The problem of bad bot attacks online is growing fast, and it is going to get worse before it gets better. According to the latest study from Osterman Research, most organizations are unprepared to quickly identify and eliminate malicious bot attacks.
The study, sponsored by Cequence Security, found that the average large organization suffers more than 3,700 bot attacks weekly, or more than 530 attacks daily. Some large or strategic organizations face several million malicious intrusion attempts daily, and several have reported more than a million attacks per hour.
What are hackers targeting?
The intent of malicious bot attacks ranges from serious to potentially deadly.
“The goal of cybercriminals using these bots is the same – take over accounts with the goal of stealing intellectual property, steal credit card information, transfer funds, steal unused gift card balances, disrupt normal business operations, and similar types of criminal activity,” the report says.
Most organizations have experienced a wide variety of attacks, but the most common are application distributed denial of service (DDoS) attacks (69%), click/ad fraud (54%), account takeovers (50%), fake account creation (46%), API attacks (41%), inventory denial of service (41%), content scraping (34%), and others.
Impact on Business
“Companies in our research have deployed an average of 482 different applications, on premises or in the cloud, and they are being targeted more than 500 times each day,” explained Michael Osterman, CEO of Osterman Research. “The top three attack types most disruptive to their businesses are account takeover, application denial of service, and API/business logic abuse.”
The businesses surveyed identified the most serious impacts of bot attacks on their business as account takeover (50%), application DDoS (45%), API abuse (41%), content scraping (33%), inventory DDoS (31%), reputation bot abuse (26%), click/ad fraud (26%), aggregator abuse (24%), fake account creation (22%), and gift card theft (18%).
The largest proportion of applications (82%) are attacked on premises, while 50% are attacked in the business's private cloud and 48% in the public cloud. 16% of businesses reported being attacked in all three venues, 42% were attacked in two locations, and only 36% were attacked in just one location.
Detection & remediation are expensive and time-consuming
The average organization has 482 potential web, mobile and API application targets, each of them exposed to bot attacks.
According to the researchers, the biggest challenges are first detecting and then remediating malicious bot attacks.
“If you dig a little deeper, you discover that more than a third of these companies have also deployed first-generation bot management tools in addition to their WAF,” explained Franklyn Jones, CMO at Cequence Security. “That sounds like a smart move until you realize that 100% of those companies must continuously spend time modifying hundreds of Web and mobile apps in an attempt to detect bot traffic. That’s a poor use of skilled labor and likely a big contributor to their labor costs.”
First-generation bot management tools helped to reduce detection time to 600 minutes (10 hours) on average, but the time required for bot mitigation remained unchanged at 2,880 minutes (48 hours).
83% of the organizations surveyed believe they have the internal expertise to detect bot activity, while 17% admitted they do not. Almost 60% of companies had two or fewer members of their security team dedicated to detecting and resolving bot attacks.
Malicious bots are also an expensive problem according to Osterman. “Nearly one-half of the organizations surveyed are paying these staff members between $100,000 and $150,000 per year, while nearly 40% are paying them more than $150,000 per year.”
The researchers calculate that this amounts to more than 2,600 hours a year spent on bot management, with a total labor cost of more than $177,000.
Is business ready to battle the bots?
Organizations use a variety of tools to manage bot attacks, including web application firewalls (91%), IPS/IDS (49%), SIEM (40%), dedicated bot management tools (36%), and CDNs (26%).
75% of companies use these tools on premises, 64% have used them in the cloud, and 26% use bot security management services.
Researchers noted that bot management tools must also satisfy a variety of regulatory requirements, the most important of which is the Payment Card Industry Data Security Standard (PCI DSS). Other important regulations include the Health Insurance Portability and Accountability Act (HIPAA) and the European Union's General Data Protection Regulation (GDPR).
The consequences of not managing malicious bot threats and attacks are too substantial to ignore. They can shut down a business entirely, threaten its financial viability, put customer security at risk, damage its reputation and credibility, and even lead to health and injury claims or worse.
Key bot detection tool features
When it comes to the features needed to do the job:
- 55% of businesses surveyed said automation is a key factor in choosing a solution.
- 46% said automated learning and artificial intelligence were important.
- 45% highlighted the need for solutions to automatically detect threats.
- 43% wanted solutions that work on premises, in the cloud and on mobile assets.
- 36% look for easy API integration and customization.
Businesses need to understand the threats, the technologies, and the costs of managing (or not managing) malicious attacks. Vulnerability audits and risk management are critical.
“The Critical Need to Deal With Bot Attacks” report is a valuable look at management best practices and ways to approach malicious bot attacks strategically and thoughtfully.
Charts courtesy of Osterman Research and Cequence Security