Nearly half of all internet traffic is now generated by non-human sources, and a growing share of that activity is driven by increasingly sophisticated bots. In this episode of The Business of Cybersecurity, Neil is joined by Lynn Marks, Senior Product Manager at Imperva, to break down the findings from the latest Bad Bot Report and explore what businesses need to know as these threats accelerate.
Lynn explains that bot activity is no longer primarily about brute force or exploiting technical vulnerabilities. Today's attackers are targeting business logic itself. From automated purchasing of high-demand items to manipulating pricing and availability data in the travel sector, bots are now bypassing traditional security tools by taking advantage of how platforms are designed to function.
APIs are particularly vulnerable. Nearly 50 percent of account takeover attacks now target APIs directly, largely because they are abundant, consistently structured, and often poorly monitored. Shadow APIs and lack of cross-functional visibility create significant blind spots for security teams.
Some industries are facing an outsized share of these attacks. Gaming platforms are targeted for their in-game currencies and experience systems, while travel providers contend with constant scraping of flight data and availability. In both cases, attackers are capitalizing on high user demand and competitive pressure to exploit weaknesses in systems that were never built with these threats in mind.
Lynn also discusses the rise of residential proxies and mobile user agents, which make it increasingly difficult to distinguish real users from bad actors. And with a surge in global AI regulation expected in 2025, she outlines what organizations can do to prepare. From understanding internal AI use to implementing layered protection across APIs and mobile applications, Lynn provides practical advice for teams looking to get ahead of the threat curve.
In a digital world where nearly half of all traffic is now synthetic, how confident are you in your ability to spot the difference?
[00:00:06] Almost 50% of all internet traffic now comes from non-human sources, with bad bots alone accounting for nearly one third of that traffic. These bots have become increasingly sophisticated, exploiting business logic rather than technical vulnerabilities to execute malicious activities like transaction fraud, data harvesting and web scraping.
[00:00:32] So Lynn is going to guide us through the trends that she's seeing shaping automated bot traffic, highlight vulnerable areas such as APIs and hopefully provide actionable insights into protecting businesses from these growing threats. And the big question of course, what strategies can businesses adopt to combat these bots that are mimicking human behavior? But enough from me, let's get Lynn back onto the podcast now.
[00:00:59] So a massive warm welcome back to the show, Lynn. For anyone that missed the last conversation, can you just remind everyone listening a little about who you are and what you do? Sure. Thanks so much for having me on the show again, Neil. So my name is Lynn Marks. I am based in sunny San Francisco, California, and I'm a senior product manager at Imperva, where we protect applications and data and all paths to them.
[00:01:28] I specifically focus on two areas that organizations should protect themselves from. The first being bots, or automated attacks. And then the second is how can organizations protect their client side from attacks such as Magecart? And more recently, how can they also ensure that they are compliant with the new PCI requirements, which is actually what we talked about last time I was on the podcast.
[00:01:55] And I've been working in the cybersecurity space for around eight years. Fantastic. Well, it's a pleasure to have you back on. And I'm glad you mentioned the word bots there because it's something we're hearing more and more about. And I think it was the 2024 Imperva Threat Research Report, which revealed something that we probably all suspect anyway, anyone that spends any degree of time online. And that is almost 50% of Internet traffic now comes from non-human sources.
[00:02:24] So can you tell me a little bit more about that and what factors are driving this sustained increase, and how advancements in AI and large language models, although they're positive, might be contributing to that growth too? Sure. Yeah, this is a very important topic. And of course, AI and LLM models are definitely driving this. Before we go into the details, I just want to first highlight that when we're talking about non-human sources,
[00:02:51] we're talking about two different groups of bots. So we're talking about bad bots. And then we're also talking about what we call good bots. Now, really, what they're doing is the same thing. But the difference really is, is this a bot that I want to have running on my application, or do I not want to have it? So that's really what differentiates them: is it something that's bad or good?
[00:03:14] So when we're talking about what are the factors that are driving this increase, definitely the fact that generative AI has become more prolific over the last year or two has definitely been driving this. So we first of all have to think about the fact that in order to train all of these models, a lot of scraping across the web had to occur.
[00:03:38] And of course, there has also been a couple lawsuits that had occurred because of this scraping, where organizations were complaining about their proprietary data and information on the web that's being scraped. And if you're an organization that the big value that you're providing is your proprietary information, then scraping in order to train the LLM models is not something in your favor.
