Posted By ALGOSEC
There’s an army of the undead, wreaking havoc on the Internet and constantly adding new recruits as it spreads from network to network, organization to organization, stealthily infecting machines to conduct malicious work in the shadows.
This isn’t just a scary Halloween story. Bots – mini software applications that run automated tasks – are the zombies of the Internet, and they’re all too real. Research suggests that up to three-quarters of organizations globally are infected by bots, so the chances are that a few of these creatures have already burrowed their way into your network, just waiting to follow their masters’ bidding.
Bots are the ‘boots on the ground’ for cybercriminals, enabling all kinds of criminal activities to be executed by remote control, using others’ networks as the launchpad. Earlier this year, US authorities dismantled the Kelihos botnet, one of the world’s largest, which was used for sending out hundreds of millions of emails infected with ransomware and malware. Bots are the foundation of DDoS exploits, such as last year’s massive Mirai botnet attacks. They’re also used for other nefarious activities such as illicit cryptocurrency mining, online advertising fraud, and more.
Because bots are designed to be stealthy, they can remain dormant and undetected on networks for weeks, months or even years. Yet as soon as they receive instructions from their external ‘command and control’, they will reanimate and get to work, whether that is downloading further malware or ransomware, replicating themselves across networks and devices to try and exfiltrate sensitive data, or participating in spam or denial-of-service campaigns.
So how do you go about neutralizing the bots on your network? The good news is that unlike the zombies in movies and TV shows, relatively simple techniques can go a long way toward disabling bots.
Warding off the zombies
The first technique is to try to stop bots from infecting your network in the first place. Using up-to-date anti-malware and sandboxing products, together with improved user awareness of phishing attacks, forms an effective first line of defense here. However, these products are not infallible, because criminals continually modify bots’ source code, behavior and methods of distribution to help them evade detection and bypass conventional defenses.
So a second line of defense is needed: preventing bots on your network from communicating with their external command and control servers. Once this link has been severed, the bot is isolated and rendered harmless because it can’t receive new instructions, or send any signals or exfiltrate data from your network.
There are several methods for achieving this. Next-generation firewalls can be used to inspect outbound network traffic and identify traffic that is misusing common ports for nefarious purposes, is being sent from your network to unknown IP addresses, or is going to addresses that are known to be compromised by hackers. Data being sent via these methods is at best suspicious and at worst malicious, so the firewall can be configured to block it.
Intelligent network segmentation also reduces your network’s attack surface and helps to mitigate risk. By segmenting networks into defined internal zones, and placing firewalls to filter traffic between those zones, you can enforce restrictive security policies that can prevent bot infections from spreading laterally across your network. For example, it’s good security practice to place all of your organization’s desktop and laptop PCs in a separate network zone from other business systems, protected by firewalls. These endpoints are the most likely entry point for new bot infections, which the firewall can immediately block, neutralizing bots at the point of entry.
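The two controls described above (blocking outbound traffic that misuses common ports, goes to unknown IPs or to known-compromised addresses, and denying traffic between internal zones unless a rule permits it) can be expressed as a small policy check. The following is an added example written for this post, not AlgoSec's code or any firewall vendor's API. The zone address ranges, the known-bad and allowlisted IPs (taken from the RFC 5737 documentation ranges), the flow records and the `proto` label (the application protocol a firewall's inspection engine would attach to a flow) are all constructed assumptions.

```python
# Added example (not AlgoSec's code): an egress / segmentation policy checker
# run over constructed flow records. Zones, address ranges, lists and the
# "proto" label are assumptions made for this illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical internal zones: desktops/laptops kept separate from business
# systems, as the text recommends. Addresses are constructed.
ZONES = {
    "endpoints": ip_network("10.10.0.0/16"),
    "servers": ip_network("10.20.0.0/16"),
}

# Constructed list of IPs "known to be compromised" (documentation range used
# as a placeholder; a real deployment feeds this from threat intelligence).
KNOWN_BAD = {ip_address("203.0.113.7")}

# Constructed allowlist of external destinations the organisation expects its
# endpoints to talk to; anything else is treated as an unknown IP.
ALLOWED_EXTERNAL = {ip_address("198.51.100.10")}

# Protocol normally carried on a well-known port. A flow on such a port whose
# inspected protocol differs is "misusing a common port".
EXPECTED_PROTO = {53: "dns", 80: "http", 443: "tls"}

# Segmentation rules between zones: (src_zone, dst_zone) -> permitted dst ports.
# Anything not listed is denied, so a bot on an endpoint cannot spread laterally.
ZONE_RULES = {
    ("endpoints", "servers"): {443},
}


@dataclass(frozen=True)
class Flow:
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination port
    proto: str   # application protocol identified by inspection (assumed label)


def zone_of(ip):
    """Map an address to its internal zone, or 'external' if outside all zones."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def evaluate(flow):
    """Return (verdict, reason) for one flow: egress checks for Internet-bound
    traffic, zone rules for internal traffic."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    src_zone, dst_zone = zone_of(src), zone_of(dst)

    if dst_zone == "external":
        if dst in KNOWN_BAD:
            return "block", "destination is on the known-compromised list"
        expected = EXPECTED_PROTO.get(flow.dport)
        if expected is not None and flow.proto != expected:
            return "block", f"port {flow.dport} misused: expected {expected}, saw {flow.proto}"
        if dst not in ALLOWED_EXTERNAL:
            return "block", "destination is an unknown external IP"
        return "allow", "known external destination and protocol matches port"

    if src_zone == dst_zone:
        return "allow", f"traffic stays inside zone {src_zone}"
    permitted = ZONE_RULES.get((src_zone, dst_zone), set())
    if flow.dport in permitted:
        return "allow", f"{src_zone} -> {dst_zone} permitted on port {flow.dport}"
    return "block", f"{src_zone} -> {dst_zone} not permitted on port {flow.dport} (lateral movement)"


# Constructed flow records, as a firewall with application inspection might log them.
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "203.0.113.7", 443, "tls"),      # endpoint -> known-bad IP
    Flow("10.10.1.5", "198.51.100.10", 443, "tls"),    # endpoint -> expected update server
    Flow("10.10.1.5", "198.51.100.10", 443, "custom"), # same server, but not TLS on 443
    Flow("10.10.1.5", "192.0.2.44", 8443, "tls"),      # endpoint -> unknown external IP
    Flow("10.10.1.5", "10.20.3.1", 443, "tls"),        # endpoint -> server, permitted port
    Flow("10.10.1.5", "10.10.1.6", 445, "smb"),        # endpoint -> endpoint, same zone
    Flow("10.10.1.5", "10.20.3.1", 445, "smb"),        # endpoint -> server, SMB not permitted
    Flow("10.20.3.1", "10.10.1.5", 443, "tls"),        # server -> endpoint, no rule
]


def audit(flows=SAMPLE_FLOWS):
    """Evaluate every flow; returns a list of (flow, verdict, reason)."""
    return [(f, *evaluate(f)) for f in flows]


if __name__ == "__main__":
    for flow, verdict, reason in audit():
        print(f"{verdict:5} {flow.src} -> {flow.dst}:{flow.dport} [{flow.proto}] {reason}")
```

Two design points are worth noting. Treating every external destination outside the allowlist as blocked is the strict reading of "unknown IP addresses" in the text; many organisations instead log such flows and block only the known-bad and port-misuse cases. And the sixth sample flow shows the limit of zone-based segmentation: traffic between two endpoints in the same zone is not filtered by the inter-zone firewall, which is why the text places endpoints in their own zone rather than relying on segmentation to stop all lateral movement.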
While you cannot stop this army of the undead roaming the Internet, you can stop bots taking over your network and using it as a launchpad for further attacks, using the simple techniques we’ve outlined here. Why not take some time this Halloween to boost your defenses against bots?