A study released Tuesday by Netacea found that 72% of organizations surveyed suffered bot attacks that originated in China, and 66% from Russia.
The study also found that the average business loses 4.3% of online revenues every year to bots, or $85.6 million, a number that has more than doubled in the past two years.
Netacea commissioned independent researchers Coleman Parkes for the third straight year to survey 440 businesses with average online revenue of $1.9 billion across the travel, entertainment, ecommerce, financial services, and telecom sectors in the United States and UK.
The survey also found that it takes four months on average to detect bot attacks, with 97% admitting it takes over a month to respond. And 40% of businesses report attacks on their APIs, while attacks on mobile apps have overtaken website attacks for the first time.
“Using bots, they quietly target the APIs, websites, and applications powering these automations to corrupt business logic at massive scale,” wrote Andy Still, co-founder of Netacea, in the study's foreword. “By doing so, they bleed revenues and abuse sensitive data wholesale, damaging reputation, degrading website performance and driving up technical costs.”
The best way to think of these bots is like the background radiation on the internet that will cause a lot of problems if you don’t have appropriate protection, said Andrew Barratt, vice president at Coalfire. Barratt said the bots are often blanket-sweeping attacks that only seek to get a simple foothold, often for further automated attacks or exploration.
“They can sometimes lead to vulnerabilities or initial access that are then sold to organized crime groups for monetization,” said Barratt. “When you consider the potential revenue losses, monetization of stolen payment data or further exploitation leading to ransomware or any more sophisticated attacks, it's super important to understand how to bolster defenses against these kinds of attacks.”
Nick Hyatt, cyber practice leader at Optiv, said China and Russia both have capable offensive security programs — so it’s not surprising they are automating attacks. Hyatt said as the cyber landscape evolves and companies spend more on defense, state actors, state-affiliated actors and state-sponsored actors always seek to refine their processes.
“Much like any country, the activities undertaken by these groups run the gamut from intelligence gathering to espionage,” Hyatt said. “Given the vast swathe of organizations these groups often target, automation through bot activity allows for broad stroke initial activity, with actual hands-on-keyboard work once suitable targets have been found.”
Hyatt added that the long dwell times associated with bot activity are mostly due to the fact that bot activity is easily masked. With the amount of traffic a company sees on a day-to-day basis, determining what is bot activity and what is legitimate activity has become a problem that requires a huge investment of time to detect, said Hyatt.