You may think from the title we’re about to say how we oppose automation or think IT spend should be directed somewhere else. We are not. We love automation and consider it a strategic imperative for most organsiations. But there is a problem: the benefits of automation apply to criminals just as much as they do to legitimate organisations.
Why criminals love automation
Success in cybercrime generally rests on two things. Having a more advanced capability than those who are defending and having the ability to scale your operation. Automation helps both of these. Cybercriminals use automated bots (we term these ‘bad bots’) to attack their victims, meaning a small number of human criminals can deliver a large return. For the criminals, fewer people means fewer people to share in the rewards and a lower risk of someone revealing the operation to the authorities or its secrets to rival criminals. Coupled with machine learning and criminals can rapidly adapt how their bots attack victims based on the experiences of attacking their other victims. As victims improve their security, so the bots are able to learn from other cases how resume their attacks.
What attacks are typically automated?
Attacks take many forms but two stand out: financial fraud and form filling. For financial fraud, bad bots will exploit organisations’ payment gateways to wash through transactions using stolen credit card details. For major retailers, the transactions will typically be small (often $10.00) to test which card details are valid and working versus others. The criminals then use successful details to commit larger frauds until the card details no longer work. For form filling, bad bots will exploit websites that have forms for users to provide information. Depending on the site and the attack vector of the bot, the form filling attacks could be used for a number of outcomes such as filling a CRM system with dummy ‘new customer’ data, content scraping and advanced DDoS attacks that, due to automation, can be configured to reverse engineer WAF rules to work out how to get through undetected.
Real business impact
The reason we at elevenM feel strongly about this is that we are seeing real business impact from these attacks. Simple metrics like OPEX costs for web infrastructure. We have seen businesses who are dealing with such automated traffic have their infrastructure cost increase by 35%. There are clear productivity impacts from managing customer complaints from password lockouts. This can be crippling to high volume low workforce businesses. And then there is fraud, something that not only impacts the business but the market and society as a whole.
How can we defend against them?
Traditional methods of blocking attack traffic such as IP based blocking, traffic rate controls, signatures and domain-based reputation are no longer effective. The bots are learning and adapting too quickly. Instead, anti-automation products work by sitting between the public internet and the organisation’s digital assets. These products have their own algorithms to detect non-human traffic. The algorithms look at a variety of characteristics of the traffic such as what browser and devices the traffic is coming from and they can even assess the movement of the device to determine if it looks human. And if it is not sure, it can send issue challenges (such as a reCaptcha-style request) to confirm. Once the traffic has been evaluated; human traffic is allowed through and automated traffic is blocked.
How can we deploy these defences?
elevenM has worked with our clients to deploy anti-automation tools. The market is still new and as such the tools have a spectrum of effectiveness as well as architectural impacts that require time and effort to work through. In an environment where time is short, this poses a significant transformation challenge. Having done this before and being familiar with the products out there, we can work with you to identify and deploy anti-automation protection tools with the supporting processes. The key first step, as always with Cybersecurity, is to look at your attack surface and the vectors that are most vulnerable to automated attacks, subject to risk and cost assessment of what happens if attacks are successful. From there we work with you to design a protection approach that we can work with you to implement.
Conclusion
Everyone is rightly focussing on automation and machine learning, but so are the criminals. It is crucial to look at your attack surface and identify where automated attacks are happening. There are now tools available to help significantly reduce the risks associated with automated cybercrime.
If you would like to discuss this further, please contact us using the details below.