The Human Element Behind Botnets

Benjamin Fabre, co-founder and CTO of DataDome, discusses the launch of DataDome’s new threat dashboard, which focuses on the human element that directs bots and botnets in their attack strategies. The video of Fabre’s conversation with Mitch Ashley of Techstrong Research (formerly Accelerated Strategies Group) is below, followed by a transcript of the conversation.

[Music]

Voiceover: This is Digital Anarchist. 

Mitchell Ashley: I have the very great privilege of talking with Benjamin Fabre. Welcome, Benjamin.

Benjamin Fabre: Hello.

Mitchell Ashley: Benjamin is DataDome cofounder and CTO. I like that title a lot. I kind of relate to that title. Just do an introduction, and then we have some news to catch up on. Tell us a little bit about yourself, Benjamin, and also about DataDome.

Benjamin Fabre: Sure. I’m DataDome cofounder and CTO. I created the company six years ago, because we discovered that bot traffic was huge on the Internet, and that generated a lot of threats for e-commerce websites, classified media, et cetera. So we have created DataDome, a cybersecurity company that protects online businesses against all those threats.

Mitchell Ashley: Yeah. I can relate to the bot problem, so we can have a long conversation, longer than this will take, that we have time for here. Well, let’s chat about it. You just had a recent announcement, just a few days ago, some new things in your product. Tell us about what’s happening.

Benjamin Fabre: Yeah, exactly. We have worked very hard at the R&D and the product department during the last 12 months, working on a new major addition to our products. Historically, DataDome is a cybersecurity solution that is fighting against all automated threats. Our threat research team has worked a lot on not only the threats generated by bots, but also the threats generated by humans. That can be card cracking, account takeover, etc.

We have just released a new major addition to our dashboard that is really threat-centric instead of just being bad bot-centric. And all our customers can start to have a very key understanding of the different threats they are facing, that can be done by bots or humans or by a combination of bots and humans, and that’s the kind of scenario that we are seeing more and more lately.

Mitchell Ashley: Interesting. Now you’ve added the human element to it of what isn’t automated or there’s a person involved in it. Maybe step back for a moment. What’s changed in the bot landscape, the threat landscape of bots? 

I mean, probably when we started thinking about bots, it’s the people crawling sites for search engines and things like that. Most of the time that’s helpful, not always. Sometimes those bots like to download your whole site, and sometimes those bots have a lot of different interests than just being nice and searching to point to your contact. What’s happened in the bot world that we need to be concerned about?

Benjamin Fabre: Historically, we all know that bots, specifically for instance, Google bots, that is a good one. You definitely want Google on your website, whether that’s to have strong visibility on the search engine. But over time this technology was used more and more by the bad guys, by the hackers, who are leveraging the bad bots in order to scale their attack. So that’s how you can just test, for instance, one million login-password combinations on an e-commerce website. Of course that is not doable by a human, so they start to involve bots.

A few years ago, bots were kind of easy to detect because they were coming just from one IP address, for instance. So it was just a cat and mouse game in the logs to try to find the IP addresses of the bad guys. But over time, they’ve been able to leverage hundreds or millions of different IP addresses by distributing the attack using residential proxies, for instance, or botnet activity also.

That started to be kind of impossible to manage on your own. So the CTOs, the DevOps, the DevSecOps started to understand that it’s a lost battle if you don’t choose a very dedicated solution that uses AI in real time to get back and to prevent those attacks.

More recently, we’ve seen that the hackers are not only using bots, but they have started to use humans. We have a combination of humans, for instance, to work around the CAPTCHA, you know, the painful actions that are asked of humans that you can spend millions on. So now, the hacker values the human to automate action to pass CAPTCHA, then try to reuse this credit to bypass some security numbers.

Mitchell Ashley: Yeah. I would guess there’s probably bot software out there that can pick out a bicycle in a picture by now. I’ve clicked on more bicycles than I know what to think of.

That’s part of what I wanted to ask you about. I’m sure you didn’t add the human element just because people also can attack, but also because of this combination of bots with people. I think that’s a great example that you gave, which is: how do you get around things that a bot can’t easily get around, like a CAPTCHA?

