Although there is no silver bullet solution for mitigating the risk of botnets, there are a number of helpful best practices.
“When deploying an IoT device of any type, the three most important questions need to be: Have we configured strong credential access? What is our update strategy for firmware changes? What URLs and IP address does the device need for its operation?” says Tim Mackey, senior technical evangelist at Synopsys.
“When IoT devices are deployed within a business environment, best practice dictates that a separate network segment known as a VLAN should be used. This then allows for IT teams to monitor for both known and unknown traffic impacting the devices. It also allows teams to ensure that network traffic originates from known locations.
“For example, if a conference room projector is accessible via Wi-Fi, the network the device uses should be restricted to only internal and authenticated users. Public access to the device should always be restricted. Following this model, exploitation of the device would then require a malicious actor to first compromise a computer belonging to an authenticated user.”
Mackey says regular IT audits of IoT networks should then be performed to ensure only known devices are present, with the device identification mapped back to an asset inventory containing a current list of firmware versions and a list of open source components used within that firmware.
“This open source inventory can then be used to understand when an open source vulnerability impacting a library used within the firmware has a published vulnerability,” he says. “Armed with this information, a proactive update and patching model can be created for corporate IoT devices.
“Also, inspection of the firmware should identify what external APIs (application programming interfaces), URLs and services the firmware is configured to operate against.
“These endpoints should be confirmed with the supplier as legitimate with confirmation of their function. Once confirmed, the IoT network that the device associated with the firmware is configured for can then have firewall restrictions defined, allowing the IoT devices access only to their known API dependencies. These tasks should be considered part of an overall device access model consistent with the principles of zero trust.”
Spencer Young, regional vice-president for Europe, the Middle East and Africa at security firm Imperva, says the best way to discover and mitigate a botnet is to find its command and control (CnC) server. “The most effective way is to look into the communication between the CnC and its bots,” he says. “Once you start searching for exploit attempts, you can start to pick up possible indicators of a botnet.
“For example, if the same IPs attack the same sites at the same time while simultaneously using the same payloads and attack pattern, it is fairly likely that they’re part of the same botnet.
“However, all initiatives to combat the growth of botnets through industry standards and legislation are likely to continue to occur only on a regional or country level. As far as industry-wide efforts go, it is hard to imagine a scenario in which a global security standard for botnet detection and defence could be agreed upon, applied and enforced.”
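The correlation heuristic Young describes, as an added example (not code from the article or from Imperva): constructed attack-log records are bucketed by payload signature and fixed time window, and an IP set is flagged when the same IPs hit several sites with the same payload in the same window. Field layout, thresholds and the window size are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of attack-log records (documentation IPs, not real data):
# (timestamp, source_ip, target_site, payload_signature)
SAMPLE_EVENTS = [
    ("2023-05-01T10:00:01", "203.0.113.5",  "shop.example", "php-rce-A"),
    ("2023-05-01T10:00:03", "198.51.100.7", "shop.example", "php-rce-A"),
    ("2023-05-01T10:00:04", "192.0.2.9",    "shop.example", "php-rce-A"),
    ("2023-05-01T10:00:05", "203.0.113.5",  "bank.example", "php-rce-A"),
    ("2023-05-01T10:00:06", "198.51.100.7", "bank.example", "php-rce-A"),
    ("2023-05-01T10:00:07", "192.0.2.9",    "bank.example", "php-rce-A"),
    ("2023-05-01T10:30:00", "203.0.113.77", "shop.example", "sqli-B"),  # lone scanner
    ("2023-05-01T11:00:00", "203.0.113.5",  "news.example", "sqli-B"),  # different window
]


def cluster_botnet_candidates(events, window=timedelta(seconds=60),
                              min_sites=2, min_ips=3):
    """Return groups of IPs that used the same payload against at least
    `min_sites` distinct sites inside the same time window (assumed thresholds)."""
    # Bucket events: (payload, site, window index) -> set of source IPs.
    # Windows are fixed-size slots counted from the Unix epoch, so a burst that
    # straddles a slot boundary can be split; widen `window` if that matters.
    buckets = defaultdict(set)
    epoch = datetime(1970, 1, 1)
    for ts, ip, site, payload in events:
        slot = int((datetime.fromisoformat(ts) - epoch) / window)
        buckets[(payload, site, slot)].add(ip)

    # Regroup by (payload, slot) so each entry maps the sites hit to their IP sets.
    per_window = defaultdict(dict)
    for (payload, site, slot), ips in buckets.items():
        per_window[(payload, slot)][site] = ips

    clusters = []
    for (payload, slot), sites in per_window.items():
        if len(sites) < min_sites:
            continue
        # IPs present against every site in this window share payload, timing and targets.
        common = set.intersection(*sites.values())
        if len(common) >= min_ips:
            clusters.append({"payload": payload,
                             "sites": sorted(sites),
                             "ips": sorted(common)})
    return clusters


if __name__ == "__main__":
    for c in cluster_botnet_candidates(SAMPLE_EVENTS):
        print(f"payload={c['payload']} sites={c['sites']} ips={c['ips']}")
```

On the sample data the three IPs sharing the `php-rce-A` payload against both sites are reported as one candidate group, while the lone scanner and the later single hit are not.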
Given the regulatory challenges and the continued rise in the number of connected devices, botnet attacks are likely to keep increasing. Young says that as our devices evolve, both in sophistication and in connectivity, so will botnets. This, he believes, will give operators more capacity and new, more advanced attack options.
So preparation is key, says Young. “To mitigate future attacks, all businesses must be prepared to defend against an attack when it arises,” he says. “Investing in the ability to parse your cyber threatscape, successfully identify botnet attacks and build an intelligent defence is not just a security concern – it’s a frontline business issue.”
If one thing is certain, it is that the threat of botnets will only increase as the connected ecosystem rapidly expands and new connected technologies enter the market. And while attackers will continue to find new ways to take control of networks and leverage botnets, there are clear ways in which IT practitioners and organisations can mitigate the risk – most notably by improving weak security mechanisms.
It may be that attackers are often one step ahead, but by being more proactive, security teams can also leapfrog ahead on occasions.