Many network managers are quickly becoming aware that security has rapidly evolved into a minefield of hazards and preventing the next attack before damage is done is becoming increasingly difficult. Take for example the nefarious botnet, which is a group of compromised systems working together to bring a zombie horde of trouble to any internet connected network.
Botnets can be used for a variety of maleficent intentions, ranging from generating massive volumes of spam to orchestrating denial-of-service attacks to instigating brute force security attacks against hardened systems. Even more troubling is the fact that botnets are on a growth pattern and are used as avenues to perpetuate fraud, steal intellectual property and damage the reputations of the victims.
Efforts to bring down botnets normally fall under the purview of law enforcement agencies and are often focused on taking down command and control servers. However, that is akin to closing the barn door after the horse has run off. Simply put, law enforcement's efforts to kill botnets come too late to protect the initial victims.
Most arrests come after the damage is done
In many cases, authorities work with experts from security companies and other organizations to identify botnets; law enforcement then works to seize servers and arrest perpetrators. "Such efforts can be effective, but they are after the fact, and in any case, such servers can eventually be replaced" said Alana Maurushat, a professor at the University of New South Wales in Sydney, Australia, and director of the university's Cyberspace Law and Policy Center.
In other words, relying on others to protect your network from a botnet based attacks proves to be ill advised and network managers need to put in place appropriate best practices to minimize the impact of an attack.
- Educate users against social engineering practices
- Protect connectivity devices, apps and OSes with anti-malware technology
- Identify attack vectors and exploits - secure accordingly
- Patch systems and software with latest patches
- Monitor networks for abnormal activity
- Monitor for account abuse
- Log and analyze anomalous system behavior
- Monitor for user performance complaints
- Identify fraudulent emails
- Frequently scan systems for breaches
- Monitor network traffic
- Inform users of suspicious activity
- Inform management of detected threats
- Gather evidence for possible legal responses
- Post attempts and vectors to security organizations
Remediate and Recover:
- Seek professional guidance
- Repair and restore systems
- Implement resources and tools to prevent future attacks
- Institute more aggressive identification and monitoring techniques
- Make appropriate changes to usage policy
- Modifications to firewalls, OSes, connectivity hardware may be needed
- Improve identity management systems
- Validate account credentials
- Identify depth of compromise
- Institute outreach to improve reputation with customers, users and partners
Although it may not be possible to prevent the latest botnet driven attack, the best practices above should go a long way towards prevention and if needed, remediation and recourse to minimize the damage. What's more, with sufficient evidence captured, network administrators can assist law enforcement agencies with identifying and prosecuting those responsible for the spread of botnet based attacks.
Frank J. Ohlhorst is an award-winning technology journalist, author, professional speaker and IT business consultant. He has worked in editorial at CRN, eWeek and Channel Insider, and is the author of Big Data Analytics. His certifications include MCNE, MCSE, A+, N+, L+, and Security+.