How to Tell if Your Devices are Part of a Botnet

The past several years have seen some botnets large enough to take down major data centers. The problem can be tied to poor security on IoT endpoints, which are making their way into the corporate world en masse. You need to be cognizant of that because if you aren’t, you’re part of the problem. 

Botnets have grown bigger and badder than ever. I’m not going to bother retreading old ground by describing any of the recent DDoS attacks for which they’ve been responsible. You probably already know of them and you’re likely waiting nervously for the next one, hoping that your organization isn’t in its crosshairs.

The cause can be traced directly back to the internet of things (IoT). There are now more connected endpoints and devices than at any other point in history, which means we’re now looking at a massive threat surface, most of which isn’t exactly well-secured.

It’s basically a gold mine for criminals.

What that means for you is that, aside from air-gapping consumer IoT devices, you must also ensure none of them are compromised in any way. You need to take measures to ensure there are no zombies on your network whatsoever.

Here’s how.

Pay Attention to Functionality

If your network has suffered any sort of infiltration recently, whether ransomware or something else entirely, be wary. There’s a very good chance that even if you’ve cleared up the initial infection, there could still be botnet software lurking somewhere.

Ensure your users know what to look for: performance issues, unusual pop-ups or redirects. IT can only do so much without educating the end user.

Keep an Eye Out For Unusual Network Traffic

The surest sign that you’ve got a zombie problem is the emergence of abnormal network traffic. In some cases, this might be obvious. An endpoint might start commanding an unusually high volume of network resources, making a series of identical DNS requests or attempting to send traffic through ports it ordinarily wouldn’t access.

The bad news is that the above techniques are only feasible in certain scenarios. Plenty of botnets are designed specifically to evade common detection techniques, using a P2P architecture that requires no central command server and going after devices that aren’t commonly monitored or aren’t as well-secured. In such cases, the best advice I can offer is to install botnet detection software.

If you don’t have resources to dedicate to detection, a static (signature-based) solution is probably your best bet. Though relatively simplistic, it’s also incredibly resource-light. Static detection basically involves monitoring your network for matches against malware signatures, specific executables and known botnet addresses.

Behavioral detection and analysis is probably the best route to take. Network monitoring tools will allow you to gather the necessary data, which can then be fed into an algorithm designed to detect clustering and other behaviors typical of botnets. Ideally, you’ll want to use both static and behavioral detection, but if you can only choose one, I’d recommend the latter.
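To make the two previous sections concrete, here is a small Python scanner that is an added example and not code from the original article. It runs the static check (matches against a list of known bad addresses) and three of the behavioral signals named above (identical DNS requests repeated by one host, traffic to ports outside a baseline, and connections that recur at suspiciously regular intervals) over a handful of flow records. The flow records, the host names, the blocklist entry (an address from the 203.0.113.0/24 documentation range) and the thresholds are all constructed for the example; a real deployment would read flows from a NetFlow or Zeek export and take its blocklist from a threat-intelligence feed.

```python
"""Toy botnet-indicator scanner: static blocklist match plus behavioural heuristics."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src_host, dst_ip, dst_port, dns_qname).
# dns_qname is None for non-DNS flows. Every value here is invented for the
# example; 203.0.113.45 is a documentation-range address, not a real botnet IP.
SAMPLE_FLOWS = [
    (0,    "printer-02", "10.0.0.53",     53,   "updates.example.com"),
    (5,    "printer-02", "93.184.216.34", 443,  None),
    (3600, "printer-02", "10.0.0.53",     53,   "updates.example.com"),
    (0,    "cam-01",     "10.0.0.53",     53,   "c2-host.example"),
    (300,  "cam-01",     "203.0.113.45",  6667, None),
    (301,  "cam-01",     "10.0.0.53",     53,   "c2-host.example"),
    (600,  "cam-01",     "203.0.113.45",  6667, None),
    (601,  "cam-01",     "10.0.0.53",     53,   "c2-host.example"),
    (900,  "cam-01",     "203.0.113.45",  6667, None),
    (901,  "cam-01",     "10.0.0.53",     53,   "c2-host.example"),
    (1200, "cam-01",     "203.0.113.45",  6667, None),
    (1201, "cam-01",     "10.0.0.53",     53,   "c2-host.example"),
]

# Static indicators: a constructed blocklist and a per-site port baseline.
KNOWN_BAD_IPS = {"203.0.113.45"}
BASELINE_PORTS = {53, 80, 123, 443}

# Behavioural thresholds (assumed values; tune them to your own traffic).
DNS_REPEAT_THRESHOLD = 4      # same qname from one host at least this many times
BEACON_MIN_CONNECTIONS = 4    # need a few samples before judging regularity
BEACON_MAX_CV = 0.10          # stdev/mean of inter-arrival gaps below this = regular


def static_findings(flows):
    """Signature-style check: count flows from each host to a known bad address."""
    hits = defaultdict(int)
    for _, host, dst, _, _ in flows:
        if dst in KNOWN_BAD_IPS:
            hits[(host, dst)] += 1
    return [(host, "known_bad_ip", f"{dst} ({n} flows)") for (host, dst), n in hits.items()]


def behavioural_findings(flows):
    """Heuristics that need no blocklist: repeated DNS, odd ports, regular beacons."""
    findings = []
    dns_counts = defaultdict(int)       # (host, qname) -> number of identical queries
    odd_ports = defaultdict(set)        # host -> {(dst, port)} outside the baseline
    contact_times = defaultdict(list)   # (host, dst, port) -> timestamps of contact
    for ts, host, dst, port, qname in flows:
        if qname is not None:
            dns_counts[(host, qname)] += 1
        if port not in BASELINE_PORTS:
            odd_ports[host].add((dst, port))
        contact_times[(host, dst, port)].append(ts)

    for (host, qname), n in dns_counts.items():
        if n >= DNS_REPEAT_THRESHOLD:
            findings.append((host, "repeated_dns", f"{qname} x{n}"))
    for host, pairs in odd_ports.items():
        for dst, port in sorted(pairs):
            findings.append((host, "unusual_port", f"{dst}:{port}"))
    for (host, dst, port), times in contact_times.items():
        if len(times) < BEACON_MIN_CONNECTIONS:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Machine-driven check-ins are far more regular than human-driven traffic.
        if avg > 0 and pstdev(gaps) / avg < BEACON_MAX_CV:
            findings.append((host, "beaconing", f"{dst}:{port} every ~{avg:.0f}s"))
    return findings


def scan(flows):
    """Run both detector families and group the findings per source host."""
    per_host = defaultdict(list)
    for host, rule, detail in static_findings(flows) + behavioural_findings(flows):
        per_host[host].append((rule, detail))
    return dict(per_host)


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_FLOWS).items():
        print(host)
        for rule, detail in hits:
            print(f"  {rule}: {detail}")
```

In the sample data the printer produces no findings, while the camera trips every rule: it contacts the blocklisted address, does so on a non-baseline port, repeats the same DNS query, and both its DNS and its outbound connections recur at almost exactly 300-second intervals. Note that the beaconing rule fires without any blocklist at all, which is the point of the behavioral approach: it still works when the controller address is one nobody has catalogued yet.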

Good Luck Hunting Botnets

Botnets have remained a threat since the dawn of the web. It’s only recently that they’ve seen such a resurgence. It’s up to all of us to do our part to stem the tide. Otherwise, DDoS attacks are only going to keep getting bigger.

Tim Mullahy


Tim Mullahy is the Executive Vice President and Managing Director at Liberty Center One, a new breed of data center located in Royal Oak, MI. Tim has a demonstrated history of working in the information technology and services industry.
