Cheap, easily launched malicious bots are carrying out automated attacks on a vast scale across the internet, according to a recent report by cybersecurity software company Cequence, with a significant majority of business leaders (85%) believing that their public-facing APIs and web applications have fallen victim to such attacks.
The study, published on May 5, provides new insights into the prevalence and scale of automated attacks on the internet, and lays out a set of mitigation strategies for organizations seeking to avoid falling victim to malicious bots in the future.
Key findings on automated attacks
According to the researchers at Cequence, who surveyed hundreds of IT security teams, malicious bots frequently carry out automated attacks against the public-facing APIs and web applications belonging to companies across all major sectors.
The aim is to hijack user accounts, create fake accounts, scrape web content, and carry out application distributed denial-of-service attacks. Aside from these methods, malicious bots are also reported to launch other types of bot attacks, including the exploitation of checkout functions, the denial of wallet service, and user enumeration attacks.
Among the major findings in the report is that 85% of all respondents believe themselves to have been the target of automated attacks.
While only 17% of the respondents believed that they had suffered from API abuse as a result of automated attacks, the researchers expect that this number is set to rise going forward, due to the larger number of APIs being built into modern web applications. By contrast, a much larger 60% of respondents affirmed their belief that their organization’s web-based applications were the primary target of automated attacks.
The report also found that 57% of respondents regularly witness attackers relaunch attacks from the same source in an effort to thwart the initial detection, which the researchers believe underscores the “sophistication and agility” of the malicious bots responsible.
Malicious bots are inescapable—but can be managed
Cequence’s report draws attention to the number of bots—both good and bad—that scour the internet, often successfully mimicking the behavior of legitimate users using simple Python or Perl scripts.
Naturally enough, according to the report, it is the ‘bad bots’ that cause the trouble. Hiding in plain sight, they are used to launch a host of attacks against ordinary internet users and large companies alike in an underground industry that has become markedly lucrative for cybercriminals.
“Bot attack campaigns have become big business for threat actors, and major organizations are now fighting to support legitimate users and prospects while keeping attackers out of online applications and services,” explained Paula Musich, Research Director at Enterprise Management Associates.
Musich goes on to point out that automated attacks of this nature frequently target the ecommerce industry, as well as a wide range of vertical industries. “Fortunately, using important new AI-based solutions, more organizations are successfully detecting and mitigating frequently used attack techniques, with bot defense solutions that limit the amount of damage automated bot attack campaigns cause,” she adds.
Musich’s position is affirmed by Ameya Talwalkar, Co-Founder and CPO at Cequence. He believes that the solution lies in integrating defense architecture in a manner that can both detect and mitigate automated attacks by malicious bots.
“This research confirms that the expanding threat surface is under a broad range of attacks,” Talwalkar explains. “It also underscores that innovative bot defense technology that discovers, defends and protects mobile, API and web applications against such attacks can yield important savings – both in fraud resolution and web infrastructure costs.”
As both Talwalkar and the report itself go to some length to point out, there is indeed room for optimism in the fight against malicious bots. Bot defense solutions are enabling their users to place firm boundaries on the maximum amount of havoc that malicious bots can wreak, meaning that the problem, while pesky, can be brought under control with the right software solutions.
One such solution, designed and promoted by Cequence, is called CQAI. It automates the detection and mitigation of malicious bot attacks that target API and web applications using an ML-based behavioral analytics engine.
The survey respondents themselves affirmed the efficacy of such solutions. Many indicated that their use of bot defense technology enabled them to save on both fraud resolution and web infrastructure costs, in the context of both mobile and API-based applications.
The key takeaway, therefore, is that while malicious bots are indeed unavoidable, the relative ease with which they can be controlled only serves to solidify the importance of sound bot defense solutions in the fight against malicious bots and their incessant barrage of attacks.