ITSPmagazine Podcasts

Anticipating The Next Decade of Bot-Enabled Threats | Exploring 10 Years of Imperva Bad Bot Reports | An Imperva Brand Story With Karl Triebes

Episode Summary

In this story on the ITSPmagazine podcast network, hosts Sean Martin and Marco Ciappelli invite guest Karl Triebes to take a look back at 10 years of Imperva Bad Bot Reports. Looking forward to the future, they discuss the increasing sophistication of bot attacks, the challenges in detecting them, and the potential damage to businesses and society.

Episode Notes

As they discuss the evolution of bot attacks in the last decade, they outline the increasing focus on API security, account takeover, and business logic attacks. They also discuss the challenges of detecting bot attacks with the rise of AI. The conversation raises philosophical questions about the future of humanity and the potential damage to businesses and society caused by bot attacks.

Note: This story contains promotional content.

Guest
Karl Triebes, SVP and General Manager, Application Security at Imperva [@Imperva]

On Linkedin | https://www.linkedin.com/in/karltriebes/

On Twitter | https://twitter.com/Triebes

Resources
Learn more about Imperva and their offering: https://itspm.ag/imperva277117988

Download the 2023 Imperva Bad Bot Report: https://itspm.ag/impervv0sg

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________

Show Intro 00:15

Welcome to the intersection of technology, cybersecurity, and society. Welcome to ITSPmagazine. Every company has a story to tell from the small startup to the large enterprise, and everything in between. This is one of them. Knowledge is power. Now, more than ever.

Marco Ciappelli 00:41

You're gonna call me. Now you're gonna call the professionals.

Sean Martin 00:50

The, you're gonna call the professionals to deal with the ghosts that are lingering. 10, 10 years of ghosts been around.

Marco Ciappelli 01:00

10 years, I think, more than 10 years. 10 years is when someone, some company that we're going to name really soon started to create some reports. So if they decided to create a report 10 years ago, I'm pretty sure it's been a few years before then that it was already a pesky problem, let's call it a pesky problem, which is not ghosts.

Sean Martin 01:25

Narcos, but it's a thing that ghosts are one type of these things. But let's just say that the traffic on the internet is not always driven by humans, there's a lot driven by bots, which are basically little bits of machine code that act on our behalf or do things that we don't have to. And a lot of it's for good purposes. Customer support's probably a good example of that, where you interact with something to find something else, to not waste somebody's personal, physical time as a human. But a lot of that stuff can be used nefariously, because at the end of the day, we're not ghosts, we are humans and humans do weird things. And so a lot of the traffic we see on the internet is not always human and not always good. And our good friends at Imperva have been following this trend, as we noted, for 10 years or longer, and have produced a report on this. And I mean a decade of following these bots to see what's happening. There's lots and I'm very, very interested in and excited to have this conversation and kind of take a look back at 10 years, how things have changed over time and where we kind of sit and of course, Marco, you won't rest without us going into the future. So while there too. That's probably enough from me talking. The real star of this show is Karl Triebes. Karl, how are you?

Karl Triebes 03:07

I'm doing great. Hey, guys, thanks for having me on today.

 

Marco Ciappelli 03:09

Of course, of course,

 

Sean Martin 03:11

It's gonna be fun. And, Karl, a few words about, before we get started, a few words about your role at Imperva. And some of the things you do there, I presume a lot of it is bot oriented. But what else goes on there?

Karl Triebes 03:27

Yeah, so I'm the general manager here for the AppSec business unit at Imperva. And we focus exclusively on application security when I talk about AppSec. And what that means is bots are absolutely a critical component of that. But we also protect, you know, APIs, for example, we protect your web applications, we protect your networks, you know, against DDoS attacks and other types of malicious behaviors. You know, we protect DNS sec. And we've done this, that's basically the history of the company. It's a pure play security company very much focused on application security. And so that's what we do day in and day out. And the bots are critical to that because they act as a delivery mechanism for a lot of these malicious or these attacks. And they do it by, you know, essentially emulating valid humans, right? What they're trying to do is look like a human, but do bad things behind the scenes. And that's really, you know, why you got to watch these bots and they can do it at speed and in very sophisticated ways.

Marco Ciappelli 04:31

Yeah, and there is a reason I guess why the report is not called the Bot Report, but it's called the Bad Bot Report. Because that's, unfortunately, where we have to focus. But I always like to have this conversation and I found the wrong this is at least the fourth time that we talk about these reports in the past two years. And so we have a clear idea, at least Sean and myself are prepared to do this, but there may be some new listener in the audience that are there or not so prepared. So maybe it would be good to start. As Sean said, I like to ask futuristic questions, but you got to start from the past. So how do we get to where we are now? And I have to say you mentioned before we started recording, this year it seems like the interest for this report is even bigger. So it's not a fad that is going away. Right?

