The 2023 Imperva Bad Bot Report: bots and corporate governance

Getting your Trinity Audio player ready...

• The Imperva Bad Bot Report this year suggests greater bot sophistication.
• The “middle class” of bots has shrunk significantly.
• More sophisticated bots mean a necessary change in approach by businesses.

In the tenth annual Imperva Bad Bot Report, there’s a full enough picture of bot activity in the year 2022/23 to reach a range of conclusions.

In Part 1 of this article, we spoke to Peter Klimek, Director of Technology, Officer of the CTO at Imperva, about the rise of bad bots during the year to fairly unprecedented levels over the ten years the Imperva Bad Bot Report has been running.

In Part 2, we got into the details and the explanation for the rise in bad bot attacks on APIs particularly.

And in Part 3, we explored what the Imperva Bad Bot Report this year could tell us about the impact of a massive emerging technology, generative AI.

Towards the end of Part 3, Peter mentioned the notion that given the rise in bots, coupled with the growing normalization of generative AI, the way that corporate governance was managed would have to adapt around the rising techno-norms.

To ease ourselves into an examination of what that meant, we started out with some straightforward prophecy.

The Imperva Bad Bot Report – five years on?

THQ:

Where do you think we’ll be five years from now? In terms of the fight against the swarm of bots?

PK:

I’m personally pessimistic in this regard. To be fair, I wouldn’t be a security professional if I weren’t pessimistic about it. But I do think the technology is advancing to a point where bots are just going to be a much, much bigger part of pretty much everything that we do – part of all our interactions on the internet.

THQ:

So…they’re not going away, then?

PK:

I personally believe they’re really going to detract from the value of the amount of time that people spend online, and what they get out of it.

In particular, the big challenge for businesses is that they’re going to have to really think about the overall trust and safety of their platforms as a whole and the experience of users, because if it’s infested with bots that are basically just making a lot of noise and drumming up drama, the platforms’ engagement rates will suffer.

And even if their engagement rates look really good, for advertisers on those platforms, bots aren’t clicking on ads, they’re not buying products, they’re not following through, so there’s not going to be as much incentive for them to advertise on those platforms.

That’s why I think this is one of the biggest things that organizations really need to think about. What’s the long-term impact of these bots going to be on your service? And how will it impact the overall user experience in your application? Because if there is a negative user experience, it’s going to cost you.

A bot-infested swarm-hell?

THQ:

So the future of the human race is not so much Orwell’s boot stamping on a human face, as a bot getting in a human’s face, and driving them elsewhere?

The suffocation of the internet as a whole in a kind of dystopian bot-infested swarm-hell?

PK:

I’ve seen what bots can do. I know where they’re going. I know how hard they are to detect. I think that’s one of the other challenges. They’ve become very crafty and so damn bad. It really takes a lot to actually go and battle these things. So…

THQ:

…They’re increasingly avoiding detection, and they weren’t that easy to find in the first place. So what does corporate vigilance have to look like in the world of the bots? And how has that changed in the last year or so?

PK:

Talking about how they’ve avoided detection is really interesting for us. One of the really big stats that we pulled out from this year’s Imperva Bad Bot Report was that historically, when we look at bots, we classified bad bots based on their sophistication level.

The Imperva Bad Bot Report and the Alien movies.

We’ve got three simple categories. We either say bots are simple, moderate, or advanced.

The simple bots are the ones I talked about before, where they can just easily go and scrape something very quickly and easily. They’re easy to identify, they’re really not very challenging. The moderate bots can do some very interesting things: they can process JavaScript, they can crawl sites that are more interactive, but they’re still not really doing much to cover their tracks.

And then there are the advanced bots.

The advanced bots are the ones that are really spending the time and energy to evade any sort of protection mechanisms that exist.

THQ:

Forgive us our geekeries as we forgive those who geek out around us. What you’re talking about is the equivalent of having a Facehugger, a Chestburster, and an Alien Queen, right?

PK:

You… may be right.

This year in particular, we saw a squeezing out of the middle class of those moderate sophistication bots. So the moderate sophistication bots decreased by 25% or thereabouts year on year. The downside of that is that the advanced bots –

THQ:

-The Alien Queens –

PK:

-increased by around 25%. So you effectively had this graduation in sophistication levels from these different thought-operators. That shows you this cat and mouse game of what’s ultimately happening.

 The Queens are cleverer, stronger, and more or less determined to ruin your day.

Bot operators are like malware authors. For every new defence an organization deploys, the malware operators, the bot operators, will try to figure out ways around it. And so they’re constantly changing their tooling. They’re constantly changing their applications. And so you need ways to stay ahead of what they’re doing, and be able to detect them.

This is a really big part of what corporate governance in BotWorld looks like.

The Imperva Bad Bot Report: the power of the fake-out.

The other thing is that when we consult with customers, we always talk to them about the fact that not every mitigation strategy is to simply block the bad bots. Sometimes you want to use deception. We’ve seen instances where ecommerce customers are going in and returning fake data for some of the bots if they’re trying to scrape prices. They’ll say “Here,” but won’t give you real prices, but 20% markup prices.

Those are some of the cleverer tactics that we’ve seen in the gaming industry. It’s very common now that they take bots and cheaters and things like that and put them on separate servers. So they can go and they can play against each other, and they’re not impacting normal users.

THQ:

A play-prison! We love it.

PK:

It’s one of the more creative solutions that are at the disposal of organizations.

Similarly, if you’re doing a highly coveted merch drop, you might say “We’re going to segment all of our users into a waiting room while we’re thinking about this,” – but you set up two waiting rooms, including one that’s just for the bots. You let the users in first, so you avoid the consequences of Taylor Swift or PS5 bot action. And then anything that’s left once the humans are done, you let the bots come in and buy, so you don’t lose out.

THQ:

And the sophistication is there in programming terms to identify and separate the bots?

PK:

Oh yeah.

What I think is most important is for security teams in particular to work with the business teams to figure out what needs to be done to actually deal with the problem and have the appropriate mechanisms for responding to it.

There will be instances where you want this bot traffic, or that bot traffic does serve a purpose. But finding those appropriate mitigations is really one of the most interesting and most fun challenges of the problem.

THQ:

So what you’re saying is that the future if full of bots, but as well as evolving the next Patent Pending Bot-Squasher, we need to accept that the world will be full of bots, but get a whole lot smarter on what we want our outcomes to be, understand what bot-operators want, and try and shift the battle onto an intellectual battleground, rather than a simple tit-for-tat arms race of “Here’s our new thing”?

PK:

Oh, that arms race will continue. Because some of the bots out there are genuinely impressive. I came from the malware and fraud prevention industry, and some of these bots are evidence of some very smart minds at work.

And clearly, they’re getting a pretty good rate of return for their work. Unless that changes, the war against the bots and the botmeisters will continue.

THQ:

Even as we get more accepting and more sneaky about the whole thing…

PK:

Oh, everybody’s always trying to get more sneaky about the whole thing.