploy very sophisticated bots to overcome security measures and take over user accounts, disrupt service availability and exploit vulnerabilities in applications and APIs. In other cases, businesses directly target their competitors, commonly deploying bad bots to scrape the content and aggregate data such as product names and pricing.
E-commerce
The e-commerce industry grew 15% in 2019.2 The vertical industry reports an increase in bad bot attacks on its web applications, mobile apps and APIs.
Figure 11: Section-based traffic analysis of e-commerce, 2019
Bad bot attacks are common across all applications, from payment fraud on checkout pages to content scraping (prices or product info) on product pages, coupon scraping, inventory holdups and cart abandonment, as well as various forms of account takeover, including brute force and credential stuffing on the home page or user login page.
Since every disruption affects revenue, most e-commerce companies invest heavily in protecting their applications. Therefore, we see an extremely high amount (58%) of distributed, mutating bots within the total bad bot activity for this vertical. Hackers use sophisticated bots to evade bot management technologies that rely on data and behavioral profiling that are not big enough to produce correlations between different violations.
2 Retrieved from https://www.digitalcommerce360.com/article/us-ecommerce-sales/
Figure 12: Types of bad bots targeting the e-commerce industry
Data about bad bot attacks on e-commerce sites reveal a mix of sophistication levels. Some attacks such as scraping can be performed by simple scripts or headless browser bots. Denial of inventory and account takeover attacks require advanced capabilities to impersonate a real human user.
Figure 13: Levels of bad bot sophistication when committing attacks on e-commerce sites
Media and Publishing
Figure 14: Section-based traffic analysis of the media and publishing industry
Media and publishing outlets use many good bots for advertising and affiliate programs. Their main challenges are to filter out dirty bot traffic as well as to correct marketing analytic tools. In this vertical, it is common for competitors and ad platforms to scrape data and content or attempt to skew the analytics of the media campaigns, causing further harm by leading the targeted publisher to make flawed decisions that are based on false data.
Online Marketplaces and Classifieds
Figure 15: Section-based traffic analysis of online marketplaces and classifieds
Marketplaces and classifieds rely on the credibility and trust of consumers to grow their businesses. As they attract more traffic, these companies benefit from performing as hubs for advertisements. Their objective is to keep ads secure from scraping, especially from competitors, which may also run scripts to collect users' sign-up information. This effort is why we see more bad bot traffic against the home page.
Travel and Hospitality
Figure 16: Types of bad bots targeting the travel industry
Travel and hospitality organizations such as airlines, transportation and hotel chains rely heavily on online purchases. Cybercriminals target their sites with attacks that mainly use humanlike and distributed mutating bots to bypass security tools. Nearly two-thirds of bad bots accessing their web properties are considered sophisticated bots.
The most common bot attack type identified is denial of inventory. Twenty-nine percent of the traffic to booking sections is generated by bad bots. These bots can hold inventory for as long as the bot herder chooses, making it unavailable to real users, thus causing an immediate financial impact on the victim. Empty hotel rooms are locked up, and airline seats go unsold.
The bots run in a loop and hold the rooms or tickets again after timeouts are generated and the inventory is supposed to go back to the pool. The loss is even greater as the airline must pay a small amount to a Global Distribution System (GDS) for every request. Another common issue is bot activity that takes advantage of loyalty program rewards.
Figure 17: Section-based traffic analysis of the travel industry
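The re-hold loop described above, together with one mitigation, as an added example that is not the report's or any booking system's code: a time-to-live on holds alone does not stop a bot that re-holds an item the moment the hold lapses, so this assumed design adds a per-client cap on simultaneous holds and a cool-down before the same client may re-hold an item it let expire. Client names, seat identifiers and timings are constructed.

```python
"""Inventory holds with per-client limits against the re-hold loop (added example)."""
from dataclasses import dataclass, field


@dataclass
class Hold:
    client: str
    item: str
    expires_at: float


@dataclass
class InventoryHolds:
    ttl: float = 600.0        # seconds a hold lasts without checkout (assumed)
    max_active: int = 2       # simultaneous holds allowed per client identity (assumed)
    cooldown: float = 1800.0  # seconds before a client may re-hold an item it let lapse
    holds: dict = field(default_factory=dict)    # item -> Hold
    expired: dict = field(default_factory=dict)  # (client, item) -> time the hold lapsed

    def _expire(self, now: float) -> None:
        """Return lapsed holds to the pool, remembering which client let them lapse."""
        for item, h in list(self.holds.items()):
            if h.expires_at <= now:
                self.expired[(h.client, item)] = h.expires_at
                del self.holds[item]

    def hold(self, client: str, item: str, now: float) -> bool:
        self._expire(now)
        if item in self.holds:
            return False                       # another client holds it
        lapsed = self.expired.get((client, item))
        if lapsed is not None and now - lapsed < self.cooldown:
            return False                       # same client just let it lapse: cool-down
        active = sum(1 for h in self.holds.values() if h.client == client)
        if active >= self.max_active:
            return False                       # hoarding cap reached
        self.holds[item] = Hold(client, item, now + self.ttl)
        return True

    def checkout(self, client: str, item: str, now: float) -> bool:
        """Only the client holding the item may complete the purchase."""
        self._expire(now)
        h = self.holds.get(item)
        if h is None or h.client != client:
            return False
        del self.holds[item]
        return True


def simulate_rehold_loop(cooldown: float) -> tuple:
    """Bot holds seat 12A, lets it lapse and re-holds instantly; then a human tries.
    Returns (bot first hold, bot re-hold after lapse, human hold)."""
    inv = InventoryHolds(cooldown=cooldown)
    first = inv.hold("bot", "12A", now=0.0)
    t = inv.ttl                                # the instant the hold lapses
    rehold = inv.hold("bot", "12A", now=t)
    human = inv.hold("human", "12A", now=t)
    return first, rehold, human


def simulate_hoarding() -> list:
    """One client tries to hold three seats at once under max_active=2."""
    inv = InventoryHolds()
    return [inv.hold("bot", seat, now=0.0) for seat in ("12A", "12B", "12C")]
```

With cooldown=0 the bot wins the seat back every cycle and the human is locked out; with the cool-down the human's hold succeeds. Both limits are keyed on a client identity, so they are only as strong as the identification (session, account, device fingerprint) behind it.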
Case Studies
How a Credit Union Dealt With Distributed Account Takeover Attacks
Industry: BFSI
Function: A credit union
Duration of Study: 30 days
Problem: Large-scale, distributed account takeover attacks
Attack Surface: Login page of web applications, mobile apps and authentication API
Business Problem
Severe account takeover attacks were never-ending for this organization. Millions of bad bots bombarded the login page of this credit union with large-scale, sophisticated credential stuffing attacks.
The Intensity of Attacks – Example A
A variety of bots with different signatures attacked the login page and authentication API of the credit union during the study period. Primarily, attackers made three types of hit:
1. Attacks on constant intervals
2. Low and slow
3. Continuous
Low and slow attacks are the most sophisticated attacks, which can bypass security defenses if dedicated measures are not in place.
Figure 18: Different types of bot signatures
The Intensity of Attacks — Example B
In this instance, the subnet of IPs (marked in blue) originating from the same internet service provider (ISP) with rotating UAs (labeled in red) is being used to target the login page (authentication API). It is a case of large-scale distributed attacks where attackers use only one ISP to hide behind genuine users to avoid being blocked based on their ISP address.
Figure 19: Distributed bad bot pattern
Classification of Bad Bots
Cybercriminals leveraged humanlike and distributed humanlike bad bots. On the login page of the credit union's platform, 63.9% of bad bots could mimic human behavior.
Figure 20: Types of bad bots that target the credit union
How Bots Skewed the Conversion Rate of a Global Education System Provider
Industry: Education
Segment: Computer-based testing (CBT) for certification and licensure
Duration of Study: 30 days
Type of Attack: Large-scale, distributed attacks to scrape tests and sell them on the black market.
Attack Description: Cybercriminals first created fake user IDs for different tests and then moved through various steps to finally check out after scraping exam details, test papers and other valuable information.
Business Problem
Cybercriminals targeted a different section of this CBT firm in a scheduled way. The calendar section was targeted the most, with 60% of its traffic as bad bots. More than 1,100 bot unique identifiers (UIDs) were deployed to launch continuous bot attacks on the calendar section. See Figure 21 for an explanation of total hits versus bad bots on this platform during the analysis period.
Figure 21: Section-based traffic analysis of the attack on a testing company
The Intensity of the Attack
Example A: In this case, attackers shifted through many UIDs using only one IP address to target different sections of the website.
Example B: In this case, attackers connected through a series of IPs using only one UID to target different sections of the website.
Figure 22: Sophistication levels of bad bots, Example A
Figure 23: Sophistication levels of bad bots, Example B
Classification of Bad Bots on the Platform
Most of the bots on this platform were fourth generation and could mimic human behavior.
Figure 24: Types of bad bots targeting the testing company's platform
Predictions
1. The use of bad bots to disseminate misinformation will ramp up in 2020. For example, the use of bots to spread misinformation and conspiracy theories about the COVID-19 pandemic shows how deadly misinformation can be.
2. Automated attacks on APIs are growing. The rate of API adoption will continue to grow because they facilitate communication between web applications. Automated attacks on APIs are expected to be intensive in the coming months.
3. Our data shows that mobile applications are increasingly being used by botmasters to launch attacks. These attacks can be harder to detect because mobile device IP addresses change often depending on network conditions and users' locations. We expect bot traffic originating from mobile application channels to grow more than general web traffic this year.
4. Massive data breaches occur with alarming frequency, fueling account takeover attacks at a scale never seen before. Cybercriminals can buy breached databases containing thousands or even millions of login credentials from underground sellers on the dark web. We predict that account takeover attacks will increase in number and severity, rendering personal, corporate and government data sources more vulnerable to breaches than ever.
5. Bots will drive the infodemic much further, continuing to be an efficient tool for powers like intelligence agencies, organized crime and conspiracy theorists. The impact of information, true or false, is greater in times of fear, uncertainty and confusion. Because communication channels are diverse, authorities have very little control over bot activity. In 2020, we expect the use of bots to accelerate for this purpose in relation to the COVID-19 pandemic and the U.S. presidential election.
Recommendations
1. Assess the Real Impact of Bad Bots on Your Organization
Understand that there is a good chance that bad bots impact your business negatively, whether by stealing sensitive data, compromising user accounts, degrading customer experience or fooling the marketing department. There is only so much protection conventional security solutions, such as a firewall or a WAF, can provide against sophisticated bots. Bot management is complex and requires a dedicated technology with experts behind it who have a deep knowledge of good and bad bot behaviors.
2. Build Capabilities to Identify Automated Activity in Seemingly Legitimate User Behaviors
Sophisticated bots simulate mouse movements, perform random clicks and navigate pages in a humanlike manner. Preventing these types of attacks requires deep behavioral models, device/browser fingerprinting and closed-loop feedback systems to ensure that you are not blocking genuine users. Purpose-built bot mitigation solutions can detect sophisticated automated activities and help you to take preemptive actions. Traditional solutions are limited to tracking spoofed cookies, UAs and IP reputation.
3. Enforce Authentication via MFA and Challenge-Response Methods
Multifactor authentication (MFA) systems, such as temporary access codes via SMS, in addition to login forms or other in-app authentication mechanisms, are vulnerable to attackers. There are multiple ways to bypass MFA protection, including using transparent proxies like Muraena and NecroBrowser. In September 2019, the U.S. Federal Bureau of Investigation (FBI) warned organizations about the possibility of cybercriminals circumventing multifactor authentication.3 CAPTCHA has proven to be relatively ineffective in blocking sophisticated bots that mimic human behavior and can be solved in bulk by outsourced CAPTCHA-solving teams. Presenting CAPTCHAs can be an irritant to users and adversely impact the user experience.
4. Block Origins of Bad Bot Traffic
Public cloud services can safe harbor bad bots. Organizations can block suspected public cloud services and internet service providers (ISPs). However, blocking all the traffic coming from data centers or ISPs without considering the user behavior can cause false positives. For example, many users on digital publishing sites come from commercial organizations that use secure web gateways (SWGs) located in data centers to filter user-initiated traffic. Blocking data center traffic without considering domain-specific user behavior can cause false positives for digital publishing sites.
5. Adopt Strict Authentication Mechanisms on APIs
APIs are the key channels that enable seamless intercommunication between websites, applications and smart devices. They have become crucial in facilitating the flow of data from where it is stored to where it is needed. With the growing use of microservice architectures in organizations, poorly secured API gateways are vulnerable to malicious bot attacks. Use API requests to ensure that traffic is coming from a genuine source and not from a malicious bot. API gateways typically only verify the authentication status, but not if the request is coming from a legitimate user. Attackers exploit these flaws in various ways, including session hijacking and account aggregation to imitate genuine API calls.
6. Monitor Anomalous User Behavior and Key Performance Indicators (KPIs)
Cyberattackers deploy bad bots to perform credential stuffing and credential cracking attacks on login pages. Since such approaches involve trying different credentials or a different combination of user IDs and passwords, they increase the number of failed login attempts. Bad bots that visit your website to perform scraping, account takeover or any type of automated activity will result in sharp spikes in traffic. Monitoring failed login attempts and spikes in traffic can help webmasters and security teams take preemptive mitigative measures.
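The monitoring the last recommendation describes, applied to the two attacker patterns seen in the case studies (one IP rotating through many user IDs; one user ID or one subnet spread across many IPs and user agents), as an added example that is not the report's own code. The log format, field order, window size and thresholds are assumptions chosen for the illustration, and the log lines are constructed.

```python
"""Flag credential-stuffing patterns in a login log within fixed time windows."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network

EPOCH = datetime(1970, 1, 1)            # naive reference point for window arithmetic
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"           # assumed timestamp format of the log


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    ua: str
    uid: str
    ok: bool


@dataclass(frozen=True)
class Anomaly:
    kind: str      # which check fired
    key: str       # the IP, user ID or /24 subnet concerned
    count: int     # observed value that exceeded the threshold
    window: int    # index of the time window in which it was observed


def build_sample_log() -> str:
    """Constructed sample log (not real data): 'timestamp ip user-agent uid OK|FAIL'."""
    base = datetime(2019, 11, 2, 10, 0, 0)
    lines = [f"{base:{TS_FMT}} 198.51.100.7 Mozilla/5.0-desktop alice OK"]
    # Pattern A: one IP cycles through many user IDs with failing passwords.
    for i in range(12):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t:{TS_FMT}} 203.0.113.10 Mozilla/5.0-desktop user{i:02d} FAIL")
    # Pattern B: one user ID tried from a block of IPs in the same /24,
    # each request carrying a different user agent.
    for i in range(6):
        t = base + timedelta(seconds=15 * i)
        lines.append(f"{t:{TS_FMT}} 192.0.2.{20 + i} UA-{i} bob FAIL")
    return "\n".join(lines)


def parse_log(text: str) -> list:
    """Parse the assumed space-separated format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] not in ("OK", "FAIL"):
            continue
        ts = datetime.strptime(parts[0], TS_FMT)
        events.append(LoginEvent(ts, parts[1], parts[2], parts[3], parts[4] == "OK"))
    return events


def find_anomalies(events, window=timedelta(minutes=5), max_fail_per_ip=5,
                   max_uids_per_ip=5, max_ips_per_uid=3, max_uas_per_subnet=3):
    """Bucket events into fixed windows and apply four threshold checks per bucket."""
    fails = defaultdict(int)    # (window, ip) -> failed logins
    uids = defaultdict(set)     # (window, ip) -> distinct user IDs seen
    ips = defaultdict(set)      # (window, uid) -> distinct source IPs seen
    uas = defaultdict(set)      # (window, /24) -> distinct user agents seen
    for e in events:
        w = int((e.ts - EPOCH).total_seconds() // window.total_seconds())
        subnet = str(ip_network(f"{e.ip}/24", strict=False))
        if not e.ok:
            fails[(w, e.ip)] += 1
        uids[(w, e.ip)].add(e.uid)
        ips[(w, e.uid)].add(e.ip)
        uas[(w, subnet)].add(e.ua)
    checks = [("failed_logins_per_ip", fails, max_fail_per_ip),
              ("uids_per_ip", uids, max_uids_per_ip),
              ("ips_per_uid", ips, max_ips_per_uid),
              ("uas_per_subnet", uas, max_uas_per_subnet)]
    found = []
    for kind, table, limit in checks:
        for (w, key), value in table.items():
            n = value if isinstance(value, int) else len(value)
            if n > limit:
                found.append(Anomaly(kind, key, n, w))
    return sorted(found, key=lambda a: (a.window, a.kind, a.key))
```

Running `find_anomalies(parse_log(build_sample_log()))` reports the rotating-UID IP on two checks, the user ID spread over six IPs, and the /24 rotating six user agents, while the single genuine login trips nothing. Fixed windows are the simplest bucketing; a low-and-slow campaign spread thinly across windows needs longer windows or rolling counts.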
3 Retrieved from https://www.zdnet.com/article/fbi-warns-about-attacks-that-bypass-multi-factor-authentication-mfa
About Radware
Radware® (NASDAQ: RDWR) is a global leader of cybersecurity and application delivery solutions for physical, cloud and software-defined data centers. Its award-winning solutions portfolio secures the digital experience by providing infrastructure, application and corporate IT protection and availability services to enterprises globally. Radware's solutions empower more than 12,500 enterprise and carrier customers worldwide to adapt quickly to market challenges, maintain business continuity and achieve maximum productivity while keeping costs down. For more information, please visit www.radware.com.
Radware encourages you to join our community and follow us on: Facebook, LinkedIn, Radware Blog, Twitter, YouTube, Radware Mobile for iOS and Android, and our security center DDoSWarriors.com, which provides a comprehensive analysis of DDoS attack tools, trends and threats.
© 2020 Radware Ltd. All rights reserved. Any Radware products and solutions mentioned in this document are protected by trademarks, patents and pending patent applications of Radware in the U.S. and other countries.
For more details, please see: https://www.radware.com/LegalNotice/. All other trademarks and names are the property of their respective owners.