If you’re one of our regular readers, you may have grown accustomed to our article series that address today’s most common cyber threats targeting organizations. In today’s blog post, I’m going to take a look at how a botnet attack affects your business and also offer you a protection guide against it.
What is a botnet attack?
A botnet is a group of infected machines coordinated through a command and control server. Simply put, botnets are networks of machines used to attack other machines. As the collection of bots grows, a large amount of computing and storage power becomes available for malicious actors to use. And when bot malware is running on an endpoint, it has as much access to the resources of the machine as its user does.
Some botnets also act as droppers and plant a secondary payload (for example, they are able to initiate ransomware payloads later on).
Botnets and stealth oftentimes go hand in hand. It will always be in a malicious hacker’s interest that the victim isn’t aware of the infection so that the botnet stays available for the longest time possible.
How do botnets spread?
A botnet’s propagation strategy essentially determines how it grows, building up the base of bots that will later be put to use. Once an attacker has compromised a machine on a network, there is a possibility that all vulnerable computers on that network become infected.
And more recent technologies, such as the IoT, have some unique vulnerabilities that make them desirable targets.
IoT networks are becoming an important part of our digital world. Their sensor networks differ from conventional networks in that sensor devices are low-powered and sometimes even battery-driven. These power constraints leave the devices with limited processing capability, which often translates into poor cybersecurity. Oftentimes, IoT devices also can’t be remotely patched and are therefore left vulnerable.
Mirai, one of the biggest DDoS botnets ever seen
Through major distributed denial of service (DDoS) attacks back in 2016, Mirai disrupted many high-profile websites such as OVH, Dyn and Krebs on Security. According to OVH, these attacks exceeded 1 Tbps, the largest on public record. What’s more, as reported by Bleeping Computer in March 2019, a new Mirai variant with 27 exploits targeting enterprise devices had been spotted. This time, apart from its usual targets (routers, network video cameras and wireless controllers), this particular Mirai version, identified during January 2019, was also scanning for and exploiting LG Supersign TVs and WePresent WiPG-1000 wireless presentation systems found in enterprise environments.
Back in the present day, the Mirai IoT botnet remains active and still represents one of the biggest threats to IoT.
How do botnets spread?
Botnets are capable of spreading in both active and passive ways.
In order to spread passively, botnets require some form of user intervention. For example, some websites that run JavaScript can become infected and then pass the malware on to their visitors. Botnets can also be spread through social engineering campaigns.
Actively, botnets spread without the need for user intervention. In this case, a botnet has an inherent mechanism to find other hosts on the Internet to infect. For instance, they scan for hosts that have known vulnerabilities that can be exploited.
Why is it so difficult to stop botnets?
Throughout the years, fighting and preventing botnets has proven to be a never-ending task. In short, the main reason seems to be the lack of communication between the cybersecurity industry and the government, as pointed out by a joint report issued by the U.S. Department of Homeland Security and the Department of Commerce. Here is what the report highlights:
- Botnet attacks are a global problem, which means that increased collaboration between international entities is badly needed.
- Prevention tools are neglected. Even though tools that can prevent a botnet attack are available, most organizations and individual users are not aware of them, want to keep their costs as low as possible, are not being given any market incentives to deploy them, or don’t have sufficient technical expertise.
- Not all products are secured during every single stage of their lifecycle. A lot of devices are left vulnerable for various reasons: they are not patched, they are still in use even though vendors no longer support them, or they are even released on the market with known vulnerabilities.
- Users are lacking education. Unfortunately, both employees and home users sometimes have insufficient knowledge of how to prevent botnets. This is why cybersecurity awareness training should be mandatory for everyone.
- Market incentives are not effectively aligned. At this time, market incentives are not properly aligned to reduce threats. And “product developers, manufacturers, and vendors are motivated to minimize cost and time to market, rather than to build in security or offer efficient security updates”, the report suggests.
- Botnet attacks are part of an entire ecosystem. As noted by the paper, “No single stakeholder community can address the problem in isolation”.
How to protect your organization against botnets and spot attacks in time
Once a botnet becomes part of your organization, it can result in a DDoS attack, which will take your company’s website down. At the same time, botnet attacks can capture entire email threads in spam campaigns for later reuse and, of course, increased spam activity will slow down your network.
So, how can you stop a botnet attack from infecting your organization? In a nutshell, the most effective approach will always come in layers. Below are the main ones you should consider:
#1. Use a firewall
Your firewall is your first layer of defense and the most basic cybersecurity tool you can use. However, even though it’s a must-have, it won’t be able to stop a botnet attack on its own. This is why you need to keep adding other protection layers as well.
#2. Update your software and systems to the latest version
Software and systems that lack the latest updates and patches make it easy for cybercriminals to infiltrate your organization. One of my colleagues has written an extensive piece on software patching, so I encourage you to check it out here.
#3. Get protection that works at DNS-level
For example, Heimdal™ Threat Prevention stops threats at the DNS and HTTP/HTTPS level and blocks requests to C&C servers. It also features an automated patch management tool to help you keep up with your patching.
Heimdal® DNS Security Solution
- Machine learning powered scans for all incoming online traffic;
- Stops data breaches before sensitive info can be exposed to the outside;
- Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
- Protection against data leakage, APTs, ransomware and exploits;
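As an added example (not Heimdal’s code and not part of the original post), here is a small Python pass over a constructed resolver log that does two of the things a DNS-level layer is meant to do: catch queries to names on a C&C blocklist, and flag hosts that check in with one name at near-constant intervals, which is how a bot keeps in touch with its command and control server even before that name reaches any blocklist. The log format, the placeholder names and the jitter threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed resolver log (hypothetical "<timestamp> <client> <name>" format): 10.0.0.7 plays an
# infected host (one fetch from a blocklisted name, then minute-ish check-ins); 10.0.0.12 browses.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.7 beacon-node.invalid
2024-03-01T10:00:03 10.0.0.12 www.example.com
2024-03-01T10:00:20 10.0.0.7 known-cc.invalid
2024-03-01T10:01:02 10.0.0.7 beacon-node.invalid
2024-03-01T10:01:59 10.0.0.7 beacon-node.invalid
2024-03-01T10:02:41 10.0.0.12 www.example.com
2024-03-01T10:03:01 10.0.0.7 beacon-node.invalid
2024-03-01T10:04:00 10.0.0.7 beacon-node.invalid
2024-03-01T10:05:10 10.0.0.12 www.example.com
2024-03-01T10:12:30 10.0.0.12 www.example.com
"""
# Constructed blocklist of known C&C names (placeholders, not real indicators).
CC_BLOCKLIST = {"known-cc.invalid"}


def parse_log(text):
    """Yield (timestamp, client, name) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2].lower().rstrip(".")


def blocklist_hits(text, blocklist=CC_BLOCKLIST):
    """Layer 1: direct matches against known C&C names (what a DNS filter blocks)."""
    return sorted({(c, n) for _, c, n in parse_log(text) if n in blocklist})


def beaconing_hosts(text, min_queries=4, max_jitter=0.2):
    """Layer 2: (client, name) pairs queried at near-constant intervals, the typical
    check-in pattern of a bot even before its C&C name reaches a blocklist."""
    seen = defaultdict(list)
    for ts, client, name in parse_log(text):
        seen[(client, name)].append(ts)
    flagged = {}  # (client, name) -> mean interval in seconds
    for key, stamps in seen.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # coefficient of variation: small jitter relative to the interval => beacon-like
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[key] = avg
    return flagged
```

On the sample log the blocklist catches the single fetch from known-cc.invalid, while the interval check is what exposes the check-ins to beacon-node.invalid; the ordinary browsing host is not flagged because its query gaps vary too much.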
#4. Manage admin rights in your organization
Not granting everyone in your organization admin rights not only reduces the risk of insider threats, but also leads to better security against external threats. If you would like to learn more about why removing admin rights closes vulnerabilities in your organization, make sure to read this article.
Heimdal® Privileged Access Management
- Automate the elevation of admin rights on request;
- Approve or reject escalations with one click;
- Provide a full audit trail into user behavior;
- Automatically de-escalate on infection;
#5. Train your employees
I can’t stress this enough – cybersecurity awareness training will always be one of your most important protection layers.
Conclusion
Prevention tools are certainly your most important weapon, regardless of whether you are a home user or an organization. Here at Heimdal Security, we continuously develop solutions focused on both threat prevention and detection and deliver cybersecurity solutions for companies, with packages customized for every need. Get in touch today for a free consultation at sales.inquiries@heimdalsecurity.com.