Building Resilience Against Distributed Threats

Beware the botnet. A botnet is a collection of Internet-connected devices, including PCs, servers, mobile devices, and Internet of Things devices, like sensors and home appliances, that are infected and controlled by malware. Owners and users of the Internet-connected devices are usually unaware of a botnet infecting their devices.

A botnet can be used for a distributed denial-of-service (DDoS) attack, in which the infected devices collectively consume the bandwidth or resources of a targeted system, such as a Web server.

Protection against botnets has become an international issue. Vendors ship products that are susceptible to botnet infection, and enterprises don't do enough to combat the problem.

Report to the President

I read the draft, "A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats," by The Secretary of Commerce and The Secretary of Homeland Security. The draft report, posted on January 5, 2018, included some thoughts that are worth reviewing for the enterprise.

The Departments of Commerce and Homeland Security pursued three approaches: hosting a workshop, publishing a request for comment (the draft report mentioned above), and initiating an inquiry through the President's National Security Telecommunications Advisory Committee (NSTAC). These are aimed at collecting input from experts and stakeholders in private industry, academia, and civil society. The final report will incorporate the received comments before submission to the President, due on May 11, 2018.

Opportunities and Challenges

The draft report highlights the efforts needed to reduce the threat from automated, distributed attacks. One of my conclusions is that the time-to-market vendor mentality produces the opportunities for botnet creation. The report groups its findings into six areas:

  • Automated, distributed attacks are a global problem. Most infected devices in recent botnets have been located outside the United States.
  • Effective tools exist, but are not widely used. The tools are available, but they are not part of common practices in product development and deployment. Both product developers and enterprises need to invest more and increase their awareness of the problems.
  • Products should be secured during all stages of the lifecycle, not as an afterthought. Devices are vulnerable at the time of deployment. The lack of methods and procedures to patch vulnerabilities after discovery is the fault of the device vendors as well as the enterprises that own the devices.
  • Education and awareness are needed. Knowledge gaps in home and enterprise customers, product developers, manufacturers, and infrastructure operators impede the deployment of the tools, processes, and practices that would create more resiliency.
  • Market incentives are misaligned and are not driven to fully address the botnet threats.
  • Automated, distributed attacks are an ecosystem-wide challenge. There is no single party, vendor, government, academia, or enterprise that can alone mitigate the botnet problems.

The Enterprise Perspective

Enterprise networks, whether they belong to business, government, or academic institutions, are routinely connected to the Internet. These networks are complex, enterprise-owned, and include many devices that can be recruited into botnets, as well as cloud-based services. The devices range from PCs, servers, and mobile devices to IoT devices. An enterprise network can simultaneously be a victim of a botnet and a part of one. Besides DDoS attacks, botnets can also play a part in ransomware attacks.

The report envisions the enterprise application of the NIST Cybersecurity Framework. The report postulates that there are five concurrent and continuous functions that need to be applied:

  1. Identify and locate devices that cannot be secured. Enterprises should remove and retire these high-risk devices and replace them with inherently secure devices or those that can be secured.
  2. Protect the system and network architectures to provide additional layers of protection for any remaining high-risk devices and deploy DDoS mitigation services.
  3. Detect using a combination of ISP-based detection services and enterprise-operated network monitoring for both inbound and outbound malicious traffic, and identify infected devices in near real-time.
  4. Respond to attacks by creating policies and procedures to address detected infected devices. Enterprises should have processes and procedures to contact their ISPs and anti-DDoS service providers when attacks are detected.
  5. Recover by retaining the enterprise's ability to rebuild infected systems instead of paying ransomware operators to resume operations.
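The Detect function above calls for enterprise-operated monitoring of both inbound and outbound traffic to find infected devices in near real-time. The script below is an added example, not code from the report or from this article, of the kind of triage such monitoring performs: it parses constructed NetFlow-style records (the "ts src dst dport bytes" format, the 10.0.0.0/8 internal range, and the thresholds are all assumptions) and flags internal hosts that repeatedly hammer one external destination, which is what a DDoS participant looks like from the inside, and internal services being hit by many distinct external sources, which is what a DDoS target looks like.

```python
# Added example: flow-log triage for the "Detect" function (not the report's code).
# Log format, internal address range, and thresholds are assumptions.
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed enterprise range

# Tunable thresholds (assumptions, not values taken from the report).
WINDOW_SECONDS = 60
OUTBOUND_FLOWS_PER_TARGET = 50   # flows from one host to one dst:port per window
INBOUND_DISTINCT_SOURCES = 30    # distinct external sources hitting one dst:port


@dataclass(frozen=True)
class Flow:
    ts: int       # epoch seconds
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flow_log(text: str) -> list[Flow]:
    """Parse lines of the form 'ts src dst dport bytes'; skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), int(nbytes)))
    return sorted(flows, key=lambda f: f.ts)


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL_NET


def _window_exceeds(timestamps: list[int], limit: int) -> bool:
    """True if at least `limit` timestamps fall inside some WINDOW_SECONDS span."""
    timestamps.sort()
    left = 0
    for right, ts in enumerate(timestamps):
        while ts - timestamps[left] > WINDOW_SECONDS:
            left += 1
        if right - left + 1 >= limit:
            return True
    return False


def detect_outbound_participants(flows: list[Flow]) -> dict[str, str]:
    """Internal hosts flooding a single external dst:port -> likely bot members."""
    per_pair: dict[tuple[str, str, int], list[int]] = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            per_pair[(f.src, f.dst, f.dport)].append(f.ts)
    hits: dict[str, str] = {}
    for (src, dst, dport), stamps in per_pair.items():
        if _window_exceeds(stamps, OUTBOUND_FLOWS_PER_TARGET):
            hits[src] = f"{dst}:{dport}"
    return hits


def detect_inbound_targets(flows: list[Flow]) -> dict[str, int]:
    """Internal dst:port contacted by many distinct external sources -> likely target."""
    # Track the first time each external source hit each target; a burst of
    # first-seen sources inside one window approximates a distributed flood.
    per_target: dict[tuple[str, int], dict[str, int]] = defaultdict(dict)
    for f in flows:
        if not is_internal(f.src) and is_internal(f.dst):
            per_target[(f.dst, f.dport)].setdefault(f.src, f.ts)
    hits: dict[str, int] = {}
    for (dst, dport), first_seen in per_target.items():
        if _window_exceeds(list(first_seen.values()), INBOUND_DISTINCT_SOURCES):
            hits[f"{dst}:{dport}"] = len(first_seen)
    return hits


def triage(text: str) -> dict[str, dict]:
    flows = parse_flow_log(text)
    return {"outbound_participants": detect_outbound_participants(flows),
            "inbound_targets": detect_inbound_targets(flows)}


def build_sample_log() -> str:
    """Constructed flow records: one bot-like host, one flooded server, and noise."""
    lines = ["# ts src dst dport bytes"]
    # 10.0.0.7 sends 60 tiny flows to one external web server within 30 seconds.
    lines += [f"{1000 + i // 2} 10.0.0.7 203.0.113.5 80 64" for i in range(60)]
    # 10.0.0.9 browses normally: a few flows to different sites.
    lines += [f"{1000 + i * 7} 10.0.0.9 203.0.113.{10 + i} 443 2048" for i in range(5)]
    # 40 distinct external sources hit internal server 10.0.1.20:443 within 20 seconds.
    lines += [f"{2000 + i // 2} 198.51.100.{i + 1} 10.0.1.20 443 128" for i in range(40)]
    return "\n".join(lines)


if __name__ == "__main__":
    for kind, found in triage(build_sample_log()).items():
        print(kind, found or "none")
```

Run on the constructed sample, the script reports 10.0.0.7 as a probable participant (targeting 203.0.113.5:80) and 10.0.1.20:443 as a probable target, while the normally browsing 10.0.0.9 is not flagged. Both detectors use a sliding window so a slow, steady trickle does not trip them; in production the thresholds would be tuned against the enterprise's own baseline, and a hit on the outbound side is the cue to isolate the device, while a hit on the inbound side is the cue to engage the ISP or anti-DDoS provider as described under Respond.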

A Possible Remedy

My last blog, "Compliance: A Cost or Savings?," dealt with existing IT and data compliance requirements. No one likes compliance, as compliance regulations demand a number of security functions and implementations. However, compliance regulations can create positive incentives.

My thought is that if there were some government-imposed security compliance requirements for endpoint devices connected to the Internet, significant fines and penalties could be possible. Those harmed by botnets could sue the botnet creators and those who allow their devices to be used in the botnet. Penalties could be levied. This may go a long way toward creating incentives for vendors and enterprises to select and install devices that improve resilience against botnets. Setting goals or acknowledging the botnet problem will not stop the botnets.
