Business security in the age of malicious bots
As most technologies, bots can be used for good and bad purposes, and the information security industry is doing its best to minimize the adverse effects of the latter activities.
“At its core, automation enables a bad actor to scale their business model, which significantly enhances the economics of their attacks,” says Sam Crowther, founder and CEO of Kasada, a global cybersecurity company that has been fighting against bots since 2015.
“As more and more people transact online, the number and potency of bot attacks has escalated. Malicious automated bots exploit legitimate application functionality, and they’re delivered at a scale to make them economically viable. Account takeover attacks, for example, perform automated logins with the goal of compromising user accounts. They do this by stuffing millions of cheaply-sourced stolen credentials into bots.”
The company has seen bots impact large organizations’ security infrastructure in multiple ways and these attack often result in negative financial implications, both concrete and less tangible ones.
“Bots are at the heart of large credit card washing and gift card fraud campaigns, and steal inventory worth millions of dollars. At the same time, they also typically generate large volumes of alerts to a SOC, which a highly-skilled and well-paid engineer will have to sift through. Repeat that multiple times a day, and the time and effort impact SOC engineers mounts quickly,” Crowther explains.
Then there’s also the bots that scrape content from different websites in order for it to be reproduced on others, i.e. effectively stealing intellectual property en masse and bringing attackers undeserved financial gains.
Finally, there’s the bots who DoS, allowing attackers (including competitors) to disrupt or take down a business’s website.
“When it comes to DDoS, unfortunately, L7 DDoS attacks can only be stopped by analyzing the connecting client. This means that legacy CDN solutions that perform analysis on the HTTP request are ineffective at preventing these attacks. This lends itself to creating an anti-automation strategy, in order to make your organization an uneconomical target,” he notes.
Changing defenders’ mindset
Automation is the nucleus of the bad bot business model, and it’s going to remain so because automation drives down the cost of attacks and increases potency, Crowther says. This means security professionals must understand how attackers can abuse legitimate, online functionality for financial gains.
“Our business is determined to shift the balance in favor of defenders. We know the key to winning is making attacks uneconomical. Disrupt the time, effort, cost and reward of attacks, and you’ll defeat assailants,” he explains.
He also believes that defenders must change their mindset.
“Baseball coaches are known to say: ‘Play the ball before it plays you!’ That’s sage advice for those on the security pitch,” he opines. “The key reason many are caught in a ‘cat and mouse’ cycle is defenders are stuck believing adversaries attack and defenders respond.”
At the same time, getting ahead of the curve on security threats doesn’t happen by chance – especially for infosec businesses.
“If you’re not fostering an environment of creativity and thinking differently, then you’re giving attackers and competitors an edge,” he notes.
Finally, he points out another thing these companies should be aware of: most buyers of security products and services are overwhelmed, as they are often left staring at a sushi train of choice, not knowing what exactly they are looking at.
“If you want people to listen, you must speak their language. That’s a language grounded in their needs and concerns. You must also demonstrate that you and your team are solving real world problems,” he advises.