[00:04:04] So that's definitely been a big factor in why this increase has occurred. And then, of course, because generative AI, and just AI in general, has become a lot stronger and easier for people to use day to day, we've also seen that bots have become a lot more of a commodity, right? So bots as a service are becoming more of a thing.
[00:04:32] Of course, this is something that we've seen over the last couple of years. Let's say sneaker bots, right? This is a term that we've been hearing for a couple of years where the attackers might be leveraging bots in order to be able to procure limited edition goods like sneakers. We oftentimes talk about that or maybe like the PS5 when that originally came out.
[00:04:55] But now we're seeing that the normal people, normal users are trying to also gain an edge by leveraging bots that they are able to easily procure online in order to also try to maybe get those tickets that are very hard for them to get for like the concert that they want to go to. Or once again, for any sneakers or other limited edition items that they might want to be able to purchase.
[00:05:24] So definitely the fact that we have to train all of these models and then that the models themselves and AI is making it easier for day to day people to be able to leverage bots. We're seeing that as a larger increase in the bad bot traffic across the web. And one of the other things that stood out in that report is it highlights that bad bots are increasingly sophisticated.
[00:05:49] Not too many surprises there, but many are exploiting business logic rather than technical vulnerabilities. So can you tell me a bit more about how that shift is impacting organizations and ultimately their ability to mitigate some of these threats? Definitely. I think business logic in this context is a newer term or a newer way to think about this, right?
[00:06:16] So the business logic is what are the different steps or the different pages that a user would need to take throughout an application or website in order to achieve their goal, right? So for purchasing something, I would need to add the product to my cart and then enter in my credit card information and then finish the checkout process.
[00:06:35] But I think that the change here is that organizations are realizing that they need to look at solutions to protect their business logic that aren't just necessarily security based. Now, of course, looking at security based solutions is a must. You always need to ensure, well, let's say, do I have a WAF in place, which is just looking at technical vulnerabilities.
[00:07:02] But you also need to ensure that you're getting a good understanding of what are the most crucial parts of your business logic and if there's any changes that you need to make within your organization to the business logic itself. So, for example, let's say you have a hot ticket item and you don't require users to create an account and to log in in order to buy it.
[00:07:32] Now, if you are seeing that you are having many different bots that are successfully being able to purchase the products and thus the real users are getting upset with your organization and how they're not able to purchase it, you might want to speak with other parts of your organization.
[00:07:51] Right. This might be the application team or the marketing team or anyone who controls like the sales aspect and understand, well, can I make any changes to the business logic in order to better secure the assets that I'm trying to protect? So maybe in this case, even though some parts of the organization might say, well, I don't want to add this extra step of having a user create an account or needing to log in.
[00:08:19] If the organization realizes that it's important enough for us, where the ROI for adding this additional step is more important than the potential additional work that the end users would need to do, then that's really something that organizations need to start thinking about.
[00:08:38] Right. How can you work with other teams in order to ensure that your business logic flow is not only as conducive to the end users actually being able to do their business, but actually is set up in a way that also protects the business itself?
[00:08:58] And of course, we are living in the age of the application programming interface or APIs that ultimately enable businesses to set rules and protocols that allow different software applications or systems to communicate and interact with each other. And the reason I bring this up is account takeover or ATO attacks have also seen a significant rise, according to the report, with almost half of them targeting APIs directly.
[00:09:27] It can be a huge vulnerability. So what is it that makes APIs particularly vulnerable and how can businesses better bolster their defenses against attacks like this? Yes, APIs are a very fun and tricky asset to protect, but very important, of course. So one reason that we've seen for why APIs are so vulnerable is, first of all, they are very abundant, right?
[00:09:54] And I know you mentioned ATO attacks, but APIs, of course, are used for many different parts of the business logic. But the APIs themselves, they are readily available, right? Applications now, no applications are being built without APIs. And many of these APIs are publicly exposed.
[00:10:16] And the people who are running the applications, like the security teams, they might not have a good understanding of all of the applications and the APIs that make up those applications, right? Like shadow APIs. And they might have new APIs that are being added by the developers as new features are being added.
[00:10:40] So just from an API security perspective, right, this is something that we've seen a bigger trend in the last couple of years. But even though a lot of organizations are getting more visibility and are really clamping down on what are the APIs that are being used, making sure that they're all secure, making sure that the security team can be aware of all of them and make sure that they are secure. But there's still a gap that many organizations are trying to overcome.
