Most of today’s organizations rely on e-commerce capabilities and customer-facing web applications to keep their businesses running. While new innovations related to web applications are being introduced daily, attackers are still lurking in the background looking to make a profit.
According to Verizon’s 2019 Data Breach Investigation Report, web application attacks are the second-leading cause of data breaches for businesses. Enterprises have long focused on vulnerability detection and remediation for web application security, but a new focus on sophisticated bots is emerging: how can we spot real users from imposters who would wreak havoc?
To get an appreciation for how to best secure web apps from sophisticated bots, security professionals need to understand how and why bots carry out their attacks. Application security solutions have struggled to detect sophisticated bot activity because bots are more human-like than ever before – so what can organizations do to protect websites and applications from account takeovers and scraper bots?
How bots attack web applications
The same open APIs, e-commerce capabilities, and web apps that many enterprises rely on are susceptible to abuse by sophisticated bots. These attacks represent an often-overlooked threat vector because existing defenses are unable to detect bots mimicking human activity and compromising web applications through legitimate functions. What’s more, bots have several attack options in their cybercrime toolbox. Here are three common attacks:
- Account Takeover attacks represent one of the biggest challenges for businesses today across verticals and industries. Through credential stuffing and cracking, bots are able to take over real users’ accounts, allowing cyber-criminals to exploit them en masse.
- Automated Account Creation enables cyber-criminals to abuse the sign-up process, using bots to abuse incentive programs, spread malware, generate spam and disinformation, or even launder money.
- Web Scraping occurs when scraping bots are used to steal intellectual data and content and spoof websites – slowing down a business’s legitimate site or application in the process.
Although these types of attacks seem to primarily affect the businesses that own the web applications, the aftereffects are widespread. On an individual level, application users can lose accounts, risk personal data theft, or even financial loss if their banking or credit card information is stored on the account.
Bots evolved, so our solutions need to as well
Even though businesses, consumers and governments are more aware of the dangers sophisticated bots pose, the security solutions currently in place for web applications are not enough to stop them. This is mainly due to the increasing sophistication of bots.
Originally, simple bots were focused on things like web scraping and would occasionally launch a high volume of fraudulent login attempts or account-based attacks. These attacks were straightforward to detect and mitigate with traditional application security tools because of the noticeable volume or source IP addresses used.
Simple bots would typically originate from a data center, which is much easier to detect than if the bot is coming from inside the proverbial house - a residential IP. Because of this, the majority of solutions used now focus on halting non-human-like behavior or identifying threatening IP addresses.
The criminals that deploy the bots have solved their previous shortcomings, so it is time for security solutions to evolve as well. Detection methods need to look beyond the actions a bot takes within the application, and focus on the surrounding context in order to find and stop bot-based activity. This suggests a multi-pronged approach:
- Identifying indicators that serve as warning signs of bot activity, such as automation and remote control. This needs to go beyond standard monitoring for IP addresses and click activity and take into account the user device making the request, the device’s software and applications, and the network it originated from.
- Adaptation to evolving bot tactics by developing new tests and markers, enabling solutions to stay ahead of bots. This means continuous analysis and leveraging machine learning and analytics to draw connections among seemingly disparate pieces of information.
- Global threat intelligence to monitor and collect real-time information on cyber-criminals’ bot-focused techniques and tactics, enabling security solutions to be proactive in identifying threats.
Awareness needs to grow
Bot activity and attacks have consistently flown under the radar compared to other attack methods—like malware, insider threats, and ransomware— they can cause just as much, if not more, damage. With web application attacks still a prime target for fraudsters, enterprises must consider implementing bot detection and mitigation solutions.
Fortunately, as awareness of bot-based attacks grows, more businesses are understanding their existing solutions are not enough and are taking extra steps to defend against sophisticated bots.
To round out application security capabilities, security leaders should consider not just testing and runtime protection, but anti-fraud solutions as well. As the tech industry continues to innovate and ingratiate within the daily lives of consumers around the world, active protection will become a necessity.