SlideShare a Scribd company logo

Botnet Detection: Defending Against the Zombie Army

AlienVault
AlienVault

The modern botnet, also referred to as a zombie army, is a collection of compromised workstations and servers distributed over the public Internet, which jointly serve the agenda of a malicious or criminal entity. Attackers use botnets for a range of nefarious tasks including distributed denial of service (DDoS) attacks, spam-marketing, collecting sensitive credit card/financial data and more. In this white paper, you’ll learn: • How botnets operate • How to detect signs and symptoms of botnet infiltration • Advantages of host and network botnet detection • Differences between static and behavioral botnet detection • Tactics for detecting communications with command and control servers

Technology
1 of 23
Download to read offline
Botnet Detection DEFENDING AGAINST THE ZOMBIE ARMY www.alienvault.com
Traditional wars were fought and largely won based on the size of the army. Similarly, modern day cyber criminals also have the need to build huge armies that can pursue computationally challenging tasks. They achieve this by leveraging the untapped processing power of a very large number of everyday endpoints. This is the idea behind the modern botnet (also referred to as the Zombie Army): A collection of compromised workstations and servers distributed over the public Internet, which jointly serve the agenda of a malicious or criminal entity. In this paper, we’ll go over what botnets are and tactics for better botnet detection. Botnet Detection
How Botnets Operate... Attackers infiltrate systems with malware in a variety of ways (phishing, watering holes, etc) to build their botnet. Once infiltrated, these compromised systems (“bots”) typically link back to a command and control (C&C) server and wait for instructions. The botnet can then be used for tasks ranging from distributed denial of service (DDoS) and DDoS-as-a-Service attacks, to spam- marketing on a mass scale, to collecting sensitive credit card/financial data… leading in short order to identity theft and fraud. Want an example? The Gameover ZeuS botnet malware package that runs on Microsoft OS, originally discovered in 2007, operated for over three years in just this fashion, eventually leading to an estimated $70 million in stolen funds and the arrest of over a hundred individuals by the FBI in 2010. And it wasn’t until March 2012 that Microsoft announced it had succeeded in shutting down the “majority” of C&C servers. As you might guess from the length of Gameover ZeuS’ tenure — still ongoing! — organizations that own compromised workstations often aren’t even aware this is happening until considerable damage has been done. And of course over time the number of botnets has grown significantly in number and value while becoming more sophisticated in their targets, infiltration, anti-detection, and attack techniques. So today, it’s increasingly important for IT professionals to be well-versed in botnet detection techniques and tools.
Botnet Detection: Ferreting out one or more bots on your network
Initial signs and symptoms There are several symptoms that often manifest shortly after botnet infiltration as the compromised machine begins executing its instructions. Awareness of these symptoms can aid in early botnet detection. They include: • Linking to established C&C servers for instructions • Generating Internet Relay Chat (IRC) traffic via a specific range of ports • Generating simultaneous identical domain name system (DNS) requests • Generating Simple Mail Transfer Protocol (SMTP) traffic/e-mails • Reducing workstation performance/Internet access to the point it’s • obvious to end users As you can see, these issues manifest both at the level of individual, compromised workstations and the network as a whole. For network managers, that means there are different botnet detection tactics that can be used at both of these levels.
Botnet detection at the endpoint Host-based botnet detection begins with client-side anti-viral solutions, since the infiltration itself nearly always happens via malware. Unfortunately, antiviral technology often simply fails to spot an infection, so administrators should also be on the lookout for additional issues. Host-based botnet detection includes things like rootkit installations, unexpected popups while browsing over HTTP (though this may simply be spyware), or any sudden change to the Windows Hosts file, which can be used (or abused) to restrict outbound server access. Also, of course, if the default DNS servers have been modified, that’s likely a sign that traffic is going places the organization doesn’t want it to go.
Botnet detection on the network Network-based botnet detection is a bit more complex. One approach lies in detecting and monitoring Internet Relay Chat (IRC) traffic, which probably shouldn’t exist on a company network at all. IRC traffic is also sent unencrypted, meaning keywords can be detected with a packet sniffer. The default IRC port is 6667, but the entire port range (from 6660-6669 & 7000) might be utilized by bots. As suggested earlier, if many endpoints are suddenly and simultaneously hitting one or more external sites, that’s a sign that a botnet-driven DDOS attack is being launched from your network. Similarly, mass outbound traffic happening over SMTP indicates spam-mailing may be an issue. Include rules for these symptoms in your network-based security tools to tune them for botnet detection.
Botnet detection via honeypot Especially ambitious security professionals may consider creating a honeypot (false infiltration opportunity) and seeing if it, indeed, becomes infiltrated — and if so, how. If you use Suricata, the free open-source intrusion detection solution, you may be able get a list of botnet recognition signatures for it. And, of course, always look for any attempt to connect to known C&C servers.
BEST PRACTICE Deploy both host- and network-based botnet detection tools, neither will find every instance every time by themselves. Ensure your host-based IDS or an anti-malware solution is capable of detecting the common endpoint signs of botnet infection and is frequently updated with the last known C&C server information. Not catching the easy, obvious infections can be used as a sign of negligence. Implement a honeypot (or several) if you are protecting reasonably valuable information, have a lot of brand equity in your company’s name, or make for a particularly juicy target for a lawsuit by a victim of a botnet- based attack originating from your network. # 1 2 3 YOUR STATUS Host vs. Network BOTNET DETECTION BEST PRACTICES CHECKLIST
