By Harish Chib, vice president, Middle East & Africa, Sophos
Botnets are large volumes of distributed networked computers and devices that have been taken over by a cybercriminal. Botnets, also referred to as bots, are usually taken over by malicious software to enable remote control by a threat actor. They are set up and developed by a hacker to provide a powerful and dark, cloud computing network to conduct cyberattacks of a criminal nature.
The growth in mobile and network devices has created large scale social and productivity benefits for us. We can now remotely access computers, security systems, cameras, appliances, and a growing list of devices, interconnected with cloud. Collectively this is referred to as the Internet of Things or IoT.
A worrying aspect of the growth of Internet-connected devices is the absence of basic security precautions. Most end users rarely change factory defaults, which can be exploited by hackers to take control of the devices. Another door for cybercriminals to take control of connected devices is called the back-door entry. This is a manufacturer’s access to the device through an undisclosed connection, used for remote testing and updates.
This large distributed, network of computers, under the control of threat actors, represents an aggregation of computing power that can be used for a devastating effect.
Inside the network
Malicious software designed to exploit IoT devices are usually not sophisticated. They operate by scanning network ports, looking for access opportunities, and gaining access through default credentials, or brute-force hacking to gain access. This software is much easier to defend against, as it merely requires configuring the network firewall protection devices.
Similar to other malware, botnets can enter an organization through multiple points of entry. This includes email attachments, hacked web sites, connected sensors and other IoT devices, and USB sticks.
Once a malicious software has entered an organization, it will call home – the hackers command and control server – to register its success in gaining entry and to request further instructions. It may be told to lie low and wait, or be instructed to move laterally on the network to infect other devices, or to participate in an attack. This attempt by the malicious software to call-home represents an opportunity to detect infected systems on the network that are becoming part of a botnet.
Once an attack has got underway, the attack itself can be difficult to detect. From a network traffic point of view, the device will simply be sending emails out as spam, transferring data or mining bitcoins, or performing DNS lookups and a variety of other requests, usually seen in large scale attacks. In isolation, none of these types of activities are noteworthy.
Building protection
The most important ingredient for effective protection from botnets is the organization’s network firewall. The following can help to get best protection from the firewall.
- Advanced Threat Protection can identify botnets already operating on the network. Ensure the firewall has malicious traffic detection, botnet detection, and command and control, call-home traffic detection.
- Intrusion prevention can detect hackers attempting to penetrate and take over the network. Ensure the firewall has next-gen intrusion prevention system that is capable of identifying attack patterns inside the network.
- Sandboxing can pick up the latest malicious software before it reaches the organization’s computers. Ensure the organization firewall offers advanced sandboxing that can identify suspicious web or email files and activate them in a safe environment.
- Effective web and email protection can prevent malware from getting onto the network. Ensure the firewall has behavioral-based web protection that can simulate JavaScript code in web content to determine behavior before it reaches the browser.
- Ensure the firewall has top-shelf anti-spam and antivirus technology to detect malware in email attachments.
- Web Application Firewall can protect servers, devices, and business applications from being hacked. Ensure the firewall offers WAF protection for any system that requires remote access.
Best-practices
- Change the password for all your network devices to a unique complex password, and use a password manager if necessary.
- Minimize use of IoT devices and update all essential connected devices. Also disconnect unnecessary devices from the network and upgrade older devices to newer models.
- Avoid using IoT devices that require ports to opened in the network firewall or router to provide remote access. Instead, use cloud-based devices that connect only to the cloud provider’s servers and do not offer direct remote access.
- Do not enable UPnP on your firewall or router. This protocol enables devices to open ports on the firewall on demand without your knowledge increasing the surface area of attack.
- Use secure VPN technologies to manage your connected devices remotely.
Botnets have a massive slowdown effect on the global Internet traffic. They can also have a devastating impact on an organization, if the objective of the attack is to steal sensitive information. Even if the botnet operating on the organization’s network is not after its data, it could be using devices and network resources to cause devastating harm to another organization.
Do not let your network become part of the next global botnet attack.
