Prepare for the smart bot invasion

We all know about the havoc wreaked by malicious bots, but soon, we'll have to deal with 'good' bots. How do you tell the two apart?

For most of my professional life, the term “bot” has been associated with badness. As a computer security professional, whenever I saw bots involved, they were usually committing malicious acts and harnessing hundreds or thousands of otherwise innocent devices and computers to engage in harmful deeds.

But that will change as good bots become more common, thanks to chatbot initiatives from Microsoft, Google, and others. You can bet, though, that the rise of “good” bots will mean more traffic to filter through and more opportunities for confusion.

The tug-of-war between good bots and bad bots

The 2016 annual Imperva Incapsula Bot Traffic Report, now in its fifth year, is an ongoing statistical study of good and bad bots. It examined 16.7 billion visits to 100,000 randomly selected domains on the Incapsula network. Here are some interesting data points:

  • More than half of all traffic to the surveyed websites came from bots
  • Bot activity is on the rise after three years of decline, mainly due to good bot traffic
  • Bad bots accounted for nearly 29 percent of traffic, while good bots accounted for nearly 23 percent
  • The demise of RSS helped prevent further growth in good bot activity
  • Every third website visitor was a malicious bot
  • 94.2 percent of websites experienced a bot attack

Bad bots are mostly programs designed to bypass security controls and take over a site or device, with the intent of either attacking the victim or harnessing the collective power of multiple bots on multiple hosts to steal content or to handle tasks humans normally do (buy tickets, answer security challenges, and so on). Bad bots are coded from the ground up to perform unauthorized activity.

If you’ve ever reviewed public website visitor or firewall logs, you already know that websites are besieged by bot traffic, both good and bad. You can usually spot a bot by its name, origin, or programmatic frequency. Good bots tend to come, again and again, at predetermined times every day. They don’t try to hide what they are. Bad bots usually come from random origins that are trying to hide their true intentions, and they try repeatedly at random intervals. They also contain exploit code in their data fields.
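Those heuristics can be sketched in a few lines of code. This is a minimal illustration, not a production classifier: the user-agent fragments, exploit patterns, and request threshold are all hypothetical examples, and a real system would also use reverse-DNS verification and rate analysis over time.

```python
import re
from collections import defaultdict

# Illustrative fragments of well-known good-bot user agents (not exhaustive).
KNOWN_GOOD = ("Googlebot", "bingbot", "UptimeRobot")

# Crude, illustrative signatures of exploit code in request data fields.
EXPLOIT_PATTERN = re.compile(r"(union\s+select|<script|\.\./\.\./)", re.IGNORECASE)

def classify(entries):
    """entries: iterable of (ip, user_agent, path) tuples from an access log.
    Returns a dict mapping each IP to a rough verdict."""
    hits = defaultdict(int)
    verdicts = {}
    for ip, agent, path in entries:
        hits[ip] += 1
        if any(good in agent for good in KNOWN_GOOD):
            verdicts[ip] = "good bot"        # announces what it is openly
        elif EXPLOIT_PATTERN.search(path):
            verdicts[ip] = "bad bot"         # exploit code in its data fields
        elif hits[ip] > 100:
            verdicts.setdefault(ip, "suspicious")  # hammering the site
        else:
            verdicts.setdefault(ip, "unknown")
    return verdicts
```

Feeding parsed log lines through `classify` gives a first-pass triage; anything marked "suspicious" or "unknown" still needs a human (or a smarter bot) to judge intent.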

Better than good bots: Smart bots

Good bots are coded to perform only authorized activity, though many sites they connect to may not necessarily want, need, or even know about it. According to Imperva’s report, good bots include the following types:

  • Site/Network/Feature health monitoring bots
  • Feed Fetchers, which copy content
  • Search engine bots
  • Commercial crawlers, for legitimate marketing purposes

The report, however, didn’t mention one of the fastest-growing types of good bot: AI-driven bots, aka smart bots. Smart bots are coded to interact with users in a way that emulates human responses. You’ve probably heard about them trying to mimic humanlike responses to real human queries and directions on social media sites or tech support hubs.

Early experiments often did not appear to be human, to put it gently. But I’ve seen recent demonstrations where the smart bot outperformed the human. Smart bots are showing up on your favorite social media sites to answer questions and to help direct users to the relevant information, and they are doing it better and better every day. Microsoft even has a Bot Framework that is growing in popularity and helping others to program smart bots.

There isn’t an industry today that isn’t fighting both rising support costs and support quality problems, and smart bots can help on both fronts. Think about how frustrating it is to deal with call centers and technical support. Imagine if a smart bot could get you to the right human, the correct support specialist, faster, without punching a bunch of buttons, and in a language you have no problem understanding.

Another rising class of smart bot performs network tasks faster. Decentralized, peer-to-peer PC maintenance software has been growing in popularity for years. These agents often distribute themselves to one or more computers at each site of a multi-location company, then act as the controlling machine for that site to deploy patches, collect event logs, or even detect breaches. Such programs are evolving from a peer-to-peer model into a bot model, where the controlling host (or hosts) changes depending on processing and network load.
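The controller hand-off described above can be reduced to a simple election: whichever peer currently has the most spare capacity takes over. This is a minimal sketch under that assumption; the hostnames and the load metric are hypothetical, and a real system would exchange load figures over the network and re-elect periodically.

```python
def elect_controller(nodes):
    """nodes: dict mapping hostname -> current load (0.0 = idle, 1.0 = busy).
    The least-loaded peer becomes the site's controlling host."""
    return min(nodes, key=nodes.get)

# Hypothetical snapshot of one site's peers and their reported loads.
site = {"pc-frontdesk": 0.72, "pc-lab3": 0.15, "pc-warehouse": 0.40}
controller = elect_controller(site)  # re-run whenever loads shift
```

Because the election result changes as loads change, the "controller" is a role, not a machine, which is exactly what makes these bots hard to pin down with static firewall rules.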

Even if you don’t like the idea of smart bots, they are here to stay, along with instant messaging and social media. You can hate them, but they aren’t going away. Smart bots are also expected to handle more “housecleaning” chores that human PC and network managers would otherwise do. They function much like traditional good bots—for example, by monitoring the health of a site—but will try to fix a problem if they find one. That’s a big evolutionary change, and good bot coders have to make sure their creations don’t accidentally become bad bots.

From good bot to bad bot

For decades, there have been attempts to create benevolent replicating programs. There have even been a few dozen trials by well-meaning security researchers to create roving programs that looked for and removed malicious software or closed known vulnerability holes. The idea is that if the owner of a device won’t clean up the malware or close the hole that allows it to spread, then someone else will do it.

Unfortunately, nearly all (perhaps all) have created more problems than they solved, and they’re illegal because they conduct unauthorized activities. For instance, when the widespread MS-Blaster worm came out in 2003, millions of unpatched Windows computers fell over. Someone in computer security decided to code a worm, called Welchia (aka Nachi), to find Blaster infections, remove them, and download and install the relevant patch. Unfortunately, it caused more problems than Blaster itself. I was a PC consultant in those days, and I remember spending weeks trying to get rid of Welchia, far longer than it took to stamp out Blaster.

The problem is that “helpful” worms are often as buggy as the malware they’re trying to clean out. They aren’t tested by a team of programmers through weeks of effort across every possible device and OS combination. Instead, it’s one person writing and testing the program on one computer, then letting it go. The good intentions are usually offset by unintended negative consequences. And let’s not forget that it’s illegal to modify someone else’s device without explicit permission, even when you mean well.

What is changing is that good bots, developed with the same rigor as normal, sophisticated software, will become more prevalent. I can see a day when a smart bot is used to look for malware and deploy fixes without harmful repercussions. When the next Heartbleed-scale vulnerability comes around, you could fire off a smart bot to find and fix vulnerable machines.

What do bots mean for computer security?

First, understand that bots have been a big part of our network traffic and site visitors for a while, and good bots are likely to increase over time. The uptick is a solid development: it’s automation of tasks we might otherwise do manually.

The downside is that you have to filter them out when looking for the bad bots (you’ve actually been doing this for years). Because bots are increasingly prevalent, they’ll be tougher to filter correctly. You’ll see more smart bots coming from more places, and if you haven’t been notified about them, you’ll have to dig deeper to figure out their intent.

You’ll also have to open up more client-side firewall ports. For decades we’ve lived with the idea that most client computers don’t have to talk to other client computers, and most servers don’t have to talk to other servers. These traditional connection pathways made it easier to set firewall rules and to detect lateral movement, such as pass-the-hash and other APT techniques.

But roving smart bots performing routine network maintenance will change that. How do you create a firewall rule for something that moves from computer to computer and even changes network ports to do its job? There are ways, but the recognition rules aren’t as easy to configure as they used to be.
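One of those ways is to stop keying rules on IP addresses and ports and instead authenticate the bot itself. The sketch below assumes a key shared between the bot and the firewall manager, so a signed announcement can be verified no matter which host or port the bot moves to; the key, message format, and bot name are all hypothetical.

```python
import hmac
import hashlib

# Hypothetical key provisioned out of band to both the bot and the
# firewall manager; a real deployment would rotate it regularly.
SHARED_KEY = b"rotate-me-regularly"

def sign(message: bytes) -> str:
    """HMAC-SHA256 tag the bot attaches to its relocation announcement."""
    return hmac.new(SHARED_KEY, message, hashlib.sha256).hexdigest()

def allow_connection(message: bytes, signature: str) -> bool:
    """Open a temporary firewall exception only for authenticated bots,
    regardless of which host or port they currently occupy."""
    return hmac.compare_digest(sign(message), signature)

# Hypothetical announcement from a roving maintenance bot.
announcement = b"bot-7 moving to host 10.0.3.14 port 49152"
tag = sign(announcement)
```

The firewall manager would call `allow_connection(announcement, tag)` before opening the port; a forged or tampered announcement fails the check, even if it arrives from a previously trusted address.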

We’ve been here before. A new technological battle on the horizon will make our jobs a bit more complicated. That’s life. That’s our career. If it were easy, they wouldn’t pay us as much. Half the battle is being prepared for the coming change.
