Semalt: Understanding A Botnet's Activities Through Botnet Infiltration
Botnets are one of the biggest IT security challenges facing computer users today. Thousands of botmasters are working round the clock to evade security roadblocks developed by security companies and other concerned agencies. The botnet economy, in its complexity, is growing tremendously. In this regard, Frank Abagnale, the Semalt Customer Success Manager, would like to tell you about an awesome practice by Cisco computer company.
In a recent study by a Cisco security research team, it was found out that there are botmasters who are making up to US$10,000 a week from bot activities. With this kind of motivation to individuals who'd be interested in getting their hands into the crime, billions of unsuspecting computer users are at a greater risk of the effects of botnet attacks.
The Cisco research team, in their research, aimed at understanding the various techniques botmasters are using to compromise machines. Here are a few things that their efforts helped to discover:
Beware of Internet Relay Chat (IRC) traffic
The majority of botnets use Internet Relay Chat (IRC) as a command-and-control framework. Source code for IRC is readily available. Thus, new and inexperienced botmasters use IRC traffic to spread simple botnets.
Many unsuspecting users don't understand the potential risks of joining a chat network, especially when their machine is not protected against exploits by some form of Intrusion Prevention System.
Importance of an intrusion detection system
An intrusion detection system is an integral part of a network. It keeps a history of alerts from a deployed internet security management tool and allows for the remediation of a computer system that has suffered a botnet attack. The detection system enables the security researcher to know what the botnet was doing. It also helps to determine what information has been compromised.
All botmasters are not computer geeks
Contrary to the assumption of many, running a botnet doesn't require advanced computer experience or expert knowledge of coding and networking. There are botmasters who are really savvy at their activities, but others are simply amateurs. Consequently, some bots are created with more proficiency than others. It's important to keep both types of attackers in mind when designing defenses for a network. But for all of them, the prime motivator is getting easy money with minimal effort. If a network or machine takes too long to compromise, a botmaster moves on to the next target.
Education importance to network security
Security efforts are only effective with user education. System administrators usually patch exposed machines or deploy an IPS to protect the machine from exploits. However, if the user is not well informed on the various ways of avoiding security threats such as botnets, the effectiveness of even the latest security tools is limited.
The user needs to be constantly educated about safe behavior. This means a business has to increase its budget on user education if it is to reduce its vulnerability to hosting spam servers, data theft, and other cyber threats.
Botnets often occur as oddities in a network. If traffic from one or several machines in a network stands out from the others, the machine(s) could be compromised. With an IPS, it's easy to detect botnet vulnerabilities, but it's important for the user to know how to detect alerts yielded by security systems such as the IPS. Security researchers should also stay alert to notice machines that share a certain odd behavior.