Karl Triebes 05:27

Yeah, I mean, we're just seeing this problem grow. Over time, and we've been doing this for 10 years, like you said, we get a really good response every year, a lot of, you know, we provide a lot of interesting data, we don't focus on, you know, our product or anything like that, we're actually just producing what we see out there based upon our analytics. And what we see both through our, you know, we provide a big SaaS service. And so we see a lot of things that we have other mechanisms for going out and doing searching for these different types of bots, through our threat research team, and like we said, is that we just see it continue to grow. And this year, in particular, I think it just seems to have hit a nerve, or maybe we hit kind of some critical point, because it is definitely a much bigger, you know, in terms of the interest, the amount of feedback that we've seen on this report this year. And specifically, it's been a much bigger year than previous years, the way I'd characterize it.

Marco Ciappelli 06:18

And I'm guessing, I bet you're gonna talk about that later.

 

Karl Triebes 06:22

Absolutely. AI is on top of everybody's minds today, you know, various ways. And absolutely, that's, you know, we actually leverage AI and other mechanisms, machine learning, have done it for years, to help detect and do these things. But now, you know, with, you know, basically like Hugging Face and ChatGPT and all that, they're democratizing, you know, the access to AI, which means the barriers to entry to do sophisticated things quickly and easily is dropping rapidly. Right. And so that's where you got to be aware of this because that will change the attack profiles and the types of attacks we see. So I expect next year's report to be very inclusive, a lot of new style of attacks based upon that.

Sean Martin 07:03

And when Marco and I can get our hands on AI, and ChatGPT type stuff, we're in a world of trouble. But yeah, on a serious note, let's look back, and maybe connect it to kind of the history or some of the trends throughout the years and the report as well. What's changed from, we'll just focus on the business environments, infrastructure, I can point to a couple of things to kind of give you an idea where I'm headed with this, the number of homegrown applications within an organization, how has that changed? With that, APIs? Cloud? I'll leave it to you to kind of paint the full picture here. But those are kind of some of the things that I'm thinking of, how have things shifted in 10 years? That, here's the kicker, that have enabled bots to succeed and grow over time as well.

Karl Triebes 08:03

Yeah, I mean, there's a lot of things that have happened. And I think what you're pointing out a lot is the attack surface has changed significantly in the last 10 years, because in the past, especially enterprise, kind of the classic enterprise IT application was built fairly monolithic, you know, you would have a team that would put together a stack, and it would run in its whole, you know, on either servers within the data center, or it could be running like on a cloud server. But the application itself was this very monolithic app with the OS built in and everything kind of happened within the stack and any modifications within the stack. In the last 10 years, you know, apps have become distributed. And what that means is these monoliths had been broken up. And they do that because one, you want to have scalability, two, you want to break it up, to allow it to run in different types of infrastructure, you know, flexibly. And so those are some of the big changes. The other changes with that as well has been how the applications are put together, open source, specifically, there's been an explosion in the use of open source in the last 10 years, just go on to, what is it, the various, you know, GitHub repositories out there, and the open source projects, for sure. And these things get leveraged in many different ways. So for example, you could be building an app, you need a database, you may go to Amazon, leverage one of their databases, but maybe you're doing a self managed version of Kafka, and tying that in. So there's some open source you're having to manage and you've opened up your attack surface because now you have something that's not being controlled by you, that there could be code defects and other kinds of vulnerabilities that hackers can take advantage of, you know, good examples of that would be the Log4Shell vulnerability that came out, you know, about a year and a half ago in Java.
And so Java applications that were unprotected or unpatched were susceptible to that. So with that landscape of changes with, you know, the types of components that come together, how they're being distributed. And then on top of that now becoming API driven, because not all automation's bad automation. You know, in fact, you know, there's many cases for good automation, you know, like business to business systems, inventory management, there's all sorts of applications where you want to be able to share and freely exchange data in an automated way. And APIs absolutely support that. But because they're open, and, you know, developed by developers, you know, and I'm a developer by trade, you know that a lot of times they're focused on, you know, how do they get the business logic in, versus how do they protect the business logic, they're not security experts. And so all these things conspire to kind of create this landscape, this vulnerability landscape, that just broadens that attack surface for these different, you know, bad bots, if you will.

Marco Ciappelli 10:53

So we know that the battle of good versus evil is never ending, and we're not hoping to resolve cybersecurity issues, problem in one conversation, nor in 1500, like we've done on ITSPmagazine. But we also know that this battle goes on. And so as you mentioned, a lot of different ways that the bad guys have been working with the new technology. I'm also assuming that there are some advantages in using AI or other advanced technology. And we're fighting that battle in a different way than what we were doing maybe 10 years ago. So can you tell us a little bit about what has been the evolution on the good guys?

