Unlike, the ghastly creatures of film, botnet zombies may look and act like normal, uncompromised machines. The two key challenges are preventing a machine from being compromised in the first place, and detecting and thwarting botnets or their components if they get past defenses.
“The majority of the botnet instances I encountered over a six-year period as a security engineer for a mid-sized hospital were based on poor user decisions,” says Andy Hubbard, senior security consultant for Neohapsis, a provider of mobile and cloud security services. Hubbard explains that the trouble often starts while the user is outside of the corporate network – for example, using their laptop at home. However, some of the users who caused problems managed to become infected even with the defenses the hospital had in place – for example, by directly interacting with malware while running as “admin.”
“With use of internet access control (IAC) and threat-monitoring tools, we could detect a botnet before the device managed to synch with a command-and-control (C&C) system,” he says. “Our threat monitoring and IAC solutions detected and blocked outbound communication attempts allowing us to identify the infected host and clean it.”
Hubbard's experience underscores the nature of the threat. “It isn't a sexy answer but the truth is that a lot of malware and botnets just go after the low-hanging fruit,” says Rick Holland (left), principal analyst, security and risk management at Forrester Research. He says that when he has asked audiences at his talks questions such as, “How many of your end-users are also local administrators on machines,” invariably at least half the hands go up. Even at a SANS event, where people are focused on security, the results are similar.
He says he has also observed that many organizations have little or no visibility other than at the perimeter. “This wasn't a scientific study, but it seems like most of these companies within their networks have no Layer 7 visibility – or even Layer 3 and 4,” he says. The point, he emphasizes, is that organizations need to start with basics. “Failing to do these basics allows botnet herders to compromise more machines,” he says. “In one of our recent reports we pointed out that there's no need to fire a cruise missile when the screen door is wide open.”
While botnet herders are more “commodity oriented,” Holland says advanced attackers can take advantage of the same low-hanging fruit. “Using Slash or Acrobat they can leverage the same vulnerabilities, so when organizations don't do the basic ‘hygeine,' it puts them at risk for mass malware
Taking a similar tack, Tom Gorup, security operations center manager at Rook Security, a provider of IT security solutions and services, says that the big culprit that allows botnets in is poor configuration and patch management. “That is the root cause of a lot of these botnets,” he says. “Web and server admins, unfortunately, do a poor job of ensuring their content management system and services being used by that system are properly updated. Your website is the glass door to your iron-clad network.”