What is a Botnet?
Botnets are networks of devices with data-processing capability that are controlled by malicious individuals or groups to carry out unwanted or cybercriminal activities. A typical botnet comprises thousands of compromised devices, which carry out malicious actions without their owners' knowledge.
Botnets are not a new threat to information security, but the emergence of new connected devices (the Internet of Things) opens up new possibilities for botnet expansion to cybercrime.
Several malicious actions can be promoted by botnets, from unwanted activities to serious threats:
- To distribute PUAs – adware, spyware and spam;
- To distribute malware – viruses, trojans, worms, ransomware etc.;
- To infiltrate systems to steal data and privileges;
- To promote denial-of-service attacks – DoS and DDoS;
- To mine cryptocurrency – such as Bitcoin, Monero, Ethereum etc.
The reason cybercriminals use botnets is simple: tracing the devices responsible for an attack is much harder, and even when tracing succeeds, the owner is unaware that their device was being exploited by a criminal network.
How to put up defenses against botnets?
The best defense in most information security scenarios is a multilayer approach, and botnets are no exception.
Since the malicious activities of these networks can be diverse, it is important to adopt cybersecurity controls with complementary capabilities. Botnets are complex networks, and no single security product addresses every type of attack at once.
Adopting Unified Threat Management (UTM), for example, can be an efficient alternative, since it unifies different cybersecurity technologies in one product; that is to say, even in this case, the layered-defense approach is what is being applied.
An important tip: the activities carried out by botnets consume bandwidth, degrade network performance and drain information from infected systems to the servers that command the malicious actions. These traces should be investigated to determine whether one or more devices on your network are infected with a bot.
Cybersecurity technology is indispensable for detecting botnet activity. An intrusion prevention system can monitor network traffic for suspicious activity, including command-and-control server traffic. In addition, advanced threat protection platforms can be great allies of the security team in identifying malware traffic and blocking unknown threats such as zero-day exploits.
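As an added illustration of the command-and-control traces described above (example code, not from the original article), the following Python script scores outbound connections for beaconing, the regular call-home pattern that an intrusion prevention system looks for. The log format, the IP addresses and the thresholds are constructed for this example.

```python
import re
import statistics
from collections import defaultdict

# Constructed outbound-connection log: "<epoch> <src_ip> <dst_ip>:<port> <bytes_out>".
# Addresses come from documentation ranges; nothing here is a real indicator.
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.7:443 512
1700000060 10.0.0.5 203.0.113.7:443 520
1700000120 10.0.0.5 203.0.113.7:443 498
1700000178 10.0.0.5 203.0.113.7:443 515
1700000240 10.0.0.5 203.0.113.7:443 505
1700000300 10.0.0.5 203.0.113.7:443 511
1700000010 10.0.0.9 198.51.100.2:443 2048
1700000397 10.0.0.9 198.51.100.2:443 91000
1700000910 10.0.0.9 198.51.100.2:443 3300
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+):(\d+) (\d+)$")

def parse_connections(text):
    """Group (timestamp, bytes_out) pairs per (src, dst:port) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts, src, dst, port, nbytes = m.groups()
        flows[(src, f"{dst}:{port}")].append((int(ts), int(nbytes)))
    return flows

def find_beacons(flows, min_conns=5, max_jitter=0.2):
    """Flag flows whose gaps between connections are nearly constant (jitter = stdev/mean)."""
    hits = []
    for (src, dst), events in flows.items():
        if len(events) < min_conns:
            continue  # too few connections to judge periodicity
        times = sorted(t for t, _ in events)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # all connections at the same instant; not a beacon pattern
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "connections": len(events),
                         "period_s": round(mean), "jitter": round(jitter, 3)})
    return hits

if __name__ == "__main__":
    print(find_beacons(parse_connections(SAMPLE_LOG)))
```

The host 10.0.0.5 is reported with a roughly 60-second period and near-zero jitter, while the irregular 10.0.0.9 flow is not; in practice the thresholds are tuned against the baseline of the monitored network.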
Another important tip is to keep whitelist signatures up to date on all security products, as they define which applications or code are pre-approved, helping to prevent the installation of unauthorized software such as a botnet client.
A vulnerability management platform can be equally relevant, mapping weaknesses in systems that botnets could exploit (for example, such products can identify outdated systems or backdoors).
It is worth noting that the techniques botnets use to compromise new systems are the same ones used by malware, viruses, social engineering scams etc. Therefore, the techniques already used to protect networks and devices, when well adopted, will be instrumental in preventing this type of threat: anti-phishing systems on e-mail servers, or application control and content filters that help prevent users from visiting suspicious websites, for example.