Enterprise Botnet Defense
Copyright 2020, Faulkner Information Services. All Rights Reserved.
Docid: 00021158
Publication Date: 2006
Report Type: TUTORIAL
Preview
Botnets rank among today's biggest IT security threats, both in their impact across the world and the danger they pose to individual enterprises. But while security firms and law enforcement agencies attack botnets at their core command servers, individual organizations are left to fend for themselves. Fortunately for enterprises, there are tools and processes that can provide reasonable protection against botnets – if they are used wisely and vigilantly.
Report Contents:
Executive Summary
Botnets are groups of secretly infected computers connected over the Internet, working together under the command of hackers interested in theft and other malicious activity.
If just one computer in an enterprise gets infected, a bot can propagate to other clients on the network, multiplying the potential damage and making eradication of the infection difficult. A good defense strategy for an enterprise entails steps to prevent infection and steps to mitigate the effects of an infection if it occurs.
Bot infections and the damage they cause are most effectively thought of as a problem affecting both individual network clients and networks as a whole. At both levels, many of the most effective tools and techniques will be those already in place to guard against other malware. The most important of these are securing browsers, using anti-virus and intrusion detection tools, and educating users about social engineering attacks. But botnets have some unique characteristics that administrators must keep in mind if they are to effectively protect their networks.
Description
A bot is a malicious software program that secretly installs itself on a computer and then joins a large group of infected systems. The infected computers that make up a botnet can be spread across many enterprises in many countries, and their target is often a distant network to which they do not otherwise have an affiliation. Botnets enable hackers to conduct spam campaigns, launch DDoS attacks, steal personal information such as banking data, and perform a variety of other harmful operations. (It is worth noting that some botnets are designed for work that is essentially harmless.) And this list of attack goals continues to grow. The business of botnets has created, in effect, marketplace innovations, leading to the emergence of attack types including "credential stuffing, brute-force password cracking, cryptomining, and even as a ticket bot to scoop up the best seats for resale."[1] Botnet services are sold online, often on the Dark Web, making their use widespread and lucrative.[2]
Bot infections progress in stages. The best defense strategies stop bots before the first stage, which is infecting a system, but enterprises would be wise to develop defense strategies for each stage because there is no way to guarantee that an infection will not occur.
Table 1 describes each major stage of an enterprise bot infection and outlines the steps that can stop the infection's progress or mitigate its damages. (Prevention and mitigation steps are discussed in further detail in the Recommendations section below.)
| Infection Stage | Prevention and Mitigation Steps |
|---|---|
| Pre-Infection. The | Most of the steps that an organization can take to prevent bots from landing on enterprise clients in the first place are the same as those used to guard against other types of malware, such as educating users about social engineering attacks, running anti-virus software, and conducting intrusion detection scans. This is good news for network administrators who may fear needing a whole new set of tools and techniques to protect themselves. But |
| Payload Delivery. Once a The | The communication between a bot and a command and control server is most often performed over Internet Relay Chat (IRC) or Hypertext Transfer Protocol (HTTP).[3] Blocking IRC and HTTP traffic on a network can go a long way toward preventing botnets from doing serious damage to an enterprise. But |
| Post-Infection. Bots and | Efforts to identify and combat bot infections will be most effective if they are regular parts of an enterprise's security routine, not one-time projects done in response to a particular threat. In addition to anti-virus and intrusion detection scans, these efforts will include timely patching of systems and ongoing employee education covering social engineering techniques. An |
Current View
Botnets are a significant and widespread threat. Botnet command and control servers are proliferating, numbering 17,602 worldwide in 2019 compared with 10,263 in 2018.[5] Some attacks have lasted over 12 days and used "amplification" techniques to cause more damage.[6] And even moderate-sized attacks can cause hundreds of thousands of dollars in business losses.[7] This prevalence of botnets is driven by profits. One estimate determined that a network of 30,000 bots can earn $26,000 monthly for denial-of-service attacks or $18 million a month for fraud against banking sites.[8]
Finally, as is the case in other segments of the security landscape, hackers are making it easier for non-experts to become cyber criminals by selling tools and expertise that make sophisticated botnet attacks relatively simple to launch.[9]
Outlook
Botnets are an effective and versatile attack methodology, and hackers will continue to find new applications and targets for them.
New Targets
The diversifying of the types of devices connected to the Internet has given botnets more targets to attack:
- Mobile Devices – Bot infections of mobile devices are increasing, with one study finding that 5.8 percent of phones had bot malware.[10] But unlike bots infecting desktops and servers, mobile infections tend to focus on retail activity, such as cashing in an infected user's reward program points or helping a competing retailer identify the prices that other sites are charging to particular customers.
- Cloud Servers – Cloud servers have become a popular target for botnet infections. For example, one botnet that first came to the public's attention in late 2018 infects environments using Hadoop, a platform for managing groups of cloud servers.[11] And cloud hosting providers are now often infiltrated to host cloud control software.[12]
- The Internet of Things – The Internet of Things is providing yet another target for botnets. The sheer number of new devices online makes the Internet of Things a ripe target, and because many of these devices are simple, they are often not well secured.[13]
A New Goal: Cryptojacking
Today, cryptomining — the practice of using computing power to earn Bitcoins or similar assets — is a large international business. When performed on one's own computers, it is a legal and legitimate activity. But hackers are aggressively using the computers of others, a practice called "cryptojacking."
The growth of cryptojacking botnets relates directly to the greater focus on cloud servers. Cryptojacking's earning potential is directly related to the amount of processing power used, and cloud datacenters have large amounts of resources to exploit.[14] But ordinary desktop computers in enterprises are often used to mine currency too, with infections sometimes going years without detection.[15]
A New Technique: Artificial Intelligence
To make their botnets more effective and dangerous, hackers are predicted to take more advantage of artificial intelligence. "A machine does not stop, get tired, lose concentration or panic," writes security expert Matt Conran.[16] "AI-based attacks keep their cool maintaining constant momentum while under pressure from defense mechanisms."
But while AI is becoming a tool for hackers, it is also becoming a tool for IT administrators.[17] AI can be used to establish baselines of data traffic or system performance, for example, and then it can identify anomalies and trigger responses. The introduction of AI into the botnet attack-and-response battle will likely create an arms race for who has the better technology. Large organizations may be able to defend themselves against sophisticated hackers, but smaller organizations may find themselves out-gunned.
Recommendations
Understand IRC
Many botnets communicate through IRC, a technology most often used for text chatting. Enterprises that are defending against botnets can improve the effectiveness of their botnet defense efforts by understanding IRC modes, commands, and operations.
An organization can also decide to block IRC unless it has a clear business purpose, without a viable alternative. A network firewall configured to block IRC will typically be the most effective tool for this job. If an organization determines that it needs to use IRC, it may consider allowing its use on a small number of computers that are isolated on a separate network, thus guarding against widespread bot propagation across the entire network.
But it is important to remember that IRC is only the most popular method of botnet communication. Blocking IRC does not block all potential botnet activity. For example, HTTP is popular for botnet communication but is unlikely to be a candidate for blocking.
Keep an Eye Out for Bot Infections
Bots can be hard to detect. For instance, a botnet of three million dummy Twitter accounts went unnoticed for several years.[18] But there are some ways to help detect bots. In addition to running routine anti-malware and intrusion scans, spotting any of the following issues can help an organization identify a botnet infection:
- Unexpected volumes of data being uploaded to the Internet[19]
- Spikes in network traffic
- A group of network clients communicating with a particular IP address on the Internet
- A group of network clients performing DNS queries directed at a particular Internet domain name
- Network performance problems
- Network reliability problems
- Changes in network traffic patterns
- Suspicious processes running in the Windows Task Manager
- Programs set to "autoload" in the HKEY_LOCAL_MACHINE section of the Windows registry
These are not sure signs of a problem, as there are harmless causes for each that can be investigated before concluding that there is an infection. But they are worthy of a close look.
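The network indicators in the list above (clients clustering on one external IP address or domain name, IRC traffic, and unexpected upload volumes) and the baseline-then-anomaly approach described under "A New Technique: Artificial Intelligence" can all be checked with the same kind of logic. The following is an added example, not code from the Faulkner report: it runs those checks over a constructed set of connection records. The record layout, the IRC port set, the per-client upload history used as a baseline, and the "mean plus three standard deviations" threshold are all assumptions of the example; the addresses are RFC 5737 documentation ranges and the domains use the reserved `.invalid` suffix, so none of them is a real indicator of compromise.

```python
"""Flag the network-level bot indicators discussed in the report over constructed
connection records. Added example; not code from the Faulkner report."""

from collections import defaultdict
from statistics import mean, pstdev

# Assumption: the IRC ports an enterprise policy would block or alert on.
IRC_PORTS = {6667, 6697}

# Constructed sample records: (client, destination IP, destination port,
# bytes uploaded, domain the client resolved before connecting).
# Documentation addresses and .invalid domains only; nothing here is a real IoC.
SAMPLE_RECORDS = [
    ("10.0.0.11", "203.0.113.5", 6667, 4_000, "c2-rendezvous.invalid"),
    ("10.0.0.12", "203.0.113.5", 6667, 3_500, "c2-rendezvous.invalid"),
    ("10.0.0.13", "203.0.113.5", 6667, 3_800, "c2-rendezvous.invalid"),
    ("10.0.0.11", "198.51.100.20", 443, 1_200, "updates.example"),
    ("10.0.0.14", "198.51.100.20", 443, 900, "updates.example"),
    ("10.0.0.15", "198.51.100.77", 443, 700, "mail.example"),
    ("10.0.0.13", "203.0.113.5", 8080, 950_000, "c2-rendezvous.invalid"),
]

# Constructed per-client history of daily upload totals (bytes) from quiet days.
# This stands in for the baseline an analytics or AI tool would learn over time.
BASELINE_UPLOADS = {
    "10.0.0.11": [4_800, 5_100, 5_000, 5_300],
    "10.0.0.12": [3_400, 3_600, 3_500, 3_300],
    "10.0.0.13": [3_900, 4_100, 3_800, 4_000],
    "10.0.0.14": [800, 1_000, 900, 950],
    "10.0.0.15": [600, 700, 750, 650],
}


def clients_sharing_destination(records, min_clients=3):
    """Destinations contacted by at least min_clients distinct internal clients."""
    clients_by_dst = defaultdict(set)
    for client, dst_ip, _port, _bytes, _domain in records:
        clients_by_dst[dst_ip].add(client)
    return {dst: sorted(c) for dst, c in clients_by_dst.items() if len(c) >= min_clients}


def clients_sharing_domain(records, min_clients=3):
    """Domain names resolved by at least min_clients distinct internal clients."""
    clients_by_domain = defaultdict(set)
    for client, _dst, _port, _bytes, domain in records:
        clients_by_domain[domain].add(client)
    return {d: sorted(c) for d, c in clients_by_domain.items() if len(c) >= min_clients}


def irc_port_connections(records):
    """Distinct (client, destination, port) triples that used an IRC port."""
    return sorted({(c, d, p) for c, d, p, _b, _dom in records if p in IRC_PORTS})


def upload_outliers(records, baseline, z=3.0):
    """Clients whose upload total exceeds their own baseline mean + z * stdev.

    Clients with fewer than two history points are skipped: a brand-new host has
    no usable baseline and needs a different check rather than a false alarm.
    """
    totals = defaultdict(int)
    for client, _dst, _port, bytes_out, _domain in records:
        totals[client] += bytes_out
    flagged = []
    for client, total in sorted(totals.items()):
        history = baseline.get(client)
        if not history or len(history) < 2:
            continue
        threshold = mean(history) + z * pstdev(history)
        if total > threshold:
            flagged.append((client, total, round(threshold)))
    return flagged


def summarize(records, baseline):
    """Run every check and return the hits keyed by indicator name."""
    return {
        "shared_destinations": clients_sharing_destination(records),
        "shared_domains": clients_sharing_domain(records),
        "irc_connections": irc_port_connections(records),
        "upload_outliers": upload_outliers(records, baseline),
    }


if __name__ == "__main__":
    for indicator, hits in summarize(SAMPLE_RECORDS, BASELINE_UPLOADS).items():
        print(f"{indicator}: {hits}")
```

Each hit is a lead for investigation, not a verdict: in the constructed data the three clients talking to one address over port 6667, the shared domain lookup, and one host uploading far above its own baseline all point at the same destination, which is the pattern worth a close look, while the two clients sharing an update server fall below the clustering threshold and are left alone.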
Follow Core Best Practices
For enterprises, protecting against botnet-based attacks primarily involves dealing with bots that might infect their networks. Large-scale takedowns of botnets are beyond the capabilities of a typical enterprise. (For more information on such actions, which are commonly taken by law enforcement and major security agencies working together, see "Organized Botnet Takedowns" in the November 2015 Faulkner Security Management Practices.[20]) Handling bot infections is, in most respects, like dealing with other types of malware. A combination of anti-malware software, intrusion prevention systems, and frequent software patches will be the core of most enterprises' protection strategy. "[T]he majority of reported attacks are neither sophisticated nor advanced," says a 2016 report by the European Police Office. "While it is true that in some areas cybercriminals demonstrate a high degree of sophistication in the tools, tactics and processes they employ, many forms of attack work because of a lack of digital hygiene, a lack of security by design and a lack of user awareness."[21]
Another useful reference source is the 2018 report "Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats," published by the US Department of Commerce and the US Department of Homeland Security.[22] The report recommends 20 steps for defending against botnets and discusses larger goals for the overall security of the Internet and federal government.
References
- 1 Steve Winterfield. "Day in the Life of a Bot." Dark Reading. February 10, 2020.
- 2 Ibid.
- 3 Zsolt Bederna and Tamas Szadeczky. "Cyber Espionage Through Botnets." Security Journal, Vol. 33. 2020.
- 4 Tara Seals. "Unique P2P Architecture Gives DDG Botnet 'Unstoppable' Status." Threatpost. April 9, 2020.
- 5 "Spamhaus Botnet Threat Report 2019." Spamhaus Malware Labs. January 28, 2020.
- 6 Alison DeNisco Rayome. "In 2018, Q1 Saw a DDoS Attack that Lasted 12 Days, the Longest Since 2015, According to Kaspersky Lab." TechRepublic. April 27, 2018.
- 7 Brian Krebs. "Study: Attack on KrebsOnSecurity Cost IoT Device Owners $323K." KrebsOnSecurity.com. May 7, 2018.
- 8 "Inside the Business Model for Botnets." MIT Technology Review. May 14, 2018.
- 9 Fran Howarth. "Cybercrime as a Service." Security Management Practices. Faulkner Information Services. February 2019.
- 10 Curtis Franklin, Jr. "Botnets Evolving to Mobile Devices." Dark Reading. June 28, 2018.
- 11 Julia Sowells. "New Botnet that Targets Cloud Servers for DDoS Attacks." Hacker Combat. October 30, 2018.
- 12 Kelly Sheridan. "AWS, Google Cloud Popular Home for Botnet Controllers." Dark Reading. January 1, 2018.
- 13 "Into the Battlefield: A Security Guide to IoT Botnets." Trend Micro. December 19, 2019.
- 14 Tara Seals. "Troy Mursch on Top Botnet Trends." Threatpost. December 21, 2018.
- 15 Danny Palmer. "This New Cryptojacking Malware Uses a Sneaky Trick to Remain Hidden." ZDNet. August 14, 2019.
- 16 Matt Conran. "The Rise of Artificial Intelligence DDoS Attacks." Network World. July 11, 2018.
- 17 Mark Stone. "Fight Fire with Fire: How AI Plays a Role in Both Stopping and Committing DDoS Attacks." SecurityIntelligence. June 21, 2018.
- 18 "Botnet of 3 Million Twitter Accounts Remains Undetected for Years." SecurityWeek. June 23, 2016.
- 19 Daniel Humphries. "How to Prevent a Zombie Apocalypse: Five Deadly Cyberthreats Explained." Intelligent Defense. July 17, 2014.
- 20 Geoff Keston. "Organized Botnet Takedowns." Security Management Practices. Faulkner Information Services. November 2015.
- 21 "IOCTA 2016: Internet Organised Crime Threat Assessment." Europol. 2016.
- 22 "US Departments of Commerce, Homeland Security Release Report to President on Promoting Action Against Botnets and Other Automated Threats." National Telecommunications and Information Administration. May 30, 2018.
Web Links
Europol: https://www.europol.europa.eu/
About the Author
Geoff Keston is the author of more than 250 articles that help organizations find opportunities in business trends and technology. He also works directly with clients to develop communications strategies that improve processes and customer relationships. Mr. Keston has worked as a project manager for a major technology consulting and services company and is a Microsoft Certified Systems Engineer and a Certified Novell Administrator.