Are there other reasons or other scenarios, where having the combination of the human –? Because I can imagine there is all kinds of things you could learn from what bots are doing, and either successes or problems that they’re having attacking. Maybe it is sort of putting the car back on the track, you know. The bot goes there and then it sort of does as much as it’s gonna do, and so you help get it back on track. Are there other scenarios that would be helpful for us to know?

Benjamin Fabre: Yeah. The point that you would take the example of the credential stuffing attacks, or the hackers that are using bots to try millions of floating password combinations. We see just one test per IP per day, for instance, because they are massively distributed. As soon as one combination is working, at that very moment, sometimes this information is pushed to a human that has a valid login password, and they can use it manually on the e-commerce website to start to look for coupons, to look for individual information like addresses, credit card numbers, the bank account, et cetera.

So those last miles, sometimes they are human because it’s cheaper sometimes than developing some very advanced bots that afterwards create the content. Anything that’s hard to be scaled, that’s like trying millions of login passwords, may be done by bots, and the very last miles can be done by humans.

Mitchell Ashley: I’m interested, too. Oftentimes, AI gets brought up as bots increasingly use AI. Is that real? Is that happening? In what kinds of scenarios is AI helpful?

Benjamin Fabre: Of course the CAPTCHA pass, there are two options today. The first one is to use the AI to find the bicycle.

Mitchell Ashley: Traffic lights, bikes, and boats I think is all of them.

Benjamin Fabre: Yeah, exactly. It’s interesting because sometimes the hackers will use Google AI to fight Google reCAPTCHA. So they are using their own Google technology –

[Crosstalk]

Yeah. Also, they can leverage AI to find a way to simulate human actions on the page. To detect if the request is coming from a human or from a bot, we are collecting a huge amount of signals like the user interactions with the page, how the mouse is moving, the different interactions with the keyboard, et cetera.

So the bad guys are trying to reproduce human interactions by using AI to generate fake events on the page, for instance. So that’s one of the situations where the hackers can leverage the AI to do those bad actions.

Mitchell Ashley: I often wonder – I think of the strangest things. But do the bots talk to the chatbots? That’s a whole science fiction show I think or something. 

So do you serve as kind of a proxy or filter for the bots, both to examine, but maybe take some action or do things to say we don’t want certain bots coming into our sites, servers or network? I assume you do something like that.

Benjamin Fabre: Yeah. The way DataDome is working, we have server-side integrations that are available for CDNs or load balancers or Web servers. So we have modules, for instance, for Apache, _____ or HAProxy or Cloudflare. So we have more than 15 different server-side integrations. Those integrations, they will hook the incoming request, send a short code to DataDome AI, and we respond if the request should be allowed or blocked. So that means DataDome will make a decision to let the request go through or to block it when we think it’s a bot.

We are doing that not only on the website’s traffic, but also on APIs and mobile applications. One of the recent trends on the bad bot topic is that the threat is evolving from the website to the mobile application, because that’s a way for the bad guys to get proper APIs. That is even sometimes easier to access rather than the website itself.

We are seeing that most e-commerce websites, media, classifieds, they tend to be less protected on the mobile application, because that’s a place where the WAF or the historical solutions around the protection are not accurate at all.

Mitchell Ashley: Interesting. One of my assumptions, one of my beliefs about DataDome – and you can validate – there are a lot of people who proxy and filter bots. I tend to think what happens in those solutions is often kind of set and forget. That’s not their specialty, to really understand all the things happening with bots, because it’s not a static thing. It’s constantly changing, just like any other threat approach. Their job is to continue to innovate until something else works, until the next thing comes along.

Oftentimes, it’s only a Web Application Firewall or a proxy or maybe a CDN. All of them are helpful, you know, staying on top of the bots specifically. For some sites that’s critical. It’s absolutely essential. 

Benjamin Fabre: You are 100 percent right. That’s a constant war against the bad guys, because they are trying to make their threats evolve regarding the different protections. So that’s why we have a strong R&D team, a threat research team that’s working on a daily basis, to make sure that we are always leading the race in terms of protection. We are infiltrating. We are going inside the bad guy community to understand the different iterations they are doing.