Static vs. Behavioral Botnet Detection Botnet detection falls into two categories: Static Analysis & Behavioral Analysis. Static analyses are simplistic, fast, and resource friendly. Behavioral analyses are more thorough but also more resource intensive.
Static analysis in botnet detection: your first line of defense Static techniques — basically, looking for a highly specific match to something like a malware signature or specific executable or C&C connection address (see above) — are fast and, when they work, effective. Unfortunately, they simply don’t always work; botnet managers (“herders”) are getting increasingly sophisticated about evading such simple giveaways, using counters such as file polymorphism to alter the executables in unpredictable ways, URL obfuscation to hide the targets of DDOS attacks, server proxies, and even rapidly changing the IP addresses of their own C&C servers. Botnet detection via Static Analysis alone simply isn’t enough.
Add behavioral analysis to your botnet detection arsenal to be sure That’s why behavioral analysis is virtually always an essential approach to botnet detection as well. For instance, the timing of attacks is often a dead giveaway; a C&C server usually issues blanket orders for bots to take specific actions, generating enormous network activity at one point in time (usually, of the types described above under network-based detection). The average interval of time between an endpoint connecting to different outbound servers will generally be low for bots simply because there isn’t a human driving that network activity. There will be more failed connection attempts for the same reason and those connection attempts are more likely to involve numerical IP addresses than server names.
And, of course, port-scanning the local network for new infiltration opportunities is classic behavior for a bot. All of these behaviors can be detected with SIEM / Network IDS rules to expand an organization’s botnet detection capabilities. One slightly newer wrinkle for botnets is a P2P management architecture. This works in a decentralized way, such that there is no central C&C server and commands are issued from peers. Such a botnet is harder to detect, though infected bots will usually act in much the same ways otherwise because the bot herder has the same goals. Also, botnets are now being designed to go after targets considered “not worth it” in the past – Linux systems, including embedded systems like WiFi routers, CCTV cameras, and more.
BEST PRACTICE Use static analysis at a minimum, but organizations should focus botnet detection on behavioral analysis if at all possible, as it is much more effective. Talk to in-house and external experts about P2P botnet detection techniques. Ensure the rules for your behavioral, network-based botnet detection systems take into account less common systems. # 1 2 3 YOUR STATUS Static vs. Behavioral Analysis BOTNET DETECTION BEST PRACTICES CHECKLIST
Lately, botnet creators and admins (“herders”) have become more sophisticated about how C&C commands are issued to malware-compromised workstations, but the most basic system works like this: 1. 2. 3. One command and control server The C&C server communicates with a theoretically infinite botnet via IRC (Internet Relay Chat) commands The command and control network then carries out scheduled activity (denial of service attacks, data theft, identity theft, etc.) Command & Control Server Detection
C&C STRUCTURES ARE EVOLVING Command & control server detection must evolve too That list above looks simple, right? Well, today, botnet commands most often emerge from multiple servers, and take many forms — some, remarkably subtle. This of course makes command and control server detection remarkably difficult. Command and control malware activity routinely takes hidden forms such as: • • • • • • Tor network traffic. The Tor browser utilizes a special network of worldwide servers to deliver exceptionally private browsing that’s very hard to trace to its original source. Unfortunately, that same design makes botnet commands hard to trace. Peer to peer (P2P) services. Thanks to the distributed nature of P2P, commands are distributed globally, in unpredictable ways, by an ever-changing network. Social media. A public Facebook page or Twitter feed can be used to issue botnet commands — and that kind of traffic can be very hard to distinguish from genuine traffic. Domain generation algorithms. Today, herders use specialized algorithms to distribute botnet traffic so that it’s coming from random domains, effectively disguising the source. Multi-level command and control servers. Sometimes herders issue commands to server A, which issues them to server B, which issues them to the botnet. Even if server B is somehow blocked, A will keep working and can send them to a new server, C – mimicking the way scalable, highly stable enterprise software is architected. DNS responses. Because DNS traffic is not inspected by most IDS, it can easily move across the network.
COMBINE YOUR TACTICS For command and control server detection What to do? There’s no single best way to perform command and control server detection and handle botnets, but a combination of tactics can prove effective. Among others, here are some recommendations: • • Track suspicious network activity with NetFlow, network and behavioral monitoring as well as web filtering. Beyond simply blocking IRC, admins can look for dubious outbound connection attempts in a much broader sense, and create/update service blacklists to deal with suspicious cases. Example: If a thousand users are all suddenly following a particular Twitter feed, and that feed’s content obviously isn’t meant for a human audience, that’s a clear sign of botnet activity. Tweak firewalls and intrusion prevention/detection (IPS/IDS) systems in context-specific ways. Many times, it’s possible to mitigate the problem for a given class of endpoint by limiting network access to the tasks/ports that are directly relevant to that endpoint. For instance, given a DNS server, you might consider blocking everything except UDP and TCP port 53. Also, for certain freeware IDS solutions such as Snort, there are downloadable rules that can help you automatically detect and block dubious activity on IRC and other ports, no matter where it originates on the network.
