In ancient times, mice were a nuisance. Their presence could have a very negative impact at many levels, from material damage to millions of deaths caused by plague. In the modern times of an internet economy, we are plagued by a new type of nuisance.
Cyber-attacks are the equivalent of mice and they, too, can have a wide range of negative impacts on businesses.
There are myriad attacks organizations must fend off. Some are merely a nuisance, degrading network performance or disrupting availability. Some others may be relatively rare but have far more serious impacts in the form of data breaches. Like the plagues spread by mice that wiped out cities, attacks today wipe out brand reputations and business value.
But there is another flourishing category of attacks that camouflage themselves so well that they create an entirely new parallel class of professional opportunity that thrives off other businesses.
These are ‘automated attacks,’ also known as ‘bots.’ The OWASP group has excellent documentation of a wide variety of these automated, difficult-to-detect attacks that abuse business use cases.
A classic example of this type of attack is ‘sneaker bots’—these bots automatically purchase all shoes, a.k.a. sneakers, on sale or new styles as they are introduced and then sell them on secondary markets, precluding legitimate customers from benefitting from these promotions. Web scraping is another popular variant that gathers pricing data from the competition for most online services like ticketing, hotel booking, rental cars and so on. Apart from gathering business intel, these automated attempts significantly increase traffic to the applications themselves. In one such instance, an airline customer found themselves struggling to service requests, only to later find out that 70% of the traffic was bot-driven instead of from legitimate customers. Not only do these attacks impact the top line, but they also add overhead in terms of capacity planning and the total cost of running the business. In subsequent posts, we will explore these types of attacks in detail. For now, it’s enough to recognize that these attacks are unique but share the same goal: to create a parallel business model that thrives on their targets. The goal of the attacker here is not to disrupt the business but to siphon financial gains.
What sets these attacks apart from traditional attacks is that they are almost indistinguishable from legitimate user traffic and are perceived as ‘good’ traffic by firewalls, IPS, sandbox threat detectors, and other inline security devices. Traditional attack vectors focus on exploiting application vulnerabilities resulting from insecure coding practices. This new class of automated attacks does not rely on vulnerabilities. Instead, these attacks take advantage of the fact that the application is typically optimized for the best digital customer experience and is thus easily exploited through automated methods. As organizations progress through the three phases of digital transformation, adopting business models that align more closely with the digital economy, the potential for this type of threat is exacerbated.
So, what’s the answer to protect against this very sophisticated and focused set of attacks? Given that every single transaction appears legitimate and similar to other traffic, the only way to detect discrepancies is to analyze metadata for patterns that can indicate malicious intent. This is where technological advancements in machine learning and analytics provide a solution. Businesses need a smarter digital mousetrap, and we'll dive further into these topics in a future post...