Botnets contain various types of Internet-connected devices, such as clients, servers, mobile devices and Internet of Things (IoT) devices that have been infected by a common type of malware. They are remotely controlled by the operators of the botnet and used for their specific purposes, from sending spam to generating traffic for DDoS attacks to mining cryptocurrencies. Devices that belong to a botnet receive their commands from command and control servers (C&C) that they connect to.
Since they are distributed and grow quickly, it is extremely difficult to disrupt botnets. In the past, they could only be shut down by authorities tracking botnet communications to the C&C servers and forcing the service provider to take them offline.
One of the tricky things with botnets is that users often do not realize that their devices are part of such a system. The wide variety of possible uses and setups of botnets also makes them particularly difficult to detect. The problem is that you don’t know what you are looking for.
Administrators can monitor suspicious activities in network behavior with the reporting system of cognitix Threat Defender and then investigate them further. For example, if multiple devices in the network suddenly talk to the same previously unknown server, this may indicate that it is a C&C server controlling a botnet. Also, using Threat Defender, administrators can quickly find out if clients contact cryptocurrency services by simply checking the destination addresses of traffic flows. As soon as the suspicion has been confirmed, the affected devices can quickly be isolated, blocking any further communication with the botnet. Using dynamic network objects, Threat Defender can even be set up to automatically isolate devices when suspicious behavior is detected.
Threat Defender also detects other kinds of suspicious behavior in the network. If, for instance, a device suddenly starts initiating connections to an excessive number of other clients or servers, this may indicate that it is being misused for email spam distribution. If that is the case, Threat Defender will quickly identify the device that creates too many outgoing SMTP connections, automatically block the transmissions and isolate the device from the rest of the network.
Using the reporting system, administrators can also see if clients send a large number of requests or a large amount of traffic to an individual external device. This may indicate that they have been hijacked to run a DDoS attack against this device. Again, Threat Defender can be set up to block their transmissions and to isolate them from the network.
Where applicable, the GeoIP feature can also be used to determine the source and destination countries of network traffic. This makes it possible to limit incoming and outgoing traffic to and from countries with which the organization normally doesn’t communicate. However, this approach only works if the range of usual communication can be narrowed down to certain countries.
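The four heuristics described above (several internal hosts contacting the same previously unseen server, a host opening an excessive number of outbound SMTP connections, a host sending an unusual number of requests or bytes to one external target, and traffic to countries outside the organization's usual set) can be expressed as simple rules over flow records. The following Python script is an added example and is not code from cognitix or from Threat Defender; it assumes a list of flow dictionaries with `src`, `dst`, `dst_port` and `bytes_out` fields, an internal prefix of `10.0.0.`, a constructed set of previously seen servers, and a constructed IP-to-country table standing in for a real GeoIP lookup. The thresholds are illustrative and would be tuned to the baseline of a real network.

```python
"""Botnet-indicator heuristics over flow records (added example, constructed data)."""
from collections import Counter, defaultdict

INTERNAL_PREFIX = "10.0.0."          # assumption: one internal /24
KNOWN_SERVERS = {"203.0.113.10"}     # constructed: destinations seen before today
ALLOWED_COUNTRIES = {"DE", "US"}     # constructed: countries the org normally talks to


def _flow(src, dst, port, bytes_out=1_000):
    """Build one constructed flow record."""
    return {"src": src, "dst": dst, "dst_port": port, "bytes_out": bytes_out}


# Constructed sample flows, not captured traffic.
FLOWS = []
# Three clients beacon to the same never-before-seen host on 443.
for host in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):
    FLOWS.append(_flow(host, "198.51.100.7", 443))
# Normal browsing to a known server.
FLOWS.append(_flow("10.0.0.11", "203.0.113.10", 443))
# One client opens 25 outbound SMTP connections to 25 distinct mail hosts.
for i in range(25):
    FLOWS.append(_flow("10.0.0.20", f"192.0.2.{i + 1}", 25))
# One client sends 150 requests to a single external host.
for _ in range(150):
    FLOWS.append(_flow("10.0.0.30", "198.51.100.99", 80, 2_000))

# Constructed stand-in for a GeoIP database: external IP -> country code.
COUNTRY_OF = {"203.0.113.10": "DE", "198.51.100.7": "AA", "198.51.100.99": "BB"}
COUNTRY_OF.update({f"192.0.2.{i + 1}": "US" for i in range(25)})


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def shared_new_servers(flows, known, min_clients=3):
    """External destinations not in `known` that several internal hosts contact."""
    clients = defaultdict(set)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]) and f["dst"] not in known:
            clients[f["dst"]].add(f["src"])
    return {dst: sorted(c) for dst, c in clients.items() if len(c) >= min_clients}


def smtp_fanout(flows, max_conns=20):
    """Internal hosts with more outbound SMTP (port 25) connections than expected."""
    counts = Counter(
        f["src"] for f in flows
        if f["dst_port"] == 25 and is_internal(f["src"]) and not is_internal(f["dst"])
    )
    return {src: n for src, n in counts.items() if n > max_conns}


def single_target_flood(flows, max_requests=100, max_bytes=50_000_000):
    """(src, dst) pairs where one internal host hammers one external target."""
    reqs, byts = Counter(), Counter()
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            key = (f["src"], f["dst"])
            reqs[key] += 1
            byts[key] += f["bytes_out"]
    return {k: (reqs[k], byts[k]) for k in reqs
            if reqs[k] > max_requests or byts[k] > max_bytes}


def unusual_countries(flows, country_of, allowed):
    """External peers whose country is outside the allowed set (unknown counts as outside)."""
    hits = set()
    for f in flows:
        ext = f["dst"] if is_internal(f["src"]) else f["src"]
        if is_internal(ext):
            continue
        cc = country_of.get(ext, "??")
        if cc not in allowed:
            hits.add((ext, cc))
    return sorted(hits)


def build_isolation_list(flows, known):
    """Internal hosts that a dynamic isolation rule would cut off from the network."""
    suspects = set()
    for hosts in shared_new_servers(flows, known).values():
        suspects.update(hosts)
    suspects.update(smtp_fanout(flows))
    suspects.update(src for src, _ in single_target_flood(flows))
    return sorted(suspects)


if __name__ == "__main__":
    print("possible C&C:", shared_new_servers(FLOWS, KNOWN_SERVERS))
    print("spam senders:", smtp_fanout(FLOWS))
    print("DDoS sources:", single_target_flood(FLOWS))
    print("unusual countries:", unusual_countries(FLOWS, COUNTRY_OF, ALLOWED_COUNTRIES))
    print("isolate:", build_isolation_list(FLOWS, KNOWN_SERVERS))
```

Each rule returns the evidence (the shared server, the connection count, the request and byte totals) rather than only a verdict, so an administrator can investigate before the isolation list is acted on; the country check is kept separate from the isolation list because, as the text notes, it is only meaningful where normal communication really is confined to a few countries.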
Finally, Threat Defender’s IPS feature that also integrates indicators of compromise can be used to identify and block known threats, helping to protect devices from being added to botnets in the first place.