How to Defend your Organization Against Botnet Attacks

by bryley 25. June 2010 00:50


The botnet is perhaps the most contagious threat facing organizations today. A botnet takes over the resources of millions of computers, launches targeted attacks, steals information, and generally wreaks havoc on individual desktops as well as on entire networks.

What is a botnet?

A botnet is a collection of software agents, or robots, that run autonomously and automatically. In the malicious sense, a botnet is typically a collection of compromised computers, called zombie computers, running malicious software. Your computer could either become another bot in the botnet (a zombie computer) or simply be attacked by the botnet.

A computer becomes part of a botnet when the user installs software created by the bot herder (the bot's creator) that turns the computer into a bot or zombie. Once a computer joins the botnet, it is typically first instructed by the bot herder to search for and recruit other vulnerable hosts, which spells disaster for your company's network.

What are the biggest botnet threats?

Distributed Denial of Service (DDoS) Attacks

A botnet may launch what is called a distributed denial of service (DDoS) attack: a large-scale, coordinated attack aimed at bringing down a high-profile site or service (think Google or a bank site) by flooding the connection bandwidth or system resources of the target.

A very famous and recent example of a DDoS attack is Operation Aurora. This DDoS attack targeted Google and at least 20 other companies through a vulnerability in Microsoft Internet Explorer and was detected by McAfee on January 14, 2010. Microsoft has since issued a security bulletin and patch.

Spyware and Malware

Bots monitor and report a user's Internet activity for profit, without the user's knowledge or consent. They may also install additional software to gather keystroke data and harvest system vulnerability information for sale to third parties.

Identity Theft

Botnets are often deployed to steal personal information such as financial data or passwords.

Adware

Bots can automatically download, install, and display popup ads based on previous surfing habits, or they can force the user's browser to periodically visit particular sites.

E-Mail Spam

Most spam is sent by bots; roughly 80 percent of all spam comes from zombies.

Phishing

Botnets hijack vulnerable servers to host phishing sites: sites that impersonate legitimate sites such as PayPal or a banking site in a ploy to steal passwords and personal information.

How do I protect myself?

Traditional packet filtering and port-based or signature-based techniques will not, by themselves, relieve your organization of botnet attacks, because botnets can change their exploit code and control channel, port-hop, or shift to a new zombie host far too quickly for static rules to keep up.

There are many botnet detection tools on the market today. Many of them analyze traffic flow data reported by routers, such as Cisco NetFlow. Others use behavioral or anomaly-monitoring techniques: they build a baseline of the network under "normal" conditions and use it to flag abnormal traffic patterns that might indicate a botnet. DNS log analysis is another detection technique, since botnets often rely on free DNS hosting services and bot code often contains hard-coded references to a DNS server; DNS log analysis tools can spot the resulting lookups in the logs and alert you and the DNS server administrator to the presence of a botnet. One final tool in the fight against botnet attacks is the honeypot, a trap that imitates a legitimate network or service so as to lure in and detect malicious attacks and intrusions.
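The baselining and DNS log analysis ideas above, as an added example that is not part of the original post or any vendor product: it builds a baseline from constructed resolver log lines (format "<epoch> <client_ip> <qname>", an assumed simplification), then flags new domains that several hosts look up together and hosts whose query volume exceeds the baseline. The thresholds and log format are assumptions for the demo.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed baseline: a day of ordinary lookups from four workstations,
# in the simplified (assumed) log format "<epoch> <client_ip> <qname>".
BASELINE_LOG = [
    "1000 10.0.0.11 mail.example.com", "1010 10.0.0.12 mail.example.com",
    "1020 10.0.0.13 www.example.com",  "1030 10.0.0.11 www.example.com",
    "1040 10.0.0.14 crm.example.com",  "1050 10.0.0.12 crm.example.com",
    "1060 10.0.0.13 mail.example.com", "1070 10.0.0.11 crm.example.com",
]
# Constructed monitoring window: three hosts resolve a never-before-seen name
# at a free DNS host within seconds of each other (a rendezvous pattern), and
# 10.0.0.13 issues far more queries than any host did during the baseline.
MONITOR_LOG = [
    "2000 10.0.0.11 mail.example.com",
    "2001 10.0.0.11 node7.freedns.example.net",
    "2002 10.0.0.12 node7.freedns.example.net",
    "2003 10.0.0.14 node7.freedns.example.net",
] + [f"{2010 + i} 10.0.0.13 host{i}.example.org" for i in range(12)]

def parse(lines):
    """Yield (client, qname) from log lines, skipping malformed ones."""
    for line in lines:
        parts = line.split()
        if len(parts) == 3:
            yield parts[1], parts[2].lower().rstrip(".")

def build_baseline(lines):
    """Return (domains seen, mean and stdev of per-client query counts)."""
    known, per_client = set(), Counter()
    for client, qname in parse(lines):
        known.add(qname)
        per_client[client] += 1
    counts = list(per_client.values()) or [0]
    return known, mean(counts), pstdev(counts)

def detect(baseline_lines, monitor_lines, min_clients=3, sigma=3.0):
    """Flag (a) domains absent from the baseline but looked up by at least
    min_clients distinct hosts, and (b) hosts whose query volume exceeds
    baseline mean + sigma * stdev. Thresholds are assumptions for the demo."""
    known, mu, sd = build_baseline(baseline_lines)
    clients_per_domain, per_client = defaultdict(set), Counter()
    for client, qname in parse(monitor_lines):
        per_client[client] += 1
        if qname not in known:
            clients_per_domain[qname].add(client)
    rendezvous = sorted(d for d, c in clients_per_domain.items()
                        if len(c) >= min_clients)
    noisy = sorted(h for h, n in per_client.items() if n > mu + sigma * sd)
    return {"rendezvous_domains": rendezvous, "noisy_hosts": noisy}
```

Calling `detect(BASELINE_LOG, MONITOR_LOG)` flags the shared new domain and the chatty host; a real deployment would feed it the resolver's own query log and tune the thresholds against a longer baseline.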

Conclusion

Your organization needs to protect its network from these targeted botnet attacks, and that means everything from server to endpoint. Botnets try to locate vulnerable servers to turn them into malware servers and vulnerable desktops to turn them into zombie computers. What you really want to do is take preventive measures to avoid infection in the first place. Firewalls, intrusion prevention systems (IPSes), intrusion detection systems (IDSes), and threat detection technologies are all recommended. Another preventive measure is to ensure that no unauthorized changes can be made to applications on desktops or servers in your network. Also, watch for any suspicious device behavior, and track network user behavior as well. If your network does become infected, you must isolate and clean the infected machines to stop the botnet from spreading.

Another thing to lock down is all of your personal information. Bot herders are looking to steal data that will aid them in identity theft. If you need any help with protecting your electronic files, give Bryley a call today. Our Three-Part Program guarantees the complete safety of your online data. Remember that to truly protect your organization from botnet attacks you must develop and deploy a solution consisting of a suite of appropriate products and services geared towards protecting both the servers and endpoints of your business network. No single solution will secure your organization from the threat of botnet attacks, as botnets use multiple attack vectors.

Want to Learn More?

Contact Bryley today for a complete understanding of the products and services we offer that will help your organization treat and prevent botnet attacks.

Call us at 888.280.5799

Email us at Sales@Bryley.com  

