Quantifying the Risk and Economic Impact of Bad Bots
Distil Networks 2016 Bad Bot Report
Our Speakers
Rami Essaid
CEO & Co-founder
Distil Networks
Derek Brink
VP & Research Fellow
Aberdeen Group
2015 Bad Bot Landscape Report
Methodology
Study is based on anonymized data from:
● 74 billion bot requests
● Real web traffic from hundreds of customers
● 17 global datacenters
Key Findings
Bad Bot, Good Bot and Human Traffic, 2015
(chart: share of 2015 web traffic from Good Bots, Humans and Bad Bots)
Bad bots, 19% of web traffic, cause the following problems
Humans take back the Web with 54.35% of all web traffic
But why?
2013 vs. 2014 vs. 2015
Human internet users grew 8% in 2015, especially in countries such as China, India, Indonesia, etc.
2015 Saw Tremendous Growth in Human Users
Source: http://www.statista.com/statistics/273018/number-of-internet-users-worldwide/
Number of internet users worldwide from 2000 to 2015 (in millions)
Meanwhile, Bot Operators Were Updating their Software
Bot software used in
2015 was vastly more
advanced than in
previous years
This was a shift in
focus from quantity of
bots to quality
Key Findings
Bad Bot Targets
Traffic Distribution by Size of Site, 2014 and 2015
Traffic by Type of Site, 2014 vs 2015
In 2015 the most targeted verticals
were digital publishing and real
estate
Traffic by Size and Type of Site, 2014 vs 2015
More specifically,
small digital publishers and
large real estate sites
were hardest hit in 2015
Defense Tactics - Know your Industry
Understand how great a risk bots pose to your industry
Learn how bots attack sites similar to yours

Industry            Most Common Bot Problem
Ecommerce           Price scraping
Digital Publishing  Content theft
Travel              Aggregation and loss of up-sell / cross-sell opportunities
Finance             Brute force attacks
Real Estate         Scraping listing information
Bad Bot Origins
China and US Home to the Worst Bad Bot Originators
Companies from China and the US dominate the list of organizations with the most bad bot traffic. The US is always on top of this list; China is new.
(chart: top bad bot originating organizations, each labelled by country: China or US)
Worst Bad Bot Originators 2013 to 2015
Amazon makes the Top 5 for three years in a row. Verizon Business and the residential ISPs Comcast and Time Warner Cable clean up their acts.
Mobile Carriers with the Most Bad Bots
Dutch carriers emerge as a new
hotbed for mobile client based bots
The four largest mobile carriers in the
US are all present on this year’s list
● Verizon Wireless
● AT&T
● T-Mobile
● Sprint PCS
Countries Originating the Most Bad Bots, 2014 vs 2015
The US still tops the list of
countries with the most bad bots
Israel, India, and the UK make the
biggest gains
Germany, Canada, Russia, and
the Netherlands move down the
list
Countries Most Often Blocked by Geofencing
Rules
2014 saw customers blocking
developing countries and
stereotypical “bad guys”
2015 saw customers blocking
more industrialized countries
Top “Bad Bot GDPs” of 2014 and 2015
Maldives rules the roost with 526 bad bots per human online user
The average number of bots per human user on this list increased from 26.1 bots/user to 99.2 bots/user
Defense Tactics - Know Their Origins
Does your business model support all regions?
Is it normal that your customer is originating from a commercial data center or cloud provider?
Are there any reasons visitors to your site should come through the Tor network?
Analyze your business. Then trim the fat.
Bad Bot Capabilities and
Behavior
The Majority of Bots are Now APBs
Advanced Persistent Bots
(APBs) are becoming more
commonplace
APBs are defined as having
one or more of the following
abilities:
● Mimicking human behavior
● Loading JavaScript and external
assets
● Cookie support
● Browser automation
● IP spoofing and rotation
● User agent spoofing and rotation
● Distributed attacks (using many IP
addresses at once)
Loading Assets & Bots Mimicking Humans
(charts: % of bots able to load external assets, e.g. JavaScript; % of bots able to mimic human behavior)
These bots will skew marketing tools such as Google Analytics, A/B testing, conversion tracking, etc.
These bots will fly under the radar of most security tools
The Majority of Bad Bots Now Use Multiple IP Addresses
Bots which dynamically rotate IP addresses, or distribute attacks are
significantly harder to detect and mitigate
Bad Bots Obtain New User Agents to Persistently Attack Websites
Over 36% of bots use multiple user agents to evade detection and overcome
blacklisting and custom blocking rules
Chrome Takes the Lead as Most Assumed User Agent
Defense Tactics - Defeat APBs with Fingerprinting
Real-time analysis and device fingerprinting allow security solutions to track bots even if they
● Assume new identities
● Mimic human behavior
● Rotate IP addresses
● Distribute their attack over many IP addresses
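The three APB traits the deck highlights (IP rotation, User-Agent rotation, and not loading the JavaScript a real browser would) can be tied back to one client once you key on a device fingerprint instead of the IP or User-Agent. The following is an added example and not code from the deck or from Distil Networks: the log format, the idea that a client-side script emits a fingerprint hash, the "/static/" asset prefix and the thresholds are all assumptions, and the log lines are constructed.

```python
"""Track a bot client by device fingerprint instead of IP or User-Agent.
Added example (not code from the original deck), standard library only."""
import re
from typing import Dict, List, Optional

# Constructed sample log (not from the page). Assumed format, one request per line:
#   <client ip> <device fingerprint or "-"> "<user agent>" <path>
# The fingerprint is assumed to be computed by client-side instrumentation
# (e.g. a hash over canvas/font/TLS signals); "-" means the client never ran it.
SAMPLE_LOG = """\
203.0.113.10 a1b2c3 "Mozilla/5.0 (Windows NT 10.0) Chrome/48.0" /listings?page=1
203.0.113.10 a1b2c3 "Mozilla/5.0 (Windows NT 10.0) Chrome/48.0" /static/app.js
203.0.113.10 a1b2c3 "Mozilla/5.0 (Windows NT 10.0) Chrome/48.0" /listings?page=2
198.51.100.7 d4e5f6 "Mozilla/5.0 (Windows NT 10.0) Chrome/48.0" /listings?page=1
198.51.100.7 d4e5f6 "Mozilla/5.0 (Windows NT 10.0) Chrome/48.0" /static/app.js
198.51.100.8 d4e5f6 "Mozilla/5.0 (Macintosh) Safari/601.1" /listings?page=2
198.51.100.9 d4e5f6 "Mozilla/5.0 (X11; Linux) Firefox/44.0" /listings?page=3
198.51.100.10 d4e5f6 "Mozilla/5.0 (Windows NT 10.0) Chrome/48.0" /listings?page=4
192.0.2.55 - "Mozilla/5.0 (Windows NT 10.0) Chrome/48.0" /listings?page=1
192.0.2.55 - "Mozilla/5.0 (Windows NT 10.0) Chrome/48.0" /listings?page=2
192.0.2.55 - "Mozilla/5.0 (Windows NT 10.0) Chrome/48.0" /listings?page=3
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')
ASSET_PREFIX = "/static/"   # assumed path prefix for JavaScript/CSS/image assets


def parse_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse the assumed log format; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, fp, ua, path = m.groups()
            rows.append({"ip": ip, "fp": None if fp == "-" else fp, "ua": ua, "path": path})
    return rows


def client_key(row: Dict[str, Optional[str]]) -> str:
    """The fingerprint is the stable identity; fall back to the IP only when the
    client never produced one (which is itself a signal, see classify())."""
    return row["fp"] if row["fp"] else "ip:" + row["ip"]


def profile_clients(rows) -> Dict[str, dict]:
    """Aggregate per client: distinct IPs, distinct User-Agents, page vs asset hits."""
    profiles: Dict[str, dict] = {}
    for r in rows:
        p = profiles.setdefault(client_key(r), {"ips": set(), "uas": set(), "pages": 0, "assets": 0})
        p["ips"].add(r["ip"])
        p["uas"].add(r["ua"])
        if r["path"].startswith(ASSET_PREFIX):
            p["assets"] += 1
        else:
            p["pages"] += 1
    return profiles


def classify(profiles, rotate_threshold: int = 3, min_pages: int = 3) -> Dict[str, List[str]]:
    """Return the APB indicators seen for each client (empty list = nothing suspicious).
    Thresholds are illustrative; tune them against your own traffic."""
    findings = {}
    for key, p in profiles.items():
        reasons = []
        if len(p["ips"]) >= rotate_threshold:
            reasons.append("ip-rotation")        # one device, many source addresses
        if len(p["uas"]) >= rotate_threshold:
            reasons.append("ua-rotation")        # one device, many claimed browsers
        if p["pages"] >= min_pages and p["assets"] == 0:
            reasons.append("no-asset-loads")     # fetches HTML but never the JS/CSS a browser would
        findings[key] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in classify(profile_clients(parse_log(SAMPLE_LOG))).items():
        print(f"{client:16s} {', '.join(reasons) or 'ok'}")
```

On the constructed sample, the genuine browser (one IP, one User-Agent, loads app.js) is clean, the client with fingerprint d4e5f6 is flagged for both IP and User-Agent rotation even though every individual request looks like a normal browser, and the client that never produced a fingerprint is flagged because it paged through listings without ever fetching an asset. The caveat is that a fingerprint is only as stable as the signals behind it: an APB that runs a real browser engine can still randomize canvas or font output, so fingerprint-level tracking belongs alongside behavioural analysis, not instead of it.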
Quantifying the Risk of Bad Bots
Derek E. Brink, CISSP
Vice President and Research Fellow, Information Security and IT GRC
Derek.Brink@aberdeen.com
www.linkedin.com/in/derekbrink
April 2016
Context: The Dual Roles of Modern Information Security Professionals
• Subject Matter Experts
• Trusted Advisors
Two Questions Modern Information Security Professionals Must Answer
What is the risk of [x]? How does an investment in [y]
quantifiably reduce that risk?
Three Challenges Modern Information Security Professionals Must Overcome
What is the risk of [x]?
• A language challenge
• A measurement challenge
How does an investment in [y]
quantifiably reduce that risk?
• A communications challenge
The Threat of Bad Bots: A Material Percentage of Web Site Traffic
Bad Bots 18.6% | Good Bots 27.0% | Humans 54.4%
Source: Distil Networks, 2016 Bad Bot Landscape Report
Web Site Vulnerabilities and Exploits Related to Bad Bots
Bad Bot Vulnerabilities and Exploits (illustrative)
Web Security
• Brute force login; account takeover; fraudulent account creation
• Man-in-the-browser attacks
• Reconnaissance attacks; application coding exploits
• Application denial of service
• Spam
Web Scraping
• Content theft
• Price scraping
• API scraping
• Competitive data mining
Waste and Abuse
• Web site performance
• Negative SEO
• Skewed web site analytics
Fraud
• Fraudulent transactions
• Digital ad fraud
Source: adapted from Distil Networks, 2016 Bad Bot Landscape Report; Aberdeen Group, April 2016
The Risk of Bad Bots: How Likely? What Business Impact?
For each of the illustrative bad bot vulnerabilities and exploits listed above (Web Security, Web Scraping, Waste and Abuse, Fraud), two columns are added:
• Likelihood: How likely is it that these vulnerabilities are successfully exploited?
• Impact: What is the business impact, when successful exploits do occur?
Source: adapted from Distil Networks, 2016 Bad Bot Landscape Report; Aberdeen Group, April 2016
Qualitatively, Four Categories for the Business Impact of Bad Bots
• Additional cost
• Data breaches
• Loss of current revenue
• Loss of future revenue
At a Qualitative Level, the Business Impact of Bad Bots
Columns: Likelihood (How likely is it that these vulnerabilities are successfully exploited?), then the four impact categories Incr. Cost / Data Loss / Curr. Rev. / Fut. Rev.

Bad Bot Vulnerabilities and Exploits (illustrative)                  Impact categories marked
Web Security
  Brute force login; account takeover; fraudulent account creation   X X X X
  Man-in-the-browser attacks                                          X X X X
  Reconnaissance attacks; application coding exploits                 X X X X
  Application denial of service                                       X X X
  Spam                                                                X X
Web Scraping
  Content theft                                                       X X X X
  Price scraping                                                      X X X X
  API scraping                                                        X X X X
  Competitive data mining                                             X X X X
Waste and Abuse
  Web site performance                                                X X X
  Negative SEO                                                        X X X
  Skewed web site analytics                                           X X X
Fraud
  Fraudulent transactions                                             X X X
  Digital ad fraud                                                    X X
(X marks reproduced as extracted; for rows with fewer than four marks, which of the four impact columns is marked is not recoverable from this text.)
Source: adapted from Distil Networks, 2016 Bad Bot Landscape Report; Aberdeen Group, April 2016
There are Many Approaches to Measuring and Communicating Risk that We’re All Familiar With … But These Don’t Really Work!
• Techno-babble about threats, vulnerabilities, and exploits
• Headlines of recent breach disclosures
• ALE-style calculations
• Averages, based on surveys
• “$201 / record”
• Crackpot rigor
• Qualitative “heat maps”
With These Approaches, Most Decisions About Security-Related Risks
are Still Made by the Intuition and Gut Instinct of the HiPPO …
(The Highest-Paid Person in the
Organization)
Let’s Try to Raise the Bar for Making Important Decisions About
Security-Related Risks, Beyond Mere Intuition and Gut Instinct!
Source: http://dilbert.com/strip/2016-03-24
Modeling the Risk of Bad Bots
• Let’s estimate the risk (both likelihood, and impact)
of bad bots, using these four high-level categories:
• Additional cost
• Data breaches
• Loss of current revenue
• Loss of future revenue
• Remember that risk is inherently about making
decisions in the face of uncertainties
• Models are not about precision …
• … they are about making better-informed
decisions about risk …
• … most of which are based primarily on intuition
Monte Carlo Modeling is a Proven, Widely Used Solution for our Measurement Problem
• In a nutshell: we can carry out the same familiar
estimates and computations we have traditionally
made
• Except that we do this for many (say, ten thousand)
scenarios, each of which uses a random value from our
estimated ranges and distributions
• The results of these computations are likewise not a
single, static number – which says nothing about risk
• The output is also a range and distribution, from which we
can readily describe both probabilities and business impact
• I.e., the results can be expressed in terms of risk – which is
exactly what we are looking for!
We’re All Familiar with This Approach, Too – Note the Inclusion of Both Likelihood and Impact in This Illustrative Example!
(figure only)
Just So Long As We Don’t Do This …
Remember, All Models Are Wrong – But Some Can Be Useful!
Source: http://dilbert.com/strip/2016-04-01
Factoring the Risk of Bad Bots – Conceptual
Risk of Bad Bots ($), broken into the four categories, each factored as follows:

Additional Cost
• Overprovisioning of web site infrastructure = Web site contribution to annual revenue × % of annual revenue spent on web site infrastructure × % of web traffic represented by bad bots
• Wasted web site marketing = Web site contribution to annual revenue × % of annual revenue spent on website marketing × % of web traffic represented by bad bots

Data breaches
• Cost of data breaches = # of “incidents” represented by bad bots (i.e., an attempt) × Likelihood of a “breach” (i.e., a success) × Business impact of a breach

Loss of Current Revenue
• Downtime and slowdown = Web site contribution to annual revenue × Time that web site is negatively affected (e.g., downtime or slowdown) × % of revenue lost during the period of downtime or slowdown
• Fraudulent transactions = Web site contribution to annual revenue × % of web traffic represented by bad bots × % of website revenue lost as a result of fraud

Loss of Future Revenue
• (no factors are broken out on the slide)

Source: Aberdeen Group, April 2016
Factoring the Risk of Bad Bots – Computational
(figure only)
Source: Aberdeen Group, April 2016
Run the Numbers – The Results Provide Invaluable Insights into the Risk of Bad Bots
(figures: histogram and probability curve of the simulated annual risk)
Source: Aberdeen Group, April 2016
Quantifying the Risk of Bad Bots
Source: Aberdeen Group, April 2016
Quantifying the Risk of Bad Bots …
and Addressing the Two Fundamental Questions
• For a web site contributing $100M / year in revenue
(% of web site annual revenue)
• Median annual reduction in risk: about 18 times
• Median annual return on investment: about 22 times
• Note: the risk owner still needs to decide …
Source: Aberdeen Group, April 2016
Additional Resources
www.aberdeen.com
Derek.Brink@aberdeen.com
www.linkedin.com/in/derekbrink
Abstract
Distil Networks 2016 Bad Bot Report: Quantifying the Risk and Economic Impact of Bad Bots
Distil Networks has produced its third annual Bad Bot Report. It is the IT security industry's most in-depth analysis of the sources, types, and sophistication levels of last year's bot attacks, and there are serious implications for anyone responsible for securing websites and APIs.
Join Derek Brink, Vice President of Research at Aberdeen Group, and Rami Essaid, CEO of Distil Networks, as they dive into the data to reveal:
● 6 high-risk lessons every IT security pro must know
● How to quantify the risk and economic impact of bad bots for your organization
● How bot activity varies across websites based on industry and popularity
● The worst offending countries, ISPs, mobile operators, and hosting providers
Bad bots are the key culprits behind web scraping, brute force attacks, competitive data mining, online fraud, account hijacking, unauthorized vulnerability scans, spam, man-in-the-middle attacks, digital ad fraud, and downtime. Register today to gain actionable insights on how to defend your websites and APIs for the coming year of threats.
Modeling the Risk of Bad Bots: Additional Cost (1)
1. Web site contribution to annual revenue ($ / year)
• For the purposes of this analysis, let’s model based on $100,000,000
2. % of annual revenue spent on web site infrastructure
• “Infrastructure” = all related people, process, technologies
• Model as 4% - 6%; uniform distribution (analyst estimates)
3. % of web traffic represented by bad bots
• Model as 0% - 50%; most likely 18.6%; beta distribution (Distil Networks)
4. Annual cost of overprovisioning web site infrastructure
• (1) x (2) x (3)
Source: Aberdeen Group, April 2016
Modeling the Risk of Bad Bots: Additional Cost (2)
1. Web site contribution to annual revenue ($ / year)
• For the purposes of this analysis, let’s model based on $100,000,000
2. % of annual revenue spent on web site marketing
• “Marketing” = all costs related to driving web traffic
• Model as 5% - 15%; normal distribution (analyst estimates)
3. % of web traffic represented by bad bots
• Model as 0% - 50%; most likely 18.6%; beta distribution (Distil Networks)
4. Annual cost of wasted web site marketing (e.g., negative SEO, skewed web site
analytics, etc.) resulting from bad bots
• (1) x (2) x (3)
Source: Aberdeen Group, April 2016
Modeling the Risk of Bad Bots: Data Breaches
1. # of “incidents” represented by bad bots (i.e., an attempt)
• One extreme: all bad bots = 1 incident
• The other extreme: every bad bot = 1 incident
• My modeling choice: 1 (one incident per year) to 12 (one incident per month); beta distribution
2. Likelihood of a “breach” (i.e., a success)
• 0% - 100%; most likely 30%; beta distribution (Verizon DBIR)
3. Business impact of a data breach
• Expressed as a function of the number of records (Verizon DBIR)
• Use 100,000 – 1,000,000 records as the range (Privacy Rights Clearinghouse)
4. Annual cost of data breaches resulting from bad bots
• (1) x (2) x (3)
Source: Aberdeen Group, April 2016
Modeling the Risk of Bad Bots: Loss of Current Revenue (1)
• Bad bots → negative impact on web site availability and performance
• Combination of downtime and slowdown results in web site customers abandoning what they were trying to do … which leads to lost revenue during this time of disruption
1. Web site contribution to annual revenue ($ / year)
• For the purposes of this analysis, let’s model based on $100,000,000
2. Time that web site is negatively affected (e.g., downtime or slowdown) (hours / year)
• For simplicity, assume 24x7x365 operation, i.e., 8,760 hours / year
• Model as 0 – 720 hours; most likely 200 hours; beta distribution (Arbor Networks)
3. % of revenue lost during the period of downtime or slowdown
• Model as 1% to 30%; most likely 3%; beta distribution (analyst estimates)
4. Loss of current revenue as a result of bad bots
• (1) ÷ 8,760 x (2) x (3), i.e., hourly revenue x hours affected x share of revenue lost during those hours (the hours in (2) have to be converted to a fraction of the year for the units to work out)
Source: Aberdeen Group, April 2016
Modeling the Risk of Bad Bots: Loss of Current Revenue (2)
• Bad bots → fraudulent transactions
1. Web site contribution to annual revenue ($ / year)
• For the purposes of this analysis, let’s model based on $100,000,000
2. % of web site traffic represented by bad bots
• 0% - 50%; most likely 18.6%; beta distribution (Distil Networks)
3. % of web site revenue lost as a result of fraud from bad bot traffic
• Model as 0% – 10%; most likely 1.4%; beta distribution (Kroll, Global Fraud Survey)
4. Loss of current revenue as a result of bad bots
• (1) x (2) x (3)
Source: Aberdeen Group, April 2016
Final Important Detail: Effectiveness of Countermeasures for Bad Bots
• Status quo = manual blocking
• 0% - 50%; most likely 12%; beta distribution
• Assume that the annual cost of manual blocking is already baked in to the cost of overprovisioned web site infrastructure
• Future state = use the Distil Networks solution
• 90% - 100%; most likely 99.9%; beta distribution
• The model for the future state must also incorporate the annual cost of the Distil Networks solution
Source: adapted from Distil Networks, 2016 Bad Bot Landscape Report; Aberdeen Group, April 2016
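The Monte Carlo approach described earlier in the deck ("many, say ten thousand, scenarios, each using a random value from our estimated ranges and distributions") and the factor breakdown in these appendix slides can be run end to end with nothing but the standard library. What follows is an added example, not Aberdeen Group's or Distil Networks' own model or spreadsheet. It takes the ranges and "most likely" values exactly as the slides state them, interpreting "beta distribution" with a most-likely value as a beta-PERT draw and "5% - 15%; normal distribution" as a normal centred on the range and clamped to it (both interpretations are ours). Three inputs the slides do not print are filled with labelled assumptions: the mode of the 1 to 12 incidents-per-year range, the DBIR cost-per-records function (a placeholder), and the annual cost of the mitigation solution. The output is a distribution with p10 / p50 / p90, as the deck argues it should be, rather than one number; it does not attempt to reproduce the "about 18 times" and "about 22 times" figures quoted in the deck.

```python
"""Monte Carlo model of the annual risk of bad bots, following the factor
structure in the deck's appendix. Added example, standard library only."""
import random
import statistics
from typing import Callable, Dict, List, Sequence

HOURS_PER_YEAR = 24 * 365          # the deck assumes 24x7x365 operation


def pert(rng: random.Random, low: float, mode: float, high: float, lam: float = 4.0) -> float:
    """Beta-PERT draw: the usual way to turn a (min, most likely, max) estimate
    into the 'beta distribution' the deck names for each factor."""
    if high <= low:
        return low
    a = 1.0 + lam * (mode - low) / (high - low)
    b = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def ranged_normal(rng: random.Random, low: float, high: float) -> float:
    """'5% - 15%; normal distribution': mean at the midpoint, range taken as
    +/- 2 sigma, clamped to the stated range (this interpretation is ours)."""
    mu, sigma = (low + high) / 2.0, (high - low) / 4.0
    return min(high, max(low, rng.gauss(mu, sigma)))


def hypothetical_breach_cost(records: float) -> float:
    """ASSUMPTION: the deck says breach impact is a function of record count
    (DBIR) but does not print the function; this concave placeholder is ours."""
    return 10_000.0 * records ** 0.5


def one_scenario(rng: random.Random, revenue: float = 100_000_000.0,
                 breach_cost: Callable[[float], float] = hypothetical_breach_cost) -> Dict[str, float]:
    """One draw of every factor on the appendix slides, combined as the slides say."""
    bad_bot_share = pert(rng, 0.0, 0.186, 0.50)   # drawn once, reused by every factor that needs it
    # Additional cost (1) and (2)
    overprovision = revenue * rng.uniform(0.04, 0.06) * bad_bot_share
    wasted_marketing = revenue * ranged_normal(rng, 0.05, 0.15) * bad_bot_share
    # Data breaches: attempts x P(success) x impact(records)
    incidents = pert(rng, 1.0, 6.5, 12.0)        # ASSUMPTION: mode at the midpoint; the deck gives only the range
    p_breach = pert(rng, 0.0, 0.30, 1.0)
    records = rng.uniform(100_000.0, 1_000_000.0)
    breaches = incidents * p_breach * breach_cost(records)
    # Loss of current revenue (1): hourly revenue x affected hours x share lost in those hours
    hours_affected = pert(rng, 0.0, 200.0, 720.0)
    downtime = (revenue / HOURS_PER_YEAR) * hours_affected * pert(rng, 0.01, 0.03, 0.30)
    # Loss of current revenue (2): fraud
    fraud = revenue * bad_bot_share * pert(rng, 0.0, 0.014, 0.10)
    parts = {"overprovision": overprovision, "wasted_marketing": wasted_marketing,
             "breaches": breaches, "downtime": downtime, "fraud": fraud}
    parts["total"] = sum(parts.values())
    return parts


def simulate(n: int = 10_000, seed: int = 2016, **kw) -> List[Dict[str, float]]:
    rng = random.Random(seed)
    return [one_scenario(rng, **kw) for _ in range(n)]


def percentile(values: Sequence[float], p: float) -> float:
    s = sorted(values)
    return s[min(len(s) - 1, int(round(p * (len(s) - 1))))]


def summarize(samples: List[Dict[str, float]], keys: Sequence[str] = ("total",)) -> Dict[str, Dict[str, float]]:
    """The output is a distribution, not a point: report p10 / p50 / p90 per component."""
    return {k: {"p10": percentile([s[k] for s in samples], 0.10),
                "p50": percentile([s[k] for s in samples], 0.50),
                "p90": percentile([s[k] for s in samples], 0.90)} for k in keys}


def compare_countermeasures(samples: List[Dict[str, float]], seed: int = 7,
                            solution_cost: float = 250_000.0) -> Dict[str, float]:
    """Residual risk under 'manual blocking' versus a bot-mitigation service, each with
    the effectiveness distribution the deck gives. solution_cost is a HYPOTHETICAL
    annual figure; the deck says to include it but does not state it."""
    rng = random.Random(seed)
    reductions, rois = [], []
    for s in samples:
        eff_now = pert(rng, 0.0, 0.12, 0.50)      # status quo: manual blocking
        eff_new = pert(rng, 0.90, 0.999, 1.0)     # future state: mitigation service
        residual_now = s["total"] * (1.0 - eff_now)   # manual-blocking cost assumed already in infrastructure
        residual_new = s["total"] * (1.0 - eff_new) + solution_cost
        reductions.append(residual_now - residual_new)
        rois.append((residual_now - residual_new) / solution_cost)
    return {"median_risk_reduction": statistics.median(reductions),
            "median_roi": statistics.median(rois),
            "share_of_scenarios_not_worth_it": sum(r < 0 for r in reductions) / len(reductions)}


if __name__ == "__main__":
    runs = simulate()
    cols = ("overprovision", "wasted_marketing", "breaches", "downtime", "fraud", "total")
    for k, v in summarize(runs, cols).items():
        print(f"{k:17s} p10=${v['p10']:>14,.0f}  p50=${v['p50']:>14,.0f}  p90=${v['p90']:>14,.0f}")
    print(compare_countermeasures(runs))
```

Two things the run makes visible that the slide arithmetic does not: with the placeholder breach-cost function the data-breach term dominates the total, so the decision is only as good as that one function and the incident-count assumption, which is exactly where the risk owner should spend effort replacing placeholders with their own numbers; and the share of scenarios in which the countermeasure does not pay for itself is a number the model gives for free, which is the kind of statement "the risk owner still needs to decide" can actually be made on.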

More Related Content

PDF
Distil Networks 2017 Bad Bot Report: 6 High Risk Lessons for Website Defenders
PPTX
Field Guide To Preventing Competitor Price Scraping, Unwanted Transactions, B...
PPTX
Field Guide for Validating Premium Ad Inventory
PPTX
Better Metrics, Less Hacks: Online Travel and The Future of Web Security
PDF
ComplianceBrief
PPTX
Digital ad fraud superheroes the good guys by augustine fou
PPTX
17 00 distil rami
PDF
Ias guide ad fraud essentials_2017 (1)
Distil Networks 2017 Bad Bot Report: 6 High Risk Lessons for Website Defenders
Field Guide To Preventing Competitor Price Scraping, Unwanted Transactions, B...
Field Guide for Validating Premium Ad Inventory
Better Metrics, Less Hacks: Online Travel and The Future of Web Security
ComplianceBrief
Digital ad fraud superheroes the good guys by augustine fou
17 00 distil rami
Ias guide ad fraud essentials_2017 (1)

What's hot (20)

PDF
Distil Networks 2017 Bad Bot Report: 6 High Risk Lessons for Website Defenders
PDF
White Ops & Videology Whitepaper
PPTX
The Many Faces of Ad Fraud
PDF
IAB Best Practices Traffic Fraud Final
PPTX
Bot Benchmark study - White Ops & DCN
PPTX
Case Study on Property Portal Data Security
PPTX
2015 Bot Baseline Report - White Ops & ANA
PPTX
4As Digital Ad Fraud Webinar October 2014
PDF
Botnets used for ad fraud spam ddos attacks
PDF
StubHub's Field Guide To Preventing Competitor Price Scraping, Unwanted Trans...
PDF
The Murky Waters of the Internet: Anatomy of Malvertising and Other e-Threats
PDF
Integral Ad Science Digital Ad Fraud Presentation
PDF
Ground Truth real safari vs fake safari
PPT
Chapter 12: Computer Mediated Communicationcmc
PDF
Ways To Think About Solving Digital Ad Fraud Augustine Fou Mike Moran Ted McC...
PDF
Ad fraud is cash out for hacking
PPTX
Presentation - How to do Fraud like Vietnamese
PPTX
Display Ad Fraud Explainer by Augustine Fou
PDF
IC3 2019 Internet Crime Report
PDF
Kaspersky lab financial_cyberthreats_in_2017
Distil Networks 2017 Bad Bot Report: 6 High Risk Lessons for Website Defenders
White Ops & Videology Whitepaper
The Many Faces of Ad Fraud
IAB Best Practices Traffic Fraud Final
Bot Benchmark study - White Ops & DCN
Case Study on Property Portal Data Security
2015 Bot Baseline Report - White Ops & ANA
4As Digital Ad Fraud Webinar October 2014
Botnets used for ad fraud spam ddos attacks
StubHub's Field Guide To Preventing Competitor Price Scraping, Unwanted Trans...
The Murky Waters of the Internet: Anatomy of Malvertising and Other e-Threats
Integral Ad Science Digital Ad Fraud Presentation
Ground Truth real safari vs fake safari
Chapter 12: Computer Mediated Communicationcmc
Ways To Think About Solving Digital Ad Fraud Augustine Fou Mike Moran Ted McC...
Ad fraud is cash out for hacking
Presentation - How to do Fraud like Vietnamese
Display Ad Fraud Explainer by Augustine Fou
IC3 2019 Internet Crime Report
Kaspersky lab financial_cyberthreats_in_2017
Ad

Similar to 2016 Bad Bot Report: Quantifying the Risk and Economic Impact of Bad Bots (20)

PPTX
Are Bot Operators Eating Your Lunch?
PDF
Rtp rsp16-distil networks-final-deck
PPTX
Ensuring Property Portal Listing Data Security
PDF
Ana White OPS - the bot baseline - fraud in digital advertising - 2015
PDF
The Bot Baseline - Fraud in Digital Advertising
PDF
Fraud in Digital Advertising (ANA study)
PDF
Distil Network Sponsor Presentation at the Property Portal Watch Conference -...
PPT
New fraud protection solutions
PDF
Security troubles in e commerce website
PPTX
Lakeworth chamber 06.15.11 rv take 2
PDF
The Imitation Game: Detecting and Thwarting Automated Bot Attacks
PPTX
Top 5 digital trends of 2016
PDF
Adjusting Your Security Controls: It’s the New Normal
PPTX
The Dangers of Lapto
PDF
Tackling ad fraud in 2016
PPTX
Most notable apt_ attacks_of_2015_and_2016 predictions
PDF
ThreatMetrix ARRC 2016 presentation by Ted Egan
PDF
easyjet’s journey to protect its booking engine - the slides for the Tnooz / ...
PPTX
How to Reduce Avenues of Attack: Using Intel to Plan for Cyber Threats in 2017
PPTX
Low-Cost, No-Tech Ways to Fight Fraud vMiMA
Are Bot Operators Eating Your Lunch?
Rtp rsp16-distil networks-final-deck
Ensuring Property Portal Listing Data Security
Ana White OPS - the bot baseline - fraud in digital advertising - 2015
The Bot Baseline - Fraud in Digital Advertising
Fraud in Digital Advertising (ANA study)
Distil Network Sponsor Presentation at the Property Portal Watch Conference -...
New fraud protection solutions
Security troubles in e commerce website
Lakeworth chamber 06.15.11 rv take 2
The Imitation Game: Detecting and Thwarting Automated Bot Attacks
Top 5 digital trends of 2016
Adjusting Your Security Controls: It’s the New Normal
The Dangers of Lapto
Tackling ad fraud in 2016
Most notable apt_ attacks_of_2015_and_2016 predictions
ThreatMetrix ARRC 2016 presentation by Ted Egan
easyjet’s journey to protect its booking engine - the slides for the Tnooz / ...
How to Reduce Avenues of Attack: Using Intel to Plan for Cyber Threats in 2017
Low-Cost, No-Tech Ways to Fight Fraud vMiMA
Ad

More from Distil Networks (8)

PPTX
The Website Resiliency Imperative
PPTX
Are Bad Bots Destroying Your Conversion Rate and Costing You Money?
PPTX
How the BOTS Act Impacts Premium Onsales and the Ticketing Industry Ecosystem
PPTX
The Inconvenient Truth About API Security
PPTX
Using Permaculture to Cultivate a Sustainable Security Program
PPTX
Keeping up with the Revolution in IT Security
PPTX
Tune in for the Ultimate WAF Torture Test: Bots Attack!
PPTX
Cleaning up website traffic from bots & spammers
The Website Resiliency Imperative
Are Bad Bots Destroying Your Conversion Rate and Costing You Money?
How the BOTS Act Impacts Premium Onsales and the Ticketing Industry Ecosystem
The Inconvenient Truth About API Security
Using Permaculture to Cultivate a Sustainable Security Program
Keeping up with the Revolution in IT Security
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Cleaning up website traffic from bots & spammers

Recently uploaded (20)

PPTX
Artificial_Intelligence_Basics use in our daily life
PPTX
购买林肯大学毕业证|i20Lincoln成绩单GPA修改本科毕业证书购买学历认证
PPTX
IT-Human Computer Interaction Report.pptx
PDF
healthwealthtech4all-blogspot-com-2025-08-top-5-tech-innovations-that-will-ht...
PPTX
北安普顿大学毕业证UoN成绩单GPA修改北安普顿大学i20学历认证文凭
PDF
How Technology Shapes Our Information Age
PPTX
Basic_of_Computer_System.pptx class-8 com
PDF
JuanConnect E-Wallet Guide for new users.pdf
PDF
Virtual Guard Technology Provider_ Remote Security Service Solutions.pdf
PPTX
Basic understanding of cloud computing one need
PDF
Paper: World Game (s) Great Redesign.pdf
PPTX
Introduction to networking local area networking
PDF
KEY COB2 UNIT 1: The Business of businessĐH KInh tế TP.HCM
PPTX
Concepts of Object Oriented Programming.
DOCX
MLS 113 Medical Parasitology (LECTURE).docx
PPTX
Partner to Customer - Sales Presentation_V23.01.pptx
PPSX
AI AppSec Threats and Defenses 20250822.ppsx
PDF
Lesson.-Reporting-and-Sharing-of-Findings.pdf
PPTX
using the citation of Research to create a research
DOCX
Memecoinist Update: Best Meme Coins 2025, Trump Meme Coin Predictions, and th...
Artificial_Intelligence_Basics use in our daily life
购买林肯大学毕业证|i20Lincoln成绩单GPA修改本科毕业证书购买学历认证
IT-Human Computer Interaction Report.pptx
healthwealthtech4all-blogspot-com-2025-08-top-5-tech-innovations-that-will-ht...
北安普顿大学毕业证UoN成绩单GPA修改北安普顿大学i20学历认证文凭
How Technology Shapes Our Information Age
Basic_of_Computer_System.pptx class-8 com
JuanConnect E-Wallet Guide for new users.pdf
Virtual Guard Technology Provider_ Remote Security Service Solutions.pdf
Basic understanding of cloud computing one need
Paper: World Game (s) Great Redesign.pdf
Introduction to networking local area networking
KEY COB2 UNIT 1: The Business of businessĐH KInh tế TP.HCM
Concepts of Object Oriented Programming.
MLS 113 Medical Parasitology (LECTURE).docx
Partner to Customer - Sales Presentation_V23.01.pptx
AI AppSec Threats and Defenses 20250822.ppsx
Lesson.-Reporting-and-Sharing-of-Findings.pdf
using the citation of Research to create a research
Memecoinist Update: Best Meme Coins 2025, Trump Meme Coin Predictions, and th...

2016 Bad Bot Report: Quantifying the Risk and Economic Impact of Bad Bots

  • 1. Quantifying the Risk and Economic Impact of Bad Bots Distil Networks 2016 Bad Bot Report
  • 2. Our Speakers Rami Essaid CEO & Co-founder Distil Networks Derek Brink VP & Research Fellow Aberdeen Group
  • 3. 2015 Bad Bot Landscape Report Methodology Study is based on anonymized data from: 74 billion bot requests Real web traffic from hundreds of customers 17 global datacenters
  • 5. Bad Bot, Good Bot and Human Traffic, 2015 Good Bots Humans Bad Bots 19% of Web Traffic Causes The Following Problems
  • 6. Humans take back the Web with 54.35% of all web traffic But why? 2013 vs. 2014 vs. 2015
  • 7. Humans internet users grew 8% in 2105 Especially in countries such as China, India, Indonesia, etc. 2015 Saw Tremendous Growth in Human Users Source: http://www.statista.com/statistics/273018/number-of-internet-users-worldwide/ Number of internet users worldwide from 2000 to 2015 (in millions)
  • 8. Meanwhile, Bot Operators Were Updating their Software Bot software used in 2015 was vastly more advanced than in previous years This was a shift in focus from quantity of bots to quality
  • 10. Traffic Distribution by Size of Site, 2014 and 2015
  • 11. Traffic by Type of Site, 2014 vs 2015 In 2015 the most targeted verticals were digital publishing and real estate
  • 12. Traffic by Size and Type of Site, 2014 vs 2015 More specifically, small digital publishers and large real estate sites were hardest hit in 2015
  • 13. Defense Tactics - Know your Industry Understand how great of a risk bots pose to your industry Learn how bots attack sites similar to yours Industry Most Common Bot Problem Ecommerce Price scraping Digital Publishing Content theft Travel Aggregation and loss of up-sell / cross-sell opportunities Finance Brute force attacks Real Estate Scraping Listing Information
  • 15. China and US Home to the Worst Bad Bot Originators Companies from China and the US dominate the list of organizations with the most bad bot traffic The US is always on top of this list, China is new Chin a Chin aChin a Chin a Chin a Chin a US US US US US US US
  • 16. Worst Bad Bot Originators 2013 to 2015 Amazon makes the Top 5 for three years in a row Verizon Business and residential ISPs Comcast, Time Warner Cable clean up their acts
  • 17. Mobile Carriers with the Most Bad Bots Dutch carriers emerge as a new hotbed for mobile client based bots The four largest mobile carriers in the US are all present on this year’s list ● Verizon Wireless ● AT&T ● T-Mobile ● Sprint PCS
  • 18. Countries Originating the Most Bad Bots, 2014 vs 2015 The US still tops the list of countries with the most bad bots Israel, India, and the UK make the biggest gains Germany, Canada, Russia, and the Netherlands move down the list
  • 19. Countries Most Often Blocked by Geofencing Rules 2014 saw customers blocking developing countries and stereotypical “bad guys” 2015 saw customers blocking more industrialized countries
  • 20. Top “Bad Bot GDP’s” of 2014 and 2015 Maldives rules the roost with 526 bad bots per human online user The average number of bots per human user on this list increased from 26.1 bots/user to 99.2 bots/user
  • 21. Defense Tactics - Know Their Origins Does your business model support all regions? Is it normal that your customer is originating from a commercial data center or cloud provider? Are there any reasons visitors to your site should go through a TOR network? Analyze your business. Then trim the fat.
  • 22. Bad Bot Capabilities and Behavior
  • 23. The Majority of Bots are Now APBs Advanced Persistent Bots (APBs) are becoming more commonplace APBs are defined as having one or more of the following abilities: ● Mimicking human behavior ● Loading JavaScript and external assets ● Cookie support ● Browser automation ● IP spoofing and rotation ● User agent spoofing and rotation ● Distributed attacks (using many IP addresses at once)
  • 24. Loading Assets & Bots Mimicking Humans % of bots able to load external Assets (e.g. JavaScript) % of bots able to mimic human behavior These bots will skew marketing tools such as (Google Analytics, A/B testing, conversion tracking, etc.) These bots will fly under the radar of most security tools
  • 25. That Majority of Bad Bots Now Use Multiple IP Addresses Bots which dynamically rotate IP addresses, or distribute attacks are significantly harder to detect and mitigate
  • 26. Bad Bots Obtain New User Agents to Persistently Attack Websites Over 36% of bots use multiple user agents to evade detection and overcome blacklisting and custom blocking rules
  • 27. Chrome Takes the Lead as Most Assumed User Agent
  • 28. Defense Tactics - Defeat APBs with Fingerprinting Real-analysis and device fingerprinting allows security solutions to track bots even if they ● Assume new identities ● Mimic human behavior ● Rotate IP Addresses ● Distribute their attack over Many IP addresses
  • 29. 29 Quantifying the Risk of Bad Bots Derek E. Brink, CISSP Vice President and Research Fellow, Information Security and IT GRC [email protected] www.linkedin.com/in/derekbrink April 2016 Derek E. Brink, CISSP Vice President and Research Fellow, Information Security and IT GRC [email protected] www.linkedin.com/in/derekbrink April 2016 Quantifying the Risk of Bad Bots
  • 30. 30 Context: The Dual Roles of Modern Information Security Professionals Subject Matter Experts Trusted Advisors
  • 31. 31 Two Questions Modern Information Security Professionals Must Answer What is the risk of [x]? How does an investment in [y] quantifiably reduce that risk?
  • 32. 32 Three Challenges Modern Information Security Professionals Must Overcome What is the risk of [x]? • A language challenge • A measurement challenge How does an investment in [y] quantifiably reduce that risk? • A communications challenge
  • 33. 33 The Threat of Bad Bots: A Material Percentage of Web Site Traffic Bad Bots Good Bots Humans 18.6% 27.0% 54.4% Source: Distil Networks, 2016 Bad Bot Landscape Report
  • 34. 34 Web Site Vulnerabilities and Exploits Related to Bad Bots Bad Bot Vulnerabilities and Exploits (illustrative) Web Security Brute force login; account takeover; fraudulent account creation Man-in-the-browser attacks Reconnaissance attacks; application coding exploits Application denial of service Spam Web Scraping Content theft Price scraping API scraping Competitive data mining Waste and Abuse Web site performance Negative SEO Skewed web site analytics Fraud Fraudulent transactions Digital ad fraud Source: adapted from Distil Networks, 2016 Bad Bot Landscape Report; Aberdeen Group, April 2016
  • 35. 35 The Risk of Bad Bots: How Likely? What Business Impact?
    For each of the illustrative vulnerabilities and exploits, two columns: Likelihood (How likely is it that these vulnerabilities are successfully exploited?) and Impact (What is the business impact when successful exploits do occur?)
    ● Web Security: brute force login; account takeover; fraudulent account creation; man-in-the-browser attacks; reconnaissance attacks; application coding exploits; application denial of service; spam
    ● Web Scraping: content theft; price scraping; API scraping; competitive data mining
    ● Waste and Abuse: web site performance; negative SEO; skewed web site analytics
    ● Fraud: fraudulent transactions; digital ad fraud
    Source: adapted from Distil Networks, 2016 Bad Bot Landscape Report; Aberdeen Group, April 2016
  • 36. 36 Qualitatively, Four Categories for the Business Impact of Bad Bots • Additional cost • Data breaches • Loss of current revenue • Loss of future revenue
  • 37. 37 At a Qualitative Level, the Business Impact of Bad Bots
    Columns: Likelihood (How likely is it that these vulnerabilities are successfully exploited?) and business impact as Incr. Cost, Data Loss, Curr. Rev., Fut. Rev. (X marks as they appear on the slide)
    ● Web Security: brute force login / account takeover / fraudulent account creation (X X X X); man-in-the-browser attacks (X X X X); reconnaissance attacks / application coding exploits (X X X X); application denial of service (X X X); spam (X X)
    ● Web Scraping: content theft (X X X X); price scraping (X X X X); API scraping (X X X X); competitive data mining (X X X X)
    ● Waste and Abuse: web site performance (X X X); negative SEO (X X X); skewed web site analytics (X X X)
    ● Fraud: fraudulent transactions (X X X); digital ad fraud (X X)
    Source: adapted from Distil Networks, 2016 Bad Bot Landscape Report; Aberdeen Group, April 2016
  • 38. 38 There are Many Approaches to Measuring and Communicating Risk that We’re All Familiar With … But These Don’t Really Work! Techno-babble about threats, vulnerabilities, and exploits Headlines of recent breach disclosures ALE-style calculations Averages, based on surveys Crackpot rigor Qualitative “heat maps” “$201 / record”
  • 39. 39 With These Approaches, Most Decisions About Security-Related Risks are Still Made by the Intuition and Gut Instinct of the HiPPO … (The Highest-Paid Person in the Organization)
  • 40. 40 Let’s Try to Raise the Bar for Making Important Decisions About Security-Related Risks, Beyond Mere Intuition and Gut Instinct! Source: http://dilbert.com/strip/2016-03-24
  • 41. 41 Modeling the Risk of Bad Bots
    ● Let’s estimate the risk (both likelihood and impact) of bad bots, using these four high-level categories: additional cost; data breaches; loss of current revenue; loss of future revenue
    ● Remember that risk is inherently about making decisions in the face of uncertainties
    ● Models are not about precision … they are about making better-informed decisions about risk … most of which are based primarily on intuition
  • 42. 42 Monte Carlo Modeling is a Proven, Widely Used Solution for our Measurement Problem
    ● In a nutshell: we can carry out the same familiar estimates and computations we have traditionally made
    ● Except that we do this for many (say, ten thousand) scenarios, each of which uses a random value from our estimated ranges and distributions
    ● The results of these computations are likewise not a single, static number – which says nothing about risk
    ● The output is also a range and distribution, from which we can readily describe both probabilities and business impact
    ● I.e., the results can be expressed in terms of risk – which is exactly what we are looking for!
  • 43. 43 We’re All Familiar with This Approach, Too – Note the Inclusion of Both Likelihood and Impact in This Illustrative Example!
  • 44. 44 Just So Long As We Don’t Do This … Remember, All Models Are Wrong – But Some Can Be Useful! Source: http://dilbert.com/strip/2016-04-01
  • 45. 45 Factoring the Risk of Bad Bots – Conceptual
    ● Additional Cost
      ● Overprovisioning of web site infrastructure ($) = web site contribution to annual revenue x % of annual revenue spent on web site infrastructure x % of web traffic represented by bad bots
      ● Wasted web site marketing ($) = web site contribution to annual revenue x % of annual revenue spent on web site marketing x % of web traffic represented by bad bots
    ● Data Breaches
      ● Cost of data breaches ($) = # of “incidents” represented by bad bots (i.e., an attempt) x likelihood of a “breach” (i.e., a success) x business impact of a breach
    ● Loss of Current Revenue
      ● Downtime and slowdown ($) = web site contribution to annual revenue x time that web site is negatively affected (e.g., downtime or slowdown) x % of revenue lost during the period of downtime or slowdown
      ● Fraudulent transactions ($) = web site contribution to annual revenue x % of web traffic represented by bad bots x % of website revenue lost as a result of fraud
    ● Loss of Future Revenue ($)
    Source: Aberdeen Group, April 2016
  • 46. 46 Factoring the Risk of Bad Bots – Computational Source: Aberdeen Group, April 2016
  • 47. 47 Run the Numbers – The Results Provide Invaluable Insights into the Risk of Bad Bots (Histogram; Probability Curve) Source: Aberdeen Group, April 2016
  • 48. 48 Quantifying the Risk of Bad Bots Source: Aberdeen Group, April 2016
  • 49. 49 Quantifying the Risk of Bad Bots … and Addressing the Two Fundamental Questions
    ● For a web site contributing $100M / year in revenue (% of web site annual revenue)
    ● Median annual reduction in risk: about 18 times
    ● Median annual return on investment: about 22 times
    ● Note: the risk owner still needs to decide …
    Source: Aberdeen Group, April 2016
  • 51. Abstract: Distil Networks 2016 Bad Bot Report: Quantifying the Risk and Economic Impact of Bad Bots
    Distil Networks has produced its third annual Bad Bot Report. It's the IT security industry's most in-depth analysis of the sources, types, and sophistication levels of last year's bot attacks, and there are serious implications for anyone responsible for securing websites and APIs. Join Derek Brink, Vice President of Research at Aberdeen Group, and Rami Essaid, CEO of Distil Networks, as they dive into the data to reveal:
    ● 6 high-risk lessons every IT security pro must know
    ● How to quantify the risk and economic impact of bad bots for your organization
    ● How bot activity varies across websites based on industry and popularity
    ● The worst offending countries, ISPs, mobile operators, and hosting providers
    Bad bots are the key culprits behind web scraping, brute force attacks, competitive data mining, online fraud, account hijacking, unauthorized vulnerability scans, spam, man-in-the-middle attacks, digital ad fraud, and downtime. Register today to gain actionable insights on how to defend your websites and APIs for the coming year of threats.
  • 52. 52 Modeling the Risk of Bad Bots: Additional Cost (1)
    1. Web site contribution to annual revenue ($ / year) • For the purposes of this analysis, let’s model based on $100,000,000
    2. % of annual revenue spent on web site infrastructure • “Infrastructure” = all related people, process, technologies • Model as 4% - 6%; uniform distribution (analyst estimates)
    3. % of web traffic represented by bad bots • Model as 0% - 50%; most likely 18.6%; beta distribution (Distil Networks)
    4. Annual cost of overprovisioning web site infrastructure • (1) x (2) x (3)
    Source: Aberdeen Group, April 2016
  • 53. 53 Modeling the Risk of Bad Bots: Additional Cost (2)
    1. Web site contribution to annual revenue ($ / year) • For the purposes of this analysis, let’s model based on $100,000,000
    2. % of annual revenue spent on web site marketing • “Marketing” = all costs related to driving web traffic • Model as 5% - 15%; normal distribution (analyst estimates)
    3. % of web traffic represented by bad bots • Model as 0% - 50%; most likely 18.6%; beta distribution (Distil Networks)
    4. Annual cost of wasted web site marketing (e.g., negative SEO, skewed web site analytics, etc.) resulting from bad bots • (1) x (2) x (3)
    Source: Aberdeen Group, April 2016
  • 54. 54 Modeling the Risk of Bad Bots: Data Breaches
    1. # of “incidents” represented by bad bots (i.e., an attempt) • One extreme: all bad bots = 1 incident • The other extreme: every bad bot = 1 incident • My modeling choice: 1 (one incident per year) to 12 (one incident per month); beta distribution
    2. Likelihood of a “breach” (i.e., a success) • 0% - 100%; most likely 30%; beta distribution (Verizon DBIR)
    3. Business impact of a data breach • Expressed as a function of the number of records (Verizon DBIR) • Use 100,000 – 1,000,000 records as the range (Privacy Rights Clearinghouse)
    4. Annual cost of data breaches resulting from bad bots • (1) x (2) x (3)
    Source: Aberdeen Group, April 2016
  • 55. 55 Modeling the Risk of Bad Bots: Loss of Current Revenue (1)
    ● Bad bots → negative impact on web site availability and performance
    ● Combination of downtime and slowdown results in web site customers abandoning what they were trying to do … which leads to lost revenue during this time of disruption
    1. Web site contribution to annual revenue ($ / year) • For the purposes of this analysis, let’s model based on $100,000,000
    2. Time that web site is negatively affected (e.g., downtime or slowdown) (hours / year) • For simplicity, assume 24x7x365 operation • Model as 0 – 720 hours; most likely 200 hours; beta distribution (Arbor Networks)
    3. % of revenue lost during the period of downtime or slowdown • Model as 1% to 30%; most likely 3%; beta distribution (analyst estimates)
    4. Loss of current revenue as a result of bad bots • (1) x (2) x (3)
    Source: Aberdeen Group, April 2016
  • 56. 56 Modeling the Risk of Bad Bots: Loss of Current Revenue (2)
    ● Bad bots → fraudulent transactions
    1. Web site contribution to annual revenue ($ / year) • For the purposes of this analysis, let’s model based on $100,000,000
    2. % of web site traffic represented by bad bots • 0% - 50%; most likely 18.6%; beta distribution (Distil Networks)
    3. % of web site revenue lost as a result of fraud from bad bot traffic • Model as 0% – 10%; most likely 1.4%; beta distribution (Kroll, Global Fraud Survey)
    4. Loss of current revenue as a result of bad bots • (1) x (2) x (3)
    Source: Aberdeen Group, April 2016
  • 57. 57 Final Important Detail: Effectiveness of Countermeasures for Bad Bots
    ● Status quo = manual blocking • 0% - 50%; most likely 12%; beta distribution • Assume that the annual cost of manual blocking is already baked into the cost of overprovisioned web site infrastructure
    ● Future state = use the Distil Networks solution • 90% - 100%; most likely 99.9%; beta distribution • The model for the future state must also incorporate the annual cost of the Distil Networks solution
    Source: adapted from Distil Networks, 2016 Bad Bot Landscape Report; Aberdeen Group, April 2016
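The factor model of slides 52-56 run as the ten-thousand-scenario Monte Carlo that slide 42 describes, with the status-quo and future-state countermeasure effectiveness from this slide, as an added example that is not the Aberdeen Group model itself. Assumptions not stated in the deck: the "beta" ranges are parameterized PERT-style from their min / most likely / max, the 5%-15% marketing range is a normal with a 3-sigma width, the incident count peaks at 6, the breach cost per record is a placeholder, effectiveness is applied by scaling the surviving bad-bot share, and the annual cost of the solution is left out.

```python
"""Monte Carlo model of the annual cost of bad bots (added example, not the
deck's own code). Factor structure follows the "Modeling the Risk of Bad Bots"
slides; PERT beta shape, marketing sigma, breach cost per record and the
incident mode are assumptions; countermeasure effectiveness scales the
surviving bad-bot share (also an assumption)."""
import random
import statistics

REVENUE = 100_000_000      # web site contribution to annual revenue ($/yr)
HOURS_PER_YEAR = 24 * 365  # slide assumes 24x7x365 operation
COST_PER_RECORD = 50.0     # constructed placeholder; the deck gives no figure

def pert(lo, mode, hi, rng):
    """Beta variate on [lo, hi] peaking at mode (PERT shape, lambda = 4)."""
    a = 1 + 4 * (mode - lo) / (hi - lo)
    b = 1 + 4 * (hi - mode) / (hi - lo)
    return lo + (hi - lo) * rng.betavariate(a, b)

def annual_loss(rng, effectiveness):
    """One scenario: total $ loss given the fraction of bad bots blocked."""
    survive = 1.0 - effectiveness
    bad_bots = pert(0.0, 0.186, 0.50, rng) * survive   # share of web traffic
    # Additional cost: overprovisioned infrastructure and wasted marketing
    infra = REVENUE * rng.uniform(0.04, 0.06) * bad_bots
    marketing = REVENUE * max(0.0, rng.gauss(0.10, 0.0167)) * bad_bots
    # Data breaches: attempts x likelihood of success x impact per breach
    incidents = pert(1, 6, 12, rng) * survive
    records = rng.uniform(100_000, 1_000_000)
    breach = incidents * pert(0.0, 0.30, 1.0, rng) * records * COST_PER_RECORD
    # Loss of current revenue: downtime/slowdown, then fraudulent transactions
    hours = pert(0, 200, 720, rng) * survive
    downtime = REVENUE * (hours / HOURS_PER_YEAR) * pert(0.01, 0.03, 0.30, rng)
    fraud = REVENUE * bad_bots * pert(0.0, 0.014, 0.10, rng)
    return infra + marketing + breach + downtime + fraud

def simulate(eff_lo, eff_mode, eff_hi, runs=10_000, seed=1):
    """Run many scenarios; effectiveness is itself a PERT variate per scenario."""
    rng = random.Random(seed)
    return [annual_loss(rng, pert(eff_lo, eff_mode, eff_hi, rng)) for _ in range(runs)]

def risk_summary(losses):
    """Median and 90th percentile, the points a probability curve is read at."""
    s = sorted(losses)
    return {"median": statistics.median(s), "p90": s[int(0.9 * (len(s) - 1))]}

if __name__ == "__main__":
    status_quo = risk_summary(simulate(0.0, 0.12, 0.50))  # manual blocking
    future = risk_summary(simulate(0.90, 0.999, 1.0))     # bot mitigation on
    print(status_quo, future)
    print("median risk reduction: %.1fx" % (status_quo["median"] / future["median"]))
```

The ratio of the two medians is the "reduction in risk" figure of slide 49; adding the solution's annual cost to the future-state losses turns it into the return-on-investment comparison.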