A new report carries the unsurprising news that battling botnet attacks is a way of life for modern business security teams — a way of life that carries heavy costs in both technology and personnel.
"The Critical Need to Deal with Bot Attacks," published by Osterman Research, surveyed more than 200 large organizations with a mean employee count of just over 16,000. All had externally facing Web applications with login pages and were actively working to prevent, detect, and remediate attacks against those applications.
According to the report, the average company surveyed suffers 530 botnet attacks each day, though some organizations see thousands of attacks each day, with some attacks probing millions of potential victim accounts every hour.
The numbers in the Osterman Research report broadly mirror those seen in other security reports issued in 2018. One example is Akamai's "Summer 2018 State of the Internet/Security: Web Attacks Report," which noted that many botnets follow a "low and slow" tactic of probing accounts in at attempt to remain undetected by automated systems, while others floor victims with probes in a strategy of overwhelming defenses and retrieving valued information.
In the face of recent attacks, such as that against Starwood/Marriott, in which the attack's "dwell time" inside the database was roughly four years, the average time to detect a botnet attack reported in the Osterman Research survey — 48 hours — may seem remarkably fast. Add in another 48 hours for remediation, and first attack to remediation is four days. In a public-facing Web application, though, that can mean four days of data exfiltration or four days of reduced application access due to a denial-of-service attack, depending on the nature of the botnet.
And keeping the response time as short as it is requires an organization to devote expensive, precarious resources to the battle. According to Osterman Research, most organizations — three in five — have no more than two staff members devoted to a botnet response, while only one in five devotes four or more staff members to the fight.
Each of those staff members is expensive, with the fully burdened cost of a bot-fighting security specialist averaging more than $141,000 each year. Each of those staff members is kept busy working with multiple pieces of equipment, as 91% report using a Web application firewall, 49% an IPS/IDS, 40% a SIEM, and lower percentages other technology in combination to combat Web attacks.
According to the report, the average organization now has 482 potential applications vulnerable to bot attacks and spends an average of 2,600 person-hours per year managing the threat. In the report's final section, on dealing with the threat, the No. 1 recommended activity is for an organization to understand the full cost of responding to bot-based threats to Web security so that appropriate steps can be taken to battle the automated attackers.