[00:11:09] And thus, the attackers are taking advantage of this. And if they do find APIs that maybe still aren't very well protected, because APIs, of course, are the ones that are going to have that sensitive information on them, that's going to then end up giving the attackers a very good ROI.
[00:11:28] A very important thing to remember is that APIs generally are just easier or simpler to attack than going after the web application as a whole. When we're thinking about the HTML page, right, they could be getting changed quite frequently, right, as the developers or the marketing team or whoever else are making changes to it.
[00:11:53] So if I'm trying to create a script that is trying to attack the HTML page, I might need to change my script accordingly as the web page is changed. But APIs don't change very frequently. And in order to interact with them, they always require the same structure or the same format for the request and the response.
[00:12:17] So it's much easier for the attackers to be able to create a script once and know that it's going to work consistently because APIs just don't get changed as often. And I think anyone following developments in this space will know that some industries, such as gaming and travel that immediately spring to mind, they experience a disproportionate level of high bad bot activity.
[00:12:47] So why is it that bots target some industries more than others? Is it because they're more lucrative? Is there something else going on? And what unique challenges do you think these sectors face? While all organizations in all industries really are facing challenges, we are seeing that some, like you mentioned, are getting higher activity.
[00:13:08] So in the gaming industry, one theory that we have is because a lot of the purchases that are occurring within the gaming industry are for in-game purchases. And the users, they have an incentive, let's say, well, either I can play, for example, for five or 10 or however many hours to gain this additional item in the game, or maybe to gain more in-game points or experience.
[00:13:38] They might also be able to purchase that. So what attackers are realizing is people in the gaming space, they are very committed to be able to ensure that their characters are as strong as they can get, so that they can continue to be stronger when they are battling other players in the game.
[00:13:57] So the attackers are realizing that, hey, maybe I can use bots to be able to more easily buy these items in the game, or be able to have these different hacks or advancements within the game that are going to then be able to sell those different items, or those virtual currencies, or experience points, etc.
[00:14:22] And the real human players are more likely to be able to then buy them. And so both in the gaming and in the travel industry, there is a lot of incentive for the attackers because of the incentive that real humans have to interact with these applications, right?
[00:14:47] So when we're thinking about gaming, a lot of what the humans are trying to do is they're trying to improve their experience. They're trying to buy more in-game purchases. They're really trying to be able to advance their characters in the game so that when they are then battling other humans in the game, they can become victorious.
[00:15:11] And the ways that they can do this, right, is either they can play for however many hours it takes them to be able to get more virtual currency or be able to acquire more items or experience points. But games have also realized that we can make additional money by selling these items to the humans. So, of course, when there is a way to make money, the attackers realize that this is a great way for them to make money as well.
[00:15:37] So they are using automation in order to try to game the system. And if they are able to then acquire, let's say, experience points or this virtual currency or items and then be able to sell it to the humans, then this is a really great way for the attackers to be able to make money leveraging what they know about people wanting to continue to advance themselves within the gaming space.
[00:16:05] Now, the travel industry also has very similar problems. And they're specifically focused on the fact that the data that is used in the travel applications is changing all the time. And the travel space is extremely competitive, right? There are many different players in the space and the margins are often quite small for the players in the travel space,
[00:16:34] like maybe trains, planes, automobiles. And because the margins can be quite small, having a competitive price and competitive availability is extremely important. So competitors are always trying to be able to outcompete one another, which means that we're oftentimes seeing that competitors might actually be, for example,
[00:17:00] scraping each other's applications to try to get the most up-to-date availability information and pricing information and anything else that might be useful for them to ensure that they can edge out the competition and get that person who's looking for that flight to Aruba to use their company instead of another airline. So many big points in there and a lot of food for thought for people in those industries.
