
Danger, bots at work: the risk of botnets for businesses


By Paulo Henriques, Head of Cyber Security Operations at Exponential-e

Thanks to Elon Musk, bots have been making headlines more than ever recently; according to some estimates, they now account for 20% of all Twitter accounts. But social media bots aren’t new and have been making appearances across many social media platforms, including Facebook, for some time.

To many they appear harmless, simply offering the ability to give politicians, celebrities and influencers increased follower counts. Behind these seemingly inoffensive accounts, however, lies a great deal of danger for the common social media user and their employers.

More than the eye can see 

Bots in the social media context are perhaps best known for spreading misinformation. But they’re also great tools for bad actors to spread credential-harvesting malware – dressed up as clickbait – to thousands of users’ devices, with the aim of exploiting their access to sensitive assets and systems.

It’s at this stage that the real ‘bots’ come into play. In an IT context, bots are conventionally known as automated software programmes that users or businesses use to automatically complete repetitive, pre-defined tasks. And it’s when these bots work together that things can go from bad to worse.

There’s no ‘i’ in bots

Bot networks, or botnets, are a result of cybercriminals compromising a series of these vulnerable internet-connected systems and devices using more conventional malware-based attacks, and combining them to form a pernicious web of accounts. While bots work together, botnets in fact often find themselves in battle with other malicious software – including other botnets – to hijack these devices, as they battle to displace existing malware to install their own.

These botnets can be used to coordinate a vast number of cyber-attacks beyond malware spreading, including DDoS, credential stuffing, phishing or spam flood attacks. Their success rate is increasing too, as the nature of the internet today means servers are scanned and probed by attackers for vulnerabilities almost instantly after they’re spun up. They rarely leave any stone unturned.

Such attacks have a particular preference for exploiting IoT devices because they’re an easy target; most users fail to take due care in configuring their devices when they install them. And the same unfortunately goes for vendors and ISPs, who often fail to issue regular updates to these devices, leaving them even more vulnerable.

At this kind of scale and with these tactics, bots represent an undeniable threat to corporate security as more and more employees use their work devices to access their personal social media accounts. To mitigate the risk, employees need the tools and knowledge to avoid falling victim to an attack, whether using the network for personal or professional use.

Don’t recruit a bot into your ranks

As it stands, businesses don’t take enough care to ensure their employees are as safe as they could be from botnets. As a result, while recruitment is a pressing issue for many organisations right now, too many are unwittingly inviting threat actors into their fold.

The best methods of protection are tried and tested, yet still so few businesses take note. On an IT level for example, a proactive security stance should be non-negotiable. Installing anti-malware software and scanning all company devices and systems – as well as any personal devices employees might use for work – for potential software vulnerabilities is essential; every device must be kept up to date or risks being rendered useless. Organisations should also minimise their attack surface as much as possible by ensuring that only required services are made available on the internet, and only to their intended audiences.

Beyond that, airtight training that addresses all potential causes for human error is crucial, whether that’s avoiding unknown or suspicious links, using up-to-date internet browsers, or enforcing password managers as well as multi-factor authentication. Incentivising staff to report potential botnet activity too, whether on social media or elsewhere, is an absolute must.

But even with these solutions and training programmes in place, human error is aptly named and unfortunately is impossible to eliminate, so every business risks having devices compromised. To mitigate the risk of attack further, companies should consider using the honeypot tactic, which is a great way of sniffing out potential malware inflicted by botnets. This involves using a device or system as bait for cyber attackers, either to distract them from other targets or find out more information about the way they operate.

Protecting businesses from bots

So, while somewhat harmless social media bots are out there, it’s the bad software bots and botnets we should focus our thoughts and mitigation efforts on.

Businesses shouldn’t make light of the issue. The solutions discussed here are a key part of any robust security strategy. Unfortunately, they remain undervalued tactics for mitigating cyber risks, but could be the one thing protecting your business from attack.