COMBINE YOUR TACTICS For command and control server detection • • The idea should be to treat each of these approaches as a tool, and combine the tools as needed to yield a customized strategy that matches your local context and security requirements. Harden workstations against the initial malware infection that creates a bot. In addition to maintaining and upgrading basic antivirus solutions, administrators can run regular system integrity checks, vulnerability scans, minimize root privileges, and install client-side firewalls (especially effective if they support outbound packet rules, not just inbound). The fewer compromised machines you have, the less you need to worry about command and control server detection itself. Try to break down the malware code to see how it works. Not all IT professionals can do this, but even knowing and applying the basics can yield good results. For instance, it’s sometimes possible to find command and control server detection information by disassembling the compiled code or even just by using a sector analysis tool that converts hexadecimal to ASCII. (However, since herders are increasingly turning to integrated encryption, don’t expect this to work in every case.)
HOW TO TAKE DOWN Command & Control server networks This, of course, is the best possible fix, but it’s no easy feat. Actually bringing down command and control networks, wherever they exist, will almost always require collaborating with law enforcement professionals, and many times inter-country cooperation, to take action on a case-by-case basis. And it is extremely difficult to take down an entire command and control server list. Examples include: • • • The bottom line is that while command and control server detection is hard and getting harder by the day, there are many steps IT professionals can take to mitigate and even eliminate the problem — up to and including getting law enforcement involved, if sufficient forensic evidence is provided. The idea should be to treat each of these approaches as a tool, and combine the tools as needed to yield a customized strategy that matches your local context and security requirements. Working with a provider to remove/clean problematic servers or even confiscate specific physical hosts Revoking domain name service for exceptionally problematic domains Taking an entire hosting provider offline (this has happened in notorious cases such as McColo, a San Jose provider)
SummaryFocus on your network activity, not command & control server detection For the typical security professional, taking down a command and control server infrastructure is nearly impossible, and your time is honestly better spent elsewhere. Rely on trusted security solution providers to assist you in blacklisting known command and control networks with frequent updates to their command and control server list, and automating detection of suspicious activity inside your firewall. This frees you up to focus on preventing command & control malware infections and ensuring your endpoints are not being used in an attack on your infrastructure or on someone else’s.
Botnet tools and the future of botnet detection The news isn’t all bad. As botnets have evolved, so have the tools to detect and eradicate them. Today, focused open- source solutions like Snort and more comprehensive, integrated security intelligence offerings like AlienVault Unified Security Management (USM) are available to: • Determine when network activity is unusual in predefined ways • Identify its network origin • Analyze its nature and impact • Directly quarantine, limit, or eradicate local bots And going forward, such solutions are only getting smarter — fast. This is happening in a variety of ways, some tech-centric (such as machine learning as implemented for botnet detection via pattern recognition), some human-centric and some that combine the two.
AlienVault Labs & Unified Security Management (USM) AlienVault Unified Security Management (USM) combines 5 key security capabilities – asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring and SIEM - with real-time threat intelligence from the AlienVault Labs security research team to help customers identify threats. USM also incorporates threat data from the Open Threat Exchange (OTX) the world’s first truly open threat intelligence community. The AlienVault Labs team regularly delivers threat intelligence as a coordinated set of updates to the USM platform, which accelerates and simplifies threat detection, prioritization, and response: • Correlation directives – translates raw events into actionable remediation tasks • Network and host IDS signatures – detects the latest threats in your environment • Asset discovery signatures – identifies the latest OSs, applications and device types • Vulnerability assessment signatures – finds the latest vulnerabilities on all your systems • Reporting modules – provides new ways of viewing data about your environment and/or meeting compliance reqs • Dynamic incident response templates – delivers customized guidance on how to respond to each alert • Newly supported data source plug-ins – expands your monitoring footprint AlienVault OTX enables collaborative defense with actionable, community-powered threat data to provide global insight into attack trends and bad actors. OTX pulses provide users with a summary of the threat, a view into the software targeted, and the related indicators of compromise (IoC) that they can use to detect the threats. OTX pulses are integrated with AlienVault USM so that threat detection capabilities stay up to date with the latest threats reported by the community, and vetted by the AlienVault Labs team.
Next Steps: Play, share, enjoy! www.alienvault.com • Learn more about threat management with AlienVault USM • Create a personalized demo • Start detecting threats today with a free 30-day trial • Join the Open Threat Exchange (OTX)

