This is the first of a three-part series of AppSec predictions for 2021. You can read the complete series here.
Every year(ish), I publish our AppSec predictions — three of the threats that look to be the biggest problems in the upcoming year. In the past two years, the predictions were: credential stuffing/account takeover attacks, API attacks, and supply chain attacks.
This year is slightly different. The predictions are a little more targeted, but they are mostly around the same lines. Over the past year, we’ve augmented our Threat Intelligence Service (part of Barracuda Advanced Bot Protection) with more sensors and intelligence. Combined with our customer conversations and other threat research, we have the following predictions:
Bots will grow smarter and become a bigger part of mainstream awareness
In a way, you could say that pandemic-induced boredom has caused the public awareness of bots to come to the forefront. Bots — especially sneaker bots — have been growing in popularity over the past few years. People used these bots to “cop” the latest sneaker or other popular limited-item “drops” and then resell them for profit. This trend has been growing for quite some time, but the release of the new AMD RX6000 graphics cards, Ryzen 5000 series processors, and the Sony Playstation 5 has led to pretty much everyone interested in these products and learning about the bots.
The reCAPTCHA approach is an example of how bot mitigation solutions are more likely to annoy humans than bots. The older image-based reCAPTCHA that we all know and “love” broke a couple of years ago, and Google released v3 , which is based on user “reputation.” One of the things that give you a higher reputation is the behavior of your Google account, and there are now services that can provide you with “high reputation” accounts.
While we talk about the exploitation of scarcity and running bots for resale, the socio-economic factors that contribute to the rise of bots is also quite important. To start with, bots are expensive. Really good bots cost thousands, and people end up renting out bots to make money. Beyond buying the bot, you also need to buy subscriptions to good residential proxies because all the good sites block the usual suspect IP ranges, like specific countries and datacenter IP ranges. So, it gets quite expensive to buy and run a bot. However, in our research, we are seeing more and more people getting into botting, especially around bigger launches. There is a whole economy around bots, with marketplaces like Tidal, Botmart, Botbroker, etc. Some of these marketplaces have middlemen who will make sure you don’t get scammed while buying or renting bots. Most bot makers have their own discord support channels and offer proper support. The bot economy is quite big and is going to keep growing quite a bit. This economy also runs on scarcity; Cook groups or the groups that provide all the support and information for bot users have limited spots and cost a fair bit in terms of subscription.
Getting back to the people who are actually doing the botting and resale, we’ve seen a number of posts on the various forums from people who are getting into botting in just the past few months. People are hurting economically and see this as a way of making some extra cash. There are posts on forums of people trying to figure out the cheapest way to get into botting and talking about spending their savings on bot rentals to make some money during the holidays. A growing number of people from the EU and Canada are getting into this scene, which was earlier dominated by U.S. users. A number of these users are students.
In our Threat Spotlight from early December 2020, we looked at two specific patterns in bot behavior. We looked at data from our Advanced Bot Protection systems and had two specific findings: one, bot makers seem to follow a regular schedule of working hours; and two, bad bots seem to hide quite well in standard browser traffic. It's a small wonder then that Gartner predicts in their 2020 WAF Magic Quadrant that bot protection is now an ever-growing part of web application protection.
By 2023, more than 30% of public-facing web applications and APIs will be protected by cloud web application and API protection (WAAP) services, which combine distributed denial of service (DDoS) protection, bot mitigation, API protection, and web application firewalls (WAFs). This is an increase from fewer than 15% today.
Source: Gartner Magic Quadrant for Web Application Firewalls 2020
Come back next week for part two in this series. Meanwhile, join our application security experts for an informative panel discussion about current cybersecurity trends, web application security, 2021 technology predictions, and a lot more. This webinar is free and available on-demand:
2021 applications security predictions: Bot, API, and supply chain attacks
Watch the webinar here
Tushar Richabadas is Senior Product Marketing Manager, Applications and Cloud Security, Barracuda. Prior to this role, Tushar was a Product Manager for the Barracuda Web Application Firewall and Barracuda Load Balancer ADC, with a focus on cloud and automation. Tushar has a wide range of experience, from leading networking product testing teams and technical marketing for HCL-Cisco. Tushar closely tracks the rapidly increasing impact of digital security and is passionate about simplifying digital security for everyone.