A rising number of cybercriminals are turning to bots and automation to make their attacks more efficient and effective, and to help them avoid detection, according to research from online security company Barracuda Networks.
The research – released in Barracuda’s most recent ‘Threat Spotlight’ – found that the top five web application attack types were dominated by those performed using automated tools, and these five attack types alone contributed to over 54 per cent of all cyber-attacks blocked by Barracuda in November and December 2020.
The most significant attack type recorded was ‘fuzzing attacks’: automated tools feed an application unexpected or malformed input to find the points at which it breaks, and then exploit them. One in five (19.5 per cent) of the attacks recorded by Barracuda researchers were diagnosed as fuzzing attacks.
‘Injection attacks’, contributing 12 per cent of the total recorded, were the second most significant attack type. These use automated tools such as sqlmap to try to get into applications, and often amount to script-kiddie-level noise: attacks thrown at an application without any reconnaissance to tailor the attempt to its target.
‘Fake bots’, defined as automated attacks that pretend to be Googlebot or a similar legitimate crawler, were a close third, also accounting for about 12 per cent of the web application attacks analysed, marginally behind injection. Application DDoS (distributed denial of service) was also surprisingly prevalent, making up more than 9 per cent of the sample Barracuda researchers analysed. Finally, a small portion of attacks (less than 2 per cent) came from bots blocked by site admins.
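A User-Agent string that says "Googlebot" costs an attacker nothing, so the practical check for fake bots is the one Google itself documents: reverse-resolve the client IP, require the PTR name to sit under googlebot.com or google.com, then forward-resolve that name and require it to point back at the same IP. The second lookup is what defeats an attacker who controls the reverse zone for their own address space and can put any name into the PTR record. The following is an added example, not Barracuda's code or anything from the report; the log lines, IP addresses (documentation ranges) and DNS records are all constructed so it runs offline, and the classifier is wired to fake resolvers rather than the system resolver.

```python
import re
from typing import Callable, List, Tuple

# Parent domains Google documents for verifying Googlebot by reverse DNS.
GOOGLEBOT_DOMAINS = ("googlebot.com", "google.com")

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

Reverse = Callable[[str], str]        # ip -> PTR hostname; raises OSError if none
Forward = Callable[[str], List[str]]  # hostname -> addresses; raises OSError if none

def claims_googlebot(user_agent: str) -> bool:
    """The User-Agent header is attacker-controlled; it is only the trigger for verification."""
    return "googlebot" in user_agent.lower()

def _in_google_domains(host: str) -> bool:
    """Match on a label boundary, so 'notgooglebot.com' and 'googlebot.com.evil.example' fail."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in GOOGLEBOT_DOMAINS)

def is_verified_googlebot(ip: str, reverse: Reverse, forward: Forward) -> bool:
    """Google's documented check: the PTR name must be under googlebot.com or google.com
    AND must resolve back to the same IP. Step two matters because whoever controls the
    IP's reverse zone can put any name at all into the PTR record."""
    try:
        host = reverse(ip)
    except OSError:
        return False  # no PTR record at all
    if not _in_google_domains(host):
        return False
    try:
        return ip in forward(host)
    except OSError:
        return False  # the claimed name does not resolve

def classify_lines(lines: List[str], reverse: Reverse, forward: Forward) -> List[Tuple[str, str]]:
    """Tag each request: no-bot-claim, verified-googlebot or fake-googlebot."""
    verdicts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip it
        ip, ua = m["ip"], m["ua"]
        if not claims_googlebot(ua):
            verdicts.append((ip, "no-bot-claim"))
        elif is_verified_googlebot(ip, reverse, forward):
            verdicts.append((ip, "verified-googlebot"))
        else:
            verdicts.append((ip, "fake-googlebot"))
    return verdicts

# Constructed DNS data so the example runs offline; these are not real Google records.
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",    # genuine: forward record matches
    "203.0.113.8": "crawl-203-0-113-8.googlebot.com",  # forged PTR: forward record does not match
    "203.0.113.9": "googlebot.com.evil.example",       # lookalike suffix
    "203.0.113.10": "crawl.notgooglebot.com",          # no label boundary before googlebot.com
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "crawl-203-0-113-8.googlebot.com": ["192.0.2.99"],
}

def fake_reverse(ip: str) -> str:
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return FAKE_PTR[ip]

def fake_forward(host: str) -> List[str]:
    if host not in FAKE_A:
        raise OSError("NXDOMAIN")
    return FAKE_A[host]

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Constructed sample log lines using documentation IP ranges; not real traffic.
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Dec/2020:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 512 "-" "{GOOGLEBOT_UA}"',
    f'203.0.113.8 - - [01/Dec/2020:10:00:02 +0000] "GET /admin HTTP/1.1" 404 0 "-" "{GOOGLEBOT_UA}"',
    f'203.0.113.9 - - [01/Dec/2020:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "{GOOGLEBOT_UA}"',
    f'203.0.113.10 - - [01/Dec/2020:10:00:04 +0000] "GET /.env HTTP/1.1" 404 0 "-" "{GOOGLEBOT_UA}"',
    f'203.0.113.11 - - [01/Dec/2020:10:00:05 +0000] "GET /backup.zip HTTP/1.1" 404 0 "-" "{GOOGLEBOT_UA}"',
    '198.51.100.9 - - [01/Dec/2020:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/87.0"',
]

def demo() -> List[Tuple[str, str]]:
    return classify_lines(SAMPLE_LOG, fake_reverse, fake_forward)

if __name__ == "__main__":
    for ip, verdict in demo():
        print(f"{ip:<14} {verdict}")
```

For live use, pass `lambda ip: socket.gethostbyaddr(ip)[0]` and `lambda host: socket.gethostbyname_ex(host)[2]` from the standard library in place of the fake resolvers (the latter is IPv4-only; use `socket.getaddrinfo` if Googlebot arrives over IPv6). Cache the verdict per IP and run the lookups out of band rather than inline on every request, otherwise two DNS round-trips per hit become their own denial-of-service problem.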
The ‘Threat Spotlight’ also revealed that although bot traffic is a fast-growing problem, cybercriminals are not moving away from their old standbys: a large part of the attacks analysed are what could be considered classic web app attacks, such as injection attacks (12 per cent) and cross-site scripting (1 per cent). Most of the attack traffic came from reconnaissance tools or fuzzing tools being used to probe applications, as noted above.
Tushar Richabadas, Senior Product Marketing Manager, Barracuda Networks, said: “Automated attacks can overwhelm or infiltrate web applications, and defending against all the varieties of automated attacks can be daunting.
“The good news is that multi-purpose solutions are consolidating into Web Application Firewall and WAF-as-a-Service solutions, also known as Web Application and API Protection services (WAAP). Thus, organisations looking to bolster their defences against this growing threat should look for a WAAP solution that includes bot mitigation, DDoS protection, API security, and credential stuffing protection, as a minimum, and also make sure it is properly configured.
“It is also important to stay informed about current threats and how they are evolving, so that your business can be defended against them. Over the coming year we can expect automated bot attacks, attacks against APIs, and attacks against software supply chains to develop in quantity and sophistication, especially as these newer attacks have fewer protections and defences blocking them.”