Bots are becoming more and more of a challenge for companies to deal with. To learn more about how bots impact different industries, we spoke with Nick Rieniets, field CTO of Kasada, on the most recent episode of our podcast Get With IT. They had recently released a report on this topic, so we invited them on the podcast to talk about it.

Here is an edited and abridged version of that podcast episode:

Nick Rieniets: Threat intelligence is something that Kasada takes very seriously, and really what we’re looking at is there are many use cases for bots, and many problems that bots cause. And you can almost always trace them back to some form of monetization. No one’s going to bother writing a bot, really at scale, unless they’re going to benefit from it monetarily. And this report really looks at specifically the concept of an account takeover and how that impacts different industries. So the impact on an airline or hotel chain, whilst that may be similar, it’s also exactly the same as the impact on a retail store or an ecommerce platform. Then you can look at industries like social media and the streaming platforms, and exactly the same techniques are used from a buying perspective,  but the benefit there is typically access to other stolen accounts from a social media perspective, or free content from a streaming perspective.

David Rubinstein: We certainly have that issue here. We’ll post an article and we usually know what the average readership is, and then suddenly, it’ll be eight times the normal readership. And we’re like, wow, that was a great article, or was it? Was it bots just bombing our site? So then it becomes hard for us to gauge should we write more on that topic because people are interested in it? And really, how do you track what’s real and what’s the bot?

NR: From the bot mitigation provider perspective, what we’re really trying to do is understand as a user engages with an application, as they load that website up in their browser, we’re collecting data that helps us differentiate between, well, this is David and he’s on a Windows machine and I can see he’s using the latest version of Chrome, versus maybe this is Nick and he’s doing something on a Linux server in a data center in Russia somewhere, and he’s using an automation framework to load this side, and he’s going to all of a sudden start spamming us with lots of requests. And so there’s lots of signals that you can collect in that way. And that really helps us differentiate between the two.

DR: The report showed that almost half of all web traffic is generated by bots, so this is clearly a huge problem. And I assume, and we’re hearing that with AI, that people are using it to do good things and people are using the same AI to not do such good things. So what are you seeing in terms of the ability of these bots to avoid detection or bypass certain gates or walls that would prevent them from coming in?

NR: Yeah, it’s a really interesting world in the bots space. The practical reality is that bot developers have benefited from AI in exactly the same way that we all have. And so, Sam (Kasada’s founder) and I have gone out and spoken to a number of bot developers that we’ve engaged with in the past and they’re all using exactly the same tools as we are. And so, at this stage, that represents an equal weighting in terms of the benefit and risk associated with AI.

In our game, it’s certainly true, though, that we’re now starting to see tooling being generated that leverages various different LLMs and enables bot development to be done by people who don’t necessarily have the skills to do it without artificial assistance. So certainly, the bar is being lowered, which means that that percentage of bot traffic is only going to be higher.

And perhaps the other interesting angle is that a lot of AI developers are now turning to bots to scrape content to feed their LLM from a training perspective. And so now you’ve got this really interesting situation where the training data is becoming the differentiator between the different models and scraping content is a primary feeder of that.

DR: The report took a look at some of the patterns that these bots might employ. Can you talk a little bit about that and how that helps you mitigate these issues?

NR: I think the pattern that we see is just constant activity against primary targets. And so if you happen to be in an industry, or you happen to be a brand that is attractive to a community of developers, then what you can expect is persistent traffic and persistent problems. And so what we’re now seeing is a lot of businesses who are in that situation are realizing they need to sort of double down and reinvest in newer technologies to help them keep one step ahead. 

It is a game of cat and mouse, there’s no doubt about that. And it’s a difficult one to play as a defender, because you need to constantly be reinventing the way you play your game. The minute you stand still, for any more than a few months, the attackers will get the advantage. So it’s a challenging game to play for sure.

DR: Are there particular techniques that organizations can use to spot and defend these on their own or with a third party?

NR: I think there’s certainly patterns in data that would indicate bot traffic or suspicious bot traffic. If you’re thinking about, are there bots that are targeting your login to your customer facing portal, for example, then you’d be looking not just at the number of requests over time, but you’d be looking at the response code to that say is there a spike in failed login, for example? That would be a really key indicator that perhaps you’ve got a problem. 

And you can move across different parts of your application, and you can sort of look for what’s the unexpected outcome of someone engaging with that particular endpoint? So we see problems on checkout and add to cart and product details pages in the ecom world, for example. 

You may also like…

Report: Nearly half of all internet traffic is bots, a third is bad bots

Kubernetes at 10: Where it began, and where it’s going