Maksim Kabakou - Fotolia
Security Think Tank: Smart botnets resist attempts to cut comms
As attackers begin to use multiple command and control systems to communicate with backdoors and other malware, how can organisations ensure that they detect such methods and that all C&C systems are removed, including "sleepers" designed to be activated at a future date
When it comes to all kinds of cyber defence, it is always less expensive to prevent attacks and infections than to deal with them once they are in place.
This is especially true in the case of botnets. What is a botnet? A botnet is an army of mini-programs; malicious software designed to infiltrate large numbers of digital devices and then use them for any number of tactics.
For example, botnets can be instructed to steal data or launch huge distributed denial of service (DDoS) attacks and all while simultaneously stealing the electricity and computing power to do it.
Most organisations aim to have at least some cyber security in place. These fundamentals can include Items such as implementing the most effective choice of anti-malware, configuring digital devices and software with as much hardened security as practical and ensuring that security patches are always applied swiftly.
However, even when an organisation invests in implementing cyber security essentials, it is still no guarantee of a fully bot-free environment.
As shown in all of the major breaches that hit the headlines, hackers are very keen on remaining unnoticed for as long as possible. The dwell time is the term given to the duration between the initial intrusion and the point of discovery.
In many cases, Yahoo, Starwood and other mega breaches included, you might have noticed that the dwell time was measured not in hours, days, weeks or even months – it was years between the initial intrusion and eventual discovery.
Determined hackers design their bots to be as stealthy as possible, to hide as best as they can and to communicate as efficiently and discreetly as possible.
When researchers find new botnet armies, they often do it by accident and say things like, “We stumbled across this data anomaly”, eventually tracing the cause back to a new botnet force.
Although botnet communications may try to hide, the thing about bots is that they generally need to communicate to work. These botnets used to work through command and control servers. That meant that disconnecting communications between bots and their botnet command and control servers was enough to “decapitate” the bot and render it unable to steal anything or accept new commands.
However, newer botnets are smarter. They still need to communicate, but now many of them can spawn dynamic, peer-to-peer networks.
Bots do still need instructions to work and they also need destinations to send anything they steal. Identify and block those communication routes and your bots will cease to offer their bot master any value.
The challenge is that not all organisations use or install the technologies that can detect and block bots.
For the few organisations that do have the budget and motivation to ramp up their anti-bot defences, there is plenty that can be done.
It starts with ramping up the security that prevents initial infection and locking down unnecessary trust permissions. Prevention is still better than detection and the expenses involved in containing and resolving the threat. There is a huge difference in the efficacy of many security products and sadly, many of those with the highest marketing budget are far from the most effective.
There are also great, real-time security technologies that can detect, alert or block botnet activity in real-time. These operate by continually analysing network traffic and local system logs.
If your organisation does not have the budget for real-time monitoring, then it is still worth inspecting devices and checking for any suspicious processes that seem to be taking up a lot of memory – especially if any users are reporting their device has slowed down. That can be an indicator of compromise, but only when the botnet is awake and active.
And if you are wondering just how much of a threat botnets are, just think about this: most of our attention as cyber security professionals is on the botnets we can detect and eliminate from our own environments, but the internet of things and sub-standard security present in many devices means the internet is riddled with enough botnets to effectively stop the internet from working.
The only thing stopping that from happening at present is that it would harm rather than profit the hackers. After all, 2019 might just be the year when the proceeds from cyber crime reaches a trillion dollars.
Read more from Computer Weekly’s Security Think Tank about malware comms
- Combine tech, process and people to block malware comms.
- Basic steps to countering malware comms.
- Situational awareness underpins effective security.
- How to tool up to catch evasive malware comms.
- Three steps to detect malware comms.
- Firms neglect DNS security at their peril.
- Severing C&C comms key, but complex.
- Prevention and detection key to disrupting malware comms.