[00:17:29] And something I always try and do on this podcast, as you know by now, is I try and demystify a lot of areas that things that people are talking about. And residential proxies have also emerged as a popular tool amongst advanced bot operators. So again, for people listening that may be outside of this space, how do these proxies make detection more challenging? And what kind of strategies should organizations be using to combat them? Yes, residential proxies have been a very hot topic
[00:17:59] and something that people like myself in the bot protection space have been working on trying to understand how can we ensure that the real end users that are leveraging residential proxies are being able to continue to make requests as needed,
[00:18:21] but the bad bots that are leveraging residential proxies in order to evade detections are caught. So really the real reason for why we've seen this huge increase is what I just said. If an attacker is able to use a residential proxy and they're able to convince us that their traffic is legitimate, then an organization might not end up blocking them
[00:18:50] and they would be able to then complete their transaction and get that ROI. So really what organizations need to do, in my opinion, is continue to leverage bot management solutions that are really using tip of the spear strategies to ensure that residential proxies can be properly detected, but not only detected well,
[00:19:20] but detected in a way where if a real end user is using a residential proxy that the attacker is using, how can we make sure that that real end user can continue to do their work while that bad actor who might be using that same IP is getting blocked? So I believe that really the most important thing for organizations is you have to continue to ensure that you're leveraging
[00:19:47] the bot management solutions that are continuing to advance their strategies on this and ensuring that as the bot operators are leveraging newer strategies like residential proxies, they're going to be able to catch them, detect them and get them out of here. The rise of mobile user agents among bad bots also mirrors a shift in human browsing habits that we're seeing out there at the moment. Again, very tricky for business leaders,
[00:20:17] but how can businesses distinguish between legitimate mobile traffic and bots that are mimicking mobile users? I would imagine it's quite a tough balance. Yes, definitely. So once again, I want to start off by saying that attackers are always going to go after the system where they can get the highest ROI, right? And if an attacker realizes that an application,
[00:20:48] a mobile application might not have very good protection on it, but the web application does have very strong bot management protection against it, then they are likely going to go and attack that mobile application because it's probably going to be easier for them to be able to attack it and get the outcome that they'd like. So first of all, it's very important that businesses understand that you can't just protect the web application
[00:21:16] if the customers, and thus the attackers, can get the same outcome, right? Have the same business logic from the mobile application as well. You have to have protection that's as strong on the mobile application as you do on the web as well. Now, when we're talking just about how can we detect this anomalous traffic, it's really very difficult, maybe impossible,
[00:21:44] to do without having a dedicated advanced bot management solution. And this, of course, goes back to, well, how do you understand what parts of your mobile application are most crucial to your business logic and thus are the most likely to be attacked? How do you know what are the trends? What is the normal amount of traffic that is hitting them? Or what is the normal user agents or rates
[00:22:12] or the different types of requests that are supposed to be hitting and interacting with the mobile application, so that if I see that, hey, all of a sudden there's a spike, right? And it's attacking the payment part in the mobile app, I can go and quickly investigate that. And of course, if you do have a good understanding of, for example, what are the types of identifiers,
[00:22:41] using something like user agent as just a basic identifier, then if you are starting to notice that there are these identifiers that aren't as common, you are going to be able to use that as a starting-off point for doing your investigations. And another thing in the report that caught my eye was the discussion around the legal and ethical complexities of web scraping
[00:23:09] in this age of AI that we all find ourselves in. AI is all anyone's been talking about for the last two years. I dare say it's probably going to be the same for 2025. But as it matures, what regulatory developments should businesses watch for, and how can they proactively protect their digital assets? Yes, AI is definitely a topic I've been hearing about nonstop. And just referencing regulations that are talking about AI
[00:23:38] or addressing AI, we've seen a huge surge in that. So this is from Stanford University AI Index. They said that in 2016, only one law was passed referencing AI while in 2022, which isn't even that current of data, there were 37 laws that were referencing AI. So we're seeing that even a couple of years ago, there was a huge surge. And in 2025,
[00:24:04] we're going to see a lot more countries, including the European Union, the United States. China has also been working on some laws in order to ensure that they get fully rolled out in 2025 and can categorize AI systems based on their risk and require very stringent transparency and governance standards. For organizations,
[00:24:33] it's going to be very important for them to be able to keep up to date and make sure that they're educating themselves on what are these changes that are occurring from a regulatory perspective, right? You want to make sure that you're not caught doing something that is perhaps against the law and you're not aware of it. So you want to make sure that you're continuing to check what are the new rules and laws that are being made available by different countries