One interesting story is that the hacker values – they are using a version of the Chrome browser that can be automated. There are some forks of this _____ list that are trying to evade the protection in place, and we have some of our engineers that are spending 100 percent of their time looking at those repositories, to make sure that we are always able to detect them, and we have automated tests to make sure that we are able to detect all the new technologies used by the hackers and the bad bots.

Besides the technology, we have humans involved because it’s also about having the best data scientists to make sure that we are always able to make our detection capability evolve on a daily basis. 

Mitchell Ashley: Excellent. I would like to pursue that idea of – you mentioned working with other technologies, like a CDN. For example, I think you said Cloudflare. How would DataDome fit into architecture like that, a CDN kind of Cloudflare type solution, which does some of its own bot filtering, of course, too? What do you add to that? How would you work in that kind of scenario?

Benjamin Fabre: First, of course, the integration is super smooth because all modern CDNs offer a worker capacity, so compute-at-the-edge capacity. That’s the place where DataDome can be integrated in just a few clicks.

Then if we are having a look at the different channels, I mentioned the threats are going from the Web to the mobile applications. Today – I’ll give you a few numbers – DataDome is collecting millions of events per day to detect the humans and the bots. Also, our SDK – that is, the client-side integration that is in charge of collecting those events – is today deployed in 500 million devices, where the DataDome SDK is embedded.

This is how we can protect the mobile applications. That’s an area deeper and closer to the application that the CDNs are not managing at all. What we are seeing is that if you don’t protect 100 percent of your traffic, the hackers will find the weakest spot inside your application, to try to reach you and to hurt you.

The second topic is that most of our customers have a multi-CDN approach or a multi-cloud approach. So they can use Cloudflare for some continents. They can use Alibaba for China traffic, et cetera. So they can use multiple cloud providers, and what they want is to have one protection across all their cloud providers, all their environments. And they can leverage DataDome because we are pushing different integrations to the user: DataDome on CloudFront in one place, Cloudflare in another one, or Apache in another one.

Mitchell Ashley: Interesting. That makes a lot of sense. It’s sort of the old network model versus all the way out to the application. Not that the network model is bad. It’s just now we live in a more complex world, right?

Well very good. Congratulations on the new product releases and bringing the human element into the dashboard. One more question about that. Are there some aspects of now having that on the dashboard that you do different kinds of alerting, or a different kind of reporting about maybe how those things are working in concert with each other? What can people gain from the dashboard that’s telling you about this?

Benjamin Fabre: Now we provide more insight on every single threat that is trying to reach your website, and that can be pushed to the right decoders. So the DataDome dashboard solution is used by different customers. So that can be the security team. It can be the DevOps team. It can be the business part, depending on the threats.

For instance, the DevOps will be concerned by all the DDoS attacks, because that might impact the performance of the website. With the new version, they can get notifications inside their Slack, inside their on-call solution, like – [inaudible].

Then we have the business side. That’s maybe something that you’ve seen lately, but the – PS5 topic – there are bots that are doing scalping. So they are trying to find any restock on the market, and that can impact the business side. So we will be able to push the right notification to the business when there is a scalping attack on the product and cart sections.

Finally, the security team is most of the time very concerned by vulnerability scanning or by the credential stuffing attacks, and we are able to push them the right notification into their own CDN or SOC, to make sure that they are informed in real time of any attempt to reach their security.

Mitchell Ashley: That makes a lot of sense. Benjamin, it’s been wonderful talking with you. Where can folks find out, maybe get a free trial or be able to check out more about DataDome?

Benjamin Fabre: They can reach DataDome.co, our website. We have a 30-day free trial. We always encourage all users to just test the solution. It’s super-easy to deploy, and that provides a real-time dashboard, to be able to measure all the threats that the application and the website are facing on a daily basis.

Mitchell Ashley: Great. And that’s DataDome.co not C-O-M, just to be clear. I think you have a 30-day free trial, if I remember right.

Benjamin Fabre: Yes.

Mitchell Ashley: So check that out. Well, congratulations on the announcement. I really appreciate the kind of work that you’re doing. We’ve all got to work together to be able to combat the bad guys. So we appreciate that as well.

All right. Thank you, Benjamin.

Benjamin Fabre: Thank you. Have a good day. Bye.

[Music]

[End of Audio]