The ability to effectively analyze network traffic is a must for a successful enterprise cybersecurity program, as it’s critical to identifying and defending against many types of attacks. That message isn’t lost on CISOs, with the use of network traffic analysis tools nearly universal among security teams.
But even as NTA tools evolve their capabilities, CISOs still face challenges in gaining full visibility into the network traffic flowing into and through their organizations, because of both the ever-increasing volume of that traffic and its growing complexity.
Part of that is the growing volume of what some call “fake network traffic.”
“The State of Fake Traffic 2024,” a report from security tech company CHEQ, shows just how big the problem is getting. According to its research, 17.9% of all observed traffic in 2023 was automated or invalid, a 58% increase from the 11.3% identified as such by CHEQ in the previous year. (Others that count all automated traffic put the volume of non-human traffic even higher — upwards of 50%.)
The CHEQ report issued a warning, saying that “in 2024, cybercriminals and fraudsters are no longer confined to simple bots and click farms; they now wield highly sophisticated bots capable of mimicking human behavior, evading detection, and perpetrating a wide range of malicious activities. They scrape data without permission, inflate engagement metrics, commit fraud, and compromise the security and integrity of countless websites, mobile apps, and APIs.”
Others also are sounding alarms, saying that the growing amount of this fake traffic represents an increasing risk for CISOs and their organizations, not only due to the threats presented directly by that traffic but also due to the distractions that it poses to the security team’s resources.
“With the amount of traffic, including fake traffic, trying to come into their networks, CISOs have to think about the risks to availability as well as the confidentiality and integrity of their data,” says Rebecca Herold, a member of the nonprofit professional association Institute of Electrical and Electronics Engineers (IEEE) and CEO of The Privacy Professor, an information security, privacy, IT, and compliance services firm.
What is considered fake network traffic?
Fake traffic can be grouped into three broad categories, according to the CHEQ report, each comprising hundreds of individual threat types. Bots were the largest group, making up 49.1% of the fake traffic counted by researchers; suspicious traffic made up 42.3%; and malicious traffic came in at 8.6%.
Champlain College Assistant Professor of Cybersecurity Syed Noaman Ali classifies fake network traffic as good bots, bad bots, and other automated traffic.
Good bots, he says, are “legitimate automated tools that perform helpful tasks, [such as] search engine crawlers [like Google’s bots that index web content], monitoring bots and bots that provide customer support.”
Bad bots are those “designed to carry out malicious activities,” Ali says. Other automated traffic includes traffic “generated by various automated scripts that may not fit the traditional definition of bots, [including] automated testing tools, ad fraud scripts, and more.”
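The three buckets Ali describes can be applied to individual requests with a first-pass classifier. The following is an added example written for this article, not code from Ali or CHEQ: it sorts a request into good bot, bad bot, other automated traffic or presumed human from the User-Agent string and, for crawlers that claim a search-engine identity, a reverse-then-forward DNS check, since a User-Agent string is trivially spoofed. The DNS tables, the token lists and the IP addresses are constructed for the example; only the published crawler domains (googlebot.com, google.com, search.msn.com) are real.

```python
"""Sort web requests into good bots, bad bots, other automated traffic,
and presumed-human, using the User-Agent and a DNS check for crawlers.
All DNS data below is a constructed stand-in for real lookups."""
import ipaddress

# Search-engine crawlers that publish the DNS suffixes their IPs resolve to.
# Assumption for this example: only these two identities are verifiable.
VERIFIABLE_CRAWLERS = {
    "Googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
}
# UA fragments of tooling that is automated but not a crawler (the third bucket).
AUTOMATION_TOKENS = ("python-requests", "curl/", "Go-http-client",
                     "HeadlessChrome", "Selenium")
# UA fragments of attack/abuse tooling; such a request is a bad bot outright.
ATTACK_TOOL_TOKENS = ("sqlmap", "nikto", "masscan", "zgrab")

# Constructed DNS records: PTR names for client IPs, A records for those names.
PTR_TABLE = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",
    "203.0.113.5": "203-0-113-5.rented-vps.example.net",
}
A_TABLE = {
    "crawl-66-249-66-1.googlebot.com": {"66.249.66.1"},
    "203-0-113-5.rented-vps.example.net": {"203.0.113.5"},
}


def verify_crawler(ip, suffixes, ptr=PTR_TABLE, fwd=A_TABLE):
    """Reverse-then-forward DNS check: the PTR name must sit under one of the
    crawler's published domains, and that name must resolve back to the IP.
    Against live DNS you would use socket.gethostbyaddr and gethostbyname_ex."""
    host = ptr.get(ip)
    if host is None:
        return False
    if not any(host == s or host.endswith("." + s) for s in suffixes):
        return False
    return ip in fwd.get(host, set())


def classify(ua, ip):
    """Return one of: good_bot, bad_bot, other_automated, human."""
    ipaddress.ip_address(ip)  # fail fast on a malformed address
    if any(t.lower() in ua.lower() for t in ATTACK_TOOL_TOKENS):
        return "bad_bot"
    for name, suffixes in VERIFIABLE_CRAWLERS.items():
        if name in ua:
            # A claimed crawler identity that does not verify is impersonation.
            return "good_bot" if verify_crawler(ip, suffixes) else "bad_bot"
    if any(t in ua for t in AUTOMATION_TOKENS):
        return "other_automated"
    return "human"


if __name__ == "__main__":
    googlebot_ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    print(classify(googlebot_ua, "66.249.66.1"))   # verified crawler
    print(classify(googlebot_ua, "203.0.113.5"))   # impersonator on a rented VPS
```

The "human" result is a default, not a finding: as the article notes below, sophisticated bots present a browser User-Agent, so this pass only removes the honest automation and the obvious impersonators, and behavioral signals (request rate, navigation pattern, JavaScript execution) have to do the rest.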
Given the mix, Georgia Cooke, a research analyst within ABI Research’s digital security team, uses the terms “organic” and “inorganic” traffic instead of “fake network traffic.”
Bot traffic is real traffic as far as the network is concerned
“It’s worth saying that all network traffic is real. Traffic is traffic, and bot traffic is ‘real traffic’ in the eyes of the network,” Cooke says. “There is a lot of automation happening on the web, and bots are just a part of it. There are scripts and policies which have a life of their own. There are automated playbooks, web crawlers, and IoT devices speaking to each other. There are probably many more machine-to-machine interactions than human ones online.”
Cooke points out that research puts the amount of bot traffic somewhere between 47% and 64% of all internet traffic (noting, however, that the definition of “bot” can vary).
As such, she says, “The distinction of the sender — whether they are human or a bot — is not important to the network. It’s simply traffic to route. Is the traffic of approved or harmless scripts, policies and bots ‘fake,’ if not sent by a person? Some script-generated traffic is very popular and considered a useful addition to a site.”
She continues: “Perhaps the better approach is to consider traffic which is not relevant to a function — for example, the need for advertising companies to understand the legitimate number of potential customers on a platform – or traffic which is ‘not legitimate’ for security professionals — i.e., traffic which is in some way disingenuous and therefore a potential threat.”
The threat of fake traffic has increased with the advent of AI
Fake and inorganic traffic is not new, nor is it all problematic. However, artificial intelligence is heightening the threat and creating additional challenges for security teams beyond those presented by the growing volume of this type of traffic.
“AI has significantly impacted the landscape of fake network traffic in several ways,” Ali says, citing AI’s impact as producing enhanced sophistication, increased volume and adaptive tactics.
“AI-powered bots are more sophisticated and harder to detect. They can mimic human behavior more closely, making traditional detection methods less effective,” Ali says.
At the same time, AI has brought about increased volume, as the technology “allows for creating and deploying bots at scale, increasing the volume of fake traffic,” he says. Additionally, Ali says AI “enables bots to adapt to countermeasures, learning from the defenses they encounter and evolving to bypass them.”
All of this increases the work security teams must perform to defend their organizations, experts say, with Cooke predicting that AI “will result in a significant increase in both proliferation and success of this type of malicious traffic in the coming years.”
The security impact of fake traffic
Sales and marketing teams have long recognized the negative impacts of fake network traffic on their efforts, such as when fake network traffic falsely indicates high interest in products or social media campaigns. Such impacts remain an issue today.
However, security leaders say the increasing volume and sophistication of fake network traffic has upped the cybersecurity implications, too, which makes fake network traffic a risk not only to sales and marketing but to the organization’s cyber defense and protection efforts as well.
For example, the CHEQ report lists service outages and data exfiltration as security problems that can be caused by fake network traffic, along with “wasted advertising dollars, skewed analytics, and disrupted marketing campaigns … and ultimately lost customers.”
Those security impacts can arise in multiple ways, says Herold. For starters, fake network traffic can affect availability by generating more traffic than there is bandwidth to carry.
Herold says it also can make it harder for security teams to identify anomalies and malicious traffic, particularly as the volume increases and AI is used to make fake network traffic appear more legitimate. As Cooke explains: “Anomalous traffic detection is a key component of threat detection systems, and bot traffic can confuse or mask this if not handled appropriately.”
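The masking effect Cooke describes is easy to reproduce. The following is an added example, not code from Cooke or the article: a simple baseline anomaly detector (z-score of each minute's request count against the preceding 20 minutes) is run twice over the same constructed per-minute counts, once with the bot share included and once with it filtered out. The human load, the noisy crawler load and the 180-request burst at minute 20 are all constructed values; in practice the two series would come from web-log counts already split by a bot classification.

```python
"""Show how unfiltered bot volume hides an attack from a baseline detector.
The per-minute counts are constructed: steady human load, noisy bot load,
and one 180-request burst at minute 20 (a scanner or credential-stuffing run)."""
from statistics import mean, pstdev

HUMAN_PER_MIN = [98, 103, 101, 97, 99, 104, 100, 102, 98, 101, 99, 103,
                 100, 97, 102, 99, 101, 100, 98, 103, 99, 101, 100, 102]
BOT_PER_MIN = [410, 520, 380, 610, 450, 390, 570, 430, 480, 620, 400, 510,
               440, 590, 410, 470, 530, 420, 600, 390, 460, 550, 430, 500]
ATTACK_MINUTE, ATTACK_BURST = 20, 180


def build_series(include_bots):
    """Total requests per minute, with or without the bot share, plus the burst."""
    series = [h + (b if include_bots else 0)
              for h, b in zip(HUMAN_PER_MIN, BOT_PER_MIN)]
    series[ATTACK_MINUTE] += ATTACK_BURST
    return series


def zscore(series, minute, window):
    """Distance of one minute's count from the mean of the preceding window,
    in standard deviations of that window."""
    baseline = series[minute - window:minute]
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:  # flat baseline: any change is unusual, no change is not
        return float("inf") if series[minute] != mu else 0.0
    return (series[minute] - mu) / sigma


def detect(include_bots, window=20, threshold=3.0):
    """Return [(minute, z)] for every minute whose z-score exceeds threshold."""
    series = build_series(include_bots)
    hits = []
    for m in range(window, len(series)):
        z = zscore(series, m, window)
        if z > threshold:
            hits.append((m, round(z, 1)))
    return hits


if __name__ == "__main__":
    print("bots included:", detect(include_bots=True))    # nothing flagged
    print("bots filtered:", detect(include_bots=False))   # minute 20 flagged
```

With the bot share included, the baseline's standard deviation is roughly 80 requests per minute, so a burst of 180 lands about two standard deviations out and is never flagged; with the bots removed the same burst is tens of standard deviations out. The practical consequence is that bot traffic has to be classified and either filtered or baselined separately before anomaly detection is applied, or a bot-heavy baseline will quietly absorb real attacks.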
That, in turn, can take up more of a security team's time and attention, further stretching limited security resources. Sophisticated attackers could also use such inorganic traffic to obscure their actual attack or to distract teams from it. "It can draw attention away from what the actual target is," Herold says.
The CHEQ report summarizes the threat: “Fake traffic isn’t just a nuisance, it’s a strategic business issue.”
Countering the impact of fake network traffic
Monitoring traffic as it enters and moves through an organization’s IT environment is already a well-established cybersecurity practice, as are practices to identify and block malicious traffic. It is a challenging task further complicated by fake traffic.
“Certainly, not all scripted or machine-to-machine interaction online is malicious — not by a considerable margin. Even some undeniably ‘bot’ traffic which does disguise itself has good intent — such as the Negobot/Lolita bot project,” Cooke says. “However, plenty is. And what’s more, there are multiple forms of malice, as not all are going for the smash-and-grab of direct network exploitation.”
It’s difficult to gauge the financial impact on social media sites of these more subtle bots, she says. “Costly engagement algorithm research is undermined by bot traffic and engagement manipulation such as the buying of likes, and poor user experiences resulting from the prevalence of bots could erode a platform’s standing and usage.”
She adds: “Attempting to homogenize the bot world and the potential threat it poses is a dangerous prospect. The fact is, it is not that simple, and cyber professionals must understand the issue in the context of their own goals, and the intent of those working against them.”
Cybersecurity teams need to understand the bot ecosystem
Adding to that challenge today is the increasing volume of fake traffic and attackers' growing skill at using AI to mask the malicious nature of such traffic. Both trends demand even more attention from CISOs and their teams.
“Cyber professionals need to understand the bot ecosystem and the resulting threats in order to protect their organizations from direct network exploitation, indirect threat to the product through algorithm manipulation, and a poor user experience, and the threat of users being (increasingly successfully) targeted on their platform,” Cooke says.
“As well as [understanding] direct security threats from malicious actors, cyber professionals need to understand the impact on day-to-day issues like advertising and network management from bot profiles as a whole,” she adds.
“So cyber professionals must ensure that the problem is tackled holistically, protecting their networks, data and their users from this increasingly sophisticated threat. Measures to detect and prevent malicious bot activity must be built into new releases, and cyber professionals should act as educational evangelists for users to help them help themselves with a strong awareness of the trademarks of fake traffic and malicious profiles.”
Fighting the impact of fake traffic requires a gameplan
Herold recommends that CISOs create a game plan for addressing fake network traffic, refining existing network monitoring policies and procedures to account for the specific threats and challenges it creates for the organization.
“That should address how fake traffic is used in positive ways such as stress testing as well as identify how it can be used in malicious ways and what to do about it. It should be documented as part of the risk management plan,” Herold says. “Even though this issue has existed for a long time, it’s often not addressed separately.”
Herold also advises security teams to regularly review exceptions to the traffic flow policy; she recommends doing this at least annually or when significant changes are made, such as when implementing new technologies. And she advises removing exceptions when they are no longer required, such as when there is no longer a business need.
12 steps that can help mitigate issues with fake traffic
Herold offers 12 specific steps that can help security teams avoid traffic threats:
- Establish a traffic flow policy that applies to each managed interface to the organization’s network and full digital ecosystem.
- Implement procedures, controls and tools to monitor and control network traffic at the external managed interfaces to the system (such as firewalls and DMZs, web servers, IoT devices, and employee-owned wireless routers) and at key internal managed interfaces within the system.
- Deny all types of network traffic by default and allow specific types of network traffic by authorized exceptions and/or established authorized types of traffic.
- Implement procedures and tools to detect and prevent unauthorized exchange of network traffic with external networks.
- Connect the organization’s network to external networks or systems only through managed interfaces consisting of boundary protection devices and digital tools designed, implemented, and aligned with the organizational security and privacy architecture.
- Limit the number of external network connections to support managed monitoring of inbound and outbound communications traffic.
- Implement a managed interface (with controls such as access control and protections such as IDS/IPS) for each external telecommunication service.
- Implement subnetworks for publicly accessible system components that are physically and/or logically separated from internal organizational networks (e.g., internet access hubs for visitors/public users from within the organization, such as in hospitals, schools, etc.).
- Protect the confidentiality and integrity of data transmitted across each interface.
- Document each exception to the traffic flow policy, with a supporting mission or business need, the required mitigating controls, the duration of the exception, and so on; this should feed a centrally managed corporate security policy exception process.
- Patch or update all components of the digital ecosystem as soon as possible.
- Provide training at least once a year and following major changes to IT staff responsible for performing these activities and send them occasional awareness reminders.
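Several of these steps (deny by default, allow only by documented exception, record the business need and duration, review and remove exceptions that are no longer needed) can be enforced mechanically rather than by reading a spreadsheet. The following is an added example written for this article, not code from Herold: it takes an exception register, separates the exceptions that may be enforced from those the periodic review should act on, and renders the enforceable ones as a default-deny nftables ruleset. The register entries, ticket ids, dates and address ranges are constructed; the stress-test entry illustrates the "positive" use of fake traffic Herold mentions, which still needs an owner and an expiry. The 30-day "expiring soon" window is an assumption, not something the article specifies.

```python
"""Turn a documented exception register into a default-deny ruleset and a
review list. All register contents are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class TrafficException:
    ref: str              # exception ticket id, tracked centrally
    src: str              # source CIDR allowed in
    proto: str            # "tcp" or "udp"
    dport: int            # destination port
    business_need: str    # empty string means nothing was documented
    owner: str
    expires: date
    mitigations: tuple = ()


# Constructed register. EXC-0017 has expired; EXC-0051 has no recorded need.
REGISTER = [
    TrafficException("EXC-0042", "203.0.113.0/24", "tcp", 443,
                     "partner API ingest", "app-team", date(2025, 6, 30),
                     ("mTLS", "rate limit")),
    TrafficException("EXC-0017", "198.51.100.7/32", "tcp", 22,
                     "vendor support access", "it-ops", date(2023, 12, 31)),
    TrafficException("EXC-0051", "192.0.2.0/24", "udp", 514,
                     "", "unknown", date(2025, 12, 31)),
    TrafficException("EXC-0060", "203.0.113.10/32", "tcp", 443,
                     "load-test generator (stress testing)", "sre",
                     date(2025, 3, 31), ("source pinned", "off-peak only")),
]

SOON = timedelta(days=30)  # assumption: warn a month before expiry


def review(register, today):
    """Split the register into enforceable exceptions and review findings.
    Undocumented or expired exceptions are never enforced."""
    allowed, findings = [], []
    for e in register:
        if not e.business_need.strip():
            findings.append((e.ref, "no documented business need"))
        elif e.expires < today:
            findings.append((e.ref, f"expired {e.expires.isoformat()}; remove"))
        else:
            if e.expires - today <= SOON:
                findings.append((e.ref, f"expires {e.expires.isoformat()}; confirm need"))
            allowed.append(e)
    return allowed, findings


def render_nft(allowed):
    """Render the enforceable exceptions as an nftables input chain whose
    policy is drop, so anything not listed is denied by default."""
    lines = ["table inet filter {",
             "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    ct state established,related accept",
             '    iifname "lo" accept']
    for e in allowed:
        ipaddress.ip_network(e.src)  # reject a malformed CIDR before it ships
        if e.proto not in ("tcp", "udp"):
            raise ValueError(f"{e.ref}: unsupported protocol {e.proto}")
        lines.append(f'    ip saddr {e.src} {e.proto} dport {e.dport} accept '
                     f'comment "{e.ref} {e.business_need}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    ok, todo = review(REGISTER, date(2025, 1, 15))
    print(render_nft(ok))
    for ref, why in todo:
        print("REVIEW", ref, why)
```

Running the review on the constructed register with a date of 2025-01-15 enforces EXC-0042 and EXC-0060 only and lists EXC-0017 (expired) and EXC-0051 (no business need) for the review, which is the annual or change-triggered pass Herold recommends. The comment on each accept rule carries the ticket id, so a rule found in the live firewall without a matching register entry is itself a finding.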