[00:25:02] and ensure that you are putting in place the different types of security tools that are going to be able to help you protect your digital assets. So you need to have a multi-layer security approach, which means you need to have a good bot protection solution in place. You need to have a good API security strategy in place and really just ensure
[00:25:31] that you have a good understanding of what are the potential threats that can occur against your specific applications. And if you are leveraging AI, ensure that you have a good understanding for what is the AI actually doing, ensuring that the security team is well aware of what the developers are doing with this AI so that when the legal discussions come around, they're able to have a strong argument
[00:25:59] for why their AI is not going against what the law is asking for. And looking at some of the recommendations in the report, it emphasizes a multifaceted approach to bot detection and indeed cybersecurity. So if we can leave everyone listening with maybe a valuable takeaway, is there anything you can share around maybe actionable steps that organizations or business leaders could take to safeguard their platforms
[00:26:28] against these evolving threats? Yes. I mean, I think you're going to hear this in many different security conversations. But the first and foremost, most important thing is really ensure that you catalog all of your assets and understand what is the current security status of them and what are the importance and the risk of each one of them, right? We always say in the security space, if you don't know what you're trying to protect, how are you supposed to protect it? You need to be able to have
[00:26:58] a multi-layer security approach in place so that you can protect those assets from different attack vectors. And lastly, this is very important, especially because we were talking about the business logic aspect. Security teams need to work with other parts of their organization to understand what are the typical metrics that not only can the security team monitor, but also what metrics or KPIs
[00:27:27] can other teams monitor and gather and share across the organization that can be used as an indicator for when attacks are occurring. Fantastic advice. And thank you so much for coming back on the podcast and sharing your insights. Usually I ask my guests to add a song to our Spotify playlist, but if I remember correctly, the last time we spoke in July, you added Elton John's Goodbye Yellow Brick Road. So you've done that already.
[00:27:57] This time around, I'm going to ask for a more personal takeaway from you, because I think none of us are able to achieve any amount of success without a little help along the way. And very often there's someone or some people that spend a little time investing in us, or see something in us, that help get us where we are today. Who would that person or people be for you that we can give a little shout out and a little thank you to today? Yes, thank you for asking. So I would like to call out
[00:28:26] someone called Gideon Marks, who some people might know as a CFO of a couple of tech companies, angel investor in Silicon Valley or mentor for startups. But I also know as my father. So he has been a really great support for me, not only throughout school, but exposing me to the tech industry as I did grow up in Silicon Valley. They always pushed me,
[00:28:55] even when I was young, to get more exposure within the tech industry, attend different events, and really helped me be able to ensure that I continue to grow and get exposed so that as I entered the working world, and as I have been working for the last 10 years or so, I've been able to have the confidence that is needed and ensure that when I do have moments of doubt,
[00:29:24] I can continue to push and believe in myself. Wow, what a beautiful answer and a powerful moment to end the podcast on today. But before I let you go, for anyone listening just wanting to find out more information about that report that we've been referencing today, or how you might be able to help, or contact you or your team, where would you like to point everyone listening? Yeah, so we have the great Bad Bot Report on Imperva.com. We release a new version of that every year.
[00:29:54] So coming in April, there will be an even newer version of that. And also, because we were talking about AI and the regulations around that, we also recently released a blog around that that you can also find on the Imperva.com website. And there's a lot more detailed information about the regulatory changes that we're going to see in 2025 and what organizations can do
[00:30:22] to protect themselves from those changes. Well, I will have links to everything you mentioned there so people can find out more information nice and easily. And we covered a lot there, especially around that 2024 Bad Bot Report, but not just highlighting the problems, but also thank you to you for providing tips on how to diagnose bot problems and some recommended actions to help people listening protect their business. Priceless work what you're doing here,
[00:30:50] but just a big thank you for shining a light on it again. And hopefully we'll get to speak with you later in the year, but thanks again for joining me today. Thank you very much, Neil. I think as we wrap up today's conversation, it's clear that bad bots are no longer a distant cybersecurity concern. They are a clear and present and growing threat. So a big thank you to Lynn for sharing how bots are evolving to exploit business logic and for emphasizing the importance of cross-team collaboration
[00:31:19] and proactive measures. Because collectively, this is what can address these challenges. Whether it be safeguarding APIs to combat residential proxies or simply understanding the ethical complexities of AI and web scraping. There's so much for businesses to consider in this fight against automated threats. How will you and your organization adapt to these challenges? And what steps will you be taking to protect critical assets
[00:31:47] in an increasingly bot-driven digital world? Email me, techblogwriteroutlook.com, LinkedIn, Instagram, X, just at Neil C. Hughes. Let me know your thoughts. But as always, thank you for joining me today. Don't forget to subscribe for more insights like this and I'll be back again.