Radware Bot Manager: The Big Bad Bot Problem 2020 (2020-03-31)


The Big Bad Bot Problem 2020: Trends in the Automated Attack Landscape and the Impact on Businesses Across Industries

Table of Contents

Executive Summary
Automated Threat Landscape — 2019
Distribution of Internet Traffic
Four Types of Bad Bots
The Behavior of Bad Bots
Applications Most Exploited by Bad Bots
Origins of Bad Bots
Bad Bots from Public Clouds
Traffic Distribution by Industry
Bad Bots Targets by Vertical
E-commerce
Media and Publishing
Online Marketplaces and Classifieds
Travel and Hospitality
Case Studies
How a Credit Union Dealt With Distributed Account Takeover Attacks
How Bots Skewed the Conversion Rate of a Global Education System Provider
Predictions
Recommendations

Executive Summary

THE BIG BAD BOT PROBLEM 2020 | 03

Radware studies the internet traffic of our global client base to analyze the behavior of bots and identify trends in automated, bot-generated threats faced by businesses. The findings, based on original research and real attack data, are published annually in The Big Bad Bot Problem report.

The report provides a detailed examination of the impact of bad bots across industries and sheds light on recommended preventive measures to safeguard business operations.

Organizations rely on robotic process automation (RPA), essentially the use of bots, to be more efficient and boost productivity. Good bots, like those used to crawl websites for web indexing, content aggregation and market intelligence, free human resources to focus on other responsibilities. Of concern are the bad bots deployed by bad actors to disrupt network services, steal data, perform fraudulent activities and even spread fake news.

This year's report reveals incremental growth in both types of bot traffic. Across all industries and geographies, companies are experiencing an increase in automated attacks on their web and mobile applications as well as on their application programming interfaces (APIs). Our research found that in 2019, bad bot traffic rose to 24.5% of the total internet traffic, a 20% increase year over year.

Key Findings:

In 2019, overall bot traffic grew by 10% year over year. Bad bot traffic grew by 26% during that time period.

Sophisticated bots that can mimic human behavior and deceive conventional security measures increased 18% and now account for 45% of the bad bot traffic.

Automated attacks on mobile phones and APIs are rising. Bad bot traffic accounted for 15.4% of the total traffic on mobile devices and 16.6% of the total traffic on APIs.

The e-commerce industry is the industry most targeted by bad bots, followed by travel.

The use of bad bots to disseminate misinformation is likely to increase in 2020 in response to events such as elections and the COVID-19 pandemic.

The increase in automated attacks on APIs is expected to intensify as more APIs are deployed to facilitate communication between web applications.


The research also finds that bad bots are evolving to be more sophisticated in their capabilities to mimic human behavior and circumvent conventional security protections. These developments not only threaten application security and user data but also directly impact revenue-generating transactions.

As a result, organizations' brand reputations, customer trust and sensitive data are at greater risk than ever before. Going forward, network security solutions must match the level of sophistication found in bots to secure critical data and business applications.

Methodology and Sources

The Big Bad Bot Problem report combines statistical research and frontline experience to identify automated threats that are meaningful to organizations to help determine long-term growth strategies.

Radware's Data Lake of Bots

The quantitative data source for this report was collected and aggregated from the traffic of Radware's global clients in 2019 from nearly 200 countries and includes hundreds of millions of legitimate and malicious bot behaviors, fingerprints and sources.

Radware Bot Management Expert Team

The Radware bot management team is composed of dedicated security consultants, data analysts and researchers providing bot management services. This report shares their insight from frontline experiences to provide an in-depth forensic analysis.


Organizations across the globe seek more efficient ways to connect with new customers and retain existing clients. Secure and easy-to-use applications are critical to ensure success in rapidly changing market conditions.

Automated Threat Landscape — 2019

Many firms report increasing bad bot attacks on their web applications, mobile apps and APIs. Analysis of the data for this report reveals:

Types of automated attacks
Intent of automated attacks
The most exploited surface
New technologies used to exploit vulnerabilities
The impact of automated attacks on specific industries

Distribution of Internet Traffic

In 2019, overall bot traffic grew 24% in comparison to 2018. Bad bot traffic accounted for a quarter (24.5%) of the total traffic. In Q4, when more people shop online, bad bot traffic spiked to 29.3% of the total internet traffic.

Figure 1: Internet traffic distribution — 2018 vs. 2019

Figure 2: Quarterly distribution of internet traffic — 2019

Four Types of Bad Bots

Bots have evolved significantly since their origins as simple scripting tools that used command-line interfaces. Bot developers now use JavaScript and HTML5 web technologies to enable bots to leverage full-fledged browsers. The bots are programmed to mimic human behavior when interacting with a website or app: to move the mouse, tap and swipe on mobile devices and generally try to simulate real visitors in order to evade security systems.

Radware created an industry-standard classification system that divides bad bots into four categories based on their level of sophistication.

First Generation: Script Bots
Typically use just one or two IP addresses to execute thousands of webpage visits to scrape content or spam forms. Easy to detect and blacklist thanks to repetitive attack patterns and a small number of originating IP addresses.

Second Generation: Headless Browsers
Leverage headless browsers—which are website development and testing tools—to tap their abilities to run JavaScript and maintain cookies.

Third Generation: Single Interaction
Mimic human behavior such as moving the mouse, scrolling and clicking links to navigate websites. Exhibit sophisticated behaviors that may overcome certain challenges but cannot fool interaction-based detection, such as CAPTCHA or invisible challenges.

Fourth Generation: Distributed, Mutating Bots
Rotate through large numbers of user agents and device IDs—generating just a few hits from each to avoid detection. Make random mouse movements (not just in a straight line like third-generation bots) and exhibit other humanlike browsing characteristics. Record real user interactions, such as taps and swipes on hijacked or malware-laden mobile apps, to be able to replicate the movements and blend in with human traffic and circumvent security measures.

Figure 3: Four types of bad bots based on levels of technological sophistication

The Increasing Sophistication of Bad Bots

In 2018, the third and fourth generations of bad bots accounted for 22.1% and 16.6% of internet traffic, respectively. In 2019, the numbers reached 27.2% and 18.3%, respectively.

Figure 4: Bad bot sophistication levels — 2018 vs. 2019

The Behavior of Bad Bots

The behavior of bad bots is continuously changing. Cybercriminals now leverage cutting-edge technologies to advance the sophistication of the attack capabilities of bad bots (see Figure 5). In 2019, cyberattackers favored fourth-generation bad bots that mimic human behavior when executing automated attacks. For example, 37.9% of bad bots used to execute account takeover attacks are classified as fourth generation.

Figure 5: Behavior of bad bots by generation


Fake News and Bad Bots: The Next Infodemic Weapon

"…we're not just fighting an epidemic; we're fighting an infodemic," said World Health Organization (WHO) Director-General Tedros Adhanom Ghebreyesus.1

At a time when transparency and facts are essential, an infodemic undermines the public's trust in information. Disinformation and fake news, which drive fear and doubt among people, can easily become a weapon of influence and political bias—with far-reaching social, economic and geopolitical implications.

In this digital era, we consume information from multiple channels and are less dependent on the mainstream media. The penetration of social media in our daily lives means that information, good and bad, true and fake, spreads faster and further than ever.

Bots can serve multiple purposes in this context. According to most current reports, humans are creating fake news, but bad bots are used to spread spam in an effort to influence search engine rankings, so fake "facts" get more exposure. We need only look at recent election campaigns in a number of countries and incorrect information circulating about the COVID-19 virus outbreak.

The most popular technique is comment spamming. Bots inject popular and often-searched keywords into comments on spam and drug-selling sites to increase the visibility and ranking of the site in search results. "Coronavirus" is a highly trending Google search term. Using that term on a page can boost its page rank, a practice that is generally referred to as search engine optimization (SEO). In elections we've also witnessed the use of bad bots to create fake accounts and distribute propaganda.

1 Retrieved from https://www.who.int/dg/speeches/detail/munich-security-conference

Applications Most Exploited by Bad Bots

Cybercriminals use a combination of tools to exploit vulnerabilities in the infrastructure of businesses with an online presence. Attackers deploy exploit kits that consist of a combination of tools such as proxy IPs, multiple user agents (UAs) and programmatic/sequential requests to disguise the identity of bots, evade detection, and perform sophisticated automated attacks. Bots masquerade as genuine traffic by using popular browsers and devices in combination with their exploit kits to target different channels of communication such as web APIs.

Web applications are the most exploited attack surface across industries. In 2019, 35% of the total traffic on web applications was bad bots, an increase of 10% from 2018.

Automated attacks on mobile devices have also increased exponentially in recent years. The widespread adoption of mobile devices and the personal data that these devices store are two of the critical reasons behind the rise in attacks. In 2019, 15.4% of the total traffic on mobile apps was bad bots, rising from 13.4% in 2018.

The widespread adoption of internet of things (IoT) devices, emerging serverless architectures hosted in public clouds and the growing dependency on machine-to-machine communication are the reasons for changes in the modern application architecture.

APIs have emerged as the bridge to facilitate interaction between different application architectures. APIs assist in quicker integration and faster deployment of new services. Despite their rapid and widespread implementation, APIs remain poorly protected and are a vulnerable surface for automated threats.

Personally identifiable information (PII), payment card details and business-critical services are at risk due to bot attacks on APIs. Attacks on APIs have ramped up in the last few years. In 2019, 16.6% of the traffic on APIs was bad bots, rising from 14.3% in 2018.

Figure 6: Most exploited attack surfaces — 2018 vs. 2019

Origins of Bad Bots

Bad bots leverage proxy servers to disguise identity and misrepresent their location origins. In 2019, 42.1% of bad bots originated from the U.S., rising from 30.3% in 2018.

Figure 7: Origin of bad bots — 2018 vs. 2019

Countries with high bot traffic and a considerably low number of genuine users can be blocked with a simple rule based on IP. But what should organizations do with traffic generated in other countries that have a high percentage of bot traffic, such as the Netherlands, Japan or Colombia? This is where sophisticated security protections that can accurately differentiate between human, good and bad bot traffic come into play.

Figure 8: Bot traffic as a percentage of the total outbound traffic from a country

When comparing countries with the highest percentage of bot traffic as part of the total outbound traffic, many of the nations are very small. For example, Andorra is a tiny principality in Europe, known as a tax shelter. Because Andorra isn't part of the European Union (EU), it has no obligation to share the data it stores. Thus, attackers utilize servers located in Andorra to launch bot attacks because data is sheltered.

Figure 9: Overview of industries that are frequent targets of cybercriminals

Bad Bots from Public Clouds

A significant percentage of automated traffic comes from public clouds. In recent years, many organizations have started to use secure web gateways (SWG) hosted in public clouds to filter user-initiated traffic.

Consequently, traffic from these organizations is routed through IPs located in data centers. Cybercriminals know that businesses cannot block all traffic coming through data centers, as genuine users coming from these organizations are of high value. Bad bots hide behind legitimate users coming from these public clouds and mimic human behavior to launch automated attacks.


Traffic Distribution by Industry

Bad bots are present across nearly all industries and verticals. Some industries collect data that is more compelling to cybercriminals, so they naturally attract more bad bots than others. The motivation of perpetrators, though, is different from one industry to another.

INDUSTRY               | BOUNTY                                                        | PRIMARY MOTIVATION        | BOT ATTACK
Financials, Healthcare | Bank accounts, Patient records                                | Data theft / Financial gain | Account takeover (ATO)
E-commerce, Travel     | User accounts, Loyalty programs, Pricing information          | Financial gain, Competition | Payment fraud, Web-scraping, ATO
Media, Classifieds     | Cause losses and redirect users / Improve offers & win business | Competition, Disruption   | Web-scraping, Denial of service (DoS)
Social Media           | Distribute spam / Propaganda                                  | Financial/Political gain  | Account creation, Spam

Key Findings:

The industries that cybercriminals are most likely to attack for a monetary reward are e-commerce, travel and financial services. Companies in these verticals are more cautious and implement stricter security measures. The results of the analysis for this report recognize a correlating higher amount of sophisticated, humanlike bot attacks against these segments.

In 2019, e-commerce was the industry most targeted by bad bots, followed by travel and social media.

Media, publishing and classifieds were the most bot-reliant verticals, with the highest portion of good bot traffic. This traffic is mostly used for advertising, SEO, analytics and lead conversion.

Figure 10: Traffic distribution by industry — 2018 vs. 2019


Bad Bots Targets by Vertical

The data sought by cybercriminals vary from one vertical to another, whether banking credentials, medical records, pricing information or confidential research, to name just a few.

In some cases, cybercriminals write and deploy very sophisticated bots to overcome security measures and take over user accounts, disrupt service availability and exploit vulnerabilities in applications and APIs. In other cases, businesses directly target their competitors, commonly deploying bad bots to scrape the content and aggregate data such as product names and pricing.

E-commerce

Figure 11: Section-based traffic analysis of e-commerce, 2019

The e-commerce industry grew 15% in 2019.2 The vertical industry reports an increase in bad bot attacks on its web applications, mobile apps and APIs.

2 Retrieved from https://www.digitalcommerce360.com/article/us-ecommerce-sales/

Bad bot attacks are common across all applications, from payment fraud on checkout pages to content scraping (prices or product info) on product pages, coupon scraping, inventory holdups and cart abandonment, as well as various forms of account takeover, including brute force and credential stuffing on the home page or user login page.

Since every disruption affects revenue, most e-commerce companies invest heavily in protecting their applications. Therefore, we see an extremely high amount (58%) of distributed, mutating bots within the total bad bot activity for this vertical. Hackers use sophisticated bots to evade bot management technologies that rely on data and behavioral profiling that are not big enough to produce correlations between different violations.

Figure 12: Types of bad bots targeting the e-commerce industry

Data about bad bot attacks on e-commerce sites reveal a mix of sophistication levels. Some attacks, such as scraping, can be performed by simple scripts or headless browser bots. Denial of inventory and account takeover attacks require advanced capabilities to impersonate a real human user.

Figure 13: Levels of bad bot sophistication when committing attacks on e-commerce sites

Media and Publishing

Figure 14: Section-based traffic analysis of the media and publishing industry

Media and publishing outlets use many good bots for advertising and affiliate programs. Their main challenges are to filter out dirty bot traffic as well as to correct marketing analytic tools. In this vertical, it is common for competitors and ad platforms to scrape data and content or attempt to skew the analytics of the media campaigns, causing further harm by leading the targeted publisher to make flawed decisions that are based on false data.

Online Marketplaces and Classifieds

Figure 15: Section-based traffic analysis of online marketplaces and classifieds

Marketplaces and classifieds rely on the credibility and trust of consumers to grow their businesses. As they attract more traffic, these companies benefit from performing as hubs for advertisements. Their objective is to keep ads secure from scraping—especially from competitors—which may also run scripts to collect users' sign-up information. This effort is why we see more bad bot traffic against the home page.

Travel and Hospitality

Figure 16: Types of bad bots targeting the travel industry

Travel and hospitality organizations such as airlines, transportation and hotel chains rely heavily on online purchases. Cybercriminals target their sites with attacks that mainly use humanlike and distributed mutating bots to bypass security tools. Nearly two-thirds of bad bots accessing their web properties are considered sophisticated bots.

The most common bot attack type identified is denial of inventory. Twenty-nine percent of the traffic to booking sections is generated by bad bots. These bots can hold inventory for as long as the bot herder chooses, making it unavailable to real users, thus causing an immediate financial impact on the victim. Empty hotel rooms are locked up, and airline seats go unsold.

The bots run in a loop and hold the rooms or tickets after timeouts are generated and the inventory is supposed to go back to the pool. The loss is even greater as the airline must pay a small amount to a Global Distribution System (GDS) per every request. Another common issue is bot activity that takes advantage of loyalty program rewards.

Figure 17: Section-based traffic analysis of the travel industry

Case Studies

How a Credit Union Dealt With Distributed Account Takeover Attacks

Industry: BFSI
Function: A credit union
Duration of Study: 30 days
Problem: Large-scale, distributed account takeover attacks
Attack Surface: Login page of web applications, mobile apps and authentication API

Business Problem

Severe account takeover attacks were never-ending for this organization. Millions of bad bots bombarded the login page of this credit union with large-scale, sophisticated credential stuffing attacks.

The Intensity of Attacks – Example A

A variety of bots with different signatures attacked the login page and authentication API of the credit union during the study period. Primarily, attackers made three types of hit:

1. Attacks on constant intervals
2. Low and slow
3. Continuous

Low and slow attacks are the most sophisticated attacks, which can bypass security defenses if dedicated measures are not in place.

Figure 18: Different types of bot signatures

The Intensity of Attacks — Example B

In this instance, the subnet of IPs (marked in blue) originating from the same internet service provider (ISP) with rotating UAs (labeled in red) is being used to target the login page (authentication API). It is a case of large-scale distributed attacks where attackers use only one ISP to hide behind genuine users to avoid being blocked based on their ISP address.

Figure 19: Distributed bad bot pattern

Classification of Bad Bots

Cybercriminals leveraged humanlike and distributed humanlike bad bots. On the login page of the credit union's platform, 63.9% of bad bots could mimic human behavior.

Figure 20: Types of bad bots that target the credit union

How Bots Skewed the Conversion Rate of a Global Education System Provider

Industry: Education
Segment: Computer-based testing (CBT) for certification and licensure
Duration of Study: 30 days
Type of Attack: Large-scale, distributed attacks to scrape tests and sell them on the black market
Attack Description: Cybercriminals first created fake user IDs for different tests and then moved through various steps to finally check out after scraping exam details, test papers and other valuable information.

Business Problem

Cybercriminals targeted a different section of this CBT firm in a scheduled way. The calendar section was targeted the most, with 60% of its traffic as bad bots. More than 1,100 bot unique identifiers (UIDs) were deployed to launch continuous bot attacks on the calendar section. See Figure 21 for an explanation of total hits versus bad bots on this platform during the analysis period.

Figure 21: Section-based traffic analysis of the attack on a testing company

The Intensity of the Attack

Example A: In this case, attackers shifted through many UIDs using only one IP address to target different sections of the website.

Example B: In this case, attackers connected through a series of IPs using only one UID to target different sections of the website.

Figure 22: Sophistication levels of bad bots, Example A
Figure 23: Sophistication levels of bad bots, Example B

Classification of Bad Bots on the Platform

Most of the bots on this platform were fourth generation and could mimic human behavior.

Figure 24: Types of bad bots targeting the testing company's platform
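The distributed patterns in the two case studies (a subnet of IPs from one ISP rotating user agents against the login path, one IP cycling through many UIDs, one UID appearing from many IPs, and hits arriving on constant intervals) are the fourth-generation behaviour described in the Four Types of Bad Bots section: few hits per identity, many identities. The following is an added example, not Radware's code or product logic, showing how a defender can express each of those patterns as a check over access-log records. The record layout, the thresholds and the traffic itself are constructed for the demo; in practice the records come from web-server or API-gateway logs and thresholds are tuned per site.

```python
"""Detection checks for the distributed bad-bot patterns in the case studies.

Added example (not Radware's code). Records, thresholds and addresses are
constructed for the demo; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24
are documentation ranges.
"""
from collections import defaultdict
from ipaddress import ip_network
from statistics import pstdev

UAS = ["Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (Macintosh)",
       "Mozilla/5.0 (X11; Linux)", "Mozilla/5.0 (iPhone)", "Mozilla/5.0 (Android)"]


def build_sample_traffic():
    """Constructed records: ts (seconds), source ip, user agent, client uid, path."""
    records = []
    t = 0
    # Credit-union Example B: ten hosts in one /24, each presenting a new UA on every
    # hit against /login, on a fixed 30-second cadence (Example A, "constant intervals").
    for host in range(10):
        for hit in range(4):
            records.append({"ts": t, "ip": f"203.0.113.{host + 10}",
                            "ua": UAS[(host + hit) % 5], "uid": f"u{host}", "path": "/login"})
            t += 30
    # Testing-company Example A: one IP shifting through twelve UIDs.
    for n in range(12):
        records.append({"ts": 5000 + n * 7, "ip": "198.51.100.7", "ua": UAS[0],
                        "uid": f"fake{n}", "path": "/calendar"})
    # Testing-company Example B: one UID connecting through eight IPs.
    for n in range(8):
        records.append({"ts": 9000 + n * 11, "ip": f"192.0.2.{n + 1}", "ua": UAS[1],
                        "uid": "shared-uid", "path": "/tests"})
    # A benign user for contrast: one IP, one UA, one UID, irregular timing.
    for ts in (100, 340, 1200):
        records.append({"ts": ts, "ip": "198.51.100.200", "ua": UAS[2], "uid": "alice", "path": "/home"})
    return records


def ua_rotation_by_subnet(records, prefix=24, min_uas_per_ip=3, min_hosts=5):
    """Subnets in which several individual IPs each present many UAs on the login path.

    A single IP with one UA is normal; one IP cycling UAs is the rotation signature,
    and many such IPs in one /prefix is the ISP-subnet pattern of Example B.
    """
    uas_per_ip = defaultdict(set)
    for r in records:
        if r["path"] == "/login":
            uas_per_ip[r["ip"]].add(r["ua"])
    rotating = [ip for ip, uas in uas_per_ip.items() if len(uas) >= min_uas_per_ip]
    per_subnet = defaultdict(list)
    for ip in rotating:
        per_subnet[str(ip_network(f"{ip}/{prefix}", strict=False))].append(ip)
    return {net: sorted(ips) for net, ips in per_subnet.items() if len(ips) >= min_hosts}


def identity_spread(records, max_uids_per_ip=5, max_ips_per_uid=3):
    """IPs carrying too many UIDs (Example A) and UIDs seen from too many IPs (Example B)."""
    uids_per_ip, ips_per_uid = defaultdict(set), defaultdict(set)
    for r in records:
        uids_per_ip[r["ip"]].add(r["uid"])
        ips_per_uid[r["uid"]].add(r["ip"])
    many_uids = {ip: len(u) for ip, u in uids_per_ip.items() if len(u) > max_uids_per_ip}
    many_ips = {uid: len(i) for uid, i in ips_per_uid.items() if len(i) > max_ips_per_uid}
    return many_uids, many_ips


def constant_interval_sources(records, min_hits=4, max_cv=0.05):
    """IPs whose inter-request gaps are almost perfectly regular (machine cadence).

    Returns ip -> mean gap in seconds. Human traffic has jitter, so the coefficient
    of variation (stdev / mean) of the gaps is the discriminator.
    """
    times = defaultdict(list)
    for r in records:
        times[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and pstdev(gaps) / mean <= max_cv:
            flagged[ip] = mean
    return flagged


if __name__ == "__main__":
    recs = build_sample_traffic()
    print("UA rotation by subnet:", ua_rotation_by_subnet(recs))
    print("UID/IP spread:", identity_spread(recs))
    print("Constant-interval sources:", constant_interval_sources(recs))
```

Each check is deliberately narrow so the false-positive risk the report warns about stays visible: a corporate NAT will carry many UIDs behind one IP, and a mobile user will show one UID across several IPs, so these counts are signals to correlate with behaviour, not verdicts on their own.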

Predictions

1. The use of bad bots to disseminate misinformation will ramp up in 2020. For example, the use of bots to spread misinformation and conspiracy theories about the COVID-19 pandemic shows how deadly misinformation can be.

2. Automated attacks on APIs are growing. The rate of API adoption will continue to grow because they facilitate communication between web applications. Automated attacks on APIs are expected to be intensive in the coming months.

3. Our data shows that mobile applications are increasingly being used by botmasters to launch attacks. These attacks can be harder to detect because mobile device IP addresses change often depending on network conditions and users' locations. We expect bot traffic originating from mobile application channels to grow more than general web traffic this year.

4. Massive data breaches occur with alarming frequency, fueling account takeover attacks at a scale never seen before. Cybercriminals can buy breached databases containing thousands or even millions of login credentials from underground sellers on the dark web. We predict that account takeover attacks will increase in number and severity, rendering personal, corporate and government data sources more vulnerable to breaches than ever.

5. Bots will drive the infodemic much further, continuing to be an efficient tool for powers like intelligence agencies, organized crime and conspiracy theorists. The impact of information—true or false—especially in times of fear, uncertainty and confusion is greater. Because communication channels are diverse, authorities have very little control over bot activity. In 2020, we expect the use of bots to accelerate for this purpose in relation to the COVID-19 pandemic and the U.S. presidential election.

Recommendations

1. Assess the Real Impact of Bad Bots on Your Organization
Understand that there is a good chance that bad bots impact your business negatively, whether by stealing sensitive data, compromising user accounts, degrading customer experience or fooling the marketing department. There is only so much protection conventional security solutions, such as a firewall or a WAF, can provide against sophisticated bots. Bot management is complex and requires a dedicated technology with experts behind it who have a deep knowledge of good and bad bot behaviors.

2. Build Capabilities to Identify Automated Activity in Seemingly Legitimate User Behaviors
Sophisticated bots simulate mouse movements, perform random clicks and navigate pages in a humanlike manner. Preventing these types of attacks requires deep behavioral models, device/browser fingerprinting and closed-loop feedback systems to ensure that you are not blocking genuine users. Purpose-built bot mitigation solutions can detect sophisticated automated activities and help you to take preemptive actions. Traditional solutions are limited to tracking spoofed cookies, UAs and IP reputation.

3. Enforce Authentication via MFA and Challenge-Response Methods
Multifactor authentication (MFA) systems, such as temporary access codes via SMS, in addition to login forms or other in-app authentication mechanisms, are vulnerable to attackers. There are multiple ways to bypass MFA protection, including using transparent proxies like Muraena and NecroBrowser. In September 2019, the U.S. Federal Bureau of Investigation (FBI) warned organizations about the possibility of cybercriminals circumventing multifactor authentication.3 CAPTCHA has proven to be relatively ineffective in blocking sophisticated bots that mimic human behavior and can be solved in bulk by outsourced CAPTCHA-solving teams. Presenting CAPTCHAs can be an irritant to users and adversely impact the user experience.

4. Block Origins of Bad Bot Traffic
Public cloud services can harbor bad bots. Organizations can block suspected public cloud services and internet service providers (ISPs). However, blocking all the traffic coming from data centers or ISPs without considering the user behavior can cause false positives. For example, many users on digital publishing sites come from commercial organizations that use secure web gateways (SWGs) located in data centers to filter user-initiated traffic. Blocking data center traffic without considering domain-specific user behavior can cause false positives for digital publishing sites.

5. Adopt Strict Authentication Mechanisms on APIs
APIs are the key channels that enable seamless intercommunication between websites, applications and smart devices. They have become crucial in facilitating the flow of data from where it is stored to where it is needed. With the growing use of microservice architectures in organizations, poorly secured API gateways are vulnerable to malicious bot attacks. Inspect API requests to ensure that traffic is coming from a genuine source and not from a malicious bot. API gateways typically only verify the authentication status, but not whether the request is coming from a legitimate user. Attackers exploit these flaws in various ways, including session hijacking and account aggregation to imitate genuine API calls.

6. Monitor Anomalous User Behavior and Key Performance Indicators (KPIs)
Cyberattackers deploy bad bots to perform credential stuffing and credential cracking attacks on login pages. Since such approaches involve trying different credentials or a different combination of user IDs and passwords, they increase the number of failed login attempts. Bad bots that visit your website to perform scraping, account takeover or any type of automated activity will result in sharp spikes in traffic. Monitoring failed login attempts and spikes in traffic can help webmasters and security teams take preemptive mitigative measures.

3 Retrieved from https://www.zdnet.com/article/fbi-warns-about-attacks-that-bypass-multi-factor-authentication-mfa
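Recommendations 4 and 6 above fit together in one monitoring routine: count failed logins per source and per minute, compare each minute's request volume against the preceding baseline, and treat data-center origin as corroboration rather than as grounds for blocking on its own. The following is an added example (not Radware's code) of that routine run over a constructed authentication log. The log line format, the thresholds and the "data-center" address range (a documentation range standing in for a provider list) are all assumptions made for the demo.

```python
"""Failed-login and traffic-spike monitoring with behaviour-aware origin handling.

Added example (not Radware's code). Log format, thresholds and the data-center
range are constructed for the demo.
"""
import re
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed log line: "<ISO timestamp> <client ip> <method> <path> <status> user=<name>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) user=(\S+)$")

# Placeholder for a public-cloud / data-center range; a real deployment would load
# provider-published ranges. Per recommendation 4 this is corroborating evidence only.
DATACENTER_RANGES = [ip_network("198.51.100.0/24")]


def build_sample_log():
    """Constructed log: five quiet minutes, one SWG-routed corporate user, then a
    credential-stuffing burst from a single IP in minute six."""
    lines = []
    for minute in range(5):
        for n in range(4):
            lines.append(f"2019-11-12T10:{minute:02d}:{n * 15:02d}Z 192.0.2.{minute * 4 + n + 1} "
                         f"POST /api/auth 200 user=user{minute * 4 + n}")
    lines.append("2019-11-12T10:02:50Z 198.51.100.9 POST /api/auth 200 user=carol")
    for n in range(25):
        lines.append(f"2019-11-12T10:05:{n * 2:02d}Z 203.0.113.5 POST /api/auth 401 user=victim{n}")
    lines.append("2019-11-12T10:05:30Z 192.0.2.77 POST /api/auth 200 user=dave")
    return lines


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status, user = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ip, "method": method, "path": path, "status": int(status), "user": user}


def bucket_of(event, bucket_seconds=60):
    """Start (epoch seconds) of the fixed-width time bucket the event falls in."""
    return int(event["ts"].timestamp()) // bucket_seconds * bucket_seconds


def failed_login_bursts(events, threshold=10, bucket_seconds=60):
    """(ip, bucket) pairs whose count of 401s on the auth path reaches the threshold."""
    counts = Counter()
    for e in events:
        if e["path"] == "/api/auth" and e["status"] == 401:
            counts[(e["ip"], bucket_of(e, bucket_seconds))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def traffic_spikes(events, factor=3.0, min_history=3, bucket_seconds=60):
    """Buckets whose request count exceeds factor x the median of all earlier buckets."""
    per_bucket = Counter(bucket_of(e, bucket_seconds) for e in events)
    spikes, history = {}, []
    for b in sorted(per_bucket):
        if len(history) >= min_history and per_bucket[b] > factor * median(history):
            spikes[b] = per_bucket[b]
        history.append(per_bucket[b])
    return spikes


def is_datacenter(ip):
    addr = ip_address(ip)
    return any(addr in net for net in DATACENTER_RANGES)


def assess_sources(lines):
    """Per-IP verdict: 'challenge' only on a failed-login burst; data-center origin
    is recorded as a reason but never decides by itself (recommendation 4)."""
    events = [e for e in map(parse_line, lines) if e]
    bursts = failed_login_bursts(events)
    spikes = traffic_spikes(events)
    verdicts = {}
    for ip in sorted({e["ip"] for e in events}):
        reasons = []
        burst_hits = [n for (bip, _), n in bursts.items() if bip == ip]
        if burst_hits:
            reasons.append(f"{max(burst_hits)} failed logins in one minute")
            if any(bucket_of(e) in spikes for e in events if e["ip"] == ip):
                reasons.append("active during site-wide traffic spike")
        if is_datacenter(ip):
            reasons.append("data-center origin (corroborating only)")
        verdicts[ip] = {"action": "challenge" if burst_hits else "allow", "reasons": reasons}
    return verdicts


if __name__ == "__main__":
    for ip, v in assess_sources(build_sample_log()).items():
        if v["reasons"]:
            print(ip, v)
```

The verdict is "challenge" rather than "block" on purpose: a failed-login burst from one IP is strong evidence of credential stuffing, but a step-up challenge keeps a misconfigured corporate client from being locked out, and the data-center reason stays attached to the SWG user without changing its outcome.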

About Radware

Radware® (NASDAQ: RDWR) is a global leader of cybersecurity and application delivery solutions for physical, cloud and software-defined data centers. Its award-winning solutions portfolio secures the digital experience by providing infrastructure, application and corporate IT protection and availability services to enterprises globally. Radware's solutions empower more than 12,500 enterprise and carrier customers worldwide to adapt quickly to market challenges, maintain business continuity and achieve maximum productivity while keeping costs down. For more information, please visit www.radware.com.

Radware encourages you to join our community and follow us on: Facebook, LinkedIn, Radware Blog, Twitter, YouTube, Radware Mobile for iOS and Android, and our security center DDoSWarriors.com, which provides a comprehensive analysis of DDoS attack tools, trends and threats.

© 2020 Radware Ltd. All rights reserved. Any Radware products and solutions mentioned in this document are protected by trademarks, patents and pending patent applications of Radware in the U.S. and other countries.

For more details, please see: https://www.radware.com/LegalNotice/. All other trademarks and names are the property of their respective owners.
