BOT networks have surprisingly penetrated many corporate networks around the world. Yet many of the information technology and security operations teams often have difficulty identifying their activity and eliminating them from the network.
The term botnet is derived from the combination of the words robot and network. A cybercriminal creates a network of these robots connected together for the purposes of coordinating some large-scale activity, most often to function as a cyberattack tool for cybercriminals. These activities often include the propagation of attacker malware tools, economic gain, or perhaps targeting a debilitating attack upon one or more websites on the internet, effectively harming revenue and reputation for enterprise organizations and online e-tailers. The larger the botnet, the more effective it can be in achieving the desired goal.
Botnets spread via malware, often distributed through malicious email, and may also be self-propagating so that they move laterally from your laptop to other workstations and network devices within the network. Alternately, they can infect your laptop when you visit a compromised website, setting in motion a series of malicious events that result in a compromised system (drive-by download) and automatically installing the botnet software unbeknownst to the owner of that system. Very typically, due to a lack of effective cyber defense for both detection and remediation, cybercriminals find undefended internet of things (IoT) devices to be ideal hosts to harbor and hide their botnet malware. These IoT hosts can include the new generation of IoT enabled devices such as smart refrigerators, security cameras, digital video records, network connected access management systems, thermostats, and much more. Enterprise security departments are often surprised to find that their access management systems and security cameras are completely compromised by such botnets.
The most common indicator is users complaining that computer programs are running much more slowly. This is an often key warning sign that hidden botnets or other malware are using your computing resources. More subtly, you may notice that your cooling fans are running when you are not actively using your computers or servers. This may be symptomatic of the considerable computational overhead created by botnets heating up the processor boards. Finally, on your Windows endpoint platforms, failure to shut down properly, or at all, or failure to download updates are other key indicators, any of which by themselves may not confirm the presence of a botnet, but together raise the suspicions to a high level.
Some of your employees might also see unknown posts placed on their Facebook accounts. This might also be directly related to botnet activity. Cybercriminals can use social media accounts to easily disseminate malicious content. Conceptually, this social media botnet attack is very different than infecting your computer. By infecting your social media account, the botnet can propagate more rapidly across your entire social media account and never has to physically sit on your laptop or other home computers.
Botnets usually work through automation set up, of course, by cybercriminals you don’t know. Key symptoms are almost always technology related – not related to insider activity or insider malicious threats. Beyond the symptoms already mentioned above, there are also technical indicators, such as strange processes running under windows, but these are very hard to detect. As quickly as cyber defense automation and tools evolve, so do the tactics, techniques, and procedures of the botnet cyberthieves.
Most botnets don’t damage the host computers – most of what they do is degrade your performance and effectively “steal” your computer resources. More dangerous is the damage the cyberattackers can cause by using the botnet to maliciously target other websites. For example, when they launch a denial of service (DDOS) attack.
Several best practices can help cut down or eliminate botnet infections and the secondary attacks that may be launched once an attacker has access to your networks through a botnet. These include:
Utilize software that filters or cuts down on suspicious email attachments and don’t click on any links which are suspicious;
Make sure your operating systems have all patches and updates installed;
Keep your antivirus protection up to date – these often have the signatures of known and recent botnet malware components; and
Encrypt your data end-to-end (at rest, in use, and in transit) so that an attacker in your network will be unable to make use of it.