THE TOP AUTOMATED BOT THREATS TO APPLICATIONS AND HOW TO STOP THEM
“Bad” bots, which masquerade as humans and attack online businesses, now comprise 26% of total internet traffic. They evade conventional security technologies, threatening websites, mobile applications and even APIs. Often, these highly sophisticated and automated threats set their sights on web applications, using an array of tactics to pillage personal data, tie up online inventory and degrade application/website performance.
These attacks often go undetected by conventional mitigation strategies because bots have evolved from basic scripts to large-scale distributed bots with humanlike interaction capabilities to evade discovery. Staying ahead of this threat requires two things: a firm understanding of these malevolent robots and more sophisticated, advanced security capabilities to actively detect and mitigate them.
To address the former, the Open Web Application Security Project (OWASP) maintains a list of automated threats that target web applications [1]. It serves as a starting point for security professionals seeking to protect web applications from the most virulent automated threats currently available to cybercriminals.
These threats can be grouped into six categories:
- Account Takeover
- Denial of Inventory
- Payment Data Abuse
- Skewed Marketing Analytics
- Web Scraping
- Denial of Service
Bot management solutions address the latter and now serve as a cornerstone of any application security strategy. The escalating intensity of bot traffic and the increasing severity of its overall impact mean that dedicated bot management solutions are crucial to ensuring business continuity and success.
This document provides an overview of these categories, symptoms by which to identify them and key technical capabilities that security professionals should consider when evaluating bot management solutions.
ACCOUNT TAKEOVER
This category encompasses the ways bots are programmed to use false identities to obtain access to data or goods. Their methods vary. They can hijack existing accounts by cracking a password via Brute Force attacks, or by replaying username/password pairs leaked in other breaches (credential stuffing). Lastly, they can be programmed to create new accounts to carry out their nefarious intentions.
As its name suggests, this category encompasses an array of attacks focused on guessing or replaying credentials, tokens or verification codes/numbers, with the goal of creating accounts or gaining access to existing accounts, data or products. Examples include account creation, token cracking and credential cracking/stuffing. Common symptoms include higher than average account creation rates and high numbers of failed token or login attempts from the same user and/or IP address. Credential cracking typically shows as many failures against one username, while credential stuffing shows as one or two attempts against each of many different usernames from the same source.
MITIGATION BEST PRACTICES:
Intent-based deep behavioral analysis (IDBA) is a critical next-generation capability to mitigate account takeovers executed by more advanced generation 3 and 4 bots. IDBA leverages the latest developments in deep learning and behavioral analysis to decode the true intention of bots. IDBA goes beyond analyzing mouse movements and keystrokes to detect humanlike bots, so “bad” bots can be separated from legitimate traffic to ensure a seamless online experience for consumers.
IDBA is a major step forward in bot detection technology because it performs behavioral analysis at a higher level of abstraction (intent), unlike the commonly used, shallow interaction-based behavioral analysis. An account takeover is an example of intent, while a “mouse pointer moving in a straight line” is an example of interaction. Capturing intent enables IDBA to provide significantly higher levels of accuracy in detecting more advanced bots. Read IDBA: A Proprietary Bot Detection Technology to learn more.
In addition, device and browser fingerprinting capabilities are equally critical to discern the identity of end-user devices for bots that leverage evasion techniques such as changing IP addresses or operating behind anonymous proxies.
Credential cracking (also known as a Brute Force attack) represents a simpler form of account takeover typically executed by legacy script-based bots. It can be mitigated by applying rate limiting on various collected parameters for login pages, authentication pages and API authentication endpoints. Rate limiting keyed on the source IP alone is defeated by proxy rotation, so the limits should also be keyed on the targeted username and on the device fingerprint.
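The symptoms and the rate-limiting mitigation described above, as an added example that is not code from this page or from any bot-management product. It flags credential cracking (many failures against one username) and credential stuffing (one failure each against many usernames) in a window of login events, and applies a sliding-window limiter keyed on IP, username and device fingerprint. The event format, the sample log and the thresholds are assumptions made for the example.

```python
"""Account-takeover symptom detection and multi-key rate limiting (added example)."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # assumed analysis window

# Constructed sample events: (timestamp, client_ip, username, device_fingerprint, result)
SAMPLE_EVENTS = [
    # Legitimate user: one typo, then success.
    (0, "203.0.113.10", "alice", "fp-a1", "fail"),
    (5, "203.0.113.10", "alice", "fp-a1", "ok"),
    # Credential cracking: one username, many passwords, one IP.
    *[(10 + i, "198.51.100.7", "bob", "fp-b7", "fail") for i in range(12)],
    # Credential stuffing: many usernames, one attempt each, one IP and fingerprint.
    *[(40 + i, "192.0.2.44", f"user{i:02d}", "fp-c4", "fail") for i in range(25)],
]


def symptoms(events, window=WINDOW_SECONDS, per_user_failures=10, distinct_users=20):
    """Return {ip: reason} for source IPs whose failed logins look automated."""
    flagged = {}
    fails_by_ip = defaultdict(list)
    for ts, ip, user, _fp, result in events:
        if result == "fail":
            fails_by_ip[ip].append((ts, user))
    for ip, fails in fails_by_ip.items():
        fails.sort()
        for ts, _ in fails:
            # Failures from this IP within `window` seconds before and including this one.
            recent = [u for t, u in fails if ts - window < t <= ts]
            per_user = defaultdict(int)
            for u in recent:
                per_user[u] += 1
            if max(per_user.values()) >= per_user_failures:
                flagged[ip] = "credential cracking"  # one account hammered
                break
            if len(per_user) >= distinct_users:
                flagged[ip] = "credential stuffing"  # many accounts, one try each
                break
    return flagged


class MultiKeyRateLimiter:
    """Sliding-window limiter on failed attempts, keyed on IP, username and fingerprint.

    Only failures are counted, so a user who logs in successfully is never
    penalised. A bot rotating IPs still trips the username or fingerprint key.
    """

    def __init__(self, window=WINDOW_SECONDS, limits=None):
        self.window = window
        self.limits = limits or {"ip": 20, "username": 5, "fingerprint": 10}  # assumed
        self.history = {k: defaultdict(deque) for k in self.limits}

    def _prune(self, dq, now):
        while dq and dq[0] <= now - self.window:
            dq.popleft()

    def check(self, ts, ip, username, fingerprint, result):
        """Return (allowed, blocking_key); records the attempt only if it failed."""
        keys = {"ip": ip, "username": username, "fingerprint": fingerprint}
        for name, value in keys.items():
            dq = self.history[name][value]
            self._prune(dq, ts)
            if len(dq) >= self.limits[name]:
                return False, name
        if result == "fail":
            for name, value in keys.items():
                self.history[name][value].append(ts)
        return True, None


def replay(events, limiter=None):
    """Run events through the limiter; return (allowed_count, {blocking_key: blocked_count})."""
    limiter = limiter or MultiKeyRateLimiter()
    blocked = defaultdict(int)
    allowed = 0
    for ts, ip, user, fp, result in events:
        ok, key = limiter.check(ts, ip, user, fp, result)
        if ok:
            allowed += 1
        else:
            blocked[key] += 1
    return allowed, dict(blocked)


if __name__ == "__main__":
    print(symptoms(SAMPLE_EVENTS))
    print(replay(SAMPLE_EVENTS))
```

On the sample, the cracking source is stopped by the username key after five failures against "bob", and the stuffing source, which never repeats a username, is stopped by the fingerprint key before the looser per-IP limit is reached. Alice's single failed attempt stays well under every limit.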
AVAILABILITY OF INVENTORY
This category of threats specializes in holding hostage the inventory of e-commerce sites, ticketing systems, airlines, etc. It accomplishes this by beginning the purchasing process without checking out and restarting it whenever the reservation timer expires, so the goods are never released back to stock. Other bots clear inventory instantaneously so that cybercriminals can resell the goods. The result is direct financial loss.
Denial of inventory and scalping are two perfect examples. Denial of inventory means depleting goods or services without completing the purchase or committing to the transaction. Scalping, on the other hand, is focused on obtaining limited-availability items/services via “unfair” tactics. Scalping is typically characterized by peaks of traffic for certain goods, while denial-of-inventory attempts usually result in increased stock held in baskets or reservations, elevated basket abandonment rates and a sharp drop in conversions at the payment step.
MITIGATION BEST PRACTICES:
Mitigating denial of inventory depends on the type of bot performing the attack. Legacy generation 1 and 2 bots can be mitigated by applying custom rules to cart pages/APIs to block attempts to programmatically add products to carts. Stopping more advanced generation 3 and 4 bots will require the aforementioned IDBA. Workflow and visitor journey validation are critical for mitigating both of these threats while also ensuring minimal false positives: a request to add to the cart that is not preceded by a product view, or a visitor who keeps re-reserving the same item after each hold expires, is a workflow violation rather than a judgement about the visitor's behavior, so it produces few false positives.
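The workflow and visitor journey validation above, as an added example that is not code from this page or from any bot-management product. It enforces a required order of steps on the cart API (product view before add-to-cart, add-to-cart before checkout, checkout before payment), caps how often one visitor may re-reserve the same SKU after each hold expires, and exposes the "stock held in baskets" symptom as a metric. The endpoints, the hold lifetime, the limits and the request trace are assumptions made for the example.

```python
"""Journey validation and cart-hold limits against denial of inventory (added example)."""
from collections import defaultdict

HOLD_SECONDS = 600          # basket reservation lifetime (assumed)
MAX_HOLDS_PER_SKU = 2       # re-reservations of one SKU per visitor within REHOLD_WINDOW (assumed)
REHOLD_WINDOW = 86400       # look-back for counting re-reservations (assumed)

# Required preceding step for each sensitive endpoint (assumed journey).
REQUIRED_BEFORE = {
    "/cart/add": "/product",
    "/checkout": "/cart/add",
    "/pay": "/checkout",
}


class InventoryGuard:
    """Server-side journey validation plus per-visitor cart-hold limits."""

    def __init__(self):
        self.steps = defaultdict(set)      # visitor -> endpoints already visited
        self.holds = defaultdict(list)     # (visitor, sku) -> start times of holds
        self.purchased = []                # (visitor, sku) pairs that completed payment

    def handle(self, ts, visitor, path, sku):
        """Decide one request. Returns ('allow' | 'block', reason)."""
        required = REQUIRED_BEFORE.get(path)
        if required and required not in self.steps[visitor]:
            # Gen 1/2 scripts POST straight to the cart API; a human arrives
            # via the product page, so the missing step is the rule.
            return "block", f"{path} without prior {required}"
        if path == "/cart/add":
            recent = [t for t in self.holds[(visitor, sku)] if ts - t < REHOLD_WINDOW]
            if len(recent) >= MAX_HOLDS_PER_SKU:
                # Re-reserving after every expiry is the denial-of-inventory
                # pattern: stock is held continuously but never bought.
                return "block", "re-reservation limit reached"
            self.holds[(visitor, sku)].append(ts)
        if path == "/pay":
            self.purchased.append((visitor, sku))
            self.holds.pop((visitor, sku), None)   # hold converted into a sale
        self.steps[visitor].add(path)
        return "allow", ""

    def active_holds(self, ts):
        """Units reserved in baskets per SKU at time ts: the 'stock held in baskets' symptom."""
        counts = defaultdict(int)
        for (_, sku), starts in self.holds.items():
            counts[sku] += sum(1 for t in starts if t <= ts < t + HOLD_SECONDS)
        return {sku: n for sku, n in counts.items() if n}


# Constructed request trace: (timestamp, visitor, path, sku)
TRACE = [
    (0,    "human-1", "/product",  "SKU-1"),
    (30,   "human-1", "/cart/add", "SKU-1"),
    (60,   "human-1", "/checkout", "SKU-1"),
    (90,   "human-1", "/pay",      "SKU-1"),
    (100,  "bot-1",   "/cart/add", "SKU-1"),   # script hitting the cart API directly
    (200,  "bot-2",   "/product",  "SKU-1"),   # journey-aware bot: holds stock, never pays
    (210,  "bot-2",   "/cart/add", "SKU-1"),
    (820,  "bot-2",   "/cart/add", "SKU-1"),   # hold from t=210 expired at 810; reserve again
    (1430, "bot-2",   "/cart/add", "SKU-1"),   # third hold attempt, stopped by the limit
]


def run(trace):
    """Replay a trace; return the guard and a list of (visitor, path, decision)."""
    guard = InventoryGuard()
    decisions = []
    for ts, visitor, path, sku in trace:
        decision, _reason = guard.handle(ts, visitor, path, sku)
        decisions.append((visitor, path, decision))
    return guard, decisions


if __name__ == "__main__":
    guard, decisions = run(TRACE)
    for d in decisions:
        print(d)
    print("held in baskets at t=1000:", guard.active_holds(1000))
```

The first rule catches the scripted bot with no behavioral analysis at all, which is what the custom cart-API rules above amount to. The second rule is what distinguishes a hold-and-abandon bot from a shopper who genuinely changed their mind: the cap is on re-reservations of the same item, not on adding to the cart, so a normal journey never reaches it. The `active_holds` metric is the number to trend over time; a rising value with flat completed purchases is the denial-of-inventory signature.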