SecurityWeek

Beating Back the Botnets

Why Organizations Should be Utilizing Security Information and Event Management (SIEM) Systems to Ferret Out Botnet Infections.

Botnets are insidious. They spread like digital weeds and infect thousands to tens of thousands of machines at a time. Their only purpose is to enrich and empower the botnet owners as they infiltrate endpoints on consumer systems, colleges, and enterprises around the world. These botnets are used to send spam, launch denial of service attacks, and – increasingly – to snoop on corporate systems.

Discovering Botnet Infections in Corporate Networks

These botnets, vast networks of infected systems under the command and control of criminals, are everyone’s problem – and it’s time we all did more to eliminate them from the Internet and our networks. One of the challenges in combating botnets, however, is the ease of infecting endpoints. Within the time it takes to view a web page, open an attachment, or load a picture, a user can get infected. Attackers are using vulnerabilities in web browsers and traditional client systems to infect users – who don’t even know they’ve been infected.

When it comes to infection and botnets, what does that mean? It means that the attacker managed to turn the endpoint into a zombie. They are called zombies because they don’t do anything until they are ordered to by their remote commander. Once attackers have infected enough systems, they will then use those zombies to send spam or kill the availability of unsuspecting web servers. Many botnets are also designed to steal end-user authentication data, such as the credentials used to log onto financial services and web sites.

Some of the more infamous botnets are BredoLab, which is estimated to have 30 million infected hosts, Mariposa (12 million), Conficker (10.5 million), and Zeus (3.6 million). Each of these botnets is capable of sending billions of spam messages every day. Many believe these botnets are a consumer security problem. That’s a bad assumption.

Increasingly, according to a 2009 DarkReading story, botnet operators have been crafting smaller botnets designed to target specific businesses and people.

That’s troubling news for enterprises that don’t have the right defenses in place. For instance, botnets can easily be designed to evade anti-virus, anti-spyware, intrusion detection systems, and many other anti-malware technologies. The good news is that there are ways to spot zombie-infected systems on enterprise networks if you know how to look. Botnets often try to obfuscate the data they’re collecting as well as their connections to the controlling hosts, but by using the appropriate monitoring software and integrating it with a security event monitor, it’s possible to spot this malicious traffic and identify infected systems.

What’s needed is a way to see the patterns of infected systems spewing spam, collecting information, and/or trying to relay information to or accept commands from their master. Some of the data you need may lie within e-mail servers, system server logs, server and endpoint firewalls, and even DNS requests for domains in countries where your business has no dealings.

Clues to botnet infection can reside in any of these places. Finding the clues and putting together the picture they make is the challenge. In fact, it can be almost impossible to do manually. There is just too much information to have to sort through. That’s where a Security Information and Event Management (SIEM) system can help to ferret out botnet infections.

When SIEMs scour logs, they don’t get bored or distracted. They help organizations to make sense of the volumes of data that all of their systems generate. SIEMs can perform highly sophisticated analysis so IT teams quickly can recognize new trends and attacks – and this is exactly what is needed to find clandestine botnets communicating on busy networks.

One way they can work is by correlating user identities with the actions of the systems they’re using. For example, an endpoint used by an executive assistant shouldn’t (typically) be sending e-mail all day that appears to be coming from some Eastern bloc nation. It also would be unusual for someone in accounting to be sending thousands of requests to the same web server all day.
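As an added example that is not part of the article, the following Python routine applies the two correlations just described (an endpoint that is not the mail relay sending outbound mail to a foreign country, and an endpoint hammering one web server) together with the earlier DNS clue. All users, hosts, thresholds, countries and log events are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed policy: where the (hypothetical) business operates, and which
# host is allowed to speak SMTP to the outside world.
BUSINESS_COUNTRIES = {"US", "GB"}
MAIL_RELAYS = {"mailgw01"}
SMTP_THRESHOLD = 50    # outbound SMTP connections per non-relay endpoint
HTTP_THRESHOLD = 1000  # requests from one endpoint to a single server

# Constructed events as a SIEM collector might normalise them:
# (user, source_host, event_type, destination, destination_country)
EVENTS = (
    [("asmith", "wks-exec-01", "smtp", "mx.example-ru.test", "RU")] * 60
    + [("bjones", "wks-acct-07", "http", "cc.example-cn.test", "CN")] * 1200
    + [("bjones", "wks-acct-07", "dns", "cc.example-cn.test", "CN")] * 3
    + [("cdoe", "wks-eng-03", "http", "intranet.corp.test", "US")] * 400
    + [("svc", "mailgw01", "smtp", "mx.partner.test", "GB")] * 500
)


def correlate(events):
    """Return {source_host: {"user": ..., "alerts": [...]}} for hosts whose
    aggregated behaviour matches one of the botnet patterns."""
    smtp = Counter()                 # outbound SMTP per non-relay host
    http = defaultdict(Counter)      # per host: requests per destination
    dns_foreign = defaultdict(set)   # per host: looked-up names abroad
    users = {}                       # host -> last user seen on it
    for user, host, etype, dest, country in events:
        users[host] = user
        if etype == "smtp" and host not in MAIL_RELAYS:
            smtp[host] += 1
        elif etype == "http":
            http[host][dest] += 1
        elif etype == "dns" and country not in BUSINESS_COUNTRIES:
            dns_foreign[host].add(dest)

    findings = defaultdict(list)
    for host, n in smtp.items():
        if n >= SMTP_THRESHOLD:
            findings[host].append(f"spam-like: {n} outbound SMTP connections from a non-relay")
    for host, dests in http.items():
        for dest, n in dests.items():
            if n >= HTTP_THRESHOLD:
                findings[host].append(f"flood-like: {n} requests to {dest}")
    for host, names in dns_foreign.items():
        findings[host].append(f"C2-like: DNS lookups outside business countries {sorted(names)}")
    return {h: {"user": users[h], "alerts": a} for h, a in findings.items()}


if __name__ == "__main__":
    for host, info in correlate(EVENTS).items():
        print(host, info["user"], *info["alerts"], sep="\n  ")
```

Attaching the user to each flagged host is what turns a raw count into the identity-aware anomaly the text describes; the engineering host and the real mail relay stay silent.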

Those are two good examples of how botnets act. And, by having the ability to spot anomalous behavior provided by a SIEM, enterprises will be leveraging one of the most powerful tools in their information security toolbox to stomp out botnet infections.
