Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

Battling Bots Brings Big-Budget Blow to Businesses

Fighting off bot attacks on Web applications extracts a heavy cost in human resources and technology, according to a just-released report.

A new report carries the unsurprising news that battling botnet attacks is a way of life for modern business security teams — a way of life that carries heavy costs in both technology and personnel.

"The Critical Need to Deal with Bot Attacks," published by Osterman Research, surveyed more than 200 large organizations with a mean employee count of just over 16,000. All had externally facing Web applications with login pages and were actively working to prevent, detect, and remediate attacks against those applications.

According to the report, the average company surveyed suffers 530 botnet attacks each day, though some organizations see thousands of attacks each day, with some attacks probing millions of potential victim accounts every hour.

The numbers in the Osterman Research report broadly mirror those seen in other security reports issued in 2018. One example is Akamai's "Summer 2018 State of the Internet/Security: Web Attacks Report," which noted that many botnets follow a "low and slow" tactic of probing accounts in at attempt to remain undetected by automated systems, while others floor victims with probes in a strategy of overwhelming defenses and retrieving valued information.

In the face of recent attacks, such as that against Starwood/Marriott, in which the attack's "dwell time" inside the database was roughly four years, the average time to detect a botnet attack reported in the Osterman Research survey — 48 hours — may seem remarkably fast. Add in another 48 hours for remediation, and first attack to remediation is four days. In a public-facing Web application, though, that can mean four days of data exfiltration or four days of reduced application access due to a denial-of-service attack, depending on the nature of the botnet.

And keeping the response time as short as it is requires an organization to devote expensive, precarious resources to the battle. According to Osterman Research, most organizations — three in five — have no more than two staff members devoted to a botnet response, while only one in five devotes four or more staff members to the fight.

Each of those staff members is expensive, with the fully burdened cost of a bot-fighting security specialist averaging more than $141,000 each year. Each of those staff members is kept busy working with multiple pieces of equipment, as 91% report using a Web application firewall, 49% an IPS/IDS, 40% a SIEM, and lower percentages other technology in combination to combat Web attacks.

According to the report, the average organization now has 482 potential applications vulnerable to bot attacks and spends an average of 2,600 person-hours per year managing the threat. In the report's final section, on dealing with the threat, the No. 1 recommended activity is for an organization to understand the full cost of responding to bot-based threats to Web security so that appropriate steps can be taken to battle the automated attackers.

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19729
PUBLISHED: 2019-12-11
An issue was discovered in the BSON ObjectID (aka bson-objectid) package 1.3.0 for Node.js. ObjectID() allows an attacker to generate a malformed objectid by inserting an additional property to the user-input, because bson-objectid will return early if it detects _bsontype==ObjectID in the user-inpu...
CVE-2019-19373
PUBLISHED: 2019-12-11
An issue was discovered in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can trigger arbitrary unserialization of a PHP object from a packages/cms/page_templates/page_remote_content/page_remote_content.inc POST parame...
CVE-2019-19374
PUBLISHED: 2019-12-11
An issue was discovered in core/assets/form/form_question_types/form_question_type_file_upload/form_question_type_file_upload.inc in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can delete arbitrary files from the se...
CVE-2014-7257
PUBLISHED: 2019-12-11
SQL injection vulnerability in DBD::PgPP 0.05 and earlier
CVE-2013-4303
PUBLISHED: 2019-12-11
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-s...