Recommended

Simplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMSimplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMAlienVault
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...AlienVault
 
Botnet Detection Techniques
Botnet Detection TechniquesBotnet Detection Techniques
Botnet Detection TechniquesTeam Firefly
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationAlienVault
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienVault
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmAlienVault
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMAlienVault
 
Botnet
Botnet Botnet
Botnet PriyanKa Harjai
 

Recommended

Simplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMSimplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMAlienVault
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...AlienVault
 
Botnet Detection Techniques
Botnet Detection TechniquesBotnet Detection Techniques
Botnet Detection TechniquesTeam Firefly
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationAlienVault
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienVault
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmAlienVault
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMAlienVault
 
Botnet
Botnet Botnet
Botnet PriyanKa Harjai
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than EverAlienVault
 
Botnets
BotnetsBotnets
BotnetsKavisha Miyan
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIMAlienVault
 
Nmap.potosim
Nmap.potosimNmap.potosim
Nmap.potosimgh02
 
Alien vault sans cyber threat intelligence
Alien vault sans cyber threat intelligenceAlien vault sans cyber threat intelligence
Alien vault sans cyber threat intelligenceAlienVault
 
Botnet Architecture
Botnet ArchitectureBotnet Architecture
Botnet ArchitectureBhagath Singh Jayaprakasam
 
Improve Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesImprove Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesAlienVault
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmAlienVault
 
BotNet Attacks
BotNet AttacksBotNet Attacks
BotNet AttacksRangana lakmal
 
BOTNET
BOTNETBOTNET
BOTNETArjo Ghosh
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverAlienVault
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controlsAlienVault
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuideAlienVault
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAlienVault
 
Insider Threat Detection Recommendations
Insider Threat Detection RecommendationsInsider Threat Detection Recommendations
Insider Threat Detection RecommendationsAlienVault
 
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsAlienVault
 
Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?AlienVault
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultAlienVault
 
Open Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideOpen Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideAlienVault
 
The State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHICThe State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHICAlienVault
 
Incident response live demo slides final
Incident response live demo slides finalIncident response live demo slides final
Incident response live demo slides finalAlienVault
 
How Malware Works
How Malware WorksHow Malware Works
How Malware WorksAlienVault
 

More Related Content

Viewers also liked

New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than EverAlienVault
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIMAlienVault
 
Nmap.potosim
Nmap.potosimNmap.potosim
Nmap.potosimgh02
 
Alien vault sans cyber threat intelligence
Alien vault sans cyber threat intelligenceAlien vault sans cyber threat intelligence
Alien vault sans cyber threat intelligenceAlienVault
 
Improve Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesImprove Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesAlienVault
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmAlienVault
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverAlienVault
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controlsAlienVault
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuideAlienVault
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAlienVault
 
Insider Threat Detection Recommendations
Insider Threat Detection RecommendationsInsider Threat Detection Recommendations
Insider Threat Detection RecommendationsAlienVault
 

Viewers also liked (15)

New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 
Botnets
BotnetsBotnets
Botnets
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIM
 
Nmap.potosim
Nmap.potosimNmap.potosim
Nmap.potosim
 
Alien vault sans cyber threat intelligence
Alien vault sans cyber threat intelligenceAlien vault sans cyber threat intelligence
Alien vault sans cyber threat intelligence
 
Botnet Architecture
Botnet ArchitectureBotnet Architecture
Botnet Architecture
 
Improve Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesImprove Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation Directives
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usm
 
BotNet Attacks
BotNet AttacksBotNet Attacks
BotNet Attacks
 
BOTNET
BOTNETBOTNET
BOTNET
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source Security
 
