For many years now, the world of cybersecurity has seen computer attacks, sometimes on a very large scale, which have compromised the availability of major websites worldwide. Large-scale network attacks such as the one known as “Mirai” in 2016 have demonstrated that it is possible to use a large number of infected devices to saturate sections of the Internet’s infrastructure and cause significant damage to companies and to the population at large.
These network attacks all have one trait: the infected devices are used and managed by a “Command and Control Server”, through which it is possible to direct these devices to perform particularly simple actions, which, when suitably orchestrated, direct a huge amount of network requests with the goal of creating outages.
In other words, all this is possible due to “Botnets”, or networks of “Robots” – in the sense of automata – which are composed of deliberately infected machines.
It is worth reflecting on the fact that there is a general lack of awareness amongst people unfamiliar with these matters. They might say “but my PC has nothing secret or nothing to hide,” or “what would they do with my PC or my devices?”.
This type of reasoning betrays a lack of attention to a more serious problem, the compromise of personal data, and leads to a poor level of protection of personal devices: tablets, smartphones, routers and smart devices such as TVs, which are now all connected to the Internet and together represent huge processing power in the hands of each individual.
Technological advances, and above all the evolution of the IoT (Internet of Things), are beginning to have significant effects on our way of life. It is estimated that in the next twenty years over a trillion devices will be connected to the Internet. Worrying about the security of these devices is therefore natural, but above all we feel limited in our ability to protect our personal information.
Let’s move on and take a look at some of the more technical details.
The measures for fighting botnets described in this article fall into two categories, “traditional defensive measures” and “offensive measures”. The goal is to outline the limits and advantages of the different measures in order to provide guidance on the most appropriate type and the most suitable strategy on the basis of the specific company and its appetite for risk.
What is a Botnet?
A botnet, literally “network of robots”, is a network of computers connected to the Internet which are infected by malware or bots. These computers can be used, unbeknown to their legitimate owners, by a “botmaster”, who uses a “Command and Control Server” to take control of them in order to carry out DDoS (Distributed Denial of Service) attacks, spam or phishing, or data and identity theft.
Before continuing, we should define some terminology which we tend to take for granted, but which not everyone may be familiar with.
- Malware: software which, when executed, compromises the operation and security of the operating system.
- Bot: a computer program designed to automate repetitive functions and which accesses the network via the Internet. In the case of botnets, this program is used as malware to carry out repetitive activities ordered by the Command and Control Server, to which it responds via an encrypted, and therefore unintelligible to an observer, communication channel. The infected machine itself is sometimes also referred to as a bot, or a zombie.
- Command and Control Server: a software program created by a cybercriminal with the goal of managing an enormous number of machines infected with “bot” type malware, by sending them specific commands to perform actions directed at the victim of a computer attack, which is typically a target organization.
Traditional defensive measures for fighting botnets
There are three types of traditional measures which a company can use:
- Host-based, for example personal firewalls and antivirus software
- Network-based, such as N.I.D.S. (Network Intrusion Detection Systems) and I.P.S. (Intrusion Prevention Systems)
- Measures designed to remove the Command and Control (C&C) server, in other words the server which sends the commands to the infected machines (robots)
Host-based solutions, although widely used, have proven to be of limited effectiveness; they nonetheless remain necessary in the context of botnets.
For example, antivirus software requires frequent updates in order to reduce the window during which users are exposed, or can become ineffective when faced with rootkit techniques. Personal firewalls, on the other hand, can be disabled by malware which has the same privileges as the operating system it is protecting.
Rootkit: software installed with root privileges (administrator/system privileges on Microsoft systems) which is able to alter the normal behavior of diagnostic applications in order to hide the presence of the rootkit itself and of the malware it is protecting, making detection and removal more difficult.
Network-based measures are primarily represented by intrusion detection systems designed to recognize an attempted attack. These have specific limitations, depending on the type of approach used: misuse-based or anomaly-based.
- The misuse-based approach, which is founded on the coding and comparison of a series of signature actions of the various known intrusion scenarios (e.g. changes to the properties of a file, given strings of characters sent by a server), is susceptible to generating false negatives, as it is able to detect only the types of intrusion known to and configured in the system.
- By contrast, the anomaly-based approach is more empirical, being based on the construction of models of “normal activity”, and for this reason has the advantage of detecting a greater proportion of attacks, but at the same time generates more false positives.
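The contrast between the two approaches is easier to see on concrete traffic. The following is an added example, not code from the article: a signature (misuse-based) detector and a simple anomaly-based detector are run over a handful of constructed connection events. The event fields, the two signatures, the clean "training" traffic used as the baseline, and the hosts and ports are all illustrative assumptions.

```python
"""Misuse-based versus anomaly-based detection over constructed events.
Added example; event format, signatures and baseline are assumptions."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    src: str          # internal host (constructed address)
    dst_port: int     # destination port of the connection
    payload: str      # constructed excerpt of the application data
    malicious: bool   # ground truth, used only to score the detectors


# Misuse-based model: signatures for intrusion scenarios already known to the defender.
SIGNATURES = {
    "irc-bot-join": re.compile(r"^JOIN #[a-z0-9]+", re.IGNORECASE),
    "known-c2-checkin": re.compile(r"^GET /gate\.php\?id="),
}


def misuse_detect(event):
    """Names of the signatures matching this event (empty list if none match)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(event.payload)]


# Anomaly-based model: "normal activity" is the set of destination ports seen during a
# clean observation period, plus a payload-size bound derived from that period.
def build_baseline(training):
    ports = {e.dst_port for e in training}
    max_len = max(len(e.payload) for e in training)
    return {"ports": ports, "max_payload": max_len * 2}


def anomaly_detect(event, baseline):
    """True when the event departs from the baseline (unseen port or oversized payload)."""
    return (event.dst_port not in baseline["ports"]
            or len(event.payload) > baseline["max_payload"])


def score(events, baseline):
    """Count the characteristic errors of each approach over labelled events."""
    counts = {"misuse_fn": 0, "misuse_fp": 0, "anomaly_fn": 0, "anomaly_fp": 0}
    for e in events:
        hit_m = bool(misuse_detect(e))
        hit_a = anomaly_detect(e, baseline)
        if e.malicious and not hit_m:
            counts["misuse_fn"] += 1      # unknown intrusion, no signature
        if not e.malicious and hit_m:
            counts["misuse_fp"] += 1
        if e.malicious and not hit_a:
            counts["anomaly_fn"] += 1
        if not e.malicious and hit_a:
            counts["anomaly_fp"] += 1     # legitimate but unusual activity
    return counts


# Constructed clean traffic used to build the anomaly model.
TRAINING = [
    Event("10.0.0.10", 80, "GET /index.html HTTP/1.1", False),
    Event("10.0.0.11", 443, "TLS ClientHello SNI=intranet.example", False),
    Event("10.0.0.10", 53, "A? intranet.example", False),
]

# Constructed test traffic: one known infection, one with an unknown protocol,
# one newly deployed (legitimate) backup job and ordinary browsing.
TEST = [
    Event("10.0.0.12", 6667, "JOIN #zombies42", True),
    Event("10.0.0.13", 8081, "POST /sync HTTP/1.1 k=0f3a", True),
    Event("10.0.0.14", 873, "@RSYNCD: 31.0", False),
    Event("10.0.0.10", 80, "GET /news HTTP/1.1", False),
]

if __name__ == "__main__":
    baseline = build_baseline(TRAINING)
    for e in TEST:
        print(e.src, e.dst_port, misuse_detect(e), anomaly_detect(e, baseline))
    print(score(TEST, baseline))
```

The unknown check-in on port 8081 is the misuse-based false negative; the rsync backup on port 873 is the anomaly-based false positive. In practice the baseline would be rebuilt as legitimate services change, which is exactly the maintenance burden the anomaly approach trades for its wider coverage.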
Removal of the C&C server
The third technique is based on the removal of the C&C server. Removing a C&C server has proven to be highly effective in most cases, as it involves the elimination of the entire botnet, but it can be carried out only when the following factors are all present:
- Centralized botnet structure (a single C&C server)
- Knowledge of the position of the C&C server
- Cooperation from the provider hosting the C&C server
In some botnets, however, it has been observed that it is the clients which periodically contact the Command & Control Server on a secure and encrypted communications port. This, as you might imagine, is very difficult to intercept at the corporate firewall level, since such communications would be mistaken for normal web traffic accessing pages via https. In these situations, the only way to identify a botnet on the network is to find the IP address of the Command & Control Server and block it with the firewall, before then removing the infected software on the client.
Centralized structure of a botnet: this is the simplest and oldest structure, in which the bots periodically report to a single central C&C server using push communication and very common communication channels, such as IRC, HTTP, P2P, HTTPS.
Push communication requires the bots in the network to remain in standby status until the botmaster decides to alert them by sending them the order to be carried out. (Image source: Enisa)
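Because the bots' periodic check-ins over HTTPS look like ordinary web traffic at the firewall, one practical way of locating the C&C address that the text says must be found and blocked is to look for regularity rather than content: a bot reporting to a central server on a timer produces near-constant intervals between connections, while human browsing does not. The example below is added here and is not code from the article; the log-line format, the thresholds, and the addresses (internal 10.0.0.0/8 hosts, external addresses from the RFC 5737 documentation ranges) are constructed for illustration.

```python
"""Beacon detection over constructed firewall connection logs.
Added example; log format, addresses and thresholds are assumptions."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed log-line shape: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
LINE_RX = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RX.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def find_beacons(lines, min_conns=5, max_cv=0.2):
    """Return (src, dst, dport) flows whose inter-connection intervals are nearly constant.

    The coefficient of variation (stdev / mean) of the gaps between successive
    allowed connections is the regularity measure; only flows with at least
    `min_conns` connections are considered so that short bursts are ignored.
    """
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "allow":      # denied attempts never reach the server
            flows[(rec["src"], rec["dst"], rec["dport"])].append(rec["ts"])

    findings = []
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "connections": len(stamps),
                             "period_s": round(mean, 1), "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: f["cv"])


def candidate_block_addresses(findings):
    """Destination addresses an analyst should review before adding a firewall rule."""
    return sorted({f["dst"] for f in findings})


# Constructed log: 10.0.0.12 checks in with 203.0.113.7 roughly every five minutes,
# while 10.0.0.20 browses 198.51.100.5 at irregular times.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z src=10.0.0.12 dst=203.0.113.7 dport=443 action=allow
2024-03-01T10:00:10Z src=10.0.0.20 dst=198.51.100.5 dport=443 action=allow
2024-03-01T10:00:25Z src=10.0.0.20 dst=198.51.100.5 dport=443 action=allow
2024-03-01T10:05:02Z src=10.0.0.12 dst=203.0.113.7 dport=443 action=allow
2024-03-01T10:07:40Z src=10.0.0.20 dst=198.51.100.5 dport=443 action=allow
2024-03-01T10:09:58Z src=10.0.0.12 dst=203.0.113.7 dport=443 action=allow
2024-03-01T10:15:01Z src=10.0.0.12 dst=203.0.113.7 dport=443 action=allow
2024-03-01T10:19:59Z src=10.0.0.12 dst=203.0.113.7 dport=443 action=allow
2024-03-01T10:25:00Z src=10.0.0.12 dst=203.0.113.7 dport=443 action=allow
2024-03-01T10:31:05Z src=10.0.0.20 dst=198.51.100.5 dport=443 action=allow
2024-03-01T10:32:00Z src=10.0.0.20 dst=198.51.100.5 dport=443 action=allow
2024-03-01T10:55:12Z src=10.0.0.20 dst=198.51.100.5 dport=443 action=allow
"""

if __name__ == "__main__":
    found = find_beacons(SAMPLE_LOG.splitlines())
    for f in found:
        print(f)
    print("review for blocking:", candidate_block_addresses(found))
```

Real botnets often add jitter to the check-in interval, which is why the threshold is a coefficient of variation rather than an exact period; the figures here are a starting point to tune against your own traffic, and hits on legitimate services that poll on a timer (update checks, monitoring agents) are to be expected and whitelisted.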
Offensive measures for fighting botnets
Offensive measures against botnets are represented by mitigation, manipulation and exploitation techniques. These techniques aim to monitor or disturb the connection between the bots from the inside, by taking advantage of the fact that botnets are designed to allow new machines to join the network.
Mitigation strategies aim to slow down a botnet by acting at the routing or IP address level. Some interesting examples are:
- temporary DoS attacks on C&C servers to make them unreachable by the bots
- isolating the infected bots (by blocking their connections)
- blocking malicious domains
- sinkholing of the malicious traffic
These solutions all aim to counter the damaging effects of a botnet, but are limited by not being able to eliminate its root cause.
Sinkholing: a technique used to redirect the damaging traffic from its original destination to a server under the control of a defender, thus protecting the network from interruptions caused by DDoS or botnet attacks. The server which takes the place of the C&C (Command & Control) for this traffic is called a sinkhole.
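The two mitigation measures listed above, blocking malicious domains and sinkholing, are commonly combined at the DNS layer: queries for known-bad names are answered with the address of a defender-controlled server instead of the real C&C, and the sinkhole's logs then double as an inventory of which internal machines are infected. The following is an added example, not code from the article; the blocklist, the domain names (under the reserved .test TLD), the sinkhole address, the query-log format and the stand-in upstream resolver are all constructed placeholders.

```python
"""DNS sinkholing of blocklisted domains plus an inventory of the clients that
asked for them.  Added example; names, addresses and log format are assumptions."""
from collections import defaultdict

SINKHOLE_IP = "10.0.0.250"   # assumption: address of the defender-controlled sinkhole server

# Constructed blocklist: each entry covers itself and every subdomain beneath it.
BLOCKLIST = {"cc.bad-example.test", "updates.bad-example.test"}

# Constructed stand-in for the real recursive resolver.
UPSTREAM = {"www.example.com": "198.51.100.10", "intranet.example": "10.0.1.5"}


def normalise(name):
    """Lower-case and drop the trailing dot so 'CC.BAD-EXAMPLE.TEST.' matches the list."""
    return name.rstrip(".").lower()


def blocked_by(qname, blocklist=BLOCKLIST):
    """Return the blocklist entry covering `qname`, or None.

    Suffix matching is done on label boundaries: 'a1.updates.bad-example.test'
    is caught, but 'notcc.bad-example.test' is not.
    """
    q = normalise(qname)
    for entry in map(normalise, blocklist):
        if q == entry or q.endswith("." + entry):
            return entry
    return None


def resolve(qname, upstream=UPSTREAM, blocklist=BLOCKLIST):
    """Return (answer, sinkholed); sinkholed names get the sinkhole address."""
    if blocked_by(qname, blocklist) is not None:
        return SINKHOLE_IP, True
    return upstream.get(normalise(qname)), False


def sinkhole_report(log_lines, upstream=UPSTREAM, blocklist=BLOCKLIST):
    """Replay query-log lines ('<client ip> <qname>') through the policy and list,
    per blocklist entry, which internal clients asked for a sinkholed name."""
    infected = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 2:
            continue                      # skip malformed lines rather than fail
        client, qname = parts
        entry = blocked_by(qname, blocklist)
        if entry is not None:
            infected[entry].add(client)
    return {entry: sorted(clients) for entry, clients in infected.items()}


# Constructed query log; note the trailing dot, mixed case and look-alike name.
QUERY_LOG = """\
10.0.0.12 cc.bad-example.test.
10.0.0.15 www.example.com
10.0.0.18 CC.BAD-EXAMPLE.TEST
10.0.0.12 a1.updates.bad-example.test
10.0.0.21 notcc.bad-example.test
"""

if __name__ == "__main__":
    for line in QUERY_LOG.splitlines():
        client, qname = line.split()
        print(client, qname, "->", resolve(qname))
    print(sinkhole_report(QUERY_LOG.splitlines()))
```

The report is the part with operational value: the sinkhole does not cure anything, but every client that appears in it is a machine to clean, which is how this mitigation feeds the remediation step the article describes for the infected clients.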
Manipulation strategies aim to alter or remove the commands of a botnet (for example DDoS, spam, or commands to download and run programs), thereby allowing remote cleaning of the infected machine and limiting the damage. This solution, however, raises ethical and legal issues regarding privacy and data protection, since injecting a command requires control of the C&C server or of the bot, a prerogative that belongs only to the owner of the infected machine. Examples of “manipulation” are redirecting the bot to another server, which intervenes at the addressing level by distributing removal instructions, and remote execution of programs on the bot aimed at scanning for and removing the bot itself.
The last strategy, exploitation, as the name suggests, exploits programming bugs or defects of the bots to perform actions on the infected machines aimed at combating the malware, or on the C&C server in order to take control of it. This strategy, however, exposes the infected systems to the risk of damage following injection of the exploit code, with all this entails in terms of civil and criminal liability.
Choosing the right strategy: criteria
There are numerous solutions for dealing with botnets. The choice between a defensive or offensive solution, or a combination of the two, depends on different factors such as the specific company context, as well as the security infrastructure and existing levels of countermeasures, the risk appetite, the core business, and national and supranational legislation. As such, the first step to take in order to define your defensive strategy is the adoption of a structured analysis model which includes the following areas:
1. Contextual analysis
Contextual analysis involves examining the internal and external factors relating to an organization. A primary example of an internal factor is identifying the core business. In the case of a provider of essential services or digital services, it is essential for their networks, systems and IT services to be secure and reliable, as important economic and social activities depend on them, as well as the operation of the internal market.
An example of an external factor is the legislative context. An organization which opts for an offensive approach to its defence must check the legal implications of implementing mitigation, manipulation or exploitation techniques with regard to potential computer crimes. This analysis must consider both the legal system of the country in which the company is based and that of any third or EC countries involved in any way. As such, it will be important for the company to have a multi-disciplinary team with legal as well as IT expertise.
2. Analysis of the IT and security infrastructure
In order to define the defensive strategy, an assessment must be made of the state of the security of the company’s own IT infrastructure and of the implemented controls, in order to obtain a snapshot of the current situation (AS IS), in other words an assessment to determine the current security status. In this phase, the controls which have already been implemented or which are planned to protect the business information and data must be identified and documented. Subsequently, the operational effectiveness of these controls must be tested.
The results from the first phase of the contextual analysis must be used in the final assessment on the suitability of the IT and security infrastructure.
3. Risk Assessment
This has the goal of identifying the risks of cyber-attacks carried out via botnets (e.g. DDoS, phishing, data and identity theft). To this end, Risk Identification activities must be carried out: identifying the critical company assets, the relevant cyber-attacks, the vulnerabilities which could be exploited by attackers, and any countermeasures which have already been applied or are planned. This allows an estimate to be made of the risk of falling victim to each of these threats.
4. Identification and evaluation of the countermeasures
Identifying the countermeasures, the final stage, is simplified by the Risk Analysis and Risk Evaluation activities performed in the previous phase. Indeed, the choice of defensive strategy and technological solution to adopt will depend on the level of risk obtained from the Risk Analysis, on the cost/benefit ratio of each assessed countermeasure, and on the chosen plan for dealing with the risks.