Karl Triebes 11:42

Yeah, I mean, you know, it is an arms race, like you said, you know, being able to keep up with these different exploits, or trying to stay ahead of them. I would say that the pervasive feature, the last 10 years, has been the sophistication of the bots and how they've increased. You know, back in 2014, we first started seeing, you know, the use of kind of mobile browsers and things like that to emulate, you know, users. And then what we saw then that following year was this explosion, like an 11% increase in sophistication. So they're now using these kind of mobile browsers, and then they were coming in, and being much more evasive. So they would start rotating IP addresses and things like that, or coming through different proxies or they start emulating human behaviors, you know, like, you know, they can try to emulate how a mouse might move and things like that. And the whole idea there is to obfuscate the fact that they are automated bots. And that's continuing, that is the one feature that we see for sure, the sophistication just keeps going up. And what we see now is part of that is that sophistication is now they're trying to take, and this is especially true of API security. So like last year, for example, 70% of attacks against APIs were what we call business logic attacks, and this is by bots. And what that meant is they go in and they surveil the application, they look at, you know, basically the endpoints, or they go and look and see what are the parameters and they try to inject information, see what comes back and take advantage, that eventually they map out the entire application, find vulnerabilities. And they either do things like account takeover, inject malicious code, things like that. And that's a big, big vector for attack. Because, you know, your application logic, your business logic tends to be very complex and broad, and it's changing all the time.
So it's really hard necessarily for developers to kind of stay on top of that, ensure that they're not opening up vulnerabilities or exploits. I mean, look at any source, you know, open source project, these are big developer, you know, centric solutions, and they're changing all the time. And you're always just seeing tons of vulnerabilities as a result of that. So it's no different when you're in house. And just imagine now multiplying your problem by all this open source that you're leveraging in there, and then stitching it together with vulnerable APIs. So it creates that big attack surface. And so what that means now is, you know, you tried to defend against these malicious users by saying, I'm gonna do behavioral analysis, I'm gonna watch and see what they're doing. And over time, observe this. And then based on that, block that. Well, as AI, we're talking about this, as AI becomes more sophisticated, and the use of it becomes more sophisticated, it's going to be much harder to detect a valid user from an invalid user because they're just going to get much better at emulating human behaviors. You know, things like CAPTCHA, you know, today CAPTCHA is kind of a way to slow down hackers, right? You go and throw the CAPTCHA up. And you assume a human is the only one that can solve that. Well, that's going to change, you know, you already have CAPTCHA farms. Now, those are going to kind of go away because anybody using AI will be able to start to evade using behavioral mechanisms. And so what that means now is that you have to look at your toolkit differently. You know, here we do things like we do client side injections, we actually look at the client, try to figure out, you know, based on what it is, how it responds to specific messages or things we sent down to it, its history, you know, previous, we fingerprint, things like that.
And that way, it helps us, you know, set some credibility, you know, understand what it's doing. We use other mechanisms like, you know, looking at low level transactions between memory and CPU space and seeing if they're, you know, accessing invalid parts of the memory or doing things they shouldn't be. That's with our RASP products. So, you know, my belief is that you gotta kind of go towards the client, you got to kind of go down in the stack. And these are the mechanisms that are going to become much more effective in detecting these AI induced attacks, or they'll be part of that toolkit, I guess, just the way to say it. Hopefully that makes sense? I know, I'm kind of going over a bunch of stuff here, but

Sean Martin 15:41

Certainly, certainly does. And I mean, your point on the CAPTCHA, CAPTCHA is only good if you're trying to enter through the CAPTCHA, but if you, you know, the logic can go around the CAPTCHA through an API that doesn't interact with the CAPTCHA, the CAPTCHA doesn't matter anyway. And then if it does get encountered, like to your point, there are many, many tools and technologies to kind of help you get through that from a bot perspective, too. So I want to look at this from a sector perspective. Because over 10 years, a lot of the new technology may have come in, and customizations and growth and scale and things like that may have been focused, or only absorbed and used by certain industries. And I think it's probably used by every industry now, some of the things I mentioned earlier, homegrown apps and use of the cloud and things like that. And certainly, with that, the use of open source and APIs and whatnot. So how have the sectors changed in terms of bot activity? Are there any particular sectors that continue to be prime targets? Are there other new ones that the demand targets? Are they targets? Or is it a matter of just the nets being tossed, and those fish now are in this sea that they weren't before? Kind of paint that picture for us, if you don't mind?

Karl Triebes 17:16

Yeah, I mean, it has changed a bit. I mean, the number one place to attack is, you know, the financial services industry, you know, banks and others, you know, account takeover attacks, you know, carding scams, you know, things like that, because those have real money sitting behind them, you know, like a carding scam, if you can take like a gift card or a credit card, and you can just start pumping numbers in there until you get a hit, then that's cash, basically, that's gone. And so you see a lot of those. There's others, I'd say one of the bigger ones now is like on the e-comm, you know, e-commerce side because of the explosion of e-commerce, and especially, you know, during the close downs with COVID. That's really exploded. And so everything from, like I mentioned earlier, these Grinch bot attacks, where they were buying, like gaming consoles at Christmas time, and then reselling those for like four times the price. They do that like a lot of times for like events, tickets and things like that. But you also see, like, within the leisure and travel industry, a lot going on there with web scraping, would you say are scraping for like pricing information. So if you get your competitors' pricing, and you can get that then you can adjust your pricing and do that. And so there's things like that, that go on in numbers. So one of the big ones we saw last year, and this actually wound up being more about DDoS style attacks, was, you know, geopolitical. When geopolitical strife has hit, we'd see like, a lot of attacks, like on government sites, you know, you can imagine the countries where some of this was happening, especially back at the start of the Ukraine, you know, Russia conflict. But you saw it in other parts of the world when there's other issues, you know, other things where they come in, attack government websites, shut down services and do things like that.
So you're seeing more of that kind of thing happening based on politics or political events or, you know, world events, geopolitical events, I should say.

