Bot mitigation is a means to an end. The real problem is actually human versus human. Bots (scripts) are just the tool of choice. A physical bank robber relies on a weapon, a bag, a mask and a getaway car. A fraudster uses data, scripts and/or pre-built ecosystems.
Organizations and analysts struggle to differentiate between the good/bad bot protection solutions. And there is a significant difference between vendors. Everyone claims to help with web scraping and account fraud, but very few do it well enough to disrupt serious sophisticated fraudsters.
The ability of a bot mitigation solution to sustain its defense, under motivated resistance, is the true differentiating aspect in this market. Motivated fraudsters will persist in their attempts to evade detection.
Assessing the market
When assessing bot mitigation solutions, we have to understand a few things:
- The sophistication of the malicious automation tools and fraud ecosystems available on the market
- How sustainable each defensive model is.
- How challenging is it for a fraudster to reverse engineer the solution?
- How does the solution respond in the battle?
Top five things to consider in a bot mitigation solution:
To truly understand the differences between the various solutions in the market, these are the five areas that I would focus on:
- Understand the client-side inspection process. What is it? How does it function? Is it static or dynamic? How does it respond to retooling?
- Understand the defensive obfuscation methods used at each layer of the solution.
- What is the data collection and processing strategy, how is it leveraged and how is it useful?
- What happens when you identify a bot? What are y0ur mitigating options?
- Ask yourself: If I was a fraudster, how would I get around this solution? If you don't know how to do this, find someone that does.
Focusing on these five areas will help you determine how "fit for purpose" a bot protection solution is for your organization and security needs.
To dive a bit deeper, let's describe an automated attack:
The bot fight club: This is a highly adversarial game. As with all games, there are rules.
These are the rules of the club in fighting bad bots:
- This is a battle of intelligence, strategy and endurance.
- A game of evasion versus detection.
- The winner is one that can stay in the game the longest.
- The defender's toolkit includes sensor detection and data analysis
- The defender is only limited by its agility, ability and creativity.
- The defender's actions cannot adversely impact any innocent bystanders
- The attacker can use any toolkit they like however, they must operate in the same context as the innocent by stander
- The attacker must allow access to and respond to all the defender's challenges
- The attackers can do anything to blend into the crowd.
A fraudsters strategy is centered around automating for efficiency, impersonation /invisibility and tactical evasion.
Automated attack tactics include:
- Hiding in plain sight: automatically adapting, randomizing, distributing and rotating the attack process
- Offensive actions: Reverse engineering and evading the end-to-end defensive model - a classic example of the OODA loop
- Spreading the attack - Simultaneously attacking multiple customers
An organization's defense strategy is centered around being difficult and expensive to attack.
To defend against automated attacks, tactics include:
- Expose automation toolsets via intelligent sensor collection
- Resist adversarial reverse engineering efforts
- Develop sophisticated data processing techniques
- Remove the feedback loops provided to the attacker
The concept seems simple but too often it is complex to understand. Without giving the secret sauce away, we hope this article has shed some light on the anatomy of automated attacks, best practices in protecting against bots and things to look for when looking for the right bot mitigation solution.
It should come as no surprise that we, at Kasada, know a fair bit about bot mitigation. Our mission is to defend web applications from malicious automation. To do this we have built a solution that helps organizations detect and disrupt bots and the bot operators' resources. We've been living and breathing R&D in space for several years. Throughout this time we've also been battling bots - learning and developing our model as we go.
To learn more about automated attacks, we cover this in more detail on our recent post on content scraping, you can read the full article here. If you're ready to see Kasada in action contact us for a demo.