Understanding bot threats and operations
According to Security Today
The following table categorizes the different types of bot activity and the business impact each one can have. This is not meant to be an extensive list; it is a summary of the most common bot activities, and it highlights the importance of monitoring and mitigation controls. For an extensive list of bot threats, visit the OWASP Automated Threats to Web Applications handbook.
Bot activity type | Description | Potential impact |
---|---|---|
Content scraping | Copying of proprietary content for use by third-party sites | Impact to your SEO due to content duplication, brand impact, and performance problems caused by aggressive scrapers |
Credential stuffing | Testing of stolen credential databases against your website to obtain access or validate information | Problems for users, such as fraud and account lockouts, which increase support queries and decrease brand trust |
Card cracking | Testing databases of stolen credit card data to validate or complete missing information | Problems for users, such as identity theft and fraud, and damage to your fraud score |
Denial of service | Increasing traffic to a specific website to slow down its response or make it unavailable for legitimate traffic | Loss of revenue and damage to reputation |
Account creation | Creation of multiple accounts for the purpose of misuse or financial gain | Hindered growth and skewed marketing analytics |
Scalping | Obtaining limited-availability goods, frequently tickets, ahead of genuine consumers | Loss of revenue and problems for users, such as lack of access to the goods being sold |
How botnets operate
The tactics, techniques, and procedures (TTPs) of botnet operators have evolved substantially over time, because they have had to keep up with the detection and mitigation technologies developed by companies. The following figure shows this evolution. Botnets started simply, using IP addresses as their means of operation, and eventually evolved to use sophisticated emulation of human biometrics. This sophistication is expensive, and not all botnets use the most advanced tools. There is a mix of operators on the internet, and they likely evaluate the best tool for the job to obtain a good return on investment. One goal of bot defense is to make the botnet activity expensive enough that the target is no longer viable.
Generally, bots are categorized as common or targeted:
- Common bots – These bots self-identify and won't attempt to emulate browsers. Many of these bots perform useful tasks, such as content crawling, search engine optimization (SEO), or aggregation. It's important to identify and understand which of these common bots come to your site and the effect they have on your traffic and performance.
- Targeted bots – These bots try to evade detection by emulating browsers. They use browser technology, such as headless browsers, or they fake browser fingerprints. They have the ability to execute JavaScript and support cookies. Their intent is not always clear, and the traffic they generate can look like normal user traffic.
The most advanced and persistent targeted bots emulate human behavior by generating human-like mouse movements and clicks on a website. They are the most sophisticated and difficult to detect, but they are also the most expensive to operate.
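The categories above, and the credential-stuffing row in the earlier table, both come down to questions you can ask of your own access logs: which clients announce themselves as bots in their User-Agent, which clients behave like browsers but never carry a cookie, and which clients hit the login endpoint with many different usernames. The script below is an added example, not part of the whitepaper and not an AWS tool; it uses a constructed log format (client IP, epoch timestamp, method, path, status, quoted User-Agent, cookie flag, username), constructed sample traffic, and assumed thresholds and self-identification tokens that you would tune to your own site.

```python
"""Classify web-server clients as self-identified common bots, suspected
credential stuffing, suspected targeted bots, or normal traffic.
Added example; log format, tokens and thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed log line format (assumption, not a real server's format):
# client_ip epoch_seconds METHOD path status "user_agent" cookie_present username
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\d+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)" (?P<cookie>[01]) (?P<user>\S+)$'
)

# Tokens that common bots typically place in their User-Agent to self-identify
# (assumed list; extend it with the crawlers you actually see).
SELF_ID_TOKENS = ("bot", "crawler", "spider", "slurp")

BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "Chrome/120.0 Safari/537.36")
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def _build_sample_log():
    """Constructed sample traffic: a self-identified crawler, one normal user,
    and one client hammering /login with a different username each time."""
    lines = []
    for i in range(3):  # crawler: three page fetches within a minute, no cookie
        lines.append(f'203.0.113.10 {1700000000 + i * 20} GET /products/{i} 200 "{CRAWLER_UA}" 0 -')
    # normal user: loads a page, logs in once, carries a session cookie
    lines.append(f'192.0.2.55 1700000005 GET / 200 "{BROWSER_UA}" 1 -')
    lines.append(f'192.0.2.55 1700000012 POST /login 200 "{BROWSER_UA}" 1 alice')
    for i in range(30):  # stuffing pattern: 30 failed logins, 30 usernames, 30 s
        lines.append(f'198.51.100.7 {1700000000 + i} POST /login 401 "{BROWSER_UA}" 0 user{i:02d}')
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Return the parsed fields as a dict, or None for a malformed line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_self_identified_bot(user_agent):
    """True when the User-Agent carries one of the self-identification tokens."""
    ua = user_agent.lower()
    return any(tok in ua for tok in SELF_ID_TOKENS)


def summarize_clients(lines, rate_per_min=20, stuffing_users=5):
    """Aggregate requests per client IP and assign a category.

    rate_per_min   requests per minute above which a cookie-less browser
                   User-Agent is treated as a suspected targeted bot
    stuffing_users distinct usernames with failed logins from one client
                   above which credential stuffing is suspected
    """
    per_ip = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req:
            per_ip[req["ip"]].append(req)

    summary = {}
    for ip, reqs in per_ip.items():
        times = [int(r["ts"]) for r in reqs]
        # Normalise over at least one minute so a single request is not a "burst".
        minutes = max(max(times) - min(times), 60) / 60.0
        rpm = len(reqs) / minutes
        failed_users = {r["user"] for r in reqs
                        if r["path"] == "/login" and r["status"] == "401"}
        cookie_ratio = sum(int(r["cookie"]) for r in reqs) / len(reqs)

        if all(is_self_identified_bot(r["ua"]) for r in reqs):
            category = "common-bot"
        elif len(failed_users) >= stuffing_users:
            category = "suspected-credential-stuffing"
        elif rpm > rate_per_min and cookie_ratio == 0:
            category = "suspected-targeted-bot"
        else:
            category = "normal"

        summary[ip] = {
            "requests": len(reqs),
            "requests_per_min": round(rpm, 1),
            "distinct_failed_usernames": len(failed_users),
            "cookie_ratio": round(cookie_ratio, 2),
            "category": category,
        }
    return summary


if __name__ == "__main__":
    for ip, info in summarize_clients(SAMPLE_LOG).items():
        print(ip, info)
```

The point of the three signals is that they are cheap for a defender and map to the categories in the text: a self-identifying User-Agent lets you inventory common bots and measure their share of traffic, while a browser User-Agent that never carries a cookie and bursts requests, or that cycles through usernames against the login endpoint, is the behaviour of a targeted bot that needs a mitigation control rather than a crawl-rate policy.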
Often, an operator combines these techniques. This creates a game of constant pursuit, where you have to frequently change the protection and mitigation approach in order to adapt to the operator's latest techniques. These bots are considered to be an advanced persistent threat (APT). For more information, see Advanced persistent threat.