Andy Still, Netacea: “humans can never be as quick or as intelligent as bots when it comes to identifying threats”

When website security systems struggle to discern real visitors from malicious bots, one solution remains – fight fire with fire.

As more businesses race to shift their operations online, new website owners have to adapt to a new way of doing business and deal with a variety of online threats.

While most of us think of disrupted websites or servers going offline when we hear the words “bot attack,” the reality is often different. The recent rise in bots being used to scrape sensitive data or quickly buy up limited edition items proves that taking a website down is no longer the main goal.

We reached out to Andy Still, CTO & Co-Founder of Netacea, to discuss the problems many websites face today and how the power of AI could be harnessed to combat them.

Tell us a little bit about what you do. How did the idea of Netacea originate?

Netacea was originally TrafficDefender, an online waiting room that meant businesses could better deal with exceptionally high levels of traffic — such as when new products are launched or concert tickets go on sale. Just as in a real queue, people are given the opportunity to buy in the order they arrive, rather than simply clicking faster than anyone else.

While TrafficDefender was a success, it was obvious that there was a bigger, related problem: bots were being used not only to try and skip queues but for all manner of harmful activities, such as trying to take over accounts with stolen passwords and scraping content for use elsewhere. It was clear there was a need for a sophisticated product that could protect businesses from bad bot activity while not restricting automated traffic that is not harmful, such as search engine crawlers.

After two years of development, Netacea was launched in 2018. Our instinct has proved correct, as bots have become more common and more easily accessible since then, creating a demand for a product that can mitigate this problem.

It is evident that AI is an important part of Netacea. Can you tell us more about the ways in which it is used in your company?

In the fight against malicious bots, we’re dealing with enemies that are experts on automation, and many bot mitigation providers still believe the best solution is human monitoring. This is ultimately futile — humans can never be as quick or as intelligent as bots when it comes to identifying threats. You need to fight fire with fire: an automated threat needs automated protection.

The traditional approaches to the bot problem use CAPTCHA challenges or inject additional JavaScript code into a webpage to detect when a user is real. These approaches often mean a bad user experience for real customers — and they increasingly fail to stop the bots. JavaScript is easily bypassed by sophisticated attackers who will spoof signals or simply use a mobile app or API to avoid the script.

Our multi-dimensional machine learning-based approach provides an innovative and profoundly more effective alternative to traditional methods. It provides frictionless access for genuine users in real-time while preventing non-human traffic from compromising a business.

Powered by machine learning, our proprietary Intent Analytics™ technology provides an incredibly fast, accurate and transparent solution that protects websites, mobile apps, and APIs by actively seeking out malicious bots’ intent and prioritizing genuine users.

What set of tools do you use to identify and eventually eliminate bots?

Netacea Bot Management provides real-time identification of new and emerging threats to businesses with a digital presence. Our Intent Analytics™ engine sits at the heart of our solution to enhance response times to bot attacks and is supported by our team of experts who provide “human in the loop” interventions.

With Intent Analytics™, we can monitor all visitor activity and apply a three-layered approach to distinguish automated bots from humans. Netacea works hand in hand with in-house security teams from implementation to providing accurate detection and empowering businesses with actionable threat intelligence.

By stopping malicious bots, the tool ensures websites run efficiently, and both customers and the business are secured against bots that commit fraud, steal customer data and cause damage to web applications on a large scale.

Did you notice any new cyberthreats emerge as a result of the COVID-19 pandemic?

While this is not new, ransomware was one of the largest threats throughout 2021 — perhaps as attackers felt that other pressures made businesses more likely to pay up. As a result, during the height of the COVID-19 pandemic, there were significant worries that there may be attacks on vital healthcare infrastructure, vaccine rollouts, and more.

Some of these worries did manifest. For example, the Irish Health Service suffered a crippling ransomware attack. Aside from healthcare targets, we also saw attacks on oil pipelines in the US, power plants across the world, and many more instances of critical national infrastructure. This has encouraged many governments (including the USA and UK) to consider the role those private enterprises have in a nation’s security, how vulnerable they are to attacks, and what impact this can have on the public.

We expect to see governments becoming much more hands-on in regulating security at private enterprises and in helping such organizations respond to attacks. We also expect to see more international collaboration and competition in policing cyberspace.

How can bots cause any serious issues for one’s website?

