Using Timely Threat Intelligence to Stop Botnets at the Source


In our daily digital lives, the inconveniences caused by Botnets are all too common. When you’re not able to access a website, or frustrated with how long it takes to respond, it’s probably not due to scheduled maintenance - it’s most likely due to a Botnet-generated DDoS attack. If you’re a ChatGPT user, you may have received the message “The service is at capacity” in response to your prompt at some point in the past few weeks, which was likely due to a DDoS attack by the Russia-linked group Anonymous Sudan.

And, you’ve no doubt long since abandoned the act of scanning your spam folder on the off chance it’s mistakenly snared a legitimate email you were expecting. There’s entirely too much spam sent your way, and finding the proverbial needle in the haystack just isn’t worth the effort. Occasionally, one of those unwanted emails is after your PII, login credentials, or credit card data. Recent surveys by cybersecurity vendors show that for every 100 phishing emails sent, approximately 15 to 25 recipients will click a link; so for them - it’s also a volume problem. Criminals are nothing if not industrious, and they’re now leveraging Botnets, with millions of computers secretly being called into the service of criminals in order to make the process of creating and sending spam messages easier.

And while Botnets are not new for security teams, they are particularly challenging to defend against since they pose a threat to so many different facets of an organization’s external AND internal attack surface; here are just a few ways Botnets inflict pain on society:

  • Sending spam
  • DDoS attacks
  • Carding attacks
  • Ad click-fraud
  • Crypto mining
  • Brute force attacks
  • Credential and PII theft 
  • Infecting other network endpoints

How Widespread is the Problem?

The recent news of the dismantling of the Qakbot malware operation by U.S. government agencies brought to light that over 700,000 devices were unknowingly being controlled as part of its network. Mobile devices are not immune either, as evidenced by heavy activity seen recently on the dark web marketplace “Russian Market” for log files captured from Android devices. Further, the rise of connected Internet of Things (IoT) devices has also made them an attractive target for remote-controlled mayhem, and the Mirai malware was developed for just that purpose.

Once a computer, mobile, or IoT device has been infected, the threat actor controlling the “zombie network” can literally see every keystroke that’s typed by the user. Every day, these cyber-victims unknowingly divulge usernames, passwords, bank account information, company confidential information, PII and health information, and more. If it’s an IoT camera, attackers can also see what it sees and hear what it hears. This is a serious problem for consumers and businesses alike, and it continues to grow.

Botnet Malware Authors Continue to Innovate

The disclosure of the new Rapid Reset DDoS attack last month by Cloudflare showed how threat actors continue to push the bounds of what’s possible. The attack was approximately three times larger than any previously documented DDoS attack, with Google reporting that it tracked over 398 million requests-per-second at its peak. While this type of attack doesn’t permit attackers to remotely take control of a server or exfiltrate data, it does cause major business interruptions which have widespread impacts on both B2B and B2C commerce, and also on critical infrastructure and essential services that we all rely on.

Attackers will continue to develop adaptive DDoS attack strategies to evade traditional mitigation techniques. Using what they know about some of the market-leading web application security tools, they tailor each attack to bypass several layers of DDoS mitigation for both web app and API-based attacks.

Protecting Web Applications and APIs from Botnets with Timely Threat Intelligence

The key concern in mitigating a DDoS attack is differentiating between attack traffic and normal traffic. For example, if a new product announcement has a company’s website swamped with eager customers, blocking all traffic is a mistake. If that company suddenly has a surge in traffic from known attacker infrastructure, efforts to alleviate an attack are probably necessary. The difficulty lies in telling the real customers apart from the attack traffic.

Generally speaking, the more complex the attack, the more likely it is that the attack traffic will be difficult to separate from normal traffic - the goal of the attacker is to blend in as much as possible, making mitigation efforts as inefficient as possible. A defender’s goal is to see through the smokescreens and misdirection, which can be made easier with timely intelligence on Botnets.

ZeroFox, a Leader in Botnet Threat Intelligence

In order to overcome increasingly complex attempts at disrupting traditional security measures, a solution that’s based on timely botnet threat intelligence will provide the maximum defensive benefit. Integrating this intelligence into your firewall, EDR/XDR, SIEM, and SOAR is straightforward and can be implemented and enabled quickly. ZeroFox utilizes a combination of automated and human-powered collection to surface the following types of intelligence:

  • Botnet malware signatures
  • Botnet malware profiles
  • Botnet C2 domains/IPs
  • Botnet infected computer IPs
  • Botnet user and employee compromised account credentials
  • Botnet pre-attack chatter on Dark Web forums and Telegram
  • Botnet breach package marketing on Dark Web marketplaces
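The two practical points above (telling a legitimate traffic surge apart from one sourced from known attacker infrastructure, and feeding C2 and infected-host indicators into the tools that see your traffic) can be illustrated with a small scoring routine. The following is an added example written for this post, not ZeroFox code and not a ZeroFox API; the indicator feed, the log lines and the 50% threshold are all constructed (the addresses are RFC 5737 documentation ranges). It also shows the "timely" part: indicators carry a last-seen time and are dropped once they age out, because a botnet IP from six weeks ago may have been reassigned to an innocent customer by now.

```python
"""Added example (not ZeroFox code): score a traffic surge against a botnet
indicator feed. Feed entries, log lines and thresholds are all constructed."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import re

# Reference "now" so the example is deterministic.
NOW = datetime(2023, 11, 1, 12, 0, tzinfo=timezone.utc)

# Constructed indicator feed: ip -> (category, last_seen).  A real feed would be
# pulled from a vendor API; these are RFC 5737 documentation addresses.
INDICATORS = {
    "203.0.113.10": ("c2", NOW - timedelta(days=1)),
    "203.0.113.11": ("c2", NOW - timedelta(days=2)),
    "198.51.100.7": ("infected_host", NOW - timedelta(hours=3)),
    "198.51.100.8": ("infected_host", NOW - timedelta(hours=6)),
    "198.51.100.99": ("infected_host", NOW - timedelta(days=45)),  # stale entry
}
MAX_INDICATOR_AGE = timedelta(days=30)  # constructed policy value

# Common Log Format prefix: client ip, identd, user, [timestamp] "request" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed access-log samples: a product-launch surge from ordinary clients...
SURGE_LEGIT = [
    f'192.0.2.{n} - - [01/Nov/2023:12:00:0{n} +0000] "GET /launch HTTP/1.1" 200'
    for n in range(1, 7)
]
# ...and a surge dominated by addresses the feed already knows about.
SURGE_BOT = [
    '203.0.113.10 - - [01/Nov/2023:12:00:01 +0000] "GET /launch HTTP/1.1" 200',
    '203.0.113.10 - - [01/Nov/2023:12:00:01 +0000] "GET /launch HTTP/1.1" 200',
    '198.51.100.7 - - [01/Nov/2023:12:00:02 +0000] "GET /launch HTTP/1.1" 200',
    '198.51.100.8 - - [01/Nov/2023:12:00:02 +0000] "GET /launch HTTP/1.1" 200',
    '198.51.100.7 - - [01/Nov/2023:12:00:03 +0000] "GET /launch HTTP/1.1" 200',
    '198.51.100.99 - - [01/Nov/2023:12:00:03 +0000] "GET /launch HTTP/1.1" 200',
    '192.0.2.5 - - [01/Nov/2023:12:00:04 +0000] "GET /launch HTTP/1.1" 200',
    '192.0.2.6 - - [01/Nov/2023:12:00:04 +0000] "GET /launch HTTP/1.1" 200',
    'not a log line',  # malformed input must be skipped, not crash the scorer
]


def fresh_indicators(indicators, now=NOW, max_age=MAX_INDICATOR_AGE):
    """Keep only indicators seen within max_age (stale IPs cause false blocks)."""
    return {ip: cat for ip, (cat, seen) in indicators.items() if now - seen <= max_age}


def parse_line(line):
    """Return (ip, request, status) for a CLF-style line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("req"), int(m.group("status"))


def score_surge(lines, indicators, now=NOW, bot_share_threshold=0.5):
    """Classify a burst of requests by the share that comes from known botnet infrastructure.

    Infected hosts are the usual DDoS sources; a C2 address showing up as a client
    is rarer but equally worth flagging.  Returns counts, a verdict, and the
    matched IPs as block candidates for a firewall, WAF or SOAR playbook.
    """
    active = fresh_indicators(indicators, now)
    total = 0
    hits = Counter()         # category -> request count
    flagged_ips = Counter()  # ip -> request count
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _, _ = parsed
        total += 1
        cat = active.get(ip)
        if cat:
            hits[cat] += 1
            flagged_ips[ip] += 1
    bot_requests = sum(hits.values())
    share = bot_requests / total if total else 0.0
    verdict = "likely_botnet" if share >= bot_share_threshold else "likely_legitimate_surge"
    return {
        "total": total,
        "bot_requests": bot_requests,
        "share": round(share, 3),
        "by_category": dict(hits),
        "block_candidates": sorted(flagged_ips),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, lines in (("legit", SURGE_LEGIT), ("bot", SURGE_BOT)):
        print(name, score_surge(lines, INDICATORS))
```

The verdict is only as good as the feed's freshness and the threshold you pick; in practice the share would be computed per time window and the block candidates pushed to the edge device rather than printed, but the shape of the decision (surge plus known-bad sources versus surge alone) is the one the section describes.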

ZeroFox is committed to providing customers with timely Botnet threat intelligence, along with on-demand RFI support to answer any of your intelligence requirements. For more information, please book a demo or contact us today.