Insider Threat Detection Recommendations
Insider Threat Detection RecommendationsInsider Threat Detection Recommendations
Insider Threat Detection Recommendations
 

More from AlienVault

Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsAlienVault
 
Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?AlienVault
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultAlienVault
 
Open Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideOpen Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideAlienVault
 
The State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHICThe State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHICAlienVault
 
Incident response live demo slides final
Incident response live demo slides finalIncident response live demo slides final
Incident response live demo slides finalAlienVault
 
How Malware Works
How Malware WorksHow Malware Works
How Malware WorksAlienVault
 
AWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAlienVault
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMAlienVault
 
IDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSIDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSAlienVault
 
Insider Threats: How to Spot Trouble Quickly with AlienVault USM
Insider Threats: How to Spot Trouble Quickly with AlienVault USMInsider Threats: How to Spot Trouble Quickly with AlienVault USM
Insider Threats: How to Spot Trouble Quickly with AlienVault USMAlienVault
 
Security by Collaboration: Rethinking Red Teams versus Blue Teams
Security by Collaboration: Rethinking Red Teams versus Blue TeamsSecurity by Collaboration: Rethinking Red Teams versus Blue Teams
Security by Collaboration: Rethinking Red Teams versus Blue TeamsAlienVault
 
Prepare to Be Breached: How to Adapt your Security Controls to the “New Normal”
Prepare to Be Breached: How to Adapt your Security Controls to the “New Normal”Prepare to Be Breached: How to Adapt your Security Controls to the “New Normal”
Prepare to Be Breached: How to Adapt your Security Controls to the “New Normal”AlienVault
 
How to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USMHow to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USMAlienVault
 
Spice world 2014 hacker smackdown
Spice world 2014 hacker smackdown Spice world 2014 hacker smackdown
Spice world 2014 hacker smackdown AlienVault
 
Demo how to detect ransomware with alien vault usm_gg
Demo how to detect ransomware with alien vault usm_ggDemo how to detect ransomware with alien vault usm_gg
Demo how to detect ransomware with alien vault usm_ggAlienVault
 

More from AlienVault (16)

Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
 
Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVault
 
Open Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideOpen Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's Guide
 
The State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHICThe State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHIC
 
Incident response live demo slides final
Incident response live demo slides finalIncident response live demo slides final
Incident response live demo slides final
 
How Malware Works
How Malware WorksHow Malware Works
How Malware Works
 
AWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & Response
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USM
 
IDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSIDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDS
 
Insider Threats: How to Spot Trouble Quickly with AlienVault USM
Insider Threats: How to Spot Trouble Quickly with AlienVault USMInsider Threats: How to Spot Trouble Quickly with AlienVault USM
Insider Threats: How to Spot Trouble Quickly with AlienVault USM
 
Security by Collaboration: Rethinking Red Teams versus Blue Teams
Security by Collaboration: Rethinking Red Teams versus Blue TeamsSecurity by Collaboration: Rethinking Red Teams versus Blue Teams
Security by Collaboration: Rethinking Red Teams versus Blue Teams
 
Prepare to Be Breached: How to Adapt your Security Controls to the “New Normal”
Prepare to Be Breached: How to Adapt your Security Controls to the “New Normal”Prepare to Be Breached: How to Adapt your Security Controls to the “New Normal”
Prepare to Be Breached: How to Adapt your Security Controls to the “New Normal”
 
How to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USMHow to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USM
 
Spice world 2014 hacker smackdown
Spice world 2014 hacker smackdown Spice world 2014 hacker smackdown
Spice world 2014 hacker smackdown
 
Demo how to detect ransomware with alien vault usm_gg
Demo how to detect ransomware with alien vault usm_ggDemo how to detect ransomware with alien vault usm_gg
Demo how to detect ransomware with alien vault usm_gg
 

Recently uploaded

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Recently uploaded (20)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Botnet Detection: Defending Against the Zombie Army

