Botnets are not a new security threat. They've been around for over a decade, but they continue to grow and prosper as the black market continues to find profitable uses for stolen computing power and network bandwidth. Botnets deliver most of the world's spam, serve as the foot soldiers in distributed denial-of-service attacks, mine Bitcoin and other cryptocurrency, and perform many other tasks that are only profitable when taking advantage of stolen computing resources.
What botnet protection is
Botnets consume network bandwidth, slow down systems and jeopardize sensitive information stored on systems under their control. For these reasons, security professionals seek to protect their organizations against infiltration of botnets, just as they would protect against any other type of malicious software.
Botnet protection strategies seek to build a layered set of defenses that protect the organization against the infiltration of botnets, detect those that might slip through the first lines of defense and disrupt the activity of botnets present on their networks. The complexity of botnets means that there is no silver bullet that will completely protect an organization against botnet activity. Instead, organizations should deploy a layered set of defenses that seek to disrupt malicious activity.
How botnet protection works
Before we can discuss how botnet protection strategies work, we first must have an understanding of how botnets themselves function. Botnets work in two stages: accumulation and production. First, the individual assembling the botnet, known as the bot herder, seeks to build the botnet's membership to include as many systems as possible. Security researchers estimate that recent botnets include hundreds of thousands of systems, with some reaching into the millions. Once the botnet reaches a critical mass, it enters the production phase where the botnet herder sends commands to the compromised systems, instructing them to send spam, mine cryptocurrency, disrupt network activity or perform some other unauthorized activity.
Protecting against botnets requires a two-pronged approach that targets each of these stages of activity. First, security professionals must implement a set of controls that prevent the installation of botnet software on client systems, blocking botnets from gaining a foothold on the network. Second, botnet protection strategies must assume that some botnets will successfully penetrate the first line of defense and assume control of systems on the network. Therefore, security professionals must also deploy controls that detect and disrupt production botnet activity on their networks.
Features to look for and to avoid
Botnets are a complex problem and require a complex solution. Organizations should avoid products billed as comprehensive botnet tools because a single product that comprehensively battles both prongs of botnet activity simply doesn't exist. The good news, however, is that botnet protection generally does not require the purchase of new technology. Rather, protection strategies should use components of an organization's existing security infrastructure. If there are gaps in your organization's defenses, consider filling them with tools that provide broader protection than simply defending against botnet activity.
Let's examine the core components of a botnet protection strategy by looking at controls that work in the two stages of botnet activity: accumulation and production.
Protecting against botnet accumulation
Botnets are malicious software. They compromise individual systems using the same techniques deployed by viruses, worms and other types of malicious software, so organizations can defend themselves against this threat using the same controls. This includes a thorough approach to malware management: deploying antimalware software that protects endpoints and servers, performing malware filtering on inbound email messages, and using content filtering products to prevent users from inadvertently visiting websites that might contain malicious code. In addition to preventing initial botnet infections, antimalware software also has the ability to detect existing botnet clients and either automatically remove the infection or alert administrators that the situation requires manual intervention.
While antimalware controls do an admirable job protecting against known threats, some botnets use zero-day malware that antimalware products find themselves unable to block. In those cases, whitelist-based application security controls may prove effective. These products maintain a list of all authorized sources for approved application code, including authorized software binaries, and prevent the installation of software, such as a botnet client, that is not on the preapproved list.
While some botnets depend upon inadvertent user activity -- for example, click-fraud botnets, which are both pervasive and highly lucrative -- to compromise a system, others spread on their own, exploiting vulnerabilities in operating systems and applications. Antimalware and application security controls should prevent their installation on endpoints, but a defense-in-depth approach to security requires maintaining patch management tools that ensure operating systems and applications throughout the enterprise are maintained at a current patch level. Patch-management software ensures that all enterprise systems receive the latest vendor security updates in a prompt manner.
Detecting and disrupting production botnets
In addition to preventing the installation of botnets on a network, security professionals should always assume that compromised systems exist on their networks and deploy controls to detect and disrupt their activity. These compromised systems may occur as the result of a failure of an organization's internal security controls, or they may arrive on the network already compromised.
Detecting and disrupting production botnets requires a different set of controls than those used to prevent initial botnet infection. Security professionals should deploy intrusion detection and prevention tools that may monitor the network for signs of botnet activity, including the command-and-control traffic sent between a bot herder and compromised systems. In addition, security teams should obtain current threat intelligence from one or more reliable sources. Threat intelligence not only educates the team about emerging threats, but it also includes automated feeds of network addresses associated with botnet activity. These feeds may be used to update firewall and intrusion prevention system rules on a real-time basis.
The bottom line when it comes to botnet protection is simple: don't be fooled by the hype. You don't need to purchase a single tool because a comprehensive solution simply doesn't exist in one package. Instead, organizations seeking to protect themselves against botnets should deploy a comprehensive set of security controls that take a defense-in-depth approach to network and endpoint security. Organizations adopting this approach will find themselves well-prepared to defend not only against botnets, but also a wide variety of cybersecurity threats.