What are Malicious Automated Attacks?
The nature of website attacks on the internet has changed dramatically over recent years. Today, when competitors and hackers set out to bring down a business, the best and most efficient way is to launch an automated attack. Automated attacks on websites and APIs, driven by online bots, can destroy your business.
What are Malicious Automated Attacks?
Malicious automated attacks are web, API and/or mobile requests sent with malicious intent that evade traditional bot detection techniques. Bad actors can use them against your site in multiple ways, including:
- Scraping product prices or website content
- Validating a set of leaked user credentials
- Automated password resets
- Bulk fake account creation
- Account takeover attempts
- PII theft
- Theft of money, goods, and services
- A combination of threats from OWASP Automated Threats
Malicious automated attacks on websites thrive on recent advancements in cloud and mobile computing. Bad actors can easily build online bots that are highly scalable, extraordinarily efficient and difficult to detect or trace. This transition has fundamentally transformed the underlying dark economy of automated attacks on web applications, causing malicious automated attacks to become ubiquitous across virtually any web-facing functionality in an enterprise.
Contrary to traditional viewpoints, malicious automation has morphed into a highly sophisticated and modern form of attack. Widely available attack tools and custom formatted attacks can learn and automate the entire flow of a given application. This allows bad actors to move skillfully towards a target while hiding behind real visitors.
Malicious automation takes many forms, such as scripts, sophisticated attack tools or real browser automation techniques. Such tools are commonly used to launch malicious automated attacks on websites. Furthermore, the web, API or mobile requests triggered by automated threats are syntactically correct. This means they do not trigger any vulnerability signal in the application stack. It also means they do not trip any alerts in traditional bot detection security solutions or web application firewalls.
Why is Malicious Automation Hard to Stop?
As stated above, the significant advancements in cloud and mobile computing power make malicious automation a chronic problem for most enterprises. For example, here is a list of solutions that are incapable of effectively detecting or mitigating automated attacks:
- Captcha: Modern sophisticated bots can easily defeat captcha systems, and captchas introduce significant user friction and a subsequent reduction in revenue.
- Simple mitigation techniques (IP blocking & rate limiting): Easily fooled by most tools and techniques, whether by rotating IPs, attacking via a “low & slow” method or using “trusted” cloud sources.
- Web Application Firewalls: WAFs won’t alert on syntactically correct actions. Since malicious automation is a syntactically correct attack, WAFs provide no detection ability.
- IDS & IPS: These scan a variety of protocols and need to make decisions extremely fast. Because of this, they inevitably miss sophisticated malicious automated attacks. The lack of historical look-back capability prohibits behavioral analysis and machine learning, which are essential for advanced detection.
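The gap between per-IP rate limiting and look-back analysis can be shown on a small login log. The following is an added example, not InfiSecure's code or detection logic; the event format, IP ranges, thresholds and function names are assumptions chosen for illustration, and the log is constructed.

```python
from collections import defaultdict

def build_events():
    """Constructed sample: (unix_seconds, client_ip, username, login_ok)."""
    legit = [(i * 170, f"198.51.100.{i}", f"user{i}", True) for i in range(20)]
    # Distributed, low-and-slow credential validation: one attempt per IP,
    # one attempt per account, spread over an hour.
    stuffing = [(i * 30, f"203.0.113.{i}", f"leaked{i}", i == 57)
                for i in range(120)]
    return sorted(legit + stuffing)

def per_ip_rate_limit(events, limit=5, window=60):
    """Classic control: IPs with more than `limit` requests in a fixed window."""
    counts = defaultdict(int)
    for ts, ip, _user, _ok in events:
        counts[(ip, ts // window)] += 1
    return {ip for (ip, _bucket), n in counts.items() if n > limit}

def lookback_anomalies(events, window=3600, min_failed_accounts=50,
                       max_fail_ratio=0.5):
    """Aggregate over a longer window and ignore the source IP entirely.

    A window is flagged when many distinct accounts fail to log in and
    failures dominate all login traffic in that window.
    """
    total = defaultdict(int)
    failures = defaultdict(int)
    failed_accounts = defaultdict(set)
    for ts, _ip, user, ok in events:
        bucket = ts // window
        total[bucket] += 1
        if not ok:
            failures[bucket] += 1
            failed_accounts[bucket].add(user)
    return [b * window for b in sorted(total)
            if len(failed_accounts[b]) >= min_failed_accounts
            and failures[b] / total[b] > max_fail_ratio]

if __name__ == "__main__":
    ev = build_events()
    print("per-IP limiter flagged:", per_ip_rate_limit(ev))
    print("look-back windows flagged:", lookback_anomalies(ev))
```

Every source IP stays under the per-IP limit, so the limiter flags nothing, while the hourly aggregate flags the window in which 119 distinct accounts failed to log in.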
How and Why to Stop Malicious Automated Attacks
At InfiSecure, we believe that every online business needs protection from malicious automation today, and every company transacting online will need it tomorrow. Not to mention, there are further benefits to detecting and mitigating malicious automated attacks. Malicious automation can wind up constituting a significant percentage of traffic in certain application server pools, up to 80% in some cases. Therefore, web and application infrastructure can be significantly overprovisioned. Economically, recapturing this excess capacity can be a worthwhile investment. Your company could potentially reclaim millions of dollars worth of infrastructure for legitimate use.
Furthermore, eliminating malicious automation, without introducing revenue-reducing user friction points, prevents damage to brand reputation, user experience and the associated economic costs that come with a high user drop-off rate. The damage to brand reputation that results from a data breach is, in many ways, unquantifiable. For those companies whose core business depends on the confidentiality, integrity and availability of customer data, leaving any channel susceptible to attacks like account takeover, fake account creation, theft of value and PII is simply an unacceptable level of risk.
Most companies still have little to no control over, or even visibility into, malicious bot traffic on their websites. Fortunately, OWASP and the massive online web security community have kept pace and are now providing improved bot protection knowledge and solutions. At InfiSecure, we take pride in stopping all of OWASP’s Top Automated Threats to Web and APIs, and you should too.