Malicious Bot Attacks: Why They're More Dangerous than Ever

Bad bots are the Internet threat that just won’t go away. They steal data, infect enterprises with malware, launch Denial of Service (DDoS) attacks, commit fraud, bring down vital network infrastructure, are used by nation states to influence elections, and more. And all that keeps happening even though the technology has been around for decades — so long, you would have thought we would have figured out how to beat it by now.

But the threat appears to be getting worse. Malicious bots account for an astonishing 20 percent of all Internet traffic, one study says. Why is the menace so bad, and what can you do about it? We talked to the experts, and here’s what they have to say.

Agile Development, Bad Bots and Cyber Criminals

Malicious bots remain a dangerous and persistent threat because they’re cheap to use, and easy to rent, modify and deploy — and they work. So says Bruce Beam, CIO of the (ISC)² IT security professional non-profit group.

“Malicious attacks are a business for criminals, and so it’s all about economics for them,” he explains. “Malicious bots offer a very good return on investment — and they’re effective. Cyber criminals can rent bots cheaply, if they want. And we talk a lot about agile development in enterprises, but the truth is, cyber criminals are the epitome of agile development. They can modify botnets very quickly for different malicious purposes and deploy them fast. They are a very agile group using a very good tool, unfortunately.”

Beyond that, he says, the dramatic growth in the use of IoT devices makes it easy to create giant botnets that can be used for nefarious purposes, because many of those devices can be easily hijacked. The IoT-based botnet called Mirai was used to bring down vast portions of the Internet with DDos attacks, and variants of it continue to evolve for malicious use.

Malicious bots are more difficult to detect than they have in the past, and are harder to protect against, says Kenneth Wilder, a cyber security expert working for the healthcare industry, and vice president of ISACA's Austin chapter.

“They’re able to impersonate legitimate traffic, because there are so many legal, useful bots used by businesses to do things like scrape data and create indexes for search engines,” he says. “That makes it difficult to tell the difference between a good bot and a malicious one.”

Beyond that, “Because of mobile devices and cloud computing, there are more attack surfaces now than ever, with data being transferred to various endpoints, making it easier for malicious bots to disguise themselves.”

Malicious bots are increasingly deployed for more than just traditional money-making activities. They’ve been used in attempts to influence elections, including the 2016 and 2018 ones in the United States. Symantec’s 2019 Internet Security Threat Report notes that in November, 2018, for example, “Twitter removed over 10,000 bots posting messages encouraging people not to vote.” Beam says malicious bots are also used for industrial espionage, and to steal insider financial information from companies and use that purloined data to make money on the stock market.

How to Protect Against Malicious Bots

Given the constantly evolving threat, what can enterprises do to protect themselves? Both Beam and Wilder say it requires constant vigilance and paying attention to the rapidly evolving bot landscape.

“Start with the basics,” Beam says. “That means making sure you’re always up to date on patches, because botnets explode when they hit unpatched networks. You also need to have defense in depth, which starts with training your workforce about what to look for. And you should have rules-based access with firewalls inside your environment both east and west so that if bots get in, they can’t spread throughout your entire network.”

Wilder adds, “Enterprises need to look where they’ve most vulnerable, including in automation, mobility and cloud computing. API security is also extremely important for closing out bots. With APIs, you have applications talking to other applications directly, so you have to make sure you have the proper authentication and security monitoring controls.”

He says that the DevOps continuous delivery model of constant updates and application development, if done improperly, can lead to an increase in security holes through which bots can crawl. He says that security needs to be built directly into the DevOps process, rather than being handled separately after development is done.

Finally, he says, “Ensure you have a strong security training and awareness program. Human interaction with software is not going away any time soon, and humans are the weakest link in the chain. So, we have to do better in making sure that employees are aware about bot threats and know how to protect themselves and the enterprise.”