Tom Olzak

Small botnets more effective at stealing your data?

In Business Continuity, Cybercrime, Data Security on April 1, 2009 at 11:35

Botnets are often viewed as large networks of infected computers, with thousands or millions of compromised systems, across multiple locations, responding to commands from a central command center.  These massive nets still exist, but it might be their smaller cousins you should be more interested in.

Many organizations have gotten smarter about preventing large amounts of information from moving out of their networks.  The anomalous behavior associated with a bulk transfer is reasonably easy to see and respond to.  Further, database servers and other devices in the data center are typically hardened and located behind layers of security controls.  So attackers need a better way to steal your data.

Infecting a workstation is not as hard as compromising a server.  After all, many users still help attackers by clicking on links, opening attachments, or downloading free—or pirated—applications.  If the right malware is placed on a computer, it becomes a platform that can be used to filter for and capture pieces of information as they pass through.  It can also send small uploads to the attacker’s system that easily slip under security’s radar, because each one looks like ordinary browsing rather than a bulk transfer.  Recruiting hundreds of systems like this in an organization can result in a breach on a large scale.

But why use a botnet instead of an old-fashioned hack in a targeted attack? “A botnet is a resilient foothold for a criminal to get inside the company — it’s persistent,” Damballa’s Cox says. “It’s a way to distribute updates, activate new capabilities, and harvest information without having to copy information out of the network. If you think about data leakage protection, you can imagine a botnet enables you to search internally without extracting the document.”

Steven Adair, a researcher with the Shadowserver Foundation, says his organization has seen targeted botnet attacks that have used anywhere from dozens to hundreds or more machines. “They are often a lot smaller than the spamming and DDoS botnets due to their target selection,” Adair says.

These targeted botnet attacks often use spear-phishing email attacks, using malicious PDF attachments or links that appear legitimate because they contain information familiar to the user. Shadowserver has also seen mini-botnets infect Websites that cater to a specific group of users, Adair says. “The sites were specifically chosen due to their audience,” he says.

Source: Attack Of The Mini-Botnets, Kelly Jackson Higgins, DarkReading, 31 March 2009

Protecting your organization from these smaller, targeted botnets is much more manageable if you already have some basic controls in place, including:

  • Removal of local admin access unless it is absolutely necessary;
  • An aggressive patch management process;
  • Implementation and management of anti-malware software;
  • Implementation of host-based firewalls with a restrictive outbound (egress) policy, so a workstation cannot open arbitrary connections to the Internet;
  • Monitoring of all incoming and outgoing traffic with network-level IPS/IDS; and
  • Firewalls, log management, and other devices tuned to detect extrusions as well as intrusions.

If these controls are not already implemented, you have some work to do.
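The last two controls are where the mini-botnet differs from the old threat model: the thing to look for is not one large upload but many small, regularly timed uploads from several workstations to the same outside address.  The script below is an added example written for this post (it is not Tom Olzak's or DarkReading's code) showing what "tuned to detect extrusions" can mean in practice.  It runs over a constructed flow log, not real traffic; the log format, the internal address ranges, the thresholds and the addresses are all assumptions for illustration.  It flags per-host beaconing (small uploads with low timing variance), then groups the beaconing hosts by destination to surface the fan-in that a single bulk-transfer threshold never sees, and it keeps the classic bulk check alongside for contrast.

```python
"""Flag low-volume, periodic outbound traffic ('low and slow' exfiltration)
in flow logs, alongside the classic bulk-transfer check.

Added example for this post; not the author's or DarkReading's code.
Log format, address ranges and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal ranges; adjust to your own address plan.
INTERNAL_NETS = (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"))


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(lines):
    """Parse 'epoch src dst bytes_out' records into (ts, src, dst, nbytes)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((int(ts), src, dst, int(nbytes)))
    return flows


def outbound_pairs(flows):
    """Group internal->external flows by (src, dst), each list sorted by time."""
    pairs = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            pairs[(src, dst)].append((ts, nbytes))
    for events in pairs.values():
        events.sort()
    return pairs


def beacon_stats(events):
    """Return (interval_cv, mean_bytes, total_bytes) for one src/dst pair.
    A low coefficient of variation of the gaps means the host phones home
    on a schedule, which browsing by a person almost never does."""
    times = [ts for ts, _ in events]
    sizes = [n for _, n in events]
    gaps = [b - a for a, b in zip(times, times[1:])]
    cv = pstdev(gaps) / mean(gaps) if gaps and mean(gaps) > 0 else float("inf")
    return cv, mean(sizes), sum(sizes)


def find_low_and_slow(flows, min_events=4, max_cv=0.2, max_mean_bytes=16_000):
    """Pairs with at least min_events small, regularly spaced uploads."""
    hits = []
    for (src, dst), events in outbound_pairs(flows).items():
        if len(events) < min_events:
            continue
        cv, avg, total = beacon_stats(events)
        if cv <= max_cv and avg <= max_mean_bytes:
            hits.append((src, dst, len(events), total))
    return sorted(hits)


def find_fan_in(flows, min_hosts=3, **kw):
    """External destinations that several internal hosts beacon to: the
    signature of a mini-botnet rather than one misbehaving workstation."""
    by_dst = defaultdict(set)
    for src, dst, _, _ in find_low_and_slow(flows, **kw):
        by_dst[dst].add(src)
    return {d: sorted(s) for d, s in by_dst.items() if len(s) >= min_hosts}


def find_bulk_transfers(flows, threshold=10_000_000):
    """The classic control: single outbound flows above a byte threshold."""
    return sorted((src, dst, n) for ts, src, dst, n in flows
                  if is_internal(src) and not is_internal(dst) and n >= threshold)


def _beacon_lines(src, dst, start=1_000_000, period=600,
                  jitter=(0, 3, -2, 4, -4, 1),
                  sizes=(3900, 4100, 3800, 4300, 4000, 3950)):
    """Constructed records for a host uploading ~4 KB every 10 minutes."""
    return [f"{start + i * period + j} {src} {dst} {n}"
            for i, (j, n) in enumerate(zip(jitter, sizes))]


# Constructed sample log, not real traffic. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for the Internet.
SAMPLE_LOG = (
    ["# epoch src dst bytes_out"]
    + _beacon_lines("10.0.0.11", "203.0.113.50")                    # bot 1
    + _beacon_lines("10.0.0.12", "203.0.113.50", start=1_000_120)   # bot 2
    + _beacon_lines("10.0.0.13", "203.0.113.50", start=1_000_240)   # bot 3
    # ordinary browsing: irregular timing, mixed sizes
    + [f"{1_000_000 + t} 10.0.0.20 198.51.100.10 {n}"
       for t, n in zip((0, 45, 50, 400, 1300, 1320),
                       (1200, 900, 15000, 2200, 700, 3100))]
    # one big upload, the kind a volume threshold already catches
    + ["1000500 10.0.0.30 198.51.100.20 52000000"]
    # internal file-server traffic, ignored by the outbound checks
    + ["1000010 10.0.0.11 10.0.0.5 250000"]
)


def analyze(lines=SAMPLE_LOG):
    flows = parse_flows(lines)
    return {"low_and_slow": find_low_and_slow(flows),
            "fan_in": find_fan_in(flows),
            "bulk": find_bulk_transfers(flows)}


if __name__ == "__main__":
    for name, result in analyze().items():
        print(name, result)
```

On the sample, the three beaconing workstations are reported individually, then grouped under 203.0.113.50 as a three-host fan-in; the browsing host is not flagged because its inter-arrival times vary too much, and the 52 MB upload appears only in the bulk list.  The coefficient-of-variation and size thresholds are starting points: real implants add jitter, so in production you would widen `max_cv`, require a longer observation window, and feed the fan-in result into log management so the same external address is correlated across the whole estate rather than judged one host at a time.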
