Botnet Infection: Effects of First Party Infection
We’ve all heard the stories, or have been victims, of an unwanted third party compromise. You, as a diligent consumer or dutiful purveyor of services, open an online account, and now malicious hackers attack that organization. The company has now become the victim of a data breach and you, through no fault of your own, are an innocent victim. You’re informed that your online account credentials are exposed and your personal identifiable information (PII) is compromised. Then the clean up begins. You update your passwords, monitor your credit report for malicious activity, consider just using cash for transactions…oh, the humanity!
Chances are, that breached site is not the only one where you used that now-compromised password. So although only one site was breached, you now need to get a bit more savvy about both remembering, and subsequently changing, your credentials. This scenario is not rare but the risk is relatively limited on a personal level.
The risk to corporate entities in this scenario, however, cannot be overstated. When access to corporate assets is in the wrong hands or, worse, publicly released, threat actors can obtain seemingly legitimate access and engage in any number of nefarious activities. For example, bad actors may gain corporate asset access and execute internal spear phishing, lateral movement, data exfiltration, and more.
The Real Risk of Botnet Infection to Businesses
Third party exposure can certainly create enterprise risk via peripheral user access. However, a far more potent threat exists when the user accesses corporate assets from a compromised device. Whether a personal device (such as a smartphone, tablet, personal computer, etc.) or a multi-user public device, if an infection exists (i.e. keylogging malware has been distributed and executed on that device), then user login credentials for every accessed account are harvested and delivered to the threat actor who manages that malicious software and the network of connected computers (or botnet).
More common than we want to believe, device compromises and botnet infections present tremendous corporate risk for account takeover (ATO), including financial impacts, data/asset exposures, and reputational damage. Every session log captured from that device, login to a third-party site (like a banking app or site, insurance, shopping/retail, blog, news, streaming services, social media accounts, etc.), is captured and sent back to the bot master who can devise any number of ways to leverage access for their own personal gain, at the expense of the corporation or individual. Data and consumer impacts can be significant but the cyber impacts associated with device exposure can also create havoc. For example, the machine can then be used as a zombie bot for further distribution of malware, ransomware or launching DDoS attacks, sending trojans to a trusted network, or simply surveilling specific activity for further exposure.
Further, if a member of the corporation’s consumer population is compromised, the damage can be far reaching. Whether through fraud mitigation or reputational clean-up, these issues are time consuming and create massive inefficiency within your organization.
Many security precautions fall short in the face of a botnet infection. With the rise of remote work, there has been a tremendous increase in bring-your-own-device (BYOD) policies. Additionally, using personal smartphones for corporate access and immediate response to client service issues comes with its own set of security challenges. The advantages are convenience and speed of response, but cumbersome security practices like enabling multi-factor authentication (MFA) or using hardware tokens/keys undermine that convenience. Further, when corporate resources are accessed from personal devices where family members may be doing homework, connecting to school networks, or gaming, there’s a strong likelihood that someone may do something wrong by mistake (like clicking an infected link or malicious banner ad).
Most problematic is the fact that if a machine does get infected, traditional security actions don’t apply. Changing passwords simply delivers new access credentials to the threat actor. The only solution is to quarantine and cleanse the machine, removing the malware, potentially reformatting discs, reloading operating systems, etc. This creates a very unique corporate challenge because unless the infected device is a corporate controlled asset, the ability to manage the specific device or remediate the situation may be limited.
Botnets in Business: The Solution to Infected Assets
As in most recovery programs, recognizing that one has a problem is the first step. Monitoring for nefarious activity is critical, as is alerting when an infection is detected.
Unfortunately, once an infection is detected, quarantining and cleansing the machine is the only solution. As previously mentioned, this may require reloading operating systems, working from backups or, in the worst cases, replacing machines.
All of this can seem overwhelming; so, let’s start with step one: problem identification. How does an entity even know if a compromised device is accessing your corporate network?
Through botnet threat intelligence.
Botnet Threat Intelligence the ZeroFox Way
ZeroFox Botnet Threat Intelligence enables unique visibility into this specific problem.
Understanding that there is an issue means that issue can then be isolated and resolved. ZeroFox engages with bot operators, in their underground communities and ecosystems, and aggregates exposed session logs (in some cases, hundreds of logins from a single device). This is exclusive content that is not available from most traditional Threat Intelligence providers.
ZeroFox doesn’t just provide a standard list of botnet IPs and malicious host IOCs. ZeroFox Botnet Threat Intelligence provides session log context and early warning to both consumers and corporate interests with large user populations where accounts at risk for ATO can be flagged and monitored for high risk activity, suspended, or quarantined as appropriate.
So, how does ZeroFox present an effective solution?
- Monitors for activity/detection, based on device IP, user credentials or accessed URL
- Alerts as soon as the infection is detected – key to both exposure mitigation and recovery
- Offers training for employees or family members around the importance of good online security behaviors & hygiene
Further actions that the corporation can take:
- Limit the devices that can be used for remote corporate login
- Isolate personal and professional machines
- Ensure endpoint protection is up to date as an edge-based line of defense
Implementing an early warning solution with extensive monitoring of the deep and dark web is the best way to protect yourself, your family, your personal data, and your business. Threat actors are continuously developing new ways to infiltrate personal systems. Maintaining good cyber-hygiene and having an endpoint solution in place are important but insufficient. ZeroFox provides early notification if your PII, credentials or sensitive information appears on the dark web, so you can take immediate action to prevent the attack.
ZeroFox botnet intelligence is critical for providing protection, early warning for high risk of ATO activity (large population monitoring) for enterprise applications. It can be leveraged by any agency, institution, enterprise or individual. Talk to a Fox today to discuss potential use cases and specific applications.
Tags: Breaches , Deep & Dark Web , Threat Intelligence