Sean Martin 19:14

So what, what are some of the most, and I'm a fee, if they're called payloads, with the outcomes of these malicious acts performed by bots, you mentioned DDoS for is one example scraping prices is another cutting, give us a picture of what some of those common ones are? And if there had been any significant changes in the last 10 years or even just last year? Some of those?

 

Karl Triebes 19:43

Yeah, I mean, one of the big ones is account takeover attacks. Because what attackers will tend to do is, you have these data breaches, and then they'll sell that breached material online to these attackers and then what they do is they buy it. And then basically, they just keep trying different sites, and just sequencing through these credentials or these credit cards or whatever this data they have, in hopes to get a hit. And that's kind of one profile. But to do that, obviously, they have to use, you know, evasive technology, you know, very evasive techniques, because trying a bunch of logins from one IP address, that's going to get caught right away. You know, that's a basic thing, you can set up on any Linux server three strikes, and you're out, right? So what they do is they rotate IP addresses, or they will rotate where they're coming from, you know, from different geos, because it's easy to block on geo. So I might say, oh, I'm gonna block addresses from this country. Well, they can go through a proxy somewhere and do that. They can also then defeat challenges, you know, because another technique is to say, okay, I think you might be an invalid user. So I'm going to present a challenge, like a CAPTCHA, or they have to enter some other information. So I think, you know, those will become easier to defeat. But, you know, account takeovers is probably the most common one that we see out there. And again, we're beginning to see now the rise of the business logic attacks, like I mentioned earlier, that's more aligned with APIs. APIs have become really that new area where there's so much focus from attackers, because that market has not matured yet, you know, the belief was, oh, my API gateway is safe, because I'm authenticating the user. Well, that's all fine.
But how do you manage an invalid user, you know, that stole some credentials or something else, and they're able then to get in, and then, you know, have at it on your API back end. There's nothing looking at the actual data, for example, or how they're trying to manipulate the flows or the business logic within the application. So we're seeing a lot more of those types of attacks. Like I mentioned, about 70% of bad bot attacks were these API attacks, you know, spell against the business logic.

Sean Martin 21:59

And I know Marco's probably jumping to get in. But I have one more point on this that I wanted to touch on, it's about the advanced piece, and more so the evasive nature of these things. Certainly not a lot of money to invest to get a bot running. And if there's a lot of low hanging fruit, it doesn't have to be too advanced, it can be simple, right? To create a bot that does something for you, especially if it's very targeted, you know, there's a weakness there that you can exploit. As the surface becomes more complex, and as the logic is more complex, and perhaps even some of the general protections that are in place become a bit better, they have to become more advanced in how they conduct their activities. But then there's this idea of being evasive, so not just advanced in its ability to succeed, but also its ability to remain undetected. Right. So, you know, don't know that actually something bad happened. So I don't know if I described any of that in a good way or not. But if you can kind of give us the description of those levels, and what organizations need to think about with that in mind.

Karl Triebes 23:26

Yeah, no, I think it's a great question. Because these bot attacks, like I said, the sophistication is going up, and we see what we call a lot of these low and slow attacks. It's not like an attacker shows up and just throws the kitchen sink and everything at you, they tend to show up, and they'll try one thing for one IP address. Later, they'll try something else. And they'll just continue to do that kind of probing in a way that makes it very hard to detect, unless you're actually keeping track of all these different login attempts and what the behaviors look like and then be able to correlate and then start to establish that there is an ongoing attack, that this is actually bots coming in and doing this. And that's why it's so important to think about having, you know, the bot protection solution, because it's what's delivering the attacker's intent, you know, it's what's delivering the bad things. And so if you can eliminate that surface, or even mitigate it, you've taken out a big chunk of that toolkit that they go after you with. Now, of course, the key is you got to allow the good bots, because like I said earlier, there's plenty of good bots. So you have to look for solutions that are able to reject with high fidelity, you know, the attackers and the bad guys, but present low false positives so that you're not blocking business. The big thing we always hear is don't stop my business. I mean, that's not security, right? That becomes a brick, and I can't deal with that. So you have to ensure that that business continuity goes on. And that's key for this. So, you know, low and slow is most insidious. In fact, you might find this interesting, one thing we started seeing was, we'd start seeing these, like DDoS attacks, you know, like these network DDoS attacks.
And then, you know, the IT teams would get fired up and be focused on that and reducing that, while behind the scenes, it was obscuring this bot level, kind of bad bot attacks, you know, these low and slow attacks kind of coming in around it, and they weren't paying attention to other LibAnswers alerts going on the back end, because they had all this noise on the front end. And so that's why we also think that it's important to, you know, to have a solution that's multi layer, one that can reject those types of attacks, that can reject, you know, webapp, perhaps other, you know, bot attacks, and present kind of that unified picture of what's going on. So you can capture this, because I also think that's going to be the future, that you're going to get attacked on a number of fronts. But only one is really trying to go in and get your critical assets, your data or your financial, you know, money, if you will, or Bitcoin, whatever. That's the profile, I think, that we're going to continue to see more and more of as AI gets more sophisticated for these attacks.

