Practical Defense-in-Depth Protection against Botnets

ISSA Journal, July 2014
By Mariusz Stawowski – ISSA Senior Member, Poland Chapter
Abstract
Botnets are a primary risk for the majority of companies.
They use multiple attack vectors as well as new, sophisticated
evasion techniques. In practice no single security technology can provide efficient protection against this threat. The safeguards and management systems have to operate in the same areas as the botnets operate, i.e., they should control the malware (bots) distribution infrastructure, command and control communications, as well as “zombie army” activities. As most of the attacks use social engineering targeted at the company’s employees, a security awareness program deployed in the scope of the entire company is a key element of effective protection. This article will discuss how a defense-in-depth strategy can be practically adopted to build a multi-layer security system that will effectively defend IT systems against botnets.
Nowadays everyone working in IT has heard about botnets and understands that they are a serious threat, one that can result in serious consequences for companies as well as for the end users of computers and mobile devices, and in many more consequences than any other threat before.
In the past botnets were mostly used to launch distributed denial of service (DDoS) and click-fraud attacks against targeted websites. Nowadays a botnet is a much more sophisticated and flexible tool, rapidly developed by cybercriminals. For example, the GameOver Zeus (GOZ) botnet was used primarily to capture banking credentials from infected computers, and then use those credentials to initiate or re-direct wire transfers to accounts controlled by cybercriminals.1 GOZ also distributed CryptoLocker ransomware that encrypted the files
of the victims’ computers, extorting an amount of $750 USD
or more to receive the password necessary to unlock the files.2
According to the FBI, the GOZ botnet predominately spread
through spam email or phishing messages. Botnets are built
using many infection methods, including popular social networks.3
For cybercriminals the botnets—a global network of compromised computers and mobile devices—are powerful online
tools that can be used for many purposes. Technically the
botnet can conduct the same malicious activities as hackers;
it is centrally managed by people and has the same intelligence as its operators. For companies the danger of the botnets is twofold: the company can be attacked by the botnet
(e.g., a DDoS attack can disturb IT services, money can be
stolen from e-banking accounts, computers can be blocked
by ransomware, smartphones can be used to send expensive
text messages, etc.) or the company’s computers and mobile
devices can become a part of the botnet and used by the cybercriminals to attack other companies. The danger is not
only to infected computers but also to the company’s servers
being used to distribute malware to build the botnets, e.g.,
hacked websites (watering hole attacks, for instance).
1 “GameOver Zeus Botnet Disrupted, Collaborative Effort among International Partners,” FBI – http://www.fbi.gov/news/stories/2014/june/gameover-zeus-botnet-disrupted.
2 “International Action against Gameover Zeus Botnet and CryptoLocker ransomware” – https://www.europol.europa.eu/content/international-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware.
3 Jonell Baltazar, Joey Costoya, Ryan Flores, “The Real Face of KOOBFACE: The Largest Web 2.0 Botnet Explained,” Trend Micro – http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-real-face-of-koobface.pdf.
Practical Defense-in-Depth Protection against Botnets | Mariusz Stawowski
Anatomy of botnet
Planning the protections against botnets, companies should
take into consideration the principle known in the military
world, described more than two thousand years ago by Sun
Tzu in The Art of War: “If you know the enemy and know
yourself, you need not fear the result of a hundred battles. If
you know yourself but not the enemy, for every victory gained
you will also suffer a defeat. If you know neither the enemy
nor yourself, you will succumb in every battle.”
For an efficient detection and mitigation of a cyberthreat, the security staff has to know and understand it. This article will analyze the anatomy of a botnet, describe how the bots distribution infrastructure operates, and discuss a security strategy that can be efficient against this threat.
A list of malicious activities related to the botnets is long. A “zombie army” consisting of thousands of infected computers (zombies) can conduct massive distributed denial of service (DDoS) attacks against a single site or network and generate high charges in pay-per-click online advertising, so called click-fraud. Portions of the zombie army can also be offered as crime-as-a-service (see figure 1).
Figure 1 – Example of the botnet offer in crime-as-a-service
Individual infected zombie computers can be utilized for many activities that are dangerous to the company and its employees:
‡ Email accounts to distribute malware to the company’s customers and partners
‡ Social networks accounts to distribute hostile links to friends as well as business partners
‡ Smartphones to send expensive text messages—premium messaging
‡ Steal money using the employee’s e-banking account, e-commerce account, or credit card numbers
‡ Blackmail for regaining control of computer or data—ransomware
‡ Blackmail for non-disclosure of private or intimate photos—camjacking
‡ Computers used to distribute illegal content, such as drug sale offers or child pornography
‡ Computers used to conduct attacks on other computers accessible on the network, e.g., exploits to infect other computers
‡ Computers used to steal confidential data, e.g., intellectual property, financial data, personal data, etc.
‡ Conduct many other specific activities, depending on the situation and the criminals’ current needs
Understanding a botnet’s anatomy is key to effective defense against it. A description of communication and main components of a botnet is presented in figure 2. A botnet is a distributed IT system consisting of three main areas:4
Bots distribution infrastructure – malware delivery system using many infection methods (e.g., Bredolab and Pushdo/Cutwail botnets: email phishing; Koobface and Kelihos (C version) botnets: social networks phishing; Mariposa and Kneber botnets: trojanized applications; Conficker and Gumblar: drive by download).
Zombie army – infected computers and mobile devices used by cybercriminals to conduct different types of malicious activities (e.g., Bredolab and Storm botnets: sending spam and data theft; Mariposa botnet: DDoS attacks; Citadel botnet: stealing money from e-banking accounts; Android SMS trojan botnet: premium messaging).
Command and Control (C&C) – central management system of distributed zombie army (owner of the botnet is called botmaster), utilizing many different network communication protocols (e.g., HTTP, Internet Relay Chat (IRC), C&C proprietary protocols, protocols tunneling in HTTPS, P2P, IM, DNS, etc.).
Figure 2 – Concept of communication and botnet’s main components
4 Francois Begin, “BYOB: Build Your Own Botnet and Learn How to Mitigate the Threat Posed by Botnets,” The SANS Institute – http://www.sans.org/reading-room/whitepapers/malicious/byob-build-botnet-33729; “CERT Polska Report 2013,” NASK 2014 – http://www.cert.pl/PDF/Report_CP_2013.pdf; Botnet, Wikipedia – http://en.wikipedia.org/wiki/Botnet.
Bots distribution infrastructure
Malicious software used by the botnets has evolved to be more and more effective. From the technical point of view current versions of bots are similar to advanced persistent threats
(APT). The malware utilizes a combination of advanced infection and evasion techniques and allows cybercriminals to
keep control of computers and mobile devices undetected for
a long time. Because companies are enhancing their security
posture, cybercriminals are adapting to counter these measures and use new, more sophisticated evasion techniques as
well as targeted attack methodologies, previously typical only
for spearphishing and APT.5
Security analysts distinguish APT from the botnets mostly based on their operations.6 APT is a targeted attack that
wants to remain invisible for as long as possible. APT operators conduct “low and slow” attacks, i.e., silently and slowly
moving from one compromised system to the next selected
target without generating regular or predictable network traffic to avoid detection by the security management systems.
The botnet’s main objective is to achieve high financial profits
as soon as possible. Cybercriminals have developed dedicated
crimeware tools to quickly build new botnets if the botnet
is taken down. Recently national law enforcement agencies,
ISPs, and other institutions responsible for Internet security
have been making a great effort to dismantle the botnets. The most effective technique is called DNS Sinkhole.7 C&C servers are mostly accessible with DNS names. A sinkhole is a specially prepared server that emulates the activity of a C&C server. Taking over the domains used by the C&C and redirecting the traffic to the sinkhole server can result in the cybercriminals losing control of their infected computers. NASK in Poland has also achieved success in this field.8
5 Loucif Kharoun, “Cybercriminals Use What Works: Targeted Attack Methodologies for Cybercrime,” Trend Micro – http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cybercriminals-use-what-works.pdf.
6 “Advanced Persistent Threats (APTs): Take Back Command-and-Control,” Damballa – https://www.damballa.com/downloads/r_pubs/advanced-persistent-threat.pdf.
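As an added example (not code from the article, NASK or any sinkhole operator), the following Python script runs three C&C-related checks over constructed DNS resolver log lines: internal hosts whose lookups resolve to a sinkhole address, clients issuing several DGA-looking names, and low-TTL names answered with many addresses (fast-flux), the last two being techniques listed in table 1. The log format, the sinkhole address and the thresholds are assumptions made for this example.

```python
"""Flag likely botnet C&C lookups in DNS resolver logs.

Added illustration, not code from the article or any vendor product.
The log format, sinkhole address and thresholds are constructed
assumptions for this example.
"""
import math
from collections import Counter, defaultdict, namedtuple

Record = namedtuple("Record", "ts client qname ttl answer")

# Constructed sample lines: "<unix ts> <client ip> <query name> <ttl> <answer ip>"
SAMPLE_LOG = """\
1404201600 10.0.1.15 www.example.com 3600 93.184.216.34
1404201601 10.0.1.15 mail.example.com 3600 93.184.216.35
1404201602 10.0.1.22 xk3qz9vbt7wyl.info 300 198.51.100.7
1404201603 10.0.1.22 qp8w2nm4cj6rz.info 300 198.51.100.8
1404201604 10.0.1.22 zv5tr1lk9xhd2.info 300 198.51.100.9
1404201605 10.0.1.40 cdn-update.example.net 60 203.0.113.10
1404201606 10.0.1.40 cdn-update.example.net 60 203.0.113.11
1404201607 10.0.1.40 cdn-update.example.net 60 203.0.113.12
1404201608 10.0.1.40 cdn-update.example.net 60 203.0.113.13
1404201609 10.0.1.40 cdn-update.example.net 60 203.0.113.14
1404201610 10.0.1.55 badc2.example.org 3600 192.0.2.250
"""

# Answer addresses belonging to a takedown sinkhole (constructed placeholder;
# in practice the list comes from the CERT or ISP operating the sinkhole).
SINKHOLE_IPS = {"192.0.2.250"}


def parse_log(text):
    """Parse the constructed log format into Record tuples."""
    records = []
    for line in text.splitlines():
        ts, client, qname, ttl, answer = line.split()
        records.append(Record(int(ts), client, qname.lower(), int(ttl), answer))
    return records


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_dga(qname, min_len=10, min_entropy=3.0, max_vowel_ratio=0.3):
    """Heuristic for algorithmically generated names: the registrable label is
    long, high-entropy and nearly vowel-free. A heuristic, not a verdict."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]  # naive registrable label (no public-suffix handling)
    if not label:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowels / len(label) <= max_vowel_ratio)


def dga_clients(records, min_lookups=3):
    """Clients issuing several DGA-looking lookups: a bot typically walks the
    day's generated list until one name resolves to the live C&C."""
    hits = defaultdict(set)
    for r in records:
        if looks_like_dga(r.qname):
            hits[r.client].add(r.qname)
    return {c: sorted(n) for c, n in hits.items() if len(n) >= min_lookups}


def fast_flux_candidates(records, max_ttl=300, min_ips=5):
    """Names answered with many distinct addresses at very low TTL. Legitimate
    CDNs behave the same way, so this is a lead to corroborate, not an alert."""
    answers = defaultdict(set)
    for r in records:
        if r.ttl <= max_ttl:
            answers[r.qname].add(r.answer)
    return sorted(n for n, ips in answers.items() if len(ips) >= min_ips)


def sinkhole_hits(records):
    """Internal hosts whose lookups resolve to a sinkhole: after a takedown the
    bot still calls home, so these are the infected machines to clean up."""
    return [(r.client, r.qname) for r in records if r.answer in SINKHOLE_IPS]


def analyze(text):
    records = parse_log(text)
    return {"dga": dga_clients(records),
            "fast_flux": fast_flux_candidates(records),
            "sinkhole": sinkhole_hits(records)}


if __name__ == "__main__":
    for kind, found in analyze(SAMPLE_LOG).items():
        print(kind, found)
```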
Bots distribution infrastructure uses many attack vectors:
‡ Trojanized applications (backdoors) – a malicious application is added to another, harmless application and distributed using the Web, email, P2P, IM, etc.
‡ Drive-by download – the attacks carried out from websites where cybercriminals have injected malicious code
(e.g., exploits utilizing the vulnerabilities of web browsers and other client-side applications). Websites containing the exploits or redirecting to other malicious sites are
called watering holes.
‡ Phishing – social engineering attacks conducted through
email, text messages, and social networks (e.g., Facebook,
Twitter), often combined with other attack techniques like
trojanized applications and drive-by downloads.
7 Guy Bruneau, “DNS Sinkhole,” The SANS Institute – http://www.sans.org/reading-room/whitepapers/dns/dns-sinkhole-33523.
8 “NASK shuts down dangerous Virut botnet domains,” NASK – http://www.nask.pl/newsID/id/827.
There are many factors contributing to the creation of botnets. The following significantly help cybercriminals in their
activities:
‡ Low levels of the security awareness among employees of the companies
‡ Large number of vulnerabilities in operating systems and applications
‡ Easy access to professional crimeware, especially in the Deep Web (i.e., hidden Internet sites accessible with Tor)
‡ Low effectiveness of commonly used computer safeguards like antivirus and intrusion prevention
‡ The company’s concerns about stability of new security solutions, i.e., companies delay deployment of next-generation firewalls and anti-malware sandboxes capable of detecting new intrusion methods as they are not sure about stability and are afraid of disturbing legitimate network communication
Nowadays it is very easy to have 0-day malware, especially with publicly available tools like Rapid7 Metasploit.9 So called exploit kits allow quick creation of PDF, MS Office, or EXE files containing working exploits that are undetectable by most antivirus programs. Figure 3 shows an antivirus analysis by VirusTotal10 of a malicious EXE file newly generated with Metasploit. Typically less than 10% of antivirus scanners are able to detect newly generated malicious files. Exploit kits are available as legal commercial software and also as crimeware sold on the hidden marketplaces.11 There are plenty of the exploit kits such as Cool Exploit Kit, Blackhole Exploit Kit, Red Kit, and Nuclear Exploit Pack.12 Sometimes they include 0-day exploits utilizing unknown vulnerabilities that make them very effective intrusion tools.13
Figure 3 – Example of analysis showing that most antivirus programs do not detect generated malware
9 David Maloney, “Evading Anti Virus Solutions with Dynamic Payloads in Metasploit Pro,” Rapid7 – http://www.youtube.com/watch?v=1LZCb4HJlkI.
10 VirusTotal online malware detection service – https://www.virustotal.com.
11 Updated: List of Hidden Marketplaces (Tor & I2P) – http://www.deepdotweb.com/2013/10/28/updated-llist-of-hidden-marketplaces-tor-i2p/.
12 An Overview of Exploit Packs (Update 20) Jan 2014 – http://contagiodump.blogspot.com/.
13 Chris Astacio, “New Java Zero Day Used in Exploit Kits,” Websense Security Labs Blog – http://community.websense.com/blogs/securitylabs/archive/2013/01/10/new-java-zero-day-used-in-exploit-kits.aspx.
Evasion techniques
Botnets provide huge financial profits for the cybercriminals, so they can invest in developing new, sophisticated evasion techniques that make the attacks difficult to detect. Social engineering is a commonly used technique, especially in social network attacks, which are often used because they are difficult to control by the security systems of most companies. As mobile devices are increasingly being used for business purposes, bots have evolved from the computer versions to those dedicated for smartphones: computer versions of banking trojans, e.g., Zeus (man-in-the-browser), have quickly evolved to mobile versions (man-in-the-mobile and man-in-the-phone).
Table 1 – Summary of evasion techniques utilized by botnets
Bots distribution infrastructure:
‡ Social engineering (email, social networks)
‡ Watering-hole hosting exploits at specific folders
‡ 0-day exploits, 0-day malware
‡ Droppers using encrypted payload, shellcode copied to memory (no physical files), malware code injected into system processes
‡ Fast-flux: hide malware delivery sites with DNS changes and proxies
‡ Dynamic code generation
Zombie army:
‡ Disable computer safeguards (AV, etc.)
‡ Redirect requests for safeguards updates (disable AV updates, etc.)
‡ Sleep mode (evasion for anti-malware sandbox)
‡ AV signature evasion: encrypted malware configuration, shellcode encoding, self-modifying code/polymorphic code
‡ Kernel mode rootkit
‡ Valid digital certificate
Command & control:
‡ Peer-to-peer communication model
‡ Domain name generation algorithm (DGA)
‡ Regular malware code changes
‡ Tor (hidden, anonymous communication)
‡ Traffic tunneling, encryption
‡ Google cloud messaging
Donn’s Corner
By Donn Parker
ISSA Distinguished Fellow
Silicon Valley, USA Chapter
Checklists
I LIKE BRANDEN WILLIAMS’ COLUMN, “Checklists Are Good for Security Too,” (ISSA Journal, February, 2014, page 6). Checklists have gotten a bum rap in information security. Their use in security reviews has implied amateur, shallow evaluations, e.g., that a control might exist but nothing is said or implied about its validity and effectiveness. I saw big consulting firms send hordes of newbies into an enterprise with review checklists in hand with one or two word items to search for and check off vulnerabilities and security controls and practices.
I found checklists to be necessary and valuable when used as reminders to comprehensively find all vulnerabilities, assets, and security controls and practices for evaluation and analysis. It is not possible to remember everything to consider in doing a comprehensive security review. Checklists are required. Admittedly attackers don’t use the same checklist you do. That is why you need to make your checklists as comprehensive as possible to incorporate theirs as much as possible. You are in a checklist war.
The checklists must be at the right level of abstraction to be comprehensive. A checklist must be constructed by adding items not obviously included in other items and made meaningful when quickly read and applied. A check-off for presence or absence of each item requires additional notations when variation from implied meaning is not enough. Here are several maxims.
19. At the right level of abstraction, detail, and comprehensiveness, security checklists are valuable aids, but only aids.
20. Remember, your adversaries use different checklists than yours.
21. Never assume a checklist is complete.
Here are some examples of lists that I have used in doing more than 200 client reviews. At every opportunity I challenge others to discover any items I have overlooked at the level of the checklist abstraction I have chosen.
Functions of information security
Confidentiality, Possession and control, Integrity, Authenticity, Availability, Utility
Types of controls and practices
Avoidance, Deterrence, Prevention, Detection, Mitigation, Investigation (forensics), Transference (of responsibility to others or insurers), Audit and monitor, Sanctions against perpetrators, Rewards for exemplary security performance, Backup and recovery, Correction, Motivation to support security, Security training and awareness
Intentional information abuse and misuse
Destroy, Interfere with use, Use false data, Modify or replace, Misrepresent or repudiate, Misuse or fail to use, Locate, Disclose, Observe, Copy, Take, Endanger, Failure to support
Next month I take up our cybercrime adversaries.
Donn Parker, CISSP, Retired, Distinguished Fellow, and information security pioneer, [email protected].
Often to avoid detection malware delivery is conducted with
specially crafted code called a dropper.14 The dropper itself
does not contain malicious code; instead it is more like a malware installer. The dropper is difficult to detect by antivirus
because it is not an infected file but carries the code to “drop”
the malware into a system. Its role is to install malware at the
proper time and conditions, e.g., when the user works on an
administrator account. Droppers can be delivered to computers and mobile devices with exploits and social engineering,
e.g., bundled in a game installer or codec required to play a
downloaded movie.
Droppers use many techniques to prevent malware detection by the computer safeguards:
‡ Encrypted payload (e.g., malicious functionality and C&C addresses are hidden)
‡ Shellcode is copied directly to the computer memory (there are no physical files dropped into the computer file system)
‡ Malware code is injected into other, legal computer processes (e.g., explorer.exe)
Attacks from trusted websites, known as watering-hole attacks, are becoming very sophisticated. To avoid detection, an infected website does not automatically attack the visitors. The exploits are located in specific directories available with specific links sent to the victims in phishing attacks as well as unsuspecting visitors. Still 0-day malware and 0-day exploits are a popular and effective method for delivering malware. Many companies do not have effective safeguards against 0-day threats. A summary of evasion techniques utilized by botnets is presented in table 1. Details about the evasion techniques can be found at many Internet sites (e.g., knowledge bases and blogs of security vendors).
14 ZACCESS/SIREFEF Arrives with New Infection Technique, Trend Micro Security Intelligence Blog – http://blog.trendmicro.com/trendlabs-security-intelligence/zaccesssirefef-arrives-with-new-infection-technique/; “Threat Refinement Ensues with CryptoLocker, SHOTODOR Backdoor,” Trend Micro Security Intelligence Blog – http://blog.trendmicro.com/trendlabs-security-intelligence/threat-refinement-ensues-with-crypto-locker-shotodor-backdoor/; James Wyke, “The ZeroAccess Rootkit,” SophosLabs – http://nakedsecurity.sophos.com/zeroaccess2/.
Defense-in-depth strategy
Defense-in-depth as a term is derived from the military world. It means that there is no possibility of protecting against a strong enemy using only one weapon type, i.e., effective armed forces should have infantry, tanks, aircraft, helicopters, as well as a navy if the country expects military activities at sea. Likewise, an IT security system should have many protections capable of protecting IT resources against different attack methods and evasion techniques. Defense-in-depth in IT security is also called layered defense. Figure 4 presents a concept of layered defense against the botnets.
Figure 4 – Layered defense: multi-layer security system controls malware distribution infrastructure, zombie army activities, and C&C communication
In practice companies are not able to eliminate all IT systems
vulnerabilities. The protections should be designed and implemented in a way that intruders and malware are not able
to exploit existing vulnerabilities. Even 0-day exploits using
vulnerabilities unknown to the vendors and security providers can be mitigated. For this purpose companies should deploy a vulnerability management program using dedicated
tools as well as design and implement the safeguards of IT
systems according to recognized security principles like segmentation (security zones), layered defense, and least privilege. More information about the principles of secure network design is available in “Network Security Architecture,” published in the May 2009 ISSA Journal.15 Even if the
exploit attack is successful, the safeguards should block C&C
connections that allow an intruder to control an attacked IT
system.
Additionally, the security awareness program (i.e., trainings,
audits, motivation) should reduce user susceptibility to the
attacks utilizing social engineering such as being more aware
of links in email and social networks that could lead to malicious websites. Table 2 presents a summary of advantages
provided by proper IT security system design.
According to recent tests conducted by independent companies, next-generation firewalls provide good protection
against drive-by download attacks (e.g., NSS Labs tested
many NGFWs; also CLICO verified NGFWs in real penetration tests). Nowadays most companies are aware of this
threat and deploy or plan to deploy appropriate safeguards.
But they are less aware of the real danger to their websites,
many believing their websites do not need protection because
they contain only public data. They do not understand that
cybercriminals prey on such weakly protected websites to
distribute malware.16
A watering-hole attack, for instance, requires two types of protections:
1. Safeguards against drive-by download attacks at the employee’s computer and mobile device—cybercriminals want to infect the end user’s devices
2. Safeguards against specific attacks at the company’s website—cybercriminals want to infect the company’s website and convert it to a watering hole
Table 2 – Summary of advantages provided by proper security system design
Segmentation (security zones) advantages:
‡ Isolation of low-trust network areas that can be potentially used to launch attacks against strategic IT system resources
‡ Limiting a security breach scope to one system or network segment, as well as limiting the incident from spreading to other systems
‡ Accurate network access control to IT system resources as well as monitoring and auditing of the resource usage
‡ Quick identification of IT systems security incidents based on the events detected in the network areas where these events should never occur (e.g., unknown traffic from the company’s servers)
Layered defense advantages:
‡ Response to many attack vectors and reduction of attack surface
‡ Guard against failure or weakness of one component of the security system
‡ Slow down the penetration and deter the intruders
‡ Quick identification of infected systems and limitation of malicious activities
For effective botnet detection and mitigation IT security systems should be built with appropriate defenses and should
operate in the same areas as the botnets operate, i.e., they
should control the malware (bots) distribution infrastructure
and C&C communication, as well as zombie army activities.
It means that multi-layer security systems should protect
employee computers and mobile devices against malware
distribution infrastructure (e.g., drive-by download, phishing); protect the company’s websites and email servers from
being compromised to distribute malware; detect and block
malicious activities conducted by the zombie army (e.g., detect DDoS and exploit attacks conducted from the company’s
computers), as well as detect and block communications with
the botnet central management system (C&C).
New safeguards
New kinds of safeguards provide effective protection against attacks and evasion methods used by the botnets. For example, next-generation firewalls (NGFW) restrict employee access only to those Internet applications that are approved and necessary. All other applications are blocked. In this way the NGFW reduces the risk of malware infection and also increases employee productivity.
15 Mariusz Stawowski, “Network Security Architecture,” ISSA Journal, May 2009.
New types of anti-malware solutions based on sandboxing
technology are capable of detecting malware without signatures. Unknown files that can potentially include malicious
code (e.g., PDF, EXE, Microsoft Office) are opened in virtualized environments and analyzed to detect malicious activities
(e.g., access to registries, system file changes, shellcode download). In this way 0-day malware can be detected.
Another new security technology, the database firewall, is capable of protecting a company’s business data from specific database attacks as well as from privileged users, e.g., database administrators, in case they attempt to commit fraud or their workstations are infected by malware and controlled by cybercriminals.
Website safeguards
Using web-specific attacks like SQL-Injection17 or Stored
XSS,18 cybercriminals can lay traps on websites with exploits
to conduct drive-by download attacks that infect the computers of people visiting the site such as customers, business partners, employees. According to Gartner’s report, “Web Application Firewalls Are Worth the Investment for Enterprises,”19
firewalls and intrusion prevention systems (IPS) do not provide sufficient protections for most public-facing websites or
internal business-critical and custom web applications.
Network firewalls and IPSs are essential for building the
network security architecture, along with security zones, as
well as defending against numerous network attacks such
as exploits against network services, operating systems, and
16 On-line service tracking websites delivering malware – http://www.
malwaredomainlist.com.
17 More information about SQL-injection attacks can be found at Open Web
Application Security Project – https://www.owasp.org/index.php/SQL_Injection.
18 More information about Cross-site Scripting attacks can be found at Open Web
Application Security Project – https://www.owasp.org/index.php/Cross-site_
Scripting_(XSS).
19 Jeremy D'Hoinne, Adam Hils, “Web Application Firewalls Are Worth the Investment for Enterprises,” Gartner 2014 – https://www.gartner.com/doc/2673820/web-application-firewalls-worth-investment.
network worm distributions, etc. However, in reality it is not
possible to ensure the safety of web applications using only
conventional firewall and IPS protections. These protections
deploy techniques based on known signatures, i.e., attack patterns. Web applications, which are usually developed on business request, contain unique vulnerabilities not known to the
vendors of IPS protections. For this reason they are unable to
create adequate signatures. Moreover, other techniques used
in conventional IPS solutions, such as heuristics and protocol
anomaly detection, are also ineffective for web application
protection as most of the attacks are conducted through legitimate HTTP traffic.
An effective protection for web applications is provided by the
dedicated web application firewall (WAF). WAF protections
are mainly based on the automatically created and updated
profile of the protected web application. A WAF “learns” the
application’s structure, URLs, parameters, cookies, etc. The
purpose for creating the profile is to define the expected and
proper user activity as observed when a web application is accessed. The main difference between an IPS and a WAF is the
approach to network traffic control. An IPS uses the blacklist approach, accepting whole network traffic except the packets identified as illegitimate. As a consequence all traffic not blocked by the IPS reaches the web application. WAF, on the other hand, uses the whitelist approach, accepting only the network traffic identified as legitimate, based on the generated web application profile. Thus, traffic not identified as legitimate is blocked by the WAF, and the attacks cannot reach the web application. The Payment Card Industry Data Security Standard (PCI DSS) states the need to deploy a WAF.20
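To make the blacklist/whitelist contrast concrete, here is an added Python example (not the code of any WAF or IPS product, nor the article’s own): it learns a positive profile from constructed legitimate requests, as the article describes a WAF doing, and then compares its verdict with a minimal signature blacklist on several constructed requests. The request format, the learned application and the two signatures are assumptions made for this example.

```python
"""Positive (whitelist) request profile of the kind a WAF learns, beside a
minimal signature blacklist of the kind an IPS applies.

Added illustration, not the logic of any WAF or IPS product. The request
format, the learned application and the signatures are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed legitimate traffic captured during the learning phase.
LEARNING_TRAFFIC = [
    "GET /catalog?item=1042",
    "GET /catalog?item=77",
    "GET /search?q=blue+shoes&page=2",
    "GET /search?q=laptop&page=1",
    "POST /login?user=alice&pw=Hunter2!",
    "POST /login?user=bob.smith&pw=correct-horse",
]

# Constructed IPS-style blacklist: only attacks with a known pattern match.
SIGNATURES = [re.compile(p, re.I) for p in (r"union\s+select", r"<script")]

# Value classes a parameter can be generalised to, narrowest first.
CLASS_ORDER = ["digits", "word", "text", "any"]
CLASS_RX = {"digits": re.compile(r"^\d+$"),
            "word": re.compile(r"^[\w.+-]+$"),
            "text": re.compile(r"^[\w.+!%$ -]+$")}


def classify(value):
    for name in CLASS_ORDER[:-1]:
        if CLASS_RX[name].match(value):
            return name
    return "any"


def widen(a, b):
    """The wider of two classes (the profile only ever grows while learning)."""
    return max(a, b, key=CLASS_ORDER.index)


def parse_request(line):
    method, target = line.split(" ", 1)
    parts = urlsplit(target)
    return method, parts.path, parse_qsl(parts.query, keep_blank_values=True)


def learn_profile(requests):
    """Per (method, path): allowed parameter names with value class and max length."""
    profile = {}
    for line in requests:
        method, path, params = parse_request(line)
        rules = profile.setdefault((method, path), {})
        for name, value in params:
            cls, maxlen = rules.get(name, ("digits", 0))
            rules[name] = (widen(cls, classify(value)), max(maxlen, len(value)))
    return profile


def waf_check(profile, line, length_tolerance=2):
    """Whitelist: anything the profile did not see is blocked."""
    method, path, params = parse_request(line)
    rules = profile.get((method, path))
    if rules is None:
        return False, "resource not in learned profile"
    for name, value in params:
        if name not in rules:
            return False, "unknown parameter %r" % name
        cls, maxlen = rules[name]
        if widen(cls, classify(value)) != cls:
            return False, "parameter %r outside learned class %s" % (name, cls)
        if len(value) > maxlen * length_tolerance:
            return False, "parameter %r longer than learned" % name
    return True, "matches profile"


def ips_check(line):
    """Blacklist: only requests matching a known signature are blocked."""
    decoded = unquote(line)
    for rx in SIGNATURES:
        if rx.search(decoded):
            return False, "signature " + rx.pattern
    return True, "no signature matched"


def compare(profile, line):
    """(IPS allows?, WAF allows?) for one request."""
    return ips_check(line)[0], waf_check(profile, line)[0]


if __name__ == "__main__":
    prof = learn_profile(LEARNING_TRAFFIC)
    for req in ("GET /catalog?item=1043",
                "GET /catalog?item=1042%20UNION%20SELECT%20pw%20FROM%20users",
                "GET /catalog?item=1042%27%20OR%201%3D1--",
                "GET /search?q=shoes&page=3&debug=1",
                "GET /admin/export"):
        print(req, compare(prof, req))
```

The second and third requests show the article’s point: the signature blacklist only stops the injection it has a pattern for, while the profile rejects both because neither value fits the learned digits-only class of `item`.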
Nowadays one of the most difficult security challenges is defense against botnet DDoS attacks. Most security experts21 believe that effective DDoS protection should combine on-premise dedicated DDoS mitigation controls with ISP- or cloud provider-based DDoS scrubbing. Many DDoS attacks combine brute force (volumetric) attacks with targeted application-level DDoS. No single security solution is able, in the case of such an attack, to maintain network bandwidth, handle high-volume attacks, and ensure business application availability. DDoS protection and mitigation is the shared responsibility of personnel from both security and IT/network operations. Efficient DDoS mitigation requires a flexible security architecture that combines on-site and upstream detection and mitigation with regular testing of capabilities.

20 Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures – https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf.
21 John Pescatore, “DDoS Attacks Advancing and Enduring: A SANS Survey,” SANS Institute – http://www.sans.org/reading-room/whitepapers/analyst/ddos-attacks-advancing-enduring-survey-34700.

ATTACK VECTORS, EVASION TECHNIQUES, COMMUNICATION PROTOCOLS / WHAT PROTECTIONS ARE IN PLACE?

Social engineering in emails and text messages
- Does our security awareness program cover all employees?
- How often have all employees had security awareness training?

Social engineering in social networks
- Do our safeguards control employee use of social networks from their computers and mobile devices?
- What safeguards do we have that prevent employees from using unnecessary Internet services, and particularly social network applications?

Watering holes (drive-by download)
- Have we tested our safeguards' effectiveness against client-side threats, and particularly drive-by download attacks?
- Do our safeguards control encrypted traffic from untrusted Internet sites?
- How are our websites protected against specific web attacks (e.g., SQL injection, XSS)?

Trojanized applications distributed by Web, email, P2P, IM, Tor, Skype, etc.
- Do our safeguards inspect popular protocols like HTTP, FTP, and SMTP for malware?
- Do our safeguards recognize and control applications tunneling in other traffic, like P2P, IM, Tor, and Skype?

0-day malware
- What safeguards do we have that are capable of detecting and blocking 0-day malware?

Infected computers, smartphones, and tablets communicate with C&C
- Do our safeguards detect infected computers communicating with a C&C?
- Do our safeguards detect infected mobile devices communicating with a C&C?

Infected computers and mobile devices conduct malicious activities
- What safeguards do we have that control illegal content being distributed from the company's computers and mobile devices?
- What safeguards do we have that control attacks conducted (e.g., exploits, DDoS) from the company's computers and mobile devices?
- What safeguards do we have that control confidential data theft from the company's computers and mobile devices?
- What safeguards do we have that control attacks conducted from the company's websites, i.e., detecting watering holes?
- What technical and operational protections do we have to mitigate DDoS attacks against our IT systems?

Table 3 – Simple botnet protection self-assessment questionnaire
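The on-site half of that architecture is where application knowledge lives: upstream scrubbing sees bandwidth, but cannot tell that ten requests per second to a search endpoint cost the back end far more than ten requests to a static page. The following is an added example, not code from the article or from any DDoS product, of an application-level control that weights each request by its assumed back-end cost and rejects a client once its budget for a sliding window is spent. The endpoint costs, budget, window length and the access-log lines are all constructed assumptions for this illustration; the block replays a log rather than sitting inline in a server.

```python
"""Per-client request budget with endpoint cost weights (on-site, application-level DDoS control).

Added example, not code from the article or from any DDoS product. The endpoint
costs, the budget, the window and the access-log lines are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime

ENDPOINT_COST = {"/search": 10, "/login": 5}  # assumed relative back-end cost per request
DEFAULT_COST = 1                               # static content and anything not listed
BUDGET = 60                                    # cost units a client may spend per window
WINDOW_SECONDS = 10                            # sliding window length

# Constructed access-log excerpt: "<ISO timestamp> <client IP> <method> <path>".
# 198.51.100.7 is a human user; 203.0.113.99 is a low-rate attacker hitting the
# expensive endpoint once a second; 203.0.113.50 floods the cheap front page
# (70 hits in 7 seconds), the pattern a pure bandwidth filter might still pass.
SAMPLE_ACCESS_LOG = "\n".join(
    [
        "2014-07-01T12:00:00 198.51.100.7 GET /index.html",
        "2014-07-01T12:00:02 198.51.100.7 GET /search",
        "2014-07-01T12:00:04 198.51.100.7 POST /login",
        "2014-07-01T12:00:06 198.51.100.7 GET /about",
        "2014-07-01T12:00:09 198.51.100.7 GET /search",
    ]
    + [f"2014-07-01T12:00:{s:02d} 203.0.113.99 GET /search" for s in range(12)]
    + [f"2014-07-01T12:00:{i // 10:02d} 203.0.113.50 GET /index.html" for i in range(70)]
)


def parse_access_log(text):
    """Yield (timestamp, client, method, path) tuples from the constructed format."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, method, path = line.split()
        yield datetime.fromisoformat(ts), client, method, path


def replay(log_text, budget=BUDGET, window=WINDOW_SECONDS, costs=ENDPOINT_COST):
    """Replay the log in time order; return {client: {"allowed": n, "blocked": n}}.

    Each client keeps a deque of (timestamp, cost) for requests accepted inside the
    window; the running total is compared with the budget before a request is served.
    Rejected requests cost nothing, so a client that backs off recovers quickly.
    """
    recent = defaultdict(deque)   # client -> accepted (timestamp, cost) still in the window
    spent = defaultdict(int)      # client -> sum of costs currently in the window
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, client, _method, path in sorted(parse_access_log(log_text)):
        window_q = recent[client]
        # Drop accepted requests that have aged out of the sliding window.
        while window_q and (ts - window_q[0][0]).total_seconds() >= window:
            spent[client] -= window_q.popleft()[1]
        cost = costs.get(path, DEFAULT_COST)
        if spent[client] + cost > budget:
            stats[client]["blocked"] += 1
            continue
        window_q.append((ts, cost))
        spent[client] += cost
        stats[client]["allowed"] += 1
    return dict(stats)


if __name__ == "__main__":
    for client, counts in sorted(replay(SAMPLE_ACCESS_LOG).items()):
        print(f"{client:15} allowed={counts['allowed']:3} blocked={counts['blocked']:3}")
```

With these constructed numbers the human user spends 27 of 60 units and is never touched, the low-rate attacker is cut off after six search requests and only regains one request per second as old ones age out of the window, and the front-page flooder loses its last ten requests. The design choice worth noting is that a request-count limit would have treated the search attacker like the human user; weighting by cost is what makes the low-rate application-level attack visible on site.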
The main objective of the safeguards is to provide so-called virtual patches that protect IT systems from exploitation of their vulnerabilities and reduce the risk of the company's computers and mobile devices becoming part of a botnet or being compromised by other cybercriminal activities (e.g., APT).
Companies should not assume that their IT systems will never be infected. Instead, they should implement security management tools that quickly identify IT systems controlled by cybercriminals, such as security information and event management (SIEM) and network behavior anomaly detection (NBAD). It is also important to remember that the security awareness program (employee education, auditing, and motivation) operating in the scope of the entire company is a key element of the company's security strategy. Nowadays most attacks conducted by cybercriminals utilize social engineering against employees, and employees should be aware of it.
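One concrete instance of the NBAD-style check the paragraph above calls for, added here as an example and not the article's own or any product's code: a bot polls its C&C at a fixed interval, so a host that reaches the same external endpoint at near-regular intervals stands out from human browsing, whose gaps between requests are bursty. The egress log format, the sample records, the thresholds and the allow-list of legitimately periodic destinations are all constructed assumptions.

```python
"""Detecting C&C beaconing from outbound connection logs (an NBAD-style check).

Added example, not code from the article or from any SIEM/NBAD product. The log
format, sample records, thresholds and allow-list are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress-firewall/proxy log: "<ISO timestamp> <src IP> <dst IP:port> <bytes out>".
# 10.0.0.5 beacons every ~5 minutes with a few seconds of jitter; 10.0.0.7 browses;
# 10.0.0.9 touches the same suspect endpoint only twice; 10.0.0.11 syncs its clock.
SAMPLE_LOG = """\
2014-07-01T08:00:00 10.0.0.5 203.0.113.10:443 412
2014-07-01T08:05:02 10.0.0.5 203.0.113.10:443 418
2014-07-01T08:09:58 10.0.0.5 203.0.113.10:443 410
2014-07-01T08:15:00 10.0.0.5 203.0.113.10:443 415
2014-07-01T08:20:01 10.0.0.5 203.0.113.10:443 411
2014-07-01T08:24:59 10.0.0.5 203.0.113.10:443 417
2014-07-01T08:30:00 10.0.0.5 203.0.113.10:443 412
2014-07-01T08:35:00 10.0.0.5 203.0.113.10:443 414
2014-07-01T08:00:00 10.0.0.7 198.51.100.20:80 1520
2014-07-01T08:00:03 10.0.0.7 198.51.100.20:80 38211
2014-07-01T08:00:45 10.0.0.7 198.51.100.20:80 2034
2014-07-01T08:01:00 10.0.0.7 198.51.100.20:80 911
2014-07-01T08:12:30 10.0.0.7 198.51.100.20:80 1277
2014-07-01T08:12:31 10.0.0.7 198.51.100.20:80 50120
2014-07-01T08:40:00 10.0.0.7 198.51.100.20:80 1690
2014-07-01T08:40:20 10.0.0.7 198.51.100.20:80 3302
2014-07-01T08:00:00 10.0.0.9 203.0.113.10:443 409
2014-07-01T08:05:00 10.0.0.9 203.0.113.10:443 413
2014-07-01T08:00:00 10.0.0.11 192.0.2.50:123 48
2014-07-01T08:10:00 10.0.0.11 192.0.2.50:123 48
2014-07-01T08:20:00 10.0.0.11 192.0.2.50:123 48
2014-07-01T08:30:00 10.0.0.11 192.0.2.50:123 48
2014-07-01T08:40:00 10.0.0.11 192.0.2.50:123 48
2014-07-01T08:50:00 10.0.0.11 192.0.2.50:123 48
"""

# Assumed allow-list of destinations that are legitimately periodic (here an NTP
# server); without it every clock sync or update check would score like a beacon.
KNOWN_PERIODIC = frozenset({"192.0.2.50:123"})


def parse_log(text):
    """Yield (src, dst, timestamp, bytes_out) from the constructed log format."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, nbytes = line.split()
        yield src, dst, datetime.fromisoformat(ts), int(nbytes)


def find_beacons(log_text, min_events=5, max_cv=0.2, allowlist=KNOWN_PERIODIC):
    """Return (src, dst) pairs whose inter-connection gaps are suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps: a real
    beacon with a little jitter scores near 0, human traffic well above 1. Pairs with
    fewer than min_events connections are skipped, since a couple of connections
    cannot establish a period.
    """
    events = defaultdict(list)
    for src, dst, ts, nbytes in parse_log(log_text):
        events[(src, dst)].append((ts, nbytes))
    hits = []
    for (src, dst), recs in events.items():
        if dst in allowlist or len(recs) < min_events:
            continue
        recs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(recs),
                         "mean_interval": avg, "cv": cv,
                         "avg_bytes": mean([r[1] for r in recs])})
    hits.sort(key=lambda h: h["cv"])
    return hits


def hosts_contacting(log_text, dst):
    """Pivot: every internal host that reached a destination already flagged as C&C."""
    return sorted({src for src, d, _ts, _n in parse_log(log_text) if d == dst})


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} connections, "
              f"period {hit['mean_interval']:.0f}s, cv {hit['cv']:.3f}")
        print("  other hosts contacting it:", hosts_contacting(SAMPLE_LOG, hit["dst"]))
```

Run against the constructed log, only 10.0.0.5 is reported (period 300 s, coefficient of variation under 0.01); the browsing host scores well above 1 and the NTP client is excluded by the allow-list. The pivot function shows the step that usually matters more than the score itself: once 203.0.113.10:443 is treated as C&C, 10.0.0.9 becomes a lead even though its two connections are too few to score, and this is also what ties the C&C detection question in Table 3 to the SIEM correlation the paragraph describes.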
For companies it is reasonable to determine whether their security systems contain appropriate protections against the attack methods currently used by cybercriminals to infect, control, and utilize the company's IT resources. For this purpose the checklist (self-assessment questionnaire) presented in table 3 can be used.
Summary
Botnets use multiple attack vectors and new, sophisticated evasion techniques. In practice no single security technology can provide effective protection against this threat. To be effective, security systems have to adopt a defense-in-depth security strategy. The safeguards and management systems have to operate in the same areas as the botnets operate, i.e., they should control the malware (bot) distribution infrastructure, the C&C communications, and the zombie army activities. As most of the attacks use social engineering targeted at the company's employees, the security awareness program operating in the scope of the entire company is a key element of an effective security system.
About the Author
Mariusz Stawowski, PhD, is Director of Business Development and Professional Services of CLICO, a security technologies distributor and service provider operating in Poland and other Eastern European countries. For more than 15 years he has been responsible for the management of security projects. He is an ISSA senior member and holds CISSP and PRINCE2 Practitioner certificates. He is an instructor teaching official (ISC)2 seminars. His doctoral dissertation was prepared at the Military University of Technology in the field of IT systems security auditing and network protection design. Mariusz can be contacted at [email protected].