Just in time for the Halloween season, we have a story of stolen property, stealthy takeovers, and mass destruction. The cause of this mayhem? A menace, which combines the power of big data with the speed of automation and downright creepiness of sophisticated, remote control.
Sound sinister? It should, because the menace is a botnet, and no one’s IT ops are entirely safe from attack.
Botnets: IT marauders, bully-boys, and sneaks
IT security professionals are catching up with hackers and cybercriminals, but the bad guys still have the advantage because:
- Users continue to secure legacy hardware poorly or not at all, which makes it easy for hackers and cybercriminals to tamper with their IT infrastructures. For example, IoT devices and other hardware appliances often provide easy access to an IT system.
Some of these devices provide only simple security such as out-of-the-box passwords. Many others are poorly configured without thought of the multi-layered tactics that effective cyber-attack defenses require.
- Attack tools are easy to find and use. It takes surprisingly little time, money, and expertise to mount a cyber-attack.
Distributed denial of services (DDoS) attacks get the most media attention. However, you can rent the required hacking skills or access to malware to launch a wide variety of exploits. Just find a shady malware-for-hire operation online (please don’t). It’s surprisingly cheap and requires no IT experience.
- Cybercriminals are using botnets in increasingly sophisticated ways. The security research community has recognized criminals’ ability to take the botnet to new and more dangerous levels.
Hajime and Reaper, successors to the infamous Mirai botnet, use automatic functions and a set of sophisticated cyber tools. Hajime, for example, supports five different platforms, includes a toolkit with automated tasks, and uses a dynamic password list that can be updated remotely. Reaper’s capabilities include easily updatable code and exploits that search for nine different known vulnerabilities found in a wide variety of IoT devices.
So, as botnets become more powerful and versatile, it might be a good time to review what enables them to do so much damage.
Botnets change the IT attack landscape
The basic concepts of botnets include power, control, and efficiency – the ability to do lots of damage to many network endpoints in a short period. It’s these capabilities and the increasing sophistication of botnet-based attacks that are changing IT security practices.
A flexible and potent weapon
What comes to mind when you hear the term “botnet”? If you’re like most folks, you think of malicious hacking, lurid media headlines, and tales of powerful DDoS attacks. Unfortunately, there’s more to botnets than media coverage would suggest.
A botnet is a group of computers, Internet-connected smartphones, or IoT devices whose security has been breached and which are now controlled by a third party. The disturbing aspects of botnet attacks include the takeover of resources (usually by remote control) and the sophistication of what happens during the attack.
Modern botnets include these features and capabilities:
- Peer-to-peer operation. Although client-server attack methods exist, modern botnets seek and infect targets directly rather than via a server.
- An executable file. Bots infect each target directly by downloading malware onto the computer, smartphone, or IoT device.
- Automated, high-volume attacks. An abundance of network endpoints and the ability to write and automate small but harmful scripts multiply a bot attack’s damage. After infecting target devices, botnets can find and modify personal information, attack other computers, and commit other crimes. More complex, autonomous bots can continue to carry out seek-and-infect missions.
- Remote control via a bot herder. A person directs attack functions remotely, often with a sophisticated toolkit that includes changing lists of passwords and downloadable malware.
The power and flexibility of these capabilities enable attackers to deliver a wide variety of cyber-attacks.
Variations on the themes of theft and destruction
The ability of bots to monitor system traffic and log individual keystrokes on infected systems enables botnets to retrieve usernames, passwords, and other sensitive information. These and the capabilities mentioned previously are useful in a wide variety of exploits, which include:
- DDoS attacks. In these exploits, an attacker engulfs a system with data or service requests. The result: loss of network connectivity and services. DDoS attack targets can include web servers, internet-enabled devices, or internet services.
- Spamming and phishing. Think of thousands of bots, equipped with versatile tools, automated functions, and remote control by an unfriendly operator. Think of the damage that a massive bulk email (spam) attack can do when bots harvest stored email addresses. Or, add a bit of deception to the spam, and you get a phishing attack, a common doorway into IT systems.
- Spreading malware. In most cases, attackers use botnets to create new bots by downloading and executing infected files. This type of attack is a very efficient way to spread an email virus, for example. A botnet with 10,000 hosts, each of which acts as the starting point for a fast-spreading email virus, can deliver a massive, fast-growing malware attack.
- Mass identity theft. Attackers can combine bot capabilities to commit large-scale identity theft exploits. The same bots that carry out phishing expeditions can also host multiple fake websites and harvest personal information. Keylogging and data sniffing can also help to steal personal identity data or healthcare information.
Botnet power and versatility create more dangerous attacks
Botnets can deliver a wide variety of high-volume, malware-driven assaults to servers and Internet-connected devices. The power and scope of these attacks make it easier than ever for hackers and cyber-criminals to harm internet systems and services.
Although security teams are learning to fight botnet attacks, success requires a significant change of view: inside-out security. Traditional security strategy concentrates on preventing breaches at the outer edges of a network. Firewalls and security appliances alone can’t protect networks from botnet attacks. That’s because these attacks are more sophisticated, and internet-connected devices offer many alternative entry points.
Now, IT organizations are finding that starting from the inside with rapid detection and response is a must when a botnet attack occurs.
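One concrete form of the inside-out detection described above, added here as an example that is not part of the original post: the remotely updated password lists that Hajime-style bots use against IoT devices leave a distinctive trace in device logs, with one source trying many usernames against many devices in a short window. The script below parses constructed sample syslog lines (hostnames, addresses, and timestamps are invented) and flags sources whose failed-login pattern looks like an automated credential sweep rather than a single user mistyping a password.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (not real logs): one source walks a short
# username/password list across several IoT devices; another is a single mistyped login.
SAMPLE_LOG = """\
2017-10-30T02:00:01 cam-01 sshd: Failed password for root from 10.0.5.17 port 51022
2017-10-30T02:00:02 cam-01 sshd: Failed password for admin from 10.0.5.17 port 51023
2017-10-30T02:00:03 cam-02 sshd: Failed password for root from 10.0.5.17 port 51030
2017-10-30T02:00:04 dvr-01 sshd: Failed password for support from 10.0.5.17 port 51041
2017-10-30T02:00:05 cam-03 sshd: Failed password for user from 10.0.5.17 port 51050
2017-10-30T02:14:00 nas-01 sshd: Failed password for alice from 10.0.9.3 port 40000
2017-10-30T02:14:30 nas-01 sshd: Failed password for alice from 10.0.9.3 port 40001
"""

LINE_RE = re.compile(r"^(\S+) (\S+) \S+: Failed password for (\S+) from (\S+) port \d+$")

def parse(log_text):
    """Return (timestamp, device, username, source_ip) for each failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, device, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), device, user, src))
    return events

def find_sweep_sources(events, window_seconds=60, min_devices=3, min_users=3):
    """Flag sources trying >= min_users distinct usernames against >= min_devices
    devices inside one window: a password-list sweep, not one user mistyping."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward so it spans at most window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            devices = {e[1] for e in evs[start:end + 1]}
            users = {e[2] for e in evs[start:end + 1]}
            if len(devices) >= min_devices and len(users) >= min_users:
                flagged[src] = {"devices": sorted(devices), "users": sorted(users)}
                break
    return flagged
```

Running `find_sweep_sources(parse(SAMPLE_LOG))` flags only 10.0.5.17; the repeated failures from 10.0.9.3 against one device with one username stay below the thresholds.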