Marco Ciappelli 26:23

Well, you went there, you said future, you said AI, so I'm going for it. When you were talking about, you know, the detection part and how sophisticated they are, you mentioned CAPTCHA, and whatever. And I'm thinking like, this is the same problem they were having in detecting if something is written by ChatGPT, is done by DALL-E or another online, you know, Midjourney or whatever. I mean, how good is it going to get? And I'm wondering, because I heard the story about this student making a paper that was so good and creative, that the teacher told him, you must have done it with ChatGPT, because it was kind of too good. The assumption. So in a way, I'm thinking, do we need to start looking at fault into the humanity, because the bot is going to be so good that you're going to tell, you're too good. You're too human. And you don't look, maybe you're not the human anymore? I mean, it's a big philosophical question here. And I want to touch that with, where are we going with this? Because I feel like it's not financial damage to the business, it's going to become much more than that. I mean, it could be still financial, ultimately, but coming from copyright issue and branding, preposition that are completely distorted. So truth, false. I'm a little bit concerned.

Karl Triebes 28:00

I'm allowed to answer

 

Sean Martin 28:02

The simple use case of the false reviews driven by bots and things like that, right? I mean, just one, to your point, Marco, on branding, and getting that credibility and all that

Marco Ciappelli 28:14

kind of stuff, right? It's not just the stealing the credential, these actually say, you know, I'm gonna damage you like, the base of your reputation. So, some, some thought on that.

 

Karl Triebes 28:28

Yeah, I mean, that is, you know, the typical DDoS type attack, right? It's to damage your reputation because it takes your service down in some fashion or, you know, ransomware, it's another kind of variant of that, right, they're basically holding your service hostage. So either you cough up money, or they have some other political or other motivation in the end that they want to have, you know, taken care of as a result of that. The way I tend to think of it with AI and ML is that yes, you'll be able to much more easily emulate valid humans, right. So and you're right, that probably, if things are too perfect, then that may be a flag. But in and of itself, that'd be enough to make that kind of determination. That's not saying you have to use other factors to validate and see, because it all becomes part of the toolkit, behavioral mechanisms are just going to become less effective, in that you can't weight those as much, you have to look and find other ways to establish integrity of that, and the fact that, you know, AI will be so fast in how it learns and responds, that will also be more difficult because now, you know, now, hey, if I'm going to, you know, get a botnet going, I'll get some feedback, I'll see what's happening. Maybe I've put some instructions in there, but I don't know necessarily what's getting rejected, what's not. And it takes me time as the attacker to go and update the code, you know, update the botnets and do that. Well, AI is gonna do this in real time. You know, it's going to be able to just quickly learn, figure out, I'm going to map out this business logic in, you know, say minutes versus days or weeks that it would take a typical hacker to go through and figure that out.
So it's going to be more about kind of speed, and being able to act quickly and use more these immutable mechanisms to give me a sense of the integrity of that connection, than trying to kind of ferret it out based upon what they're doing. So that's the way it has to go. And that's why I said, you got to kind of go down stack and see what's actually happening under the hood more, or go and look at the client and see what they're doing. Identity will become another component of this as well, just making sure that there's high integrity in the internet, but you're gonna have to look in those three or four areas, instead of now where a lot of behavioral mechanisms are used, you know, in, you know, different products.

Sean Martin 30:39

And so, kind of with the, I can't help now, but look at the future, to see, where might we end up with this. But let's, let's kind of look back 10 years to now as well, kind of the growth of, of automation, and good versus bad. Where do we sit in terms of, I mean, how much how much human traffic to automated traffic was there early on 10 years ago, compared to now and how much is good versus bad? Early, early on, compared to now, because my sense is the automated while the automated is going to make it just the scale difficult to, to really get a handle on. And then the the fact that there's so much bad, you're spending a lot of time finding bad that, that there might be something good there you are, to your point earlier blocking a lot of bad, and but also blocking a lot of good. So any any insights onto some of that, that change over the last 10 years?

 

Karl Triebes  31:45

Yeah, I mean, this year alone, just a one year, we went up over 5%. And the amount of traffic that was automated to almost 50% is like 47.4%. So it just continues to climb. I believe it was roughly half that 10 years ago, and the percent of just bot traffic. So it just continued to climb. In a few years, it's probably gonna get to 70 80%. I mean, that's just the nature of it. Because more and more automation is being leveraged, you know, everything from mobile applications, to these b2b apps to having highly distributed applications all over the place to IoT. IoT is another great example. In fact, IoT is probably another good example of, you know, things that can be used to create botnets and things like that. Right? Because you see a lot of, you know, for example, 10 years ago, one of the big exploits was hacking cameras, internet, IP, exposed cameras, you know, things like that, and then they were turned out those were actually a big source of botnet attacks. At that time. Now, it's all over the place, but But I expect that to continue to grow, but But it's, it's been, you know, right now, it's about like, roughly half the traffic. And of that traffic 30% of that are bad bots. So, you know, so that's, you know, we're talking, you know, 15%, roughly, of all traffic on the internet, bad stuff. You know, that's a lot of bad traffic out there, isn't it? And, and so, yeah, exactly.

