Fighting Hackers with Next-Gen Technologies
How to Prevent Becoming Part of a Botnet

Botnets are hidden groups of compromised network computers and devices (called bots) that have been infiltrated by malware to enable external control by cybercriminals. Botnets are built and controlled by hackers: the result is powerful dark cloud computing networks through which criminal cyberattacks are executed.
The recent DDoS attack on the popular Domain Name System (DNS) provider Dyn was carried out by a botnet of this kind. The attack crippled a number of busy websites for several hours and disrupted large parts of the Internet. Yet it is relatively easy to shield computers and devices from botnet attacks.
To understand how to identify and stop botnets, you first need to familiarize yourself with how they work - how do botnets get started, how do they spread, and how do they operate?
Like any other malware, botnets get their start by gaining access to your network through a number of conventional methods, such as email attachments, websites, IoT devices, or USB sticks. The malware used to infiltrate your business can be extremely sophisticated and evasive. At Sophos, we observe that 70% of all malware samples we receive are specifically designed for a particular organization. Furthermore, such sophisticated malware is constantly being modified. This new generation of targeted malware puts protection to a new test and requires behavioral analysis in addition to traditional signatures. Malware targeting IoT devices, by contrast, is often quite simple: it performs large-scale port scans across wide swaths of the Internet, looking for reachable services and gaining access through default credentials or brute-force login attempts. Such malware is much easier to defend against, requiring only proper firewall configuration and protection measures.
Once malware has gained a foothold in your organization, it typically establishes a call-home communication link to the hacker's "command-and-control" (C&C) server to report its success and receive further instructions. In some cases, the malware is instructed to remain inconspicuous and wait, move laterally through the network to infect more devices, or participate in an attack. These call-home attempts are an ideal opportunity to detect infected systems on your network that are part of a botnet. However, to make this detection effective, the right technology is required. Call-home communications aside, it can be very difficult to detect bots on your network. In most cases, the device continues to run normally. Performance may be slightly affected, but this can be due to many other factors and therefore does not seem suspicious.
For effective protection against botnets, your network firewall plays a key role. To ensure you get the best possible protection, be sure to look for the following components when choosing a next-gen firewall:
Advanced Threat Protection
Advanced Threat Protection can identify botnets that are already active on your network. Make sure your firewall has Malicious Traffic Detection, Botnet Detection and Command and Control (C&C) Call-Home Traffic Detection. The firewall should use a layered approach that combines IPS, DNS and web filtering to detect call-home traffic and immediately identify not only the infected host, but also the user and process. Ideally, the firewall should also block or isolate the infected system until it can be inspected.
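The call-home behaviour described above, and the host/user/process attribution that this section asks of a firewall, can be illustrated with a small detector. The following is an added example, not Sophos code and not any product's detection logic. It assumes a constructed egress log format of "<epoch> <src_ip> <user> <process> <dest_host>" (as an endpoint-aware firewall or proxy might record) and a constructed C&C domain blocklist; it flags a destination either because it is on the blocklist or because one process contacts it at near-constant intervals, which is the beaconing pattern that distinguishes call-home traffic from ordinary browsing.

```python
"""Call-home (beacon) detection over constructed egress log lines.

Added example; the log format, hostnames, users and process names below are
all constructed for illustration.
"""
import statistics
from collections import defaultdict

# Constructed sample log. 10.0.0.7 contacts one domain every ~300 s with very
# little jitter (beacon-like); 10.0.0.9 visits the same portal at irregular
# times (normal browsing); 10.0.0.12 touches a blocklisted domain once.
SAMPLE_LOG = """\
1700000000 10.0.0.7 alice updater.exe cdn-update.example-cc.net
1700000010 10.0.0.9 bob chrome.exe portal.example.org
1700000301 10.0.0.7 alice updater.exe cdn-update.example-cc.net
1700000420 10.0.0.9 bob chrome.exe portal.example.org
1700000599 10.0.0.7 alice updater.exe cdn-update.example-cc.net
1700000650 10.0.0.12 svc-backup backup.exe sinkhole.example-cc.net
1700000777 10.0.0.9 bob chrome.exe portal.example.org
1700000902 10.0.0.7 alice updater.exe cdn-update.example-cc.net
1700001200 10.0.0.7 alice updater.exe cdn-update.example-cc.net
1700001350 10.0.0.9 bob chrome.exe portal.example.org
"""

# Constructed stand-in for a C&C domain feed.
KNOWN_C2_DOMAINS = {"sinkhole.example-cc.net"}


def parse_log(text):
    """Parse the constructed format into (ts, src, user, process, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, proc, host = line.split()
        events.append((int(ts), src, user, proc, host))
    return events


def find_call_home(events, min_hits=4, max_jitter=0.10):
    """Return one alert per (host, process, destination) that is either on the
    blocklist or beacon-like: at least min_hits contacts whose inter-arrival
    gaps vary by less than max_jitter (coefficient of variation)."""
    times = defaultdict(list)
    user_of = {}
    for ts, src, user, proc, host in events:
        times[(src, proc, host)].append(ts)
        user_of[(src, proc, host)] = user

    alerts = []
    for (src, proc, host), ts_list in times.items():
        reason = None
        if host in KNOWN_C2_DOMAINS:
            reason = "known C&C domain"
        elif len(ts_list) >= min_hits:
            ts_list.sort()
            gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
            mean = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean else 0.0
            if cv < max_jitter:
                reason = f"periodic beacon, ~{mean:.0f}s interval"
        if reason:
            # The alert carries exactly what the text asks for: host, user,
            # process and destination, so the system can be isolated and
            # the responsible process inspected.
            alerts.append({"host": src, "user": user_of[(src, proc, host)],
                           "process": proc, "dest": host, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_call_home(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this flags 10.0.0.7 (updater.exe, ~300 s beacon) and 10.0.0.12 (blocklisted domain) but not 10.0.0.9, whose gaps to the same portal vary by roughly 20%. Real beacons add random sleep jitter, so a production detector widens max_jitter and combines the periodicity score with other signals (newly registered domains, unusual process, off-hours traffic) rather than relying on timing alone.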
IPS can detect hackers trying to misappropriate your network resources. Make sure your firewall has a next-gen intrusion prevention system (IPS) capable of identifying complex attack patterns in your network traffic. This will help you detect hacking attempts and malware that travels laterally across network segments. Also, consider blocking entire geo-IP ranges for regions where your organization does not operate. This can further reduce your attack surface.
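Two of the patterns an IPS is expected to catch are described on this page: the wide port scans that simple IoT malware runs from the Internet, and malware that moves laterally across network segments. The following is an added example, not Sophos code and not a product's IPS signature. It assumes a constructed connection-log format of "<epoch> <src_ip> <dst_ip> <dst_port>" and a constructed list of internal address ranges; a source that touches many distinct (host, port) pairs inside a short window is reported as an external scan or, when the source itself is internal, as a lateral scan, with the scan's shape (horizontal: many hosts on one port; vertical: many ports on one host) recorded for the analyst.

```python
"""Scan-pattern detection over constructed firewall connection logs.

Added example; the address ranges, log format and sample lines are constructed.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed: which ranges count as "inside" for lateral-movement labelling.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample log. 203.0.113.5 sweeps port 23 across a segment
# (horizontal scan from outside); 10.0.2.15 probes six ports on one host in
# another segment (vertical scan from inside); 10.0.2.20 is ordinary traffic.
SAMPLE_LOG = """\
1700000000 203.0.113.5 10.0.1.1 23
1700000002 203.0.113.5 10.0.1.2 23
1700000004 203.0.113.5 10.0.1.3 23
1700000006 203.0.113.5 10.0.1.4 23
1700000008 203.0.113.5 10.0.1.5 23
1700000010 203.0.113.5 10.0.1.6 23
1700000012 203.0.113.5 10.0.1.7 23
1700000100 10.0.2.15 10.0.3.10 22
1700000101 10.0.2.15 10.0.3.10 135
1700000102 10.0.2.15 10.0.3.10 139
1700000103 10.0.2.15 10.0.3.10 445
1700000104 10.0.2.15 10.0.3.10 3389
1700000105 10.0.2.15 10.0.3.10 5985
1700000200 10.0.2.20 10.0.3.10 443
1700000900 10.0.2.20 10.0.3.10 443
1700001600 10.0.2.20 10.0.3.10 443
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse the constructed format into (ts, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            events.append((int(ts), src, dst, int(port)))
    return events


def find_scanners(events, window=60, threshold=6):
    """Sliding-window fan-out check per source: alert when a source reaches
    at least `threshold` distinct (dst, port) targets within `window` seconds."""
    per_src = defaultdict(list)
    for ts, src, dst, port in events:
        per_src[src].append((ts, dst, port))

    alerts = []
    for src, evs in per_src.items():
        evs.sort()
        seen = Counter()   # distinct targets currently inside the window
        start = 0
        for ts, dst, port in evs:
            seen[(dst, port)] += 1
            # Drop events that fell out of the window.
            while ts - evs[start][0] > window:
                old = (evs[start][1], evs[start][2])
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= threshold:
                hosts = {d for d, _ in seen}
                ports = {p for _, p in seen}
                alerts.append({
                    "src": src,
                    "kind": "lateral scan" if is_internal(src) else "external scan",
                    "shape": "horizontal" if len(hosts) > len(ports) else "vertical",
                    "targets": len(seen),
                    "first_seen": evs[start][0],
                    "last_seen": ts,
                })
                break   # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_scanners(parse_log(SAMPLE_LOG)):
        print(alert)
```

The thresholds are deliberately conservative placeholders: a real IPS tunes window and fan-out per segment, ignores known scanners such as vulnerability-management hosts, and treats a vertical scan from an internal workstation toward a server segment as a higher-priority event than external background noise, since the former is what lateral movement looks like in the logs.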
Sandboxing can stop even the latest evasive malware before it reaches your computers. Make sure your firewall has a powerful sandboxing feature that can identify suspicious web or email files and run them in a secure sandbox environment. This allows you to analyze the behavior of files before they gain access to your network.
Web and Email Protection
Web application firewall
A WAF can protect your servers, devices and business applications from hacks. Make sure your firewall provides WAF protection for all systems on your network that require remote access from the Internet. A web application firewall acts as a reverse proxy, can offload authentication from the protected servers, and hardens those systems against hacking attempts.