
Bot Managers Are a Cash-Back Program For Your Company

April 17, 2019 — by Ben Zilberman


In my previous blog, I briefly discussed what bot managers are and why they are needed. Today, we will conduct a short ROI exercise (perhaps the toughest task in information security!).

To recap: Bots generate a little over half of today’s internet traffic. Roughly half of that half (i.e. a quarter, for rusty ones like myself…) is generated by bad bots, a.k.a. automated programs that target applications with the intent to steal information or disrupt service. Over the years, they have become so sophisticated that they can easily mimic human behavior, perform seemingly uncorrelated violating actions and essentially fool most of the application security solutions out there.


These bots affect each and every arm of your business. If you are in the e-commerce or travel industries, no need to tell you that… if you aren’t, go to your next C-level executive meeting and look for those who scratch their heads the most. Why? Because they can’t understand where the money goes, and why the predicted performance didn’t materialize as expected.

Let’s go talk to these C-Suite executives, shall we?

Chief Revenue Officer

Imagine you are selling product online–whether that’s tickets, hotel rooms or even 30-pound dog food bags–and this is your principal channel for revenue generation. Now, imagine that bots act as faux buyers and hold the inventory “hostage” so genuine customers cannot access it.

Sure, you can expire the reservation every 10 minutes, but as this is an automated program, it will re-initiate the process in a split second. And what about CAPTCHA? Don’t assume CAPTCHA will weed out all bots; some bots activate only after a human has solved it. How would you know whether you are communicating with a bot or a human? (Hint: you’d know if you had a bot management solution.)

Wondering why the movie hall is empty half the time even though it’s a hot release? Does everybody go to the theater across the street? No. Bots are to blame. And they cause direct, immediate and painful revenue loss.

Chief Marketing Officer

Digital marketing tools, end-to-end automation of the customer journey, lead generation, and content syndication are great tools that help CMOs measure ROI and plan budgets. But what if the analysis they provide is false? What if half the clicks you are paying for are fictitious, and you were subject to a click-fraud campaign by bots? What if a competitor uses a bot to scrape registrants’ data out of your landing pages? Unfortunately, bots often skew the analysis and can lead you to make wrong decisions that result in poor performance. Without bot management, you’re wasting money.

Chief Operations Officer/Chief Information Officer

Does your team complain that your network resources are in the “red zone,” close to maximum performance, but your customer base isn’t growing at the same pace?

Blame bots.

Obviously some bots are “good,” like automated services that help accelerate and streamline your business, analyze data quickly and help you to make better decisions. However, bad bots (26% of the total traffic you are processing) put a load on your infrastructure and make your IT staff cry for more capacity. So you invest $200-500K in bigger firewalls, ADCs, and broader internet pipes, and upgrade your servers.

Next thing you know, a large DDoS attack from IoT botnets knocks everything down. If only you had invested $50k upfront to filter out the bad traffic from the get-go… That could’ve translated to $300k cash back!

Chief Information Security Officer

Every hour, a new security vendor knocks on your door with another solution for a 0.0001%-probability what-if scenario. Your budget is spread all over the place, on multiple protections and a complex architecture that tries to take an actionable snapshot of what’s going on at every moment. At the end of the day, your task is to protect your company’s information assets, and there are so many ways to get hold of those precious secrets!

Bad bots are your enemy. They can scrape content, files, pricing, and intellectual property from your website. They can take over user accounts by cracking their passwords or launch a credential stuffing attack (and then retrieve their payment info). And they can take down service with DDoS attacks and hold up inventory, as I previously mentioned.

You could reduce these risks significantly if you could distinguish human from bot traffic (remember, sophisticated bots today can mimic human behavior and bypass all sorts of challenges, not only CAPTCHA) and, more than that, tell which bots are legitimate and which are malicious.

Bot management equals less risk, better posture, stable business, no budget increases or unexpected expenses. Cash back!

Chief Financial Officer

Your management peers could have made better investments, but now you have to clean up their mess. This can include paying legal fees and compensation to customers whose data was compromised, paying regulatory fines for coming up short in compliance, shelling out for a crisis management consultant firm, and absorbing costs associated with inventory hold up and downed service.

If you only had a bot management solution in place… so much cash back.

The Bottom Line

Run–do not walk–to your CEO and request a much-needed bot management solution. Not only does s/he have nothing to lose, s/he has a lot to gain.

* This week, Radware integrates bot management service with its cloud WAF for a complete, fully managed, application security suite.



Can You Crack the Hack?

April 11, 2019 — by Daniel Smith


Let’s play a game. Below are clues describing a specific type of cyberattack; can you guess what it is?

  • This cyberattack is an automated bot-based attack
  • It uses automation tools such as cURL and PhantomJS
  • It leverages breached usernames and passwords
  • Its primary goal is to hijack accounts to access sensitive data, but denial of service is another consequence
  • The financial services industry has been the primary target

Struggling? We understand, it’s tricky! Here are two more clues:

  • Hackers will often route login requests through proxy servers to avoid blacklisting their IP addresses
  • It is a subset of brute force attacks, but different from credential cracking

And the Answer Is….

Credential stuffing! If you didn’t guess correctly, don’t worry. You certainly aren’t alone. At this year’s RSA Conference, Radware invited attendees to participate in a #HackerChallenge. Participants were given clues and asked to diagnose threats. While most were able to surmise two other cyber threats, credential stuffing stumped the majority.

Understandably so. For one, events are happening at a breakneck pace. In the last few months alone, there have been several high-profile attacks leveraging different password attacks, from credential stuffing to credential spraying. It’s entirely possible that people are conflating the terms and thus the attack vectors. Likewise, they may also confuse credential stuffing with credential cracking.

Stuffing vs. Cracking vs. Spraying

As we’ve previously written, credential stuffing is a subset of brute force attacks but is different from credential cracking. Credential stuffing campaigns do not involve brute forcing password combinations. Rather, they replay leaked username and password pairs, in an automated fashion, against numerous websites to take over users’ accounts wherever those credentials have been reused.

Conversely, credential cracking attacks are automated web attacks wherein criminals attempt to crack users’ passwords or PINs by working through all possible combinations of characters in sequence. These attacks are only possible when applications do not have a lockout policy for failed login attempts. Software for this attack will attempt to crack the user’s password by mutating or brute forcing values until the attacker is successfully authenticated.

As for credential (or password) spraying, this technique involves using a limited set of company-specific passwords in attempted logins against known usernames. When conducting these types of attacks, advanced cybercriminals will typically scan your infrastructure for external-facing apps and network services such as webmail, SSO and VPN gateways. Usually, these interfaces have strict timeout features. Actors use password spraying rather than brute force attacks to avoid being timed out and possibly alerting admins.
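The three patterns above can be told apart from the shape of the login traffic alone: one account hammered past the lockout limit, many accounts tried once each at machine speed, or many accounts each tried a few times and paced to stay under the lockout. The classifier below is an added example, not code from the original post; it assumes a simplified log format of its own (`<epoch> <client-id> <username> <ok|fail>`), a lockout policy of five failures per account, and the rate thresholds shown as constants.

```python
"""Classify automated login patterns (credential stuffing, credential cracking,
password spraying) from authentication log lines.

Added example, not code from the original post. The log format is an assumption
of our own: "<epoch-seconds> <client-id> <username> <ok|fail>", where client-id
is whatever ties requests together (a device fingerprint or, failing that, an IP).
"""
from collections import defaultdict

# Tunables (assumed values): a lockout policy of 5 failures per account, and the
# attempt rate above which a login sequence is clearly automated.
LOCKOUT_THRESHOLD = 5
MIN_ACCOUNTS_FOR_SPREAD = 20     # fewer accounts than this is never stuffing/spraying
AUTOMATION_RATE = 0.5            # attempts per second


def constructed_log():
    """Constructed sample: four clients, each exhibiting one pattern."""
    lines = []
    # fp-A: credential cracking - one account, 60 attempts in 60 seconds.
    lines += [f"{1000 + i} fp-A alice fail" for i in range(60)]
    # fp-B: credential stuffing - 80 leaked username/password pairs replayed once
    # each at about one per second; credential reuse lets two of them succeed.
    lines += [f"{2000 + i} fp-B user{i:03d} {'ok' if i in (7, 47) else 'fail'}"
              for i in range(80)]
    # fp-C: password spraying - 3 company-style passwords tried against 30 known
    # staff accounts, one round per hour, so no account ever reaches the lockout.
    lines += [f"{10000 + r * 3600 + i * 20} fp-C staff{i:02d} fail"
              for r in range(3) for i in range(30)]
    # fp-D: a human who mistyped once and then logged in.
    lines += ["5000 fp-D bob fail", "5012 fp-D bob ok"]
    return lines


def summarize(lines):
    """Per client: attempts, distinct accounts, max attempts on one account,
    failure ratio, and attempt rate over the observed span."""
    per_client = defaultdict(lambda: {"ts": [], "users": defaultdict(int), "fail": 0})
    for line in lines:
        ts, client, user, result = line.split()
        rec = per_client[client]
        rec["ts"].append(int(ts))
        rec["users"][user] += 1
        rec["fail"] += 1 if result == "fail" else 0
    out = {}
    for client, rec in per_client.items():
        span = max(max(rec["ts"]) - min(rec["ts"]), 1)
        n = len(rec["ts"])
        out[client] = {
            "attempts": n,
            "accounts": len(rec["users"]),
            "max_per_account": max(rec["users"].values()),
            "failure_ratio": rec["fail"] / n,
            "rate": n / span,
        }
    return out


def classify(stats, lockout=LOCKOUT_THRESHOLD):
    """Map the post's three definitions onto the observable shape of the traffic."""
    n, accounts = stats["attempts"], stats["accounts"]
    per_acct, rate = stats["max_per_account"], stats["rate"]
    if n < lockout and accounts < MIN_ACCOUNTS_FOR_SPREAD:
        return "benign"
    # Cracking: all possible values hammered at one (or a handful of) accounts.
    # More failures on one account than the lockout allows also tells you the
    # lockout policy is not being enforced on this login path.
    if accounts <= 3 and per_acct >= lockout:
        return "credential_cracking"
    if accounts >= MIN_ACCOUNTS_FOR_SPREAD:
        # Stuffing: each leaked pair is tried about once, as fast as the tool runs.
        if per_acct <= 2 and rate >= AUTOMATION_RATE:
            return "credential_stuffing"
        # Spraying: a few passwords per account, paced to stay under the lockout.
        if per_acct < lockout and rate < AUTOMATION_RATE:
            return "password_spraying"
    return "unclassified_automation"


def classify_log(lines):
    """Label every client seen in the log."""
    return {client: classify(st) for client, st in summarize(lines).items()}


if __name__ == "__main__":
    for client, stats in summarize(constructed_log()).items():
        print(client, classify(stats), stats)
```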

So What Can You Do?

A dedicated bot management solution that is tightly integrated into your Web Application Firewall (WAF) is critical. Device fingerprinting, CAPTCHA, IP rate-based detection, in-session detection and termination, and JavaScript challenges are also important.

In addition to these steps, network operators should apply two-factor authentication wherever eligible and monitor credential dumps for potential leaks or threats.


Out of the Shadows, Into the Network

April 9, 2019 — by Radware


Network security is a priority for every carrier worldwide. Investments in human resources and technology solutions to combat attacks are a significant part of carriers’ network operating budgets.

The goal is to protect their networks by staying a few steps ahead of hackers. Currently, carriers may be confident that their network security solution is detecting and mitigating DDoS attacks.

All the reports generated by the solution show the number and severity of attacks as well as how they were thwarted. Unfortunately, we know it’s a false sense of well-being because dirty traffic in the form of sophisticated application attacks is getting through security filters. No major outages or data breaches have been attributed to application attacks yet, so why should carriers care?

Maintaining a Sunny Reputation

The impact of application attacks on carriers and their customers takes many forms:

  • Service degradation
  • Network outages
  • Data exposure
  • Consumption of bandwidth resources
  • Consumption of system resources

A large segment of carriers’ high-value customers have zero tolerance for service interruption. There is a direct correlation between service outages and user churn.

Application attacks put carriers’ reputations at risk. For customers, a small slowdown in services may not be a big deal initially. But as the number and severity of application attacks increase, clogged pipes and slow services are not going to be acceptable. Carriers sell services based on speed and reliability. Bad press about service outages and data compromises has long-lasting negative effects. Then add the compounding power of social networking to quickly spread the word about service issues, and you have a recipe for reputation disaster.

Always Under Attack

It’s safe for carriers to assume that their networks are always under attack. DDoS attack volume is escalating as hackers develop new and more technologically sophisticated ways to target carriers and their customers. In 2018, attack campaigns were primarily composed of multiple attack vectors, according to the Radware 2018–2019 Global Application & Network Security Report.

The report finds that “a bigger picture is likely to emerge about the need to deploy security solutions that not only adapt to changing attack vectors to mitigate evolving threats but also maintain service availability at the same time.”

Attack vectors include:

  • SYN Flood
  • UDP Flood
  • DNS Flood
  • HTTP Application Flood
  • SSL Flood
  • Burst Attacks
  • Bot Attacks

Attackers prefer to keep a target busy by launching one or a few attacks at a time rather than firing the entire arsenal all at once. Carriers may be successful at blocking four or five attack vectors, but it only takes one failure for the damage to be done.


CISOs, Know Your Enemy: An Industry-Wise Look At Major Bot Threats

March 21, 2019 — by Abhinaw Kumar


According to a study by the Ponemon Institute in December 2018, bots comprised over 52% of all Internet traffic. While ‘good’ bots discreetly index websites, fetch information and content, and perform useful tasks for consumers and businesses, ‘bad’ bots have become a primary and growing concern to CISOs, webmasters, and security professionals today. They carry out a range of malicious activities, such as account takeover, content scraping, carding, form spam, and much more. The negative impacts resulting from these activities include loss of revenue and harm to brand reputation, theft of content and personal information, lowered search engine rankings, and distorted web analytics, to mention a few.

For these reasons, researchers at Forrester recommend that, “The first step in protecting your company from bad bots is to understand what kinds of bots are attacking your firm.” So let us briefly look at the main bad bot threats CISOs have to face, and then delve into their industry-wise prevalence.

Bad Bot Attacks That Worry CISOs The Most

The impact of bad bots results from the specific activities they’re programmed to execute. Many of them aim to defraud businesses and/or their customers for monetary gain, while others involve business competitors and nefarious parties who scrape content (including articles, reviews, and prices) to gain business intelligence.

  • Account Takeover attacks use credential stuffing and brute force techniques to gain unauthorized access to customer accounts.
  • Application DDoS attacks slow down web applications by exhausting system resources, 3rd-party APIs, inventory databases, and other critical resources.
  • API Abuse results from nefarious entities exploiting API vulnerabilities to steal sensitive data (such as personal information and business-critical data), take over user accounts, and execute denial-of-service attacks.
  • Ad Fraud is the generation of false impressions and illegitimate clicks on ads shown on publishing sites and their mobile apps. A related form of attack is affiliate marketing fraud (also known as affiliate ad fraud) which is the use of automated traffic by fraudsters to generate commissions from an affiliate marketing program.
  • Carding attacks use bad bots to make multiple payment authorization attempts to verify the validity of payment card data, expiry dates, and security codes for stolen payment card data (by trying different values). These attacks also target gift cards, coupons and voucher codes.
  • Scraping is a strategy often used by competitors who deploy bad bots on your website to steal business-critical content, product details, and pricing information.
  • Skewed Analytics is a result of bot traffic on your web property, which skews site and app metrics and misleads decision making.
  • Form Spam refers to the posting of spam leads and comments, as well as fake registrations on marketplaces and community forums.
  • Denial of Inventory is used by competitors/fraudsters to deplete goods or services in inventory without ever purchasing the goods or completing the transaction.

Industry-wise Impact of Bot Traffic

To illustrate the impact of bad bots, we aggregated all the bad bot traffic that was blocked by our Bot Manager during Q2 and Q3 of 2018 across four industries selected from our diverse customer base: E-commerce, Real Estate, Classifieds & Online Marketplaces, and Media & Publishing. While the prevalence of bad bots can vary considerably over time and even within the same industry, our data shows that specific types of bot attacks tend to target certain industries more than others.

E-Commerce

Intent-wise distribution of bad bot traffic on E-commerce sites (in %)

Bad bots target e-commerce sites to carry out a range of attacks — such as scraping, account takeovers, carding, scalping, and denial of inventory. However, the most prevalent bad bot threat encountered by our e-commerce customers during our study was attempted affiliate fraud. Bad bot traffic made up roughly 55% of the overall traffic on pages that contain links to affiliates. Content scraping and carding were the most prevalent bad bot threats to e-commerce portals two to five years ago, but the latest data indicates that attempts at affiliate fraud and account takeover are growing rapidly compared to earlier years.

Real Estate

Intent-wise distribution of bad bot traffic on Real Estate sites (in %)

Bad bots often target real estate portals to scrape listings and the contact details of realtors and property owners. However, we are seeing growing volumes of form spam and fake registrations, which have historically been the biggest problems caused by bots on these portals. Bad bots comprised 42% of total traffic on pages with forms in the real estate sector. These malicious activities anger advertisers, reduce marketing ROI and conversions, and produce skewed analytics that hinder decision making. Bad bot traffic also strains web infrastructure, affects the user experience, and increases operational expenses.

Classifieds & Online Marketplaces

Intent-wise distribution of bad bot traffic on Classifieds sites (in %)

Along with real estate businesses, classifieds sites and online marketplaces are among the biggest targets for content and price scrapers. Their competitors use bad bots not only to scrape their exclusive ads and product prices to illegally gain a competitive advantage, but also to post fake ads and spam web forms to access advertisers’ contact details. In addition, bad bot traffic strains servers, third-party APIs, inventory databases and other critical resources, creates application DDoS-like situations, and distorts web analytics. Bad bot traffic accounted for over 27% of all traffic on product pages from where prices could be scraped, and nearly 23% on pages with valuable content such as product reviews, descriptions, and images.

Media & Publishing

Intent-wise distribution of bad bot traffic on Media & Publishing sites (in %)

More than ever, digital media and publishing houses are scrambling to deal with bad bot attacks that perform automated attacks such as scraping of proprietary content, and ad fraud. The industry is beset with high levels of ad fraud, which hurts advertisers and publishers alike. Comment spam often derails discussions and results in negative user experiences. Bot traffic also inflates traffic metrics and prevents marketers from gaining accurate insights. Over the six-month period that we analyzed, bad bots accounted for 18% of overall traffic on pages with high-value content, 10% on ads, and nearly 13% on pages with forms.

As we can see, security chiefs across a range of industries are facing increasing volumes and types of bad bot attacks. What can they do to mitigate malicious bots that are rapidly evolving in ways that make them significantly harder to detect? Conventional security systems that rely on rate-limiting and signature-matching approaches were never designed to detect human-like bad bots that rapidly mutate and operate in widely-distributed botnets using ‘low and slow’ attack strategies and a multitude of (often hijacked) IP addresses.

The core challenge for any bot management solution, then, is to detect every visitor’s intent to help differentiate between human and malicious non-human traffic. As more bad bot developers incorporate artificial intelligence (AI) to make human-like bots that can sneak past security systems, any effective countermeasures must also leverage AI and machine learning (ML) techniques to accurately detect the most advanced bad bots.


Bots 101: This is Why We Can’t Have Nice Things

March 19, 2019 — by Daniel Smith


In our industry, the term bot applies to software applications designed to perform an automated task at a high rate of speed. Typically, I use bots at Radware to aggregate data for intelligence feeds or to automate a repetitive task. I also spend a vast majority of time researching and tracking emerging bots that were designed and deployed in the wild with bad intentions.

As I’ve previously discussed, there are generally two different types of bots, good and bad. Some of the good bots include Search Bots, Crawlers and Feed Fetchers that are designed to locate and index your website appropriately so it can become visible online. Without the aid of these bots, most small and medium-sized businesses wouldn’t be able to establish an authority online and attract visitors to their site.

On the dark side, criminals use the same technology to create bots for illicit and profitable activities such as scraping content from one website and selling it to another. These malicious bots can also be leveraged to take over accounts and generate fake reviews, as well as to commit ad fraud and stress your web applications. Malicious bots have even been used to create fake social media accounts and influence elections.

With close to half of all internet traffic today being non-human, bad bots represent a significant risk for businesses, regardless of industry or channel.

As the saying goes, this is why we can’t have nice things.

Targeted Industries

If a malicious bot targets an online business, the business will be impacted in one way or another: website performance, sales conversions, competitive advantage, analytics or user experience. The good news is that organizations can take action against bot activity in real time, but first they need to understand their own risk before considering a solution.

  • E-Commerce – The e-commerce industry faces bot attacks that include account takeovers, scraping, inventory exhaustion, scalping, carding, skewed analytics, application DoS, ad fraud, and account creation.
  • Media – Digital publishers are vulnerable to automated attacks such as ad fraud, scraping, skewed analytics, and form spam.
  • Travel – The travel industry mainly deals with scraping attacks but can suffer from inventory exhaustion, carding and application DoS as well.
  • Social Networks – Social platforms deal with automated bot attacks such as account takeovers, account creation, and application DoS.
  • Ad Networks – Bots that create Sophisticated Invalid Traffic (SIVT) target ad networks for ad fraud activity such as fraudulent clicks and impressions.
  • Financial Institutions – Banking, financial and insurance industries are all high-value targets for bots that perform account takeovers, application DoS or content scraping.

Types of Application Attacks

It’s becoming increasingly difficult for conventional security solutions to track and report on sophisticated bots that continuously change their behavior, obfuscate their identity and use different attack vectors against different industries. Once you understand the risk posed by malicious automated bots, you can start to focus on the attack vectors you may face as a result of their activity.

  • Account takeover – Account takeovers include credential stuffing, password spraying, and brute force attacks that are used to gain unauthorized access to a targeted account. Credential stuffing and password spraying are the two most popular techniques used today. Once hackers gain access to an account, they can begin additional stages of infection, data exfiltration or fraud.
  • Scraping – Scraping is the process of extracting data or information from a website and publishing it elsewhere. Content, price and inventory scraping is also used to gain a competitive advantage. These scrape bots crawl your web pages for specific information about your products. Typically, scrapers steal the entire content of websites or mobile applications and publish it to gain traffic.
  • Inventory exhaustion – Inventory exhaustion is when a bot is used to add hundreds of items to a cart and later abandon them, preventing real shoppers from buying the products.
  • Inventory scalping – Hackers deploy retail bots to gain an advantage in buying goods and tickets during a flash sale, and then resell them later at a much higher price.
  • Carding – Carders deploy bots on checkout pages to validate stolen card details and to crack gift cards.
  • Skewed analytics – Automated invalid traffic directed at your e-commerce portal skews metrics and misleads decision making when applied to advertisement budgets and other business decisions. Bots pollute metrics, disrupt funnel analysis, and inhibit KPI tracking.
  • Application DoS – Application DoS attacks slow down e-commerce portals by exhausting web server resources, third-party APIs, inventory databases and other critical resources to the point that they are unavailable to legitimate users.
  • Ad fraud – Bad bots are used to generate invalid traffic designed to create false impressions and generate illegitimate clicks on websites and mobile apps.
  • Account creation – Bots are used to create fake accounts on a massive scale for content spamming, SEO and skewing analytics.

Symptoms of a Bot Attack

  • A high number of failed login attempts
  • Increased chargebacks and transaction disputes
  • Consecutive login attempts with different credentials from the same HTTP client
  • Unusual request activity for selected application content and data
  • Unexpected changes in website performance and metrics
  • A sudden increase in account creation rate
  • Elevated traffic for certain limited-availability goods or services

Intelligence is the Solution

Finding a solution that arms partners and service providers with the latest information about potential attacks is critical. In my opinion, a Bot Intelligence Feed is one of the best ways to gain insight into the threats you face while identifying malicious bots in real time.

A Bot Intelligence Feed provides the latest data on newly detected IPs for bot categories such as data center bots, bad user agents, advanced persistent bots, backlink checkers, monitoring bots, aggregators, social network bots and spam bots, as well as third-party fraud intelligence directories and services that track externally flagged IPs. This gives organizations the best chance to proactively close security holes and act against emerging threat vectors.


Adapting Application Security to the New World of Bots

March 7, 2019 — by Radware


In 2018, organizations reported a 10% increase in malware and bot attacks. Considering the pervasiveness (70%) of these types of attacks reported in 2017, this uptick is likely having a big impact on organizations globally. Compounding the issue is the fact that the majority of bots are actually leveraged for good intentions, not malicious ones. As a result, it is becoming increasingly difficult for organizations to identify the difference between the two, according to Radware’s Web Application Security in a Digitally Connected World report.

Bots are automated programs that run independently to perform a series of specific tasks, for example, collecting data. Sophisticated bots can handle complicated interactive situations. More advanced programs feature self-learning capabilities that can address automated threats against traditional security models.

Positive Impact: Business Acceleration

Automated software applications can streamline processes and positively impact overall business performance. They replace tedious human tasks and speed up processes that depend on large volumes of information, thus contributing to overall business efficiency and agility.

Good bots include:

  • Crawlers — are used by search engines and contribute to SEO and SEM efforts
  • Chatbots — automate and extend customer service and first response
  • Fetchers — collect data from multiple locations (for instance, live sporting events)
  • Pricers — compare pricing information from different services
  • Traders — are used in commercial systems to find the best quote or rate for a transaction

Negative Impact: Security Risks

The Open Web Application Security Project (OWASP) lists 21 automated threats to applications that can be grouped together by business impacts:

  • Scraping and Data Theft — Bots try to access restricted areas in web applications to get a hold of sensitive data such as access credentials, payment information and intellectual property. One method of collecting such information is called web scraping. A common example for a web-scraping attack is against e-commerce sites where bots quickly hold or even fully clear the inventory.
  • Performance — Bots can impact the availability of a website, bringing it to a complete or partial denial-of-service state. The consumption of resources such as bandwidth or server CPU immediately leads to a deterioration in the customer experience, lower conversions and a bad image. Attacks can be large and volumetric (DDoS) or not (low and slow, buffer overflow).
  • Poisoning Analytics — When a significant portion of a website’s visitors are fictitious, expect biased figures such as fraudulent links. Compounding this issue is the fact that third-party tools designed to monitor website traffic often have difficulty filtering bot traffic.
  • Fraud and Account Takeover — With access to leaked databases such as Yahoo and LinkedIn, hackers use bots to run through usernames and passwords to gain access to accounts. Then they can access restricted files, inject scripts or make unauthorized transactions.
  • Spammers and Malware Downloaders — Malicious bots constantly target mobile and web applications. Using sophisticated techniques like spoofing their IPs, mimicking user behavior (keystrokes, mouse movements), abusing open-source tools (PhantomJS) and headless browsers, bots bypass CAPTCHA, challenges and other security heuristics.

Blocking Automated Threats

Crude bot attacks against websites are easy to block with IP- and reputation-based signatures and rules. However, because of the increasing sophistication and frequency of attacks, it is important to be able to uniquely identify the attacking machine. This process is referred to as device fingerprinting. The fingerprint should be IP-agnostic and yet unique enough to be acted upon with confidence. At times, resourceful attacking sources may actively try to manipulate the fingerprint extracted by the web client tool, so it should also be proof against client-side manipulation.


Web client fingerprinting adds significant value against automated attacks such as web scraping and brute force; against advanced availability threats such as HTTP dynamic floods; and against low-and-slow attacks, where correlation across multiple sessions is essential for proper detection and mitigation.

For each uniquely identified source (keyed by fingerprint, not by IP), a historical track record is stored containing all security violations, activity records and application session flows. Each abnormal behavior is registered and scored. Violation examples include SQL injection, a suspicious session flow and a high page access rate. Once the accumulated score reaches a threshold, the source carrying that fingerprint is no longer allowed to access the protected application.
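The following is an added Python example of the fingerprint-and-score model described above; it is not Radware's code and does not reflect how any product implements it. The attribute set used for the fingerprint, the violation weights, the block threshold, the request-rate window and the sample requests are all constructed for illustration. Each client attribute is something the server can observe regardless of source IP, and the IP is deliberately left out of the hash so that a client hopping between addresses still accumulates one track record.

```python
"""Added example (not Radware's code): IP-agnostic device fingerprinting with a
per-fingerprint violation track record, scoring and a block threshold.
All names, weights and thresholds below are hypothetical choices."""
import hashlib
from collections import defaultdict

# Client-side attributes that survive an IP change. The source IP is
# intentionally excluded so the identifier is IP-agnostic.
FINGERPRINT_ATTRS = ("user_agent", "screen", "timezone", "fonts", "canvas_hash")

# Hypothetical weights per violation type; scores accumulate per fingerprint.
VIOLATION_WEIGHTS = {
    "sql_injection": 50,
    "suspicious_session_flow": 20,   # e.g. checkout reached without a product page
    "high_page_rate": 10,
}
BLOCK_THRESHOLD = 60


def fingerprint(client):
    """Hash the client attributes into a stable, IP-agnostic identifier."""
    material = "|".join(str(client.get(k, "")) for k in FINGERPRINT_ATTRS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


class FingerprintTracker:
    """Keeps the per-fingerprint track record and enforces the block threshold."""

    def __init__(self, threshold=BLOCK_THRESHOLD):
        self.threshold = threshold
        self.score = defaultdict(int)
        self.history = defaultdict(list)   # fp -> [(src_ip, violation, weight)]
        self.blocked = set()

    def record(self, client, violation, src_ip):
        fp = fingerprint(client)
        weight = VIOLATION_WEIGHTS[violation]
        self.score[fp] += weight
        self.history[fp].append((src_ip, violation, weight))
        if self.score[fp] >= self.threshold:
            self.blocked.add(fp)
        return fp

    def is_blocked(self, client):
        return fingerprint(client) in self.blocked


def process_requests(tracker, requests, rate_limit=5, window=10):
    """Replay requests in time order. A request may carry a violation already
    flagged upstream (e.g. an SQL-injection signature); a burst of more than
    rate_limit requests inside `window` seconds from one fingerprint is itself
    scored as a high page access rate."""
    recent = defaultdict(list)   # fp -> request timestamps inside the window
    for req in sorted(requests, key=lambda r: r["ts"]):
        client, fp, ts = req["client"], fingerprint(req["client"]), req["ts"]
        if tracker.is_blocked(client):
            continue                       # already denied; nothing more to score
        recent[fp] = [t for t in recent[fp] if ts - t <= window] + [ts]
        if len(recent[fp]) > rate_limit:
            tracker.record(client, "high_page_rate", req["ip"])
            recent[fp] = []                # start a fresh window after scoring
        if req.get("violation"):
            tracker.record(client, req["violation"], req["ip"])
    return tracker


# Constructed sample clients: a headless browser and an ordinary desktop browser.
CLIENT_A = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/73.0",
            "screen": "800x600", "timezone": "UTC", "fonts": 3, "canvas_hash": "a1b2"}
CLIENT_B = {"user_agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/66.0",
            "screen": "1920x1080", "timezone": "Europe/Berlin", "fonts": 112,
            "canvas_hash": "9f3c"}

# Constructed sample traffic: CLIENT_A bursts from one IP, then rotates IPs.
REQUESTS = (
    [{"ts": i, "ip": "203.0.113.5", "client": CLIENT_A} for i in range(6)]
    + [{"ts": 20, "ip": "198.51.100.9", "client": CLIENT_A, "violation": "sql_injection"},
       {"ts": 21, "ip": "192.0.2.77", "client": CLIENT_A},
       {"ts": 3, "ip": "198.51.100.23", "client": CLIENT_B},
       {"ts": 15, "ip": "198.51.100.23", "client": CLIENT_B}]
)


def demo():
    return process_requests(FingerprintTracker(), REQUESTS)


if __name__ == "__main__":
    t = demo()
    for fp, events in t.history.items():
        print(fp, "score", t.score[fp], "blocked" if fp in t.blocked else "allowed", events)
```

In the sample run, the burst from 203.0.113.5 scores one high-page-rate violation and the SQL injection from 198.51.100.9 pushes the same fingerprint over the threshold, so the later request from 192.0.2.77 is denied without any of the three IPs being on a list. The weak point is the hash input: every attribute is client-reported, so in practice the collecting script needs the anti-tampering properties the page calls for (for example, integrity checks on the submitted attributes), otherwise a generation 3 or 4 bot simply rotates fingerprints the way it rotates IPs.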

[You may also like: IoT Expands the Botnet Universe]

Taking the Good with the Bad

Ultimately, understanding and managing bots isn’t about crafting a strategy driven by a perceived negative attitude toward bots because, as we’ve explained, bots serve many useful purposes for propelling the business forward. Rather, it’s about equipping your organization to act as a digital detective to mitigate malicious traffic without adversely impacting legitimate traffic.

Organizations need to embrace technological advancements that yield better business performance while integrating the necessary security measures to guard their customer data and experience.

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.

Download Now

Attack Mitigation, Security

The Big, Bad Bot Problem

March 5, 2019 — by Ben Zilberman


Roughly half of today's internet traffic is non-human (i.e., generated by bots). While some are good, such as those that crawl websites for web indexing, content aggregation, and market or pricing intelligence, others are "bad." These bad bots (roughly 26% of internet traffic) disrupt service, steal data and perform fraudulent activities. And they target all channels, including websites, APIs and mobile applications.

Bad Bots = Bad Business

Bots represent a problem for businesses regardless of industry (though travel and e-commerce have the highest percentage of "bad" bot traffic). Nonetheless, many organizations, especially large enterprises, focus on conventional cyber threats and solutions and underestimate the impact bots can have on their business, which is quite broad and goes well beyond security.

[You may also like: Bot or Not? Distinguishing Between the Good, the Bad & the Ugly]

Indeed, the far-ranging business impacts of bots means “bad” bot attacks aren’t just a problem for IT managers, but for C-level executives as well. For example, consider the following scenarios:

  • Your CISO is exposed to account takeover, web scraping, DoS, fraud and inventory hold-ups;
  • Your CRO is concerned when bots act as faux buyers, holding inventory for hours or days, which represents a direct loss of revenue;
  • Your COO invests in more capacity to accommodate the growing demand from faux traffic;
  • Your CFO must compensate customers who were victims of fraud via account takeover and/or stolen payment information, and pay any data privacy regulatory fines and/or legal fees, depending on scale;
  • Your CMO is misled by analytics tools and affiliate services skewed by malicious bot activity, leading to biased decisions.

The Evolution of Bots

For those organizations that do focus on bots, the overwhelming majority (79%, according to Radware’s research) can’t definitively distinguish between good and bad bots, and sophisticated, large-scale attacks often go undetected by conventional mitigation systems and strategies.

[You may also like: Are Your Applications Secure?]

To complicate matters, bots evolve rapidly. They are now in their 4th generation of sophistication, with evasion techniques so advanced they require the most powerful technology to combat them.

  • Generation 1 – Basic scripts making cURL-like requests from a small number of IP addresses. These bots cannot store cookies or execute JavaScript and are easily detected and mitigated by blacklisting their IP address and User-Agent combination.
  • Generation 2 – These bots leverage headless browsers such as PhantomJS and can store cookies and execute JavaScript. They require a more sophisticated, IP-agnostic approach such as device fingerprinting, which collects the unique combination of browser and device characteristics (OS, JavaScript variables, session and cookie information, etc.).
  • Generation 3 – These bots use full-fledged browsers and can simulate basic human-like interaction patterns, such as simple mouse movements and keystrokes. This makes them difficult to detect; they normally bypass traditional security solutions and require a more sophisticated approach than blacklisting or fingerprinting.
  • Generation 4 – These bots are the most sophisticated. They exhibit more advanced human-like interaction characteristics (so detection based on shallow interaction analysis yields false positives) and are distributed across tens of thousands of IP addresses. They can also carry out various violations from various sources at various (random) times, which requires a high level of intelligence, correlation and contextual analysis to detect.

[You may also like: Attackers Are Leveraging Automation]

It’s All About Intent

Organizations must make an accurate distinction between human and bot-based traffic, and go further to distinguish between "good" and "bad" bots. Why? Because sophisticated bots that mimic human behavior bypass CAPTCHA and other challenges, dynamic IP attacks render IP-based protection ineffective, and third- and fourth-generation bots require behavioral analysis capabilities. The challenge is detection at high precision, so that genuine users are not affected.

To ensure precision in detecting and classifying bots, the solution must identify the intent of the attack. Yesterday, Radware announced its Bot Manager solution, the result of its January 2019 acquisition of ShieldSquare, which does just that. By leveraging patented Intent-based Deep Behavior Analysis, Radware Bot Manager detects the intent behind attacks and provides accurate classifications of genuine users, good bots and bad bots—including those pesky fourth generation bots. Learn more about it here.

Read “Radware’s 2018 Web Application Security Report” to learn more.

Download Now

Attack Types & Vectors, Security

Micropsia Malware

July 25, 2018 — by Yair Tsarfaty


Since June 2018, the Radware Threat Research team has monitored an ongoing APT against the Palestinian authority, featuring an updated version of the Micropsia malware with an advanced surveillance toolkit. This advanced persistent threat began in March 2017 and was reported by Cisco Talos and Check Point Software Technologies, infecting hundreds of machines thus far.

Security, WAF

WAFs Should Do A Lot More Against Current Threats Than Covering OWASP Top 10

July 12, 2018 — by Ben Zilberman


Looking in the rearview mirror

The application threat landscape has rapidly evolved. For years, users consumed applications over the internet using one common tool: the web browser. At any point in time there were only 2-5 web browsers to support, and the variety of application development and testing frameworks was relatively limited. For instance, almost all databases were queried with SQL. Unfortunately, it was not long before hackers began to abuse applications in order to steal, delete and modify data. They could take advantage of applications in different ways, primarily by tricking the application user, injecting code or executing code remotely. Shortly after, commercial solutions named Web Application Firewalls (WAF) emerged, and the community responded by creating the Open Web Application Security Project (OWASP) to set and maintain standards and methodologies for secure applications.

Security

CAPTCHA Limitations of Bot Mitigation

March 15, 2018 — by Ben Zilberman


An essential part of technological evolution is creating systems, machines and applications that autonomously and independently create, collect and communicate data. This automation frees information technology staff to focus on other tasks. Currently, such bots generate more than half of internet traffic, but unfortunately every evolution brings with it some form of abuse. Various 'bad' bots pursue different goals, among them web scraping, web application DDoS and clickjacking. While simple script-based bots are not much of a challenge to detect and block, advanced bots dramatically complicate mitigation by mimicking user behavior, using dynamic IP addresses, operating behind anonymous proxies and CDNs, and so on.

Captcha means “Completely Automated Public Turing Test to tell Computers and Humans Apart”.