If there is one thing we’ve learned from 2020, it’s that threats can wreak havoc on the unsuspecting. That’s true not just in everyday life, but also online, where automated cyber threats – such as malicious bots – are morphing and blindsiding companies. For example, financial services organizations saw a 38% increase in bots this year compared to last year, and e-commerce companies experienced a 32% leap, according to a recent article on Help Net Security.
A cursory glance at the news tells us everything we need to know about the growth in bot volume. In July, the Meow bot launched thousands of attacks on unsecured Elasticsearch and MongoDB databases, deleting their data. And recently IPStorm, a peer-to-peer (P2P) bot that operates in memory, has surfaced on new platforms, along with other P2P bots. The news will keep coming and in the meantime, organizations need to prepare for even greater volumes of bot attacks. So what can you do to improve bot security and implement better bot detection? Here are six tips and best practices to keep your online channels safe from bad bots in 2021:
1) Monitor Login Attempts
Unfortunately, the majority of login attempts across industries is from automated bots. In fact, research shows that nearly 43% of all login attempts are bot-driven, with the hospitality sector suffering from the highest percentage — an astounding 82%! So what does that look like, exactly?
- An increase in the number of failed login attempts, especially after a data breach, which might signal a volumetric credential stuffing attack
- An unexplained spike in the number of login attempts or amount of traffic to your login page(s)
Kasada encourages all of its customers to implement multi-factor authentication to improve bot security. But don’t stop there — also monitor where traffic is originating as well as on-site behavior, such as shopping cart abandonment rates, gift card redemption failure rates, and irregular page viewing. Anything out of the ordinary should be examined as potential evidence of malicious automation in order to detect bot activity.
2) Stop Bad Bots from the First Request
One of the best ways to keep your online channels safe from bots is being able to protect them from the very first request, which massively decreases your risk and provides a managed service to outsource dealing with attackers that retool. This is important because it only takes seconds for bots to hack into an organization and steal data.
3) Make Bot Attacks Financially Unviable
Because a monetary payoff is usually the goal of bot attacks, making an attack financially unviable can be an especially satisfying approach to stopping bot attacks. One way to do this is through a cryptographic challenge that increases the level of difficulty with the number of abusive bot requests over time, eventually exhausting bot resources which causes the attack to collapse, eliminating the attackers’ ROI. What is the point of an attack if there is nothing to be gained from it? This strategy beats bots at their own game.
4) Protect All Online Channels, Not Just the Website
While many companies focus their bot detection and bot security on their web properties, mobile apps are just as important. Moreover, APIs are becoming targets for bot attacks as their sheer number and volume of traffic continues to increase. In fact, 60 percent of companies report having more than 400 APIs, and APIs now represent 83 percent of all web traffic. What can companies do to better protect their APIs from automated attacks? Any security strategy for protecting APIs must begin with a complete inventory and understanding of all the APIs developed by the company.
Once you have an inventory of APIs, you can begin evaluating your risk by looking for common API security weaknesses, such as authorization flaws, excessive data exposure, lack of rate limiting, security misconfigurations, insufficient logging, and others. Then follow three important best practices:
- Lock down access: Make sure that you’re authenticating both end users and applications, and make sure that access policies and authentication mechanisms are set up correctly.
- Monitor and log everything: As we discussed above, log all authentication attempts, denied access, validation errors, and response codes so you can track ratios to detect when something suspicious, such as a credential stuffing attack, is happening. For example, normal users typically have an authentication success rate greater than 50 percent and most likely closer to 70 to 80 percent—as opposed to attackers, who have a much lower success rate, often in the range of 1 to 5 percent. Monitoring the success/fail ratio per hour gives you a good signal for suspicious activity that could indicate an attack.
- Implement rate limiting: Impose rate limits such as the number of requests per user and number of requests per user within a defined timeframe, number of records per page return, request payload size, memory, and CPU usage to protect against brute-force bot attacks.
5) Fight Automation with Automation
It’s nearly impossible for humans to manage bot detection and mitigation. That’s because you’ve got to keep training personnel on new attack vectors and solutions that need hands-on attention as well as continuing to tweak rules, blacklists, and other manual administrative tasks. No one has time to do all that and keep up with automated attacks.
6) Invisibly Protect to Prevent Reverse Engineering
Successfully preventing bad bot attacks is not just about excellent bot detection, it is also about cleverly obfuscating your defenses, such as behind a CDN, which prevents attackers from reverse engineering and retooling for additional attacks. This approach ensures long-term efficacy of your bot defense, with fast time-to-value and the immediate neutralization of automated attacks on web, mobile, and API channels.
Would you like to see for yourself how Kasada detects and stops malicious automation and bots from the first page request so they never get to do their dirty work? For better bot security, request a demo today.