Bot attacks can cause poor website performance, site downtime, expose sensitive customer data, and ultimately cause lost revenue and damage a brand reputation. In fact, in 2021, we found that the largest businesses lose up to $250m every year due to unwanted bot attacks.

There’s a great deal of confusion over what we mean by a bot attack. Many people immediately think of DDoS attacks designed to disrupt a website or even knock it offline. DDoS attacks use a “botnet” of infected devices, but they are not what we consider a bot attack. Bots rely on a website being online and attack by subverting the way it is supposed to work, using its business logic against it. So, for example, it might use an online payment gateway to check the validity of stolen credit card details.

Our research has found that the most common bots detected in 2020 were account checker bots. These bots take lists of leaked username and password pairs (aka combo lists) and test them against a website—anyone who reuses a password on multiple sites is vulnerable to this type of attack. These bots also try to “brute force” access to accounts by using a known username with common passwords, again taking advantage of poor security hygiene.

Should every website owner implement bot protection, or is it only a necessity for certain websites?

Not every website will need bot protection, but if you handle sensitive information, operate in the eCommerce, financial services, travel, gaming, gambling, or telecoms industries, or regularly have high levels of web traffic, you will want to start thinking about using bot protection. It’s important, however, to recognize that bot protection is not exclusively a security solution. Bots can also affect website performance and marketing analytics, meaning decision-makers don’t understand how their website is being used by real people.

Our research found that 68% of businesses have suffered a financial impact from bots skewing their website analytics. For marketers, this is a big problem. If marketers make decisions based on flawed data, these cannot be good decisions. In fact, we find that marketing teams are often the first to recognize that a business has a bot problem because they spend more time analyzing traffic.

Bots also attack a wider surface than just websites, system owners should ensure that effective bot protection is in place for any mobile apps and APIs that they have available as attackers are increasingly targeting these as a weak link in application security.

Besides bot protection, what other security measures are essential for websites nowadays?

Security really isn’t a one-size-fits-all solution. There are certain things that all websites can do to improve security, like use HTTPS and SSL certificates, implement a Web Application Firewall (WAF), ensure that default administrator accounts are disabled, and take regular backups. However, your security investment should be tailored to the risks that are relevant to your organization. As an example, it is a good idea to invest in waterproofing the roof of your house in certain (say British) climates, this is pointless if your house is in the middle of the desert.

The most essential step for website security is to understand the threats that you are facing. Once you understand those threats, you can ensure that your defenses are geared towards dealing with them. This has the advantage of giving you targeted protective measures designed to deal with your biggest risks and counter the sorts of attacks that are either or both very likely and/or very damaging. This has the added benefit of not wasting resources defending against attacks that are less likely to happen.

You have recently published a list of predictions for 2022 cybersecurity trends. Would you like to share some of your insights for the upcoming year?

Over the last year, we’ve seen a huge influx of talent and resourcing into the bot developer ecosystem. Partially inspired by lockdown and partially by the increased awareness of low-risk, high-profit bot attacks, many more people are getting involved, whether it’s creating or operating bots. This has allowed many bot groups to professionalize, with many now actively recruiting employees who will fulfill roles in marketing, recruitment, support, development, and more.

In some cases, these groups have even registered themselves with governments as formal companies and begun paying people to work full time. Across all types of bot attacks, though, we have seen a segmentation of specialisms, with individuals choosing to specialize and fill a particular niche within the larger ecosystem, such as developing bot tools, selling supplementary services (including the information or infrastructure needed to run attacks), acting as trainers, hosting communication/networking services, or working with developers as a consultant. We have started to see bots being offered as a Software as a Service (SaaS) model as well. We expect to see this trend of professionalization continue in 2022.

Tell us, what’s next for Netacea?

2022 will be an exciting year for us. We have decided to expand our operations and launch a North American Partner Program. Bots are a global problem, and awareness of the issue is growing. With bots costing businesses an average of 3.6% of their annual revenue every year, there is increasing demand for tools and services that will fight back.

As part of the new program, we’ve expanded our on-the-ground team in the US. Joining us is Peter Berg, who will serve as the Senior Vice President of U.S. Sales. His new role includes spearheading Netacea’s go-to-market efforts for North America. Also joining our team is Kirk Horton, who brings to Netacea more than 20 years of experience in building channel programs, developing alliances, and overseeing sales and business development. Kirk will take on the role as Vice President of Channels and Partners and lead our NetElite™ Partner Program.