 

Sean Martin  33:12

Is there, is there an impact on on bandwidth and throughput? I mean, it because that's, that's a lot of garbage. On the internet, I don't know how much of that actually then enters into a business as bad. That kind of slows other processes down? Any? I don't know if that's part of the report, or not sorry, for not knowing but any any insight on on that?

 

Karl Triebes  33:39

Yeah, I mean, bot traffic, in general, is more transactional, you know, you know, aside from like a DDoS attack, that's typically you know, more of that volumetric style, I'm just going to throw a bunch of network, you know, things at at, you know, at somebody's, you know, website or their network, whereas the sophisticated attacks tend to be pretty low bandwidth, because all they're doing is trying to get into that application. So it's just a lot of pipe filling, with the now that you don't need to back that's one of the reasons they moved that sophistication is that you can have a much smaller botnet, you don't need to have these massive volumes of stuff being tossed at, you know, you know, front ends through Well,

 

Sean Martin  34:23

which then makes it difficult, more difficult to detect because it's not filling up your pipeline slowing stuff down, either.

 

Karl Triebes  34:29

You can't just look at a threshold and say, oh, yeah, there we go, you know, you can't do that.

 

Marco Ciappelli  34:33

So it's kind of like as you were saying, as eventually if there is the noise, the noise is the distraction and then the the real attack it's it's goes more undetected. So it's making me think about, you know, strategic war war strategies here, you know, make some smoke there, but then we do that attack on the other side, but I also makes me think maybe we We started closing with this the fact that there was a number about the advanced attack classified as advanced. And I remember one of the past year that we were doing the reports, we went through the whole classification on, you know, what's bad, what's worst was even worse, and so forth. And now it seemed like the advanced one or the one that are prevalent. I was looking at 51%. Yeah, more than the year before classified as a advance. And I cannot not think about this is due to, again, machine learning and AI, where everybody can just go and say, Hey, write me a code for for something really effective. So everybody could be a potentially just become a bad guy.

 

Karl Triebes  35:51

Yep, sir. Certainly, yeah, we started doubled last year, basically, it went from 25% of bad bots to 50 over 51%. So yeah, AI for sure, is playing a role in that also, just the availability of the toolkits, the hacker toolkits out there. And those are, you know, become more freely available. And then also the fact that I think that the targets over API's, and, you know, is necessitated more of these sophisticated attacks, plus just the general, you know, bots solutions, such as ours has just gotten so much better in the last few years in terms of their ability to defend against these attacks. So there, they have to move up in order to get that you know, paydirt, if you will. But But yeah, and I expect this, I bet you're next year, that percentage will be 75%. Probably, that would be my guess, right now. You know, just because I think everything has to move in that direction, it'll get a lot easier to do that.

 

Sean Martin  36:44

And I was looking at the report, it looks like the top two countries are America and Australia. Which shows me that, well, they're both English speaking. So I don't know what if you have any sense of what makes them targets? Is that there's just a lot of innovation there or that they are English speaking, or? And do the bots care about the spoken language of the people that it's targeting? Does that matter?

 

Karl Triebes  37:16

No, I think it has to do probably with the openness. First of all, you know, for example, US, open country, biggest economy in the world. So that shouldn't be a surprise. And we're probably the biggest online presence in the world. You know, if you think about it, right? Every bank every you know, Australia, obviously is a bit smaller that there, they also tend to be least my experiences, they tend to be very forward looking on adoption of Internet technologies and all that some of our biggest customers for Imperva are down there. And they're definitely ahead of the curve. We have a very large bank we work with down there and some others. And I've worked with many in the past in my previous lives. So So I think it's just more about online presence, sophistication, openness of the country, I don't think it has, I don't think it matters, you know, languages or cultures or things like that. It's more tech presence and the ability to, for hackers to find kind of a fertile ground to go after.

 

Sean Martin  38:15

I don't know if, if, if it's possible or not. But I mean, we've talked a bit about the impact it can have. We didn't talk specifically numbers of how much these things cost yet, but clearly, there's a there's a need to mitigate this stuff, right. And, obviously, you have customers, so they trust you to help help mitigate this risk and protect their apps from these bots. Any stories you can share, where organizations saw a large bot attack that could have taken them down or cost them a huge amount of money or, or just simply overwhelmed their team to where they they couldn't deal with other things, kind of the deal with the noise, and then the business falls falls apart as you're doing that. Any? Any stories you can share with us?