  • 1. Botnet Detection DEFENDING AGAINST THE ZOMBIE ARMY www.alienvault.com
  • 2. Traditional wars were fought and largely won based on the size of the army. Similarly, modern day cyber criminals also have the need to build huge armies that can pursue computationally challenging tasks. They achieve this by leveraging the untapped processing power of a very large number of everyday endpoints. This is the idea behind the modern botnet (also referred to as the Zombie Army): A collection of compromised workstations and servers distributed over the public Internet, which jointly serve the agenda of a malicious or criminal entity. In this paper, we’ll go over what botnets are and tactics for better botnet detection. Botnet Detection
  • 3. How Botnets Operate... Attackers infiltrate systems with malware in a variety of ways (phishing, watering holes, etc) to build their botnet. Once infiltrated, these compromised systems (“bots”) typically link back to a command and control (C&C) server and wait for instructions. The botnet can then be used for tasks ranging from distributed denial of service (DDoS) and DDoS-as-a-Service attacks, to spam- marketing on a mass scale, to collecting sensitive credit card/financial data… leading in short order to identity theft and fraud. Want an example? The Gameover ZeuS botnet malware package that runs on Microsoft OS, originally discovered in 2007, operated for over three years in just this fashion, eventually leading to an estimated $70 million in stolen funds and the arrest of over a hundred individuals by the FBI in 2010. And it wasn’t until March 2012 that Microsoft announced it had succeeded in shutting down the “majority” of C&C servers. As you might guess from the length of Gameover ZeuS’ tenure — still ongoing! — organizations that own compromised workstations often aren’t even aware this is happening until considerable damage has been done. And of course over time the number of botnets has grown significantly in number and value while becoming more sophisticated in their targets, infiltration, anti-detection, and attack techniques. So today, it’s increasingly important for IT professionals to be well-versed in botnet detection techniques and tools.
  • 4. Botnet Detection: Ferreting out one or more bots on your network
  • 5. Initial signs and symptoms There are several symptoms that often manifest shortly after botnet infiltration as the compromised machine begins executing its instructions. Awareness of these symptoms can aid in early botnet detection. They include: • Linking to established C&C servers for instructions • Generating Internet Relay Chat (IRC) traffic via a specific range of ports • Generating simultaneous identical domain name system (DNS) requests • Generating Simple Mail Transfer Protocol (SMTP) traffic/e-mails • Reducing workstation performance/Internet access to the point it’s • obvious to end users As you can see, these issues manifest both at the level of individual, compromised workstations and the network as a whole. For network managers, that means there are different botnet detection tactics that can be used at both of these levels.
  • 6. Botnet detection at the endpoint Host-based botnet detection begins with client-side anti-viral solutions, since the infiltration itself nearly always happens via malware. Unfortunately, antiviral technology often simply fails to spot an infection, so administrators should also be on the lookout for additional issues. Host-based botnet detection includes things like rootkit installations, unexpected popups while browsing over HTTP (though this may simply be spyware), or any sudden change to the Windows Hosts file, which can be used (or abused) to restrict outbound server access. Also, of course, if the default DNS servers have been modified, that’s likely a sign that traffic is going places the organization doesn’t want it to go.
  • 7. Botnet detection on the network Network-based botnet detection is a bit more complex. One approach lies in detecting and monitoring Internet Relay Chat (IRC) traffic, which probably shouldn’t exist on a company network at all. IRC traffic is also sent unencrypted, meaning keywords can be detected with a packet sniffer. The default IRC port is 6667, but the entire port range (from 6660-6669 & 7000) might be utilized by bots. As suggested earlier, if many endpoints are suddenly and simultaneously hitting one or more external sites, that’s a sign that a botnet-driven DDOS attack is being launched from your network. Similarly, mass outbound traffic happening over SMTP indicates spam-mailing may be an issue. Include rules for these symptoms in your network-based security tools to tune them for botnet detection.
  • 8. Botnet detection via honeypot Especially ambitious security professionals may consider creating a honeypot (false infiltration opportunity) and seeing if it, indeed, becomes infiltrated — and if so, how. If you use Suricata, the free open-source intrusion detection solution, you may be able get a list of botnet recognition signatures for it. And, of course, always look for any attempt to connect to known C&C servers.
  • 9. BEST PRACTICE Deploy both host- and network-based botnet detection tools, neither will find every instance every time by themselves. Ensure your host-based IDS or an anti-malware solution is capable of detecting the common endpoint signs of botnet infection and is frequently updated with the last known C&C server information. Not catching the easy, obvious infections can be used as a sign of negligence. Implement a honeypot (or several) if you are protecting reasonably valuable information, have a lot of brand equity in your company’s name, or make for a particularly juicy target for a lawsuit by a victim of a botnet- based attack originating from your network. # 1 2 3 YOUR STATUS Host vs. Network BOTNET DETECTION BEST PRACTICES CHECKLIST
  • 10. Static vs. Behavioral Botnet Detection Botnet detection falls into two categories: Static Analysis & Behavioral Analysis. Static analyses are simplistic, fast, and resource friendly. Behavioral analyses are more thorough but also more resource intensive.
