Automation has been an important tool that has benefited many businesses, for example, by enabling IT departments to take over manual tasks that can be too numerous to handle, while reducing human error.
However, just as scripting languages can be used for good, they can also be abused by cyber criminals to automate attacks against businesses.
Today, automation in the form of bots is one reason for a wave of credential stuffing attacks around the world, including in Asia-Pacific. It is a constantly evolving threat.
Akamai observed and defended against as many as 85 billion credential abuse attacks on behalf of its global customers from December 2017 to November 2019, according to the company’s State of the Internet report.
These attacks often happen after hackers have acquired login credentials stolen or leaked on the Dark Web. They then create automated scripts that try those credentials against millions of accounts. Unfortunately, probability is on their side and they often succeed.
Though these attacks vary in terms of sophistication, one thing is clear – there is an entire economy of attack toolkits and even technical support for cyber criminals to get into the game quickly and fairly easily.
Three problems for businesses
The problem for businesses is three-fold. First, there is a clearly heightened risk, with the potential impact on apps and IT assets increasing drastically with digitization.
Second, the higher complexity of today’s IT systems means that it is harder to keep defending your assets in the same way as last year, or even last week.
Apps in multiple places with inconsistent security posture, for example, add to this challenge. Plus, there often isn’t enough visibility of all that is happening.
Third, there is less agility for security teams to respond to the needs of business partners today, because of the pace that business is moving at.
Rather than planning strategically to counter new threats, the expertise is spent on “fighting fires” that seem to occur every day with new insights arriving on the screen all the time.
Clearly, with the increasing scale and sophistication of credential stuffing, there is no easy way for a business to go it alone to fight back. They have to look to strength in numbers.
Finding the signs
There are some existing measures to counter credential stuffing, for example, by implementing Captcha challenges or two-factor authentication. However, these may not be suitable for all businesses, for example, for a retail site where convenience and user experience are key.
The bigger challenge for businesses is to be able to visualize the threats automatically. They have to allow the good bots that perform useful functions while keeping out malicious ones that keep stuffing passwords into a login page.
Akamai, which offers a portfolio of edge security solutions, has one called Bot Manager that delivers advanced bot detection to spot and avert the most evasive threats. With it, businesses can stay ahead of the evolving bot landscape and stop the most sophisticated bots at the edge.
It does this by looking for signs that a login attempt may not be made by a human. A browser can detect whether a mobile user is moving their phone (through gyroscope readings) and whether a mouse is moving on a PC screen.
However, this only becomes useful if there is a large enough dataset to analyze and learn from. It is impossible for humans to decipher these signs and trends individually, so machine learning is a key component of a platform that does this job effectively and accurately.
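The kind of signal described above, as an added example that is not Akamai's code or part of the original article: a simplified rule-based check (not the machine learning the article refers to) over pre-login browser telemetry. The event shape, the `scoreLoginAttempt` name and the thresholds are assumptions, and the sample sessions are constructed.

```javascript
// Added example: rule-based scoring of pre-login interaction telemetry.
// Event shape, field names and thresholds are assumptions for illustration.
function variance(xs) {
  if (xs.length < 2) return 0;
  const mean = xs.reduce((a, b) => a + b, 0) / xs.length;
  return xs.reduce((a, b) => a + (b - mean) ** 2, 0) / xs.length;
}

function scoreLoginAttempt(events) {
  const moves = events.filter(e => e.type === 'mousemove');
  const tilts = events.filter(e => e.type === 'deviceorientation');
  const reasons = [];
  if (moves.length === 0 && tilts.length === 0) {
    reasons.push('no pointer or motion telemetry before submit');
  }
  if (moves.length >= 3) {
    // Straight-line distance over travelled distance: ~1.0 is a ruler-straight path.
    let path = 0;
    for (let i = 1; i < moves.length; i++) {
      path += Math.hypot(moves[i].x - moves[i - 1].x, moves[i].y - moves[i - 1].y);
    }
    const first = moves[0], last = moves[moves.length - 1];
    const direct = Math.hypot(last.x - first.x, last.y - first.y);
    if (path > 0 && direct / path > 0.999) reasons.push('pointer path is a straight line');
    // Near-identical gaps between timestamps (ms) suggest generated events.
    const gaps = moves.slice(1).map((m, i) => m.t - moves[i].t);
    if (variance(gaps) < 1) reasons.push('pointer events are evenly spaced in time');
  }
  if (tilts.length >= 3) {
    // Identical readings on every sample are what a fixed or emulated sensor reports.
    const jitter = variance(tilts.map(e => e.beta)) + variance(tilts.map(e => e.gamma));
    if (jitter === 0) reasons.push('device orientation never changes');
  }
  return { suspicious: reasons.length > 0, reasons };
}

// Constructed sample sessions (not captured traffic).
const mv = (x, y, t) => ({ type: 'mousemove', x, y, t });
const tilt = (beta, gamma, t) => ({ type: 'deviceorientation', beta, gamma, t });
const humanMouse = [mv(10, 200, 0), mv(42, 188, 17), mv(90, 160, 41), mv(150, 151, 58), mv(201, 149, 93)];
const scriptedMouse = [mv(0, 0, 0), mv(50, 50, 10), mv(100, 100, 20), mv(150, 150, 30)];
const noTelemetry = [{ type: 'submit', t: 5 }];
const heldPhone = [tilt(31.2, -2.1, 0), tilt(31.9, -1.4, 50), tilt(30.6, -2.8, 100)];
const frozenSensor = [tilt(0, 0, 0), tilt(0, 0, 50), tilt(0, 0, 100)];

for (const [name, s] of Object.entries({ humanMouse, scriptedMouse, noTelemetry, heldPhone, frozenSensor })) {
  console.log(name, JSON.stringify(scoreLoginAttempt(s)));
}
```

A keyboard-only or password-manager login also produces no pointer telemetry, so a signal like this is one input to a broader decision rather than a verdict on its own.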
Picking a vendor means trusting it with one of your business’s core functions, so having an independent recommendation is important to picking the right experts for the job.
In January 2020, research firm Forrester recommended Akamai as a significant provider of bot management solutions. It had evaluated how well each vendor scored against 10 criteria and where they stood in relation to each other.
To be sure, the job of keeping the bad guys from logging in with stolen passwords is not easy. However, it is possible with the right strategy. Here are three key recommendations:
- Understand what the exposure is: What are the apps that are exposed outside your perimeter? What do they talk to in the backend? Understanding risk is the first step. Learn more about risk exposure from security experts at Akamai Edge Live.
- Don’t try to build everything yourself: You may be able to detect current threats but it is nearly impossible to keep up with evolving threats.
- Be open to a partnership: Speak to a technology vendor like Akamai that has the breadth of coverage and depth of knowledge to tackle this together. Use its experience of working on a global scale to improve your security posture.