 

Karl Triebes  39:18

Yeah, I mean, I can't talk about specific customers. So it's up to you. I mean, where we see some of the biggest, you know, large scale attacks has been travel industry, you know, like booking airline reservations and things like that. And you know, we've that's actually a big vertical for us, but that's where we see some of the biggest kind of web scraping attacks. And I was kind of surprised to see the volume or the amount or the you know, the the ingenuity of those attackers, to the point where if we're not protecting, you know, they they go into paralysis, because they just get such a volume of traffic because everything's hitting their API, so it actually gets expensive for them. They actually, they lose money, because they're having to pay so much. Because you know, API gateways charge, usually by transaction or there's other things, you know, you're moving a lot of data around on the back end, that actually cost them quite a bit of money not to have a solution there to reduce that traffic. So it's not always just the data and protecting the assets, but it was literally hundreds of thousands of dollars, that they were spending, you know, to, you know, to deal with this additional volume of traffic that they didn't, didn't want to deal with. So that that's one example of one that that we've seen. There's others were large, basically, it was a large company. It was funny, they're, they're very happy with us. They're protecting, we're protecting one of their other sites. And then they came under attack on an unprotected site. And it was just raising hell with the system. And it was kind of funny, because the CISO that that ran it, he said that, without getting into specifics, they released a new product. And it was one of the biggest product offerings ever. And for them, you know, they hadn't done it years.
And what normally had happened in the past, they're worried about web scrapers get you know, these the actually these Grinch bot types getting on buying a bunch of this. And so in so they're they're very concerned about that we're protecting that. And what happened was at the end of it, he said that we were so effective, he had something happen, that never happened before. He actually got complimented on how good the infrastructure handled this. And it was funny, because then a few days later, then they came under attack to an unprotected site. They called us, we set up in front of it, we took that down, but it was the first time actually, he said that he's ever been, you know, they had somebody actually compliment them on something. So I thought, good, that's that's something to put in a check. You know, hey, security, we actually made us so happy you got a compliment. That was a new one for me.

 

Marco Ciappelli  41:52

Usually, when people are happy to not necessarily write reviews, right, but when they are pissed, that's when you get a lot of it. So let's see. So that get compliments that goes in the book.

 

Karl Triebes  42:04

Yeah, I figured they're gonna be a customer for a while.

 

Sean Martin  42:09

You said the magic word for me. And that that's infrastructure and, and don't need to look 10 years back necessarily to talk about this. I'm more interested in the now. Because Because the problem has grown so much, and the sophistication and advancement of the bad technologies have flourished. How does an exam and the I guess the company's infrastructures have changed dramatically as well. So how does Imperva now keep up with and fit into the modern environments that are multi hybrid cloud with containers and Kubernetes and apps everywhere and open source and shared this and an API that and you get the picture is it's how does Imperva fit into an organization now, where a team can actually manage it? And perhaps you help them with that as well, to stay ahead of this?

 

Karl Triebes  43:08

Yeah, I mean, the way we're focusing is that we want to protect apps regardless of where they're running, which means apps. And to do that means we have to be able to provide protections, whether they're public facing apps, their private apps, they're running their own infrastructure, they're running cloud infrastructure, it doesn't matter to us, we want to make sure that we can apply our protections in a lightweight, easy way to consume. So customers can buy our SaaS offerings, or they can buy what we call our anywhere offerings. They're all centrally managed, and can be deployed in a way that, hey, I just want to use your service. So for example, you know, when I got a web app, it's a public facing web app, I'm just going to let you front end it with our with your, your web service, well, then maybe later that time, same customer comes back. So you know, I have these API's, some are public, some are private. So what I'd like to be able to do is defend the public ones, but I also need the same security policies to defend the private ones, because, yes, maybe I don't expose them to internet, but they still get access, and they're still being transacted. And we want to apply protections to be in the same way. So our view is like, let's have one set of policies and multiple ways to allow customers to leverage that. And so that's kind of the that's one key aspect of it. The other is that they have to fit within these frameworks, right is that, that is if you're running like, you know, cloud native, off, you know, basically your, excuse me, if you're running an application that's built on a cloud, cloud native technology, let's say Kubernetes. To apply protections, you can't have some big heavyweight thing sitting in there, it actually has to operate seamlessly with that with that microservices environment. So it has to plug in nicely to that.
And so that's the other aspect of it is that it's lightweight and easy to fit with how these highly distributed apps, wherever they're going. And then finally, you have to have that intelligence to to block these types of trends, you know, types of malicious behavior. And so, you know, we have a variety of mechanisms, everything from machine learning, but also we have a, we have a dedicated threat research team. And what they do is they're, they're, you know, looking everywhere, they use various mechanisms to detect everything from honey pots to, you know, different ways to interrogate and, and look for malicious behaviors, we, we look across our existing, you know, we have, you know, 1000s of customers, and we see all the transaction histories across that meaning that we see all the events and what's happening. And we're able to, you know, see attacks as they evolved in many cases. In fact, the Log4Shell attack that happened, we actually saw it developing about a week beforehand, started seeing this kind of pop up. And once we were able to get an insight what's going on, we, we had it blocked immediately. So all customers, by the time it got announced about a week later, we had been blocking protecting our customers for days. So So you know, we see those times, we get that kind of visibility. So we have to continue with that we have to always be out there, we're trying to be, you know, again, like I said, it's an arms race. And we have to stay in front of it. And as we go on, you know, AI and machine learning, which we already leverage is going to become a much bigger component of that, because it's not just about using the automation to provide, I think of it as the force multiplication, it provides the ability to assist our threat research team and their mission. And being able to ferret things out quicker and much with these more sophisticated attacks. That's where I think the real value is for us as a as a security company.

