AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Breaking the bot chain of command


Think you don’t need to worry about bots?  Think again: recent research suggests that up to 75% of organizations globally were infected by these stealthy malicious agents last year. And just last week nearly 1 million routers used to access Deutsche Telekom internet services in Germany were infected by the Mirai malware, with the aim of enlisting the routers into a massive, remote-controlled botnet army.

Bots continue to be a major weapon for cybercriminals:  once inside an organization’s network, they communicate out to their external ‘command and control’ server around 60 times per hour on average to receive instructions, and then execute a variety of automated tasks for attackers.  These include replicating themselves onto adjacent networks and devices to locate and exfiltrate sensitive data; sending spam emails; or participating in denial-of-service and other types of attacks.

Bots are designed to be insidious and operate below the radar of IT teams:  in 2015, 44% of bot infections were active on enterprise networks for over 4 weeks before being discovered.  However, disabling bots and nullifying their threat to your organization can be done quite simply and effectively.  To understand how, let’s take a closer look at how bots operate.

They work in two distinct phases.  The first is infection: typically an individual within your organization unwittingly clicks on a link to a malicious website in a phishing email, or opens an infected attachment, and the bot is installed on the user's machine (the Deutsche Telekom routers mentioned above were attacked directly over the network, with no user involved at all).  The second phase is activation: once the bot is running on a host, it attempts to initiate outbound communication to its command and control server, to receive instructions on the malicious tasks it is to perform.

It’s challenging to stop the first phase of bot operations:  even up-to-date anti-malware tools can never be 100% effective in blocking new infections, because criminals are continually making changes to the bots’ code to enable them to bypass conventional defences and reach corporate networks.  And while security awareness training for employees is useful in reducing social engineering risks, it’s far from infallible.

But bot activity can be neutralized by cutting off the communication path to the external controllers.  Once this link has been severed, a bot that depends on instructions from its controller can no longer be tasked, so it cannot exfiltrate data, join an attack, or fetch updates.  In effect, it's locked in solitary confinement, for life.  Two caveats are worth keeping in mind: any behaviour the bot already carries with it, such as scanning adjacent hosts to spread, will continue, which is why segmentation matters as much as egress filtering; and the repeated, failed attempts to reach the controller are themselves a valuable signal that a host is infected and needs to be cleaned up.

Breaking the bot chain of command

There are several methods you can use to cut off bot communications.  For example, a next-generation firewall (NGFW) can inspect and filter outbound network traffic, to identify malicious or undesirable traffic and block it.  If web browsing in your organization goes through a proxy or web filter, these too can be used to block outbound traffic to unknown or uncategorized destinations, or to addresses and domains known to host command and control servers.  The most robust form of this is a default-deny egress policy: workstations are allowed to reach only the proxy and the few external services they genuinely need, and everything else is dropped, so a bot has to defeat the policy rather than merely stay off a blocklist.  Since most bots locate their controller by domain name, forcing all DNS through a resolver you control, and logging and filtering the queries there, closes another path.
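The beaconing behaviour described earlier (a bot calling its controller on a fixed schedule, tens of times an hour) is itself detectable in the outbound logs a firewall or proxy already produces. The following is an added example written for this post, not code from AlgoSec or from any product mentioned here: it parses constructed connection log lines in a hypothetical `ts src= dst= dport=` format, skips destinations on a hypothetical egress allowlist, and reports source/destination pairs whose inter-connection gaps are metronome-regular.

```python
"""Flag beaconing from outbound connection logs (added example).

Constructed log lines: "<ISO timestamp> src=<ip> dst=<ip> dport=<port>".
A bot that phones home on a fixed schedule produces near-identical gaps
between connections to the same destination; normal browsing does not.
Destinations on the approved egress list are skipped.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Hypothetical approved external destinations (e.g. an update server).
EGRESS_ALLOWLIST = {"198.51.100.10"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Constructed sample log: one infected host, one healthy host, one bad line.
SAMPLE_LOG = [
    # Infected workstation: strict one-minute beacon to an unknown address.
    *[f"2016-11-30T10:0{m}:00Z src=10.1.2.3 dst=203.0.113.7 dport=443" for m in range(6)],
    # Healthy workstation: regular checks against an approved update server...
    *[f"2016-11-30T10:0{m}:30Z src=10.1.2.4 dst=198.51.100.10 dport=443" for m in range(6)],
    # ...and irregular, human-paced browsing to an unknown site.
    "2016-11-30T10:00:00Z src=10.1.2.4 dst=203.0.113.50 dport=443",
    "2016-11-30T10:00:07Z src=10.1.2.4 dst=203.0.113.50 dport=443",
    "2016-11-30T10:02:10Z src=10.1.2.4 dst=203.0.113.50 dport=443",
    "2016-11-30T10:02:15Z src=10.1.2.4 dst=203.0.113.50 dport=443",
    "2016-11-30T10:06:40Z src=10.1.2.4 dst=203.0.113.50 dport=443",
    "this line is corrupt and must be skipped",
]


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], int(m["dport"])


def find_beacons(lines, min_hits=5, max_jitter=0.2):
    """Return {(src, dst): mean_gap_seconds} for regular traffic to
    destinations that are not on the egress allowlist."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, _dport = rec
        if dst in EGRESS_ALLOWLIST:
            continue
        seen[(src, dst)].append(ts)

    beacons = {}
    for key, stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        # Coefficient of variation: close to zero means clockwork timing.
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons[key] = mean
    return beacons


if __name__ == "__main__":
    for (src, dst), gap in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every {gap:.0f}s")
```

Real bots add random jitter to their sleep interval, so in practice `max_jitter` is tuned against your own traffic rather than set once; the allowlist check matters because legitimate agents (update checks, monitoring) are the most regular talkers on any network.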

Network segmentation also reduces your network's attack surface and mitigates risks.  To briefly recap, this means dividing the network into internal zones, placing firewalls to filter traffic between those zones, and enforcing restrictive policies on what may cross each boundary.  In particular, it's good practice to place all of your organization's desktop and laptop PCs in a separate network zone from other business systems, protected by a firewall.  These machines are the most likely entry point for new bot infections, and a firewall that allows them to reach only the servers and proxy they need will contain an infection, preventing it from spreading to business systems or communicating externally.  Note that a firewall between zones only sees traffic that crosses a zone boundary; to stop an infection spreading from one workstation to its neighbours in the same zone, you also need host-based firewalls or private VLANs that force workstation-to-workstation traffic through an enforcement point.
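As an added illustration, not AlgoSec's product configuration and not code from this post, here is a small zone policy written in Python with hypothetical zone address ranges, a hypothetical proxy port, and made-up flows. It encodes the layout described above (workstations in their own zone, allowed out only through the proxy and to the servers they need, with an explicit catch-all deny) and evaluates the connections a bot or ransomware would attempt.

```python
"""Zone-based segmentation policy evaluated against candidate flows.

Added example with hypothetical zones, ranges and ports. Rules are
first-match; the final catch-all makes the default deny explicit.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical zone layout. Anything not in a named zone is "internet".
ZONES = {
    "workstations": ipaddress.ip_network("10.1.0.0/16"),
    "servers": ipaddress.ip_network("10.2.0.0/16"),
    "proxy": ipaddress.ip_network("10.3.0.0/24"),
}


def zone_of(ip):
    """Map an address to its zone name, or "internet" if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str            # zone name or "*"
    dst: str            # zone name or "*"
    dports: frozenset   # empty means any destination port
    action: str         # "allow" or "deny"


# Hypothetical policy: workstations may only talk to the proxy (3128) and
# to servers over HTTPS; only the proxy may reach the internet.
POLICY = [
    Rule("workstations", "proxy", frozenset({3128}), "allow"),
    Rule("workstations", "servers", frozenset({443}), "allow"),
    Rule("proxy", "internet", frozenset({80, 443}), "allow"),
    Rule("servers", "servers", frozenset({443}), "allow"),
    Rule("*", "*", frozenset(), "deny"),   # explicit default deny
]


def evaluate(src_ip, dst_ip, dport):
    """Return the action of the first matching rule for a flow."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if rule.src not in ("*", src_zone):
            continue
        if rule.dst not in ("*", dst_zone):
            continue
        if rule.dports and dport not in rule.dports:
            continue
        return rule.action
    return "deny"   # only reached if someone removes the catch-all rule


def audit(flows):
    """Evaluate a list of (src_ip, dst_ip, dport) flows at once."""
    return {flow: evaluate(*flow) for flow in flows}


# Constructed flows an infected workstation (10.1.5.20) would try.
BOT_FLOWS = [
    ("10.1.5.20", "203.0.113.7", 443),    # direct to its C2 server
    ("10.1.5.20", "10.3.0.5", 3128),      # web via the proxy
    ("10.1.5.20", "10.1.5.21", 445),      # SMB to a neighbouring PC
    ("10.1.5.20", "10.2.0.10", 445),      # SMB to a file server
    ("10.1.5.20", "10.2.0.10", 443),      # HTTPS to an internal app
    ("10.3.0.5", "203.0.113.7", 443),     # the proxy itself going out
]

if __name__ == "__main__":
    for flow, action in audit(BOT_FLOWS).items():
        print(f"{flow[0]} -> {flow[1]}:{flow[2]}  {action}")
```

The direct-to-C2 flow is denied while the same destination is reachable from the proxy, which is where URL filtering and logging can then be applied. The workstation-to-workstation SMB flow is denied by this policy only if such traffic actually reaches the firewall; on a flat workstation VLAN it never does, which is the gap host firewalls or private VLANs close.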

Ransomware resistance

These security measures are also effective against many types of ransomware attacks.  As with bots, these often involve a two-phase attack method: initial infection, then post-infection activation.  It is the activation phase which causes the real damage within organizations: the initial dropper communicates out to an external server to download its payload or encryption key, then starts to encrypt files and attempts to move laterally across the network in order to hijack more computers.  And it's here that the same principles of blocking unauthorized outbound traffic and network segmentation can stop your critical business data being held hostage.  Be aware that some ransomware families carry their payload and keys with them and encrypt without ever contacting a server; egress filtering will not stop those, but segmentation still limits how far they can spread.

Of course, some organizations have systems which are more critical than others.  Recently the San Francisco Muni Metro was hit by a ransomware attack which forced it to shut down its ticket machines, meaning its passengers rode for free, and locked up the computers of 900 employees.  In this case Muni refused to pay up and spent the Thanksgiving weekend restoring from its backup systems.  For organizations with these types of business-critical, high-risk targets, careful network segmentation should also be considered essential to silo off vital systems and applications from employees' PCs, which are the primary entry points for ransomware.

While it’s unlikely that you will be able to prevent bots and ransomware from entering your networks in the first place, by using the appropriate traffic filtering and blocking tools, and segmenting networks intelligently and securely, you can lock up and neutralize those infections before they can cause any damage.