  • 11. Static analysis in botnet detection: your first line of defense Static techniques — basically, looking for a highly specific match to something like a malware signature or specific executable or C&C connection address (see above) — are fast and, when they work, effective. Unfortunately, they simply don’t always work; botnet managers (“herders”) are getting increasingly sophisticated about evading such simple giveaways, using counters such as file polymorphism to alter the executables in unpredictable ways, URL obfuscation to hide the targets of DDOS attacks, server proxies, and even rapidly changing the IP addresses of their own C&C servers. Botnet detection via Static Analysis alone simply isn’t enough.
  • 12. Add behavioral analysis to your botnet detection arsenal to be sure That’s why behavioral analysis is virtually always an essential approach to botnet detection as well. For instance, the timing of attacks is often a dead giveaway; a C&C server usually issues blanket orders for bots to take specific actions, generating enormous network activity at one point in time (usually, of the types described above under network-based detection). The average interval of time between an endpoint connecting to different outbound servers will generally be low for bots simply because there isn’t a human driving that network activity. There will be more failed connection attempts for the same reason and those connection attempts are more likely to involve numerical IP addresses than server names.
  • 13. And, of course, port-scanning the local network for new infiltration opportunities is classic behavior for a bot. All of these behaviors can be detected with SIEM / Network IDS rules to expand an organization’s botnet detection capabilities. One slightly newer wrinkle for botnets is a P2P management architecture. This works in a decentralized way, such that there is no central C&C server and commands are issued from peers. Such a botnet is harder to detect, though infected bots will usually act in much the same ways otherwise because the bot herder has the same goals. Also, botnets are now being designed to go after targets considered “not worth it” in the past – Linux systems, including embedded systems like WiFi routers, CCTV cameras, and more.
  • 14. BEST PRACTICE Use static analysis at a minimum, but organizations should focus botnet detection on behavioral analysis if at all possible, as it is much more effective. Talk to in-house and external experts about P2P botnet detection techniques. Ensure the rules for your behavioral, network-based botnet detection systems take into account less common systems. # 1 2 3 YOUR STATUS Static vs. Behavioral Analysis BOTNET DETECTION BEST PRACTICES CHECKLIST
  • 15. Lately, botnet creators and admins (“herders”) have become more sophisticated about how C&C commands are issued to malware-compromised workstations, but the most basic system works like this: 1. 2. 3. One command and control server The C&C server communicates with a theoretically infinite botnet via IRC (Internet Relay Chat) commands The command and control network then carries out scheduled activity (denial of service attacks, data theft, identity theft, etc.) Command & Control Server Detection
  • 16. C&C STRUCTURES ARE EVOLVING Command & control server detection must evolve too That list above looks simple, right? Well, today, botnet commands most often emerge from multiple servers, and take many forms — some, remarkably subtle. This of course makes command and control server detection remarkably difficult. Command and control malware activity routinely takes hidden forms such as: • • • • • • Tor network traffic. The Tor browser utilizes a special network of worldwide servers to deliver exceptionally private browsing that’s very hard to trace to its original source. Unfortunately, that same design makes botnet commands hard to trace. Peer to peer (P2P) services. Thanks to the distributed nature of P2P, commands are distributed globally, in unpredictable ways, by an ever-changing network. Social media. A public Facebook page or Twitter feed can be used to issue botnet commands — and that kind of traffic can be very hard to distinguish from genuine traffic. Domain generation algorithms. Today, herders use specialized algorithms to distribute botnet traffic so that it’s coming from random domains, effectively disguising the source. Multi-level command and control servers. Sometimes herders issue commands to server A, which issues them to server B, which issues them to the botnet. Even if server B is somehow blocked, A will keep working and can send them to a new server, C – mimicking the way scalable, highly stable enterprise software is architected. DNS responses. Because DNS traffic is not inspected by most IDS, it can easily move across the network.
  • 17. COMBINE YOUR TACTICS For command and control server detection What to do? There’s no single best way to perform command and control server detection and handle botnets, but a combination of tactics can prove effective. Among others, here are some recommendations: • • Track suspicious network activity with NetFlow, network and behavioral monitoring as well as web filtering. Beyond simply blocking IRC, admins can look for dubious outbound connection attempts in a much broader sense, and create/update service blacklists to deal with suspicious cases. Example: If a thousand users are all suddenly following a particular Twitter feed, and that feed’s content obviously isn’t meant for a human audience, that’s a clear sign of botnet activity. Tweak firewalls and intrusion prevention/detection (IPS/IDS) systems in context-specific ways. Many times, it’s possible to mitigate the problem for a given class of endpoint by limiting network access to the tasks/ports that are directly relevant to that endpoint. For instance, given a DNS server, you might consider blocking everything except UDP and TCP port 53. Also, for certain freeware IDS solutions such as Snort, there are downloadable rules that can help you automatically detect and block dubious activity on IRC and other ports, no matter where it originates on the network.