 

Sean Martin  46:27

Nice and it? Are there cases, I would imagine if if a bots extremely successful. And it has a significant impact on some, some operation that ends up impacting financial results. It's pretty obvious, right? And then you probably get that call other other less obvious scenarios where the bots are running under the radar and scraping little bits here and there. So you don't you don't really see the big impact, but there is an impact? And if so how do you work with companies to kind of uncover that, to let them know that they have a problem that they didn't even realize?

 

Karl Triebes  47:13

Yeah, I mean, one of the key mechanisms for us is to show them the problem. And we do that through a variety of mechanisms. But one of the big ones is that if if, you know, if they're already running on our service, it's very easy for us to say, well, you know, do you know what you're, you know, do you know how many API's you're using, you know, at the endpoints look like, you know, for example, we can do that discovery process, and then show that to them, you know, we offer we call attack analytics. And so that shows kind of these, these different categories of attacks or threats that they're experiencing. Same thing with, like bots, you know, problem is, like you said, most, most out there actually don't realize they have a bot problem. That's actually happening all the time. And they don't realize these things are just ongoing on their sites. And so, you know, it's not until, like you said that something actually gets breached, or some bad thing happens that they are necessarily cognizant of that could be ransomware. Could be whatever. And so, you know, we tried to show them, hey, look, we saw these type, we saw these account takeover attempts. So you might want to do something about that. Right? Yeah, this is not a good thing.

 

Sean Martin  48:26

Some percentage of that 15% of bad, exactly is going their way, even if it's not all 15%. Some of it is,

 

Karl Triebes  48:35

Yeah, I'll tell you right now, if you got a website, you got bought it, you got bad bad activity on it, no matter who you are, it's just out there. And it's just a matter of time that they're gonna find something or you're big enough target, and it'll just happen. But it's out there everywhere. Just given that number. I still remember this goes back eight years, nine years. This is my home network. I opened up, I was doing some backups between systems. And you have to open up port 22, which is SSH, right. So I'm on an ephemeral IP address on my home router. And within an hour, I had four different attacks, where they came in and tried to do account takeover, basically just throwing, like, you know, basically default passwords and things like that at it. But that was with the ephemeral IP addresses, or excuse me, ephemeral ports, if you will, and ephemeral IP addresses on a home network. That's how that was eight or nine years ago. So what that meant is that there was just bots out there trolling just to see if that port was open for 22. So now we're eight years later, a much bigger network, much more sophisticated bots. You can only imagine what that looks like. It's just everywhere pervasive all the time.

 

Sean Martin  49:43

pervasive, I think that's the that's the takeaway word.

 

Karl Triebes  49:47

The operating word pervasiveness

 

Sean Martin  49:50

which means means you need to be persistent in in how you deal with it. Well, Karl, I mean, this has been fantastic. At a nice look back, maybe not the best, most uplifting subjects until you until we talk about the fact that you can you can protect yourself against this protect the business from it. But interesting to take a look back to see how we've, we've progressed over the years, both in the operating environment and in the attack space. Any any final thoughts? Before we wrap here?

 

Karl Triebes  50:29

Yeah, no, just I just to reiterate, like I said, you know, I think pervasiveness is the key thing, and that it's out there, people don't see it until something bad happens. And you want to you want to stay in front of this and in the opportunity for bad things to happen. It's just going to increase I think so. I know, it's not that, you know, the most uplifting message, like you said, but but, but, you know, there are companies like us that to help manage that. And, and, you know, like I said, that's all we focus on. That's, you know, we're not trying to be beyond that. That's, you know, security is our thing. And it's something we spent 20 years, hopefully getting right.

 

Sean Martin  51:08

And we barely scratched the surface. In the bad bot report. I know, there's so much information in there. I mean, it's probably the same message at the end of each of these conversations you've had over the last few years, there's so much pertinent info there that your organization can glean and help you define where you should focus based on your size and your industry and the environment you're running in, and blah, blah, blah, all these factors. And thankfully, Karl and team at Imperva have your back here. So we'll include links to the bad bot reports and to the bad bots, protection solutions and services. So folks can look at all those things. Of course, Karl's profile will be in the notes as well. So if you have questions specific that Karl can answer, not me. You'll be able to contact him there as well. Good stuff, Marco. I mean, we started with ghosts, no ghost here, just 15% bad bots. And there are still ghosts. There are ghosts, they're all

 

Marco Ciappelli  52:15

in the machines. And that was my, you know, drumroll at the end. Right. Thank you, Karl. Very interesting conversation. Really appreciate it. And always appreciate Imperva to join us for this fantastic conversation that we hope are very educational for our audience and certainly was for me,

 

Sean Martin  52:42

an annual tradition. So thanks, everybody for listening. Check out Imperva Stay tuned for more conversations. There's a lot going on. There So thanks, everybody.

 

Show Intro  53:00

We hope you enjoyed this conversation. If you learned something new and the story made you think then share itspmagazine.com with your friends, family and colleagues. We hope you will come back for more stories and follow us on our journey. You can always find us at the intersection of technology, cybersecurity, and society