Understanding the botnet threat

Telesoft Telesoft

How is the threat of botnets changing?

Botnets have been part of the threat scene for so long that it’s easy to underestimate how central these networks have become to today’s cybercrime economy. When experts talk about malware, they are often referring to malicious software or attacks that arrived on a computer thanks to the action of a botnet. Historically, botnets started out as a cheap way to distribute spam using other people’s computers and networks.

Soon, the concept was expanded to do the same for malware such as banking Trojans and, later, ransomware. Eventually, botnets became a popular way to distribute any malware until, more recently, criminals hit on the clever idea of turning this capability into a service sold to other criminals.

It is this innovation that has fuelled the dramatic expansion of botnets from being a threat type to a complete threat architecture. As with any technology, the point of turning it into a service is that it increases the potential size of the customer base. In this case, criminals who want a way to profit from crimeware without having to be technical experts. With business booming, this model shows no sign of tailing off.

Ways of countering botnets

Broadly, there are three ways to counter botnets: endpoint security, high-level action against bot infrastructure, and different layers of LAN and WAN network detection. The first of these, blocking botnet malware on endpoints, is the default. But as the number of serious malware incidents attest, it is no longer a reliable shield on its own, particularly with threat actors creating fileless and polymorphic malware to specifically evade endpoint detection. Compounding this, networks are filling up with new types of devices — such as IoT equipment that lack endpoint security — leaving them vulnerable.

understanding the botnet threat

The second, directly disrupting botnet infrastructure, has become a more regular occurrence in recent years. For example, January 2020’s Operation Ladybird saw police seize 700 command & control servers (C2) used by the notorious Emotet botnet. Despite being a worthwhile operation, botnet takedowns have limitations. Crucially, this approach doesn’t address how malware is cleaned from infected computers or stop rival botnets from replacing them.

A final option, network detection and response (NDR), is based on the observation that botnets become vulnerable when their C2 is uncovered and blocked. This, too, has its pitfalls, including the need to interrogate traffic without impacting performance or overloading defenders with alerts and false positives.

The mainstay of NDR is signature-based detection, through which the behaviour of individual botnets is profiled, triggering an alert if that pattern is detected. The weakness of this is that botnets change over time and the patterns identifying a known botnet might look very different a few weeks later. Botnets also increasingly communicate with C2 using encrypted protocols such as HTTPS.

Telesoft solves this issue using techniques such as JA3 fingerprinting, a way of detecting botnet communication by analysing the TLS handshake, which is unique for each application. Botnets also change these parameters rapidly, which means that JA3 signatures must be regularly updated to avoid false negatives.

Making anomaly based botnet detection effective

A second NDR technique is anomaly detection, which provides a way of tracking botnet communication by noticing unusual traffic patterns. Sometimes these stand out – large volumes of a protocol indicative of DDoS attacks for instance – while more subtle deviations require first modelling the normal state for a network to provide a comparison.

Although in practice, organisations must use both signature and anomaly approaches in an overlapping way, over time there has been a growing focus on anomaly detection which demands high levels of real-time network visibility. It is also important to feed anomaly engines with the right data via a competent IDS system such as Telesoft’s CERNE.

The challenge for CSPs is that high-throughput WAN networks will inevitably manifest large numbers of smaller botnets. This turns the challenge of applying either of the above techniques into a huge engineering headache that requires constant attention. The challenges of this are considerable but so are the benefits to customers. Every botnet stopped at CSP level is one less that can do damage in the multitude of businesses lower down the stack.

Telesoft designs and manufactures the world’s highest rate network visibility platform, enabling large network operators to accelerate their ability to provide superior network detection and response.

Related products