Netacea, BT & Cranfield University Experts Weigh In on Cumulative Cost of Bots
Published: 26/10/2023


  • Alex McConnell, Cybersecurity Content Specialist


A panel of cybersecurity experts from BT, Cranfield University and Netacea recently came together to discuss the accumulating cost businesses face due to malicious automation.

The webinar is now available to watch on demand (scroll to the bottom of this page or click here to watch it in full). You’ll hear our specialist panel analyze results from this year’s extensive survey into what bot attacks cost enterprise businesses.

In that survey, 440 enterprise businesses across the US and UK quantified the financial and reputational impact bot attacks have had on their businesses over the last year – this follows on from surveys in the two previous years to uncover trends and patterns over time.

Get the full details in the report “Death By a Billion Bots” here.

Who was on the panel?

Webinar host and Head of Media at Netacea, Danielle Middleton-Wren, welcomed a panel representing business, academic and threat research perspectives.

Tom Parker is a Cybersecurity Manager at telecommunications giant BT. He has 14 years’ industry experience and specializes in identity security, delivering a secure authentication framework by design.

Rob Black is a Lecturer in Information Activities at Cranfield University, where he teaches the British military about cyber defense. He has worked in the field of Influence and Information Operations since 2003.

Finally, Cyril Noel-Tagoe is Principal Security Researcher at Netacea. He leads many important research projects centered around helping Netacea clients understand automated threats targeting their business operations, and those perpetrating the attacks.

The panel for Netacea's webinar "Death By a Billion Bots"

How is malicious automation defined?

The webinar began with Cyril Noel-Tagoe describing the difference between automated bot attacks and traditional cyber threats such as hacking and ransomware. Cyril noted that instead of exploiting technical vulnerabilities, bots instead exploit business logic.

Cyril explained this using the example of credential stuffing, describing how the attack goes through different stages comprising various tactics and techniques to take advantage of the expected user login functionality of web services. He demonstrated this using the BLADE Framework – which stands for “Business Logic Attack Definition Framework” – an open-source resource adjacent to MITRE ATT&CK.

Tom Parker from BT weighed in on the differences in defending against business logic attacks versus attacks like ransomware, noting “the challenge with bot attacks on business is due to the level of availability, unknowingly, that a business gives to a bot… any business that has a digital presence is at risk from bot attacks, irrespective of their product and service that they offer.”

Tom expanded on this point later when talking about the increase in bot attacks on API and mobile app endpoints, with the latter now being more prevalent than website attacks. He pointed out the correlation between this rise and the increasing pressure on product teams to push more functionality into mobile apps and APIs. Just as this makes services more accessible for customers and internal users, it also expands the attack surface for bots.

To tackle this issue, Tom suggested a multifaceted, multilayered approach. This view was supported by Rob Black of Cranfield University, who pointed out that security leaders such as CISOs are under pressure from increasing ransomware and data exfiltration attacks that catch both headlines and board room attention, allowing automated attacks to slip under the radar.

How much do bot attacks cost businesses?

This is despite the fact that automated attacks are costing the average enterprise 4.3% of their online revenue – a typical annual loss of $85.6 million.

Rob continued by pointing out that the slow bleed of automated attacks, when compared with one-off, high-impact zero-day attacks that might take websites down for several days, contributes to the lack of urgency and interest at board level. He drew a comparison with revenue losses due to shoplifting – most shops expect a certain level of small-scale theft and individual instances don’t do much harm to the bottom line, but recent headlines concerning shoplifting have shown that once the cumulative cost is highlighted, businesses start to take notice – and action.

Tom made the point that combatting bot attacks hinges on a business’s ability to report on the impact over time. Traditional attacks are straightforward to quantify at a board level, whereas many businesses may not be measuring certain impacts that indicate bot activity in a way that lines up with a cost or security concern. To do this effectively requires cross-departmental collaboration and understanding of these threats – which is often lacking.

Where do bot attacks originate?

The “Death By a Billion Bots” report revealed that 66% of bot attacks on UK & US businesses originate in Russia, and 72% from China. Rob Black, who has extensive experience coaching the UK’s Ministry of Defence about cyber warfare tactics, suspected geopolitical influence at play.

Whilst it’s hard to say for certain that criminal operations in Russia and China are under the direct control of governments or the secret service, such cyber attacks form a powerful part of the “hybrid warfare” mix, and capabilities in these areas are now as vital to nation states as traditional military might.

Rob also noted that extradition of cyber criminals is unlikely from East to West. If Russian or Chinese criminal groups wish to make a profit at the expense of businesses, they are far less likely to face legal repercussions for targeting countries their own government has agendas against.

Cyril balanced these views by pointing out that it’s trivial for bots to mask their origin location, and the boom in residential proxy use makes it difficult to infer too much about a web request’s intent in isolation. Cyril agreed, though, that the geopolitical landscape made Russia and China popular locations for attacking infrastructure.

The panel also discussed the increasing professionalization of bot operators, as developers now routinely sell or rent access to bots commercially, even offering support to their customers. This has lowered the barrier to entry for people wishing to launch business logic attacks, so that very little technical knowledge or infrastructure is needed by each adversary.

Bots prey on APIs to extract data

Host Danielle Middleton-Wren asked the panel why API attacks – once predominantly a concern of financial services institutions due to the mandate of PSD2 and the Open Banking API – are now recognized more broadly across almost every industry.

Rob Black asserted that “data is the new oil, and APIs are the new pipeline”. Businesses need to be aware that the machine-to-machine nature of APIs presents an easy inroad for malicious automation. Cyril highlighted that scraper bots can minimize the effort needed to extract data by targeting APIs rather than web pages, if the data is made accessible – in most cases they can pull the data they need in an instantly usable format rather than having to configure scripts and parse information.

Four months to detect bot attacks

Organizations take on average four months to detect that a bot attack has occurred. Once again comparing bot attacks to traditional cyber-attacks, Cyril observed that informing the victim business of a data breach to extract a ransom is key for attackers to make a profit. For bots, the opposite is true – the longer the attack goes unnoticed, the less time the bot operator needs to spend working out ways to evade detection or looking for fresh targets.

In fact, it’s often a business’s customers who are the first to be impacted by bot attacks. They may notice items they want to buy selling out impossibly fast, or website performance degrading well before the organization itself does. If their account is stolen or gift card balance wiped out, it’s often customer services, not cybersecurity teams, that first hear about it. This makes it imperative that responsibility for defending against bot attacks spans multiple departments, even if the security team is ultimately accountable.

Tom Parker speculated that this long dwell time could be related to operational maturity and the breadth of reporting visibility across different areas of the business. For example, a bot attack such as fake account creations might be most visible to business units concerned with reporting on new user uptake. If these teams notice an unexpected increase that can’t be attributed to specific events or initiatives, they may need to flag this with security or fraud teams for further investigation – which would cut down on long dwell times seen by many businesses facing bot attacks.
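As an added illustration of the reporting idea Tom describes (not code from the webinar, Netacea or BT), the following Python sketch shows how a growth or product analytics team could screen daily new-account counts against a trailing baseline, set aside days with a known explanation such as a marketing campaign, and hand only the unexplained spikes to the security or fraud team. The daily figures and the campaign date are constructed sample data; the `z_threshold` of 3 standard deviations is an assumed starting point, not a value from the report.

```python
from statistics import mean, stdev

# Constructed sample: new accounts created per day for a hypothetical service.
# The spike on 2023-09-10 has a known cause (a marketing push); the one on
# 2023-09-14 does not and is the kind of signal worth escalating.
DAILY_SIGNUPS = {
    "2023-09-01": 400, "2023-09-02": 415, "2023-09-03": 390, "2023-09-04": 420,
    "2023-09-05": 405, "2023-09-06": 395, "2023-09-07": 410, "2023-09-08": 430,
    "2023-09-09": 400, "2023-09-10": 900, "2023-09-11": 420, "2023-09-12": 410,
    "2023-09-13": 405, "2023-09-14": 1500,
}

# Dates the business can already explain (campaigns, launches, press coverage).
KNOWN_EVENTS = {"2023-09-10"}


def detect_signup_anomalies(daily, known_events, window=7, z_threshold=3.0):
    """Flag days whose count sits more than z_threshold standard deviations
    above the mean of the preceding `window` days.

    Days in `known_events` are left out of the baseline so that an explained
    spike does not inflate the variance and hide a later, unexplained one.
    Returns a list of dicts sorted by date.
    """
    dates = sorted(daily)  # ISO-8601 strings sort chronologically
    flagged = []
    for i in range(window, len(dates)):
        history = [daily[d] for d in dates[i - window:i] if d not in known_events]
        if len(history) < 2:  # not enough clean history to estimate spread
            continue
        mu = mean(history)
        sigma = max(stdev(history), 1.0)  # floor avoids dividing by a flat baseline
        z = (daily[dates[i]] - mu) / sigma
        if z > z_threshold:
            flagged.append({
                "date": dates[i],
                "count": daily[dates[i]],
                "baseline": round(mu, 1),
                "z": round(z, 1),
                "explained": dates[i] in known_events,
            })
    return flagged


def anomalies_to_escalate(daily, known_events, **kwargs):
    """Only the unexplained spikes should reach the security / fraud team."""
    return [a for a in detect_signup_anomalies(daily, known_events, **kwargs)
            if not a["explained"]]


if __name__ == "__main__":
    for a in detect_signup_anomalies(DAILY_SIGNUPS, KNOWN_EVENTS):
        status = "explained" if a["explained"] else "ESCALATE to security/fraud"
        print(f'{a["date"]}: {a["count"]} signups (baseline {a["baseline"]}, z={a["z"]}) - {status}')
```

The design choice that matters is the separation of "unusual" from "unexplained": the analytics team already knows about campaign days, so encoding that knowledge in `KNOWN_EVENTS` keeps the handoff to security limited to spikes nobody can account for, which is exactly the cross-team reporting gap the panel said stretches dwell time to months.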

A need for action

The panel broadly agreed that the financial and reputational impact of malicious automation justifies businesses taking more deliberate steps to address this class of threat. However, the survey data showed that concern over bot attacks has been falling or staying stagnant over the last few years.

Rob questioned whether businesses are facing “bot fatigue” – do security teams perceive the problem as being under control if they have a basic bot management functionality in place? Or are they pulled too strongly in the direction of defending against threats with more immediate and visible impacts, like ransomware, to the detriment of their bot defenses?

Cyril reiterated that, while bot attacks impact a wide swathe of business units, all of whom must play their part in reporting anomalies to cut down on time to detect attacks, it should still be the responsibility of security teams to facilitate this and drive awareness.

To do this, Cyril recommended utilizing the freely available BLADE Framework to better understand the tactics and stages of attacks, and how they impact each area of the organization. He reminded the panel that APIs, mobile apps and websites are equally important to monitor and protect, as bots will seek the easiest path to exploit.

Cyril then suggested focusing on the impact of such attacks. 4.3% is a substantial loss of online revenue, equal to a GDPR fine, which businesses have spent significant time and resource to ensure they don’t fall foul of.

With these factors understood, businesses will be in a better place to consider the appropriate processes and technologies, such as advanced bot management tools, to deal with the threats. Crucially, Cyril reiterated the importance of robust feedback loops so everyone involved can see the impact of these defenses and continually stay ahead of bad actors.

Take the next step

Does your business have a comprehensive strategy to measure the impact of bot attacks, and the means to detect and mitigate them before they eat into your revenues and harm customer satisfaction?

Talk to Netacea about your approach and technologies – our real-time bot detection solution monitors every attack surface in one place, responding instantly to automated attacks and delivering valuable insights to key stakeholders. Book a demo of Netacea Bot Management.

Watch the full webinar below and download your copy of Netacea’s “Death By a Billion Bots” report.
