Having been in the threat marketplace for several years, botnets are still successful today as it provides a powerful cloud computing network for hackers to spread malware and spam.
Like any other malware, botnets are introduced to the computer network through email attachments, websites and USB sticks. As the user accesses these files or compromised websites, malware from the botnets begin to spread and exploit vulnerabilities on the system.
In a recent research on global spam by SophosLabs, it was found that the global volume of spam dropped by more than half just before Christmas and continued to stay at around the same level, believed to be due to the notorious Necurs botnet going quiet.
However, an old-school type of scam was seen to have resurfaced just last month with huge success. Known as pump-and-dump, the scam inflated the stock price of Incapta, a media holding company, encouraging the public to buy into the scam, thus pumping up the stock further.
How does a stock scam work?
Hackers pick a cheap stock, concoct a believable story to talk it up, such as claiming the company is undergoing an acquisition. The hackers then buy the stocks to increase its stocks price and email unsuspecting victims encouraging them to buy shares in that company. The unsuspecting victims are influenced by the dramatic rise in the company’s stock price and are enticed into buying the shares, falling prey to stock fraud.
The impact of botnets
Botnets can have a devastating impact on organisations, particularly if the objective is to steal sensitive information. If the botnet is not after company data, it could be using the organisation’s devices and network resources to cause harm to another organization; likely a partner company by spreading malware to their network too.
Once the botnet has a foothold in your organisation, it will typically call home to the hacker’s command and control (C&C) server to register its success and request further instructions. It may be told to lie low and wait, attempt to move laterally on the network to infect other devices, or participate in an attack. This attempt to call-home presents an ideal opportunity to detect infected systems on your network that are part of a botnet, but it requires the right technology to be effective.
Unfortunately, other than the call home communications, a bot on your network may be extremely difficult to detect. In most cases, the infected device will continue to operate normally or perhaps experience a slow-down in performance that could be easily dismissed or attributed to other factors.
And this why a next-generation firewall is the first line of defence against botnets.
Best practices in protecting against botnets
Advanced Threat Protection (ATP): ATP can identify botnets already operating on your network. Ensure your firewall has malicious traffic detection, botnet detection, and command and control (C&C) call-home traffic detection. The firewall should use a multi-layered approach to identify call-home traffic and immediately identify not only the infected host, but the user and process. Ideally, it should also block or isolate the infected system until it can be investigated.
Intrusion prevention system (IPS): IPS can detect hackers attempting to breach your network resources. Ensure your firewall has a next-gen IPS that’s capable of identifying advanced attack patterns on your network traffic to detect hacking attempts and malware moving laterally across your network segments. Also consider blocking entire Geo IP ranges for regions of the world you don’t do business with to further reduce your surface area of attack.
Sandboxing: Sandboxing can easily catch the latest evasive malware before it gets onto your computers. Ensure your firewall offers advanced sandboxing that can identify suspicious web or email files and detonate them in a safe sandbox environment to determine their behaviour before allowing them into your network.
Web Application Firewall (WAF): A web application firewall can protect your servers, devices and business applications from being hacked. Ensure your firewall offers WAF protection for any system on your network that requires remote access from the Internet. A web application firewall will provide a reverse proxy, offload authentication, and harden systems from being hacked.
Written by Sumit Bansal, Director for ASEAN and Korea, Sophos