  • 18. COMBINE YOUR TACTICS For command and control server detection • • The idea should be to treat each of these approaches as a tool, and combine the tools as needed to yield a customized strategy that matches your local context and security requirements. Harden workstations against the initial malware infection that creates a bot. In addition to maintaining and upgrading basic antivirus solutions, administrators can run regular system integrity checks, vulnerability scans, minimize root privileges, and install client-side firewalls (especially effective if they support outbound packet rules, not just inbound). The fewer compromised machines you have, the less you need to worry about command and control server detection itself. Try to break down the malware code to see how it works. Not all IT professionals can do this, but even knowing and applying the basics can yield good results. For instance, it’s sometimes possible to find command and control server detection information by disassembling the compiled code or even just by using a sector analysis tool that converts hexadecimal to ASCII. (However, since herders are increasingly turning to integrated encryption, don’t expect this to work in every case.)
  • 19. HOW TO TAKE DOWN Command & Control server networks This, of course, is the best possible fix, but it’s no easy feat. Actually bringing down command and control networks, wherever they exist, will almost always require collaborating with law enforcement professionals, and many times inter-country cooperation, to take action on a case-by-case basis. And it is extremely difficult to take down an entire command and control server list. Examples include: • • • The bottom line is that while command and control server detection is hard and getting harder by the day, there are many steps IT professionals can take to mitigate and even eliminate the problem — up to and including getting law enforcement involved, if sufficient forensic evidence is provided. The idea should be to treat each of these approaches as a tool, and combine the tools as needed to yield a customized strategy that matches your local context and security requirements. Working with a provider to remove/clean problematic servers or even confiscate specific physical hosts Revoking domain name service for exceptionally problematic domains Taking an entire hosting provider offline (this has happened in notorious cases such as McColo, a San Jose provider)
  • 20. SummaryFocus on your network activity, not command & control server detection For the typical security professional, taking down a command and control server infrastructure is nearly impossible, and your time is honestly better spent elsewhere. Rely on trusted security solution providers to assist you in blacklisting known command and control networks with frequent updates to their command and control server list, and automating detection of suspicious activity inside your firewall. This frees you up to focus on preventing command & control malware infections and ensuring your endpoints are not being used in an attack on your infrastructure or on someone else’s.
  • 21. Botnet tools and the future of botnet detection The news isn’t all bad. As botnets have evolved, so have the tools to detect and eradicate them. Today, focused open- source solutions like Snort and more comprehensive, integrated security intelligence offerings like AlienVault Unified Security Management (USM) are available to: • Determine when network activity is unusual in predefined ways • Identify its network origin • Analyze its nature and impact • Directly quarantine, limit, or eradicate local bots And going forward, such solutions are only getting smarter — fast. This is happening in a variety of ways, some tech-centric (such as machine learning as implemented for botnet detection via pattern recognition), some human-centric and some that combine the two.
  • 22. AlienVault Labs & Unified Security Management (USM) AlienVault Unified Security Management (USM) combines 5 key security capabilities – asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring and SIEM - with real-time threat intelligence from the AlienVault Labs security research team to help customers identify threats. USM also incorporates threat data from the Open Threat Exchange (OTX) the world’s first truly open threat intelligence community. The AlienVault Labs team regularly delivers threat intelligence as a coordinated set of updates to the USM platform, which accelerates and simplifies threat detection, prioritization, and response: • Correlation directives – translates raw events into actionable remediation tasks • Network and host IDS signatures – detects the latest threats in your environment • Asset discovery signatures – identifies the latest OSs, applications and device types • Vulnerability assessment signatures – finds the latest vulnerabilities on all your systems • Reporting modules – provides new ways of viewing data about your environment and/or meeting compliance reqs • Dynamic incident response templates – delivers customized guidance on how to respond to each alert • Newly supported data source plug-ins – expands your monitoring footprint AlienVault OTX enables collaborative defense with actionable, community-powered threat data to provide global insight into attack trends and bad actors. OTX pulses provide users with a summary of the threat, a view into the software targeted, and the related indicators of compromise (IoC) that they can use to detect the threats. OTX pulses are integrated with AlienVault USM so that threat detection capabilities stay up to date with the latest threats reported by the community, and vetted by the AlienVault Labs team.
  • 23. Next Steps: Play, share, enjoy! www.alienvault.com • Learn more about threat management with AlienVault USM • Create a personalized demo • Start detecting threats today with a free 30-day trial • Join the Open Threat Exchange (OTX)