The use of bots is on the increase. Bots are capable of automating repetitive tasks and speeding up the way organisations work. They are equally useful for attacking businesses and stealing data. In a recent survey, it appears that organisations believe they can tell the difference between the two. The research, from Netacea, says otherwise.
Netacea has released its latest report The bot management review: The challenge of high awareness and limited understanding (registration required). It commissioned Coleman Parkes to survey 200 companies across the travel, entertainment, e-commerce and financial services sectors. The results show that despite awareness of the problem, too many businesses don’t understand it. They actively look for some bot activity on their site but are unaware of how much there is.
Andy Still, CTO, Netacea said: “Current circumstances mean that businesses are relying on their online presence more than ever before. This also means more opportunities for online criminal enterprises looking to increase their profits. And while the majority of businesses are not oblivious to the problem of bot attacks, the inevitable conclusion of this research is that this awareness is not leading to action.”
Bad bots are getting much harder to spot because they increasingly mimic human behaviour patterns, which makes them extremely hard for behavioural analytics to identify. Bot developers are also deploying their own countermeasures, one of which is to use machine learning to recognise bot mitigation techniques and find workarounds. It means that security teams need to monitor and update their defences regularly if they are to keep spotting bot-related attacks.
What bot related issues does the research reveal?
Awareness of the challenges bots bring is high, and companies are deploying tools to deal with bots. Around 33% have been using a complete bot management solution for some time. A further 57% have deployed a partial bot management solution. Only 1% are holding back on deploying a solution on their website.
The most common types of attacks are card fraud (83%) and credential stuffing (81%). These are hotly followed by account compromise (74%) and website scraping (71%). The latter is commonly done by price comparison websites and, in some industries, competitors. It is also done by cybercriminals who create duplicate websites.
Given the numbers above, it is strange that 24% of respondents claim not to have experienced an attack in the last two years. Importantly, the claim is not that attacks were detected and blocked, but that there were no attacks at all. It raises the question of how effective their security tools really are. Responses differed by industry sector: 58% of those in the online gaming/streaming/entertainment sector believed they had not been attacked in the last two years, whereas Travel (95%) and Financial Services (95%) admitted to attacks.
Who is responsible for protecting against bot attacks?
Protecting web applications is a significant challenge. Working from home has substantially increased the number of web applications organisations use, and that has created opportunities for attacks. However, ownership of bot management seems to be a scatter-gun affair, with too many owners and plenty of room for error, as the graphic below shows.
There also seems to be a significant gap in understanding what is at risk of attack. Most industries seem to understand the risk of bot attacks against websites and mobile apps. However, all rank bot attacks against APIs as low on their list. The problem here is that bot attacks against APIs are machine-to-machine attacks. They execute at high speed and can quickly impact a business before it can react.
Digital transformation projects use APIs to integrate suppliers and customers. The goal is to remove human error and speed up business. Attackers increasingly compromise small businesses to gain access to the supply chain. Those smaller partners will have the API keys to connect to the larger organisations. Attackers will deploy bots to exploit those keys and gain access to other companies on the supply chain.
To emphasise the risk, Netacea says that it is seeing an increase in the targeting of APIs.
Enterprise Times: What does this mean?
The awareness of the threat from bots in some areas is good news. It means that security teams are getting access to tools to spot highly adaptable attacks. However, the confused ownership position shows that there is still room to improve. The more people who “own” a technology, the harder it is to get things done. Businesses need to deliver clearer management structures and empower security teams to get on with the job.
The use of bots, machine learning and AI is part of most digital transformation projects. The benefits are well documented, but what is a positive can also be a negative. It comes as no surprise, therefore, that attackers are using the same technologies to enhance and speed up attacks.
As the report states: “A little knowledge can be a dangerous thing, are businesses falling into this trap when it comes to bot management? It’s not entirely clear, but they are showing many of the signs.”
Those businesses that don’t deploy comprehensive solutions, and make sure those solutions are fit for purpose, will find themselves easy victims of cybercriminals and their bots.