To take on evolving enterprise defense mechanisms, attackers look for weak spots, and have begun using smaller, less noticeable botnets to evade enterprise safeguards. In this tip, we'll discuss why these so-called micro-botnets are proving successful, and how to identify and prevent them from doing damage.
Why smaller botnets are better
Large botnets are frequently used to launch denial-of-service (DoS) attacks. To bring down an e-commerce website or to prevent an organization from accessing the Web, these attacks require resources -- namely a botnet army. Much like sending thousands of soldiers to overwhelm an enemy in battle, attackers use the pooled resources of many computers to overwhelm a victim server or network. When an attacker wants to launch a DoS attack against an organization, he'll send commands to his dispersed botnet army to focus on his victim. Because this creates multiple connections within the target environment, it draws nearly all the attention (and resources) of host and perimeter protection systems, often rendering the victim helpless or even knocking its systems offline entirely.
Unlike large botnets flooding a network to deny service, micro-botnets are less likely to be detected. Because they utilize fewer slave computers, and in turn send fewer data packets, they are superior at evading traditional botnet-detection capabilities in firewalls and intrusion detection systems. To further avoid detection, a botnet controller can configure his or her micro-botnet to disable antivirus software (while the software still appears to be working properly), lie dormant for long periods, or call home for new commands at irregular intervals. Without a signature in place to detect them and no pattern of abnormal behavior, micro-botnets can make it difficult for even a state-of-the-art behavior-based intrusion prevention system to notice them.
Why micro-botnets are successful
To get inside the enterprise, past firewalls and IPSes, attackers often target users.
Using social engineering attacks to target users is one of the easiest ways to infiltrate an enterprise. It's relatively easy to find information on an organization and its employees, and then incorporate that info into a crafty phishing email with a malware-laden attachment. Probing and footprinting a network for weaknesses, also popular tactics for micro-botnet herders, takes much longer than sending a simple email. Once a machine is compromised, the attacker can either send their malware additional commands to compromise other hosts and further expand the botnet, extract target data from the victim network, or simply sell the botnet to someone else and move on to the next victim.
Worse yet, once they compromise a network, micro-botnets can lie dormant for a period of time, waiting on further commands or a specific "trigger" event. Unlike large botnets that require better command and control and may result in bots not responding properly or being discovered, a smaller botnet is more precise and best suited for targeted attacks, especially in an effort to pilfer specific data.
Micro-botnets can ferret out data much more efficiently than traditional botnets. Micro-botnets often use blended methods to access sensitive data. They can discreetly probe networks a few packets at a time, search for trade secrets using hijacked accounts, and disable antivirus by removing critical software files. A micro-botnet will attempt to perform these and other blended attacks while quietly traversing the network alongside normal traffic.
Practices to help find and stop micro-botnets
It's obvious that the human element is an issue, and that botnets are evading traditional defenses to break into enterprise environments. To protect itself against micro-botnets, an organization must begin allocating more resources toward detecting botnets rather than focusing solely on preventing them. As discussed above, the sophistication of botnets has enabled them to get inside more often -- simply put, traditional defenses don't always work. Not to say that prevention isn't needed, but detection of botnets already inside the enterprise, or one mouse click away, must take precedence. The mentality that a firewall, IDS, or malware protection software will take care of attacks creates an environment with a false sense of security. Organizations must do more to understand what's happening within their networks.
Knowing and understanding network activity will enable earlier identification and better responses to attacks. However, this goes beyond asset management and encompasses the understanding of all running processes on hosts, where those hosts reside, and the ports they use. It includes mapping the environment and maintaining up-to-date configuration details around client-side software.
If and when micro-botnets begin to show themselves, however subtly, you need to notice the abnormal spikes in network traffic, weird open ports, and accounts suddenly gaining elevated permissions. If you're using a pattern scanner, turn up the sensitivity level and spend a little extra time determining what is or is not a false positive. It's good network hygiene to exercise log analysis to know what's really happening on the network. To help automate much of the log analysis, look for products such as those offered by LogLogic Inc., ArcSight Inc. or Tenable Network Security Inc.
Finally, training and educating users can't be taken lightly. Users must understand how to identify and report abnormal network behavior, and avoid falling victim to social engineering and phishing attacks. Training must be fun in order to gain users' attention, and it should include a process to validate that the users understand the lessons. To look out for and thwart micro-botnets, organizations must integrate better training with the above measures into their enterprise security strategies.About the author
Marcos Christodonte II, MBA, CISSP, is an information security professional working for a consulting firm. He maintains an information security blog at http://www.christodonte.com.
This was first published in December 2009