Botnets – A Game Changer in Cybersecurity Priorities

June 9, 2017
Cyber Policy: Post by David Dandar

On May 11th, the White House released a Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. While much of the executive order may come as little surprise to those working in cybersecurity, it does include a relatively new priority: botnets. Addressing botnets and even striving to eliminate them as a threat could be a game changer.


Unlike other forms of malware that do only what they are preprogrammed to do, botnets are networks of upwards of millions of malware-infected computers that can be redirected on the fly by the humans who control them. They can be commanded to launch distributed denial of service (DDoS) attacks against arbitrary targets, to steal information from the hosts they have infected, and even to upgrade themselves to add functionality or evade cleanup. The people who create and control botnets often rent them out on black markets, continuously try to grow and improve them, and will put up a fight to defend them.

Botnets are part of a dynamic and challenging criminal threat, and tackling them will require an ecosystem with the capacity to respond and adapt. Building this capacity could drastically reshape the cybersecurity landscape—helping us address many different threats, not just botnets.

If you had asked me any time in the last 10 years what we should worry about the most, I would have quickly pointed to nefarious targeted intrusions to steal information or sabotage infrastructure. Even the best security practices will struggle to defend against these kinds of attacks. And these attacks can have the worst consequences—theft of money or property, rattling stocks or driving companies out of business, and increasingly, even loss of life or limb.

Given these concerns, when I first heard of a push to place botnets in the policy limelight, I was a bit underwhelmed. I certainly knew of the ways criminals use botnets, but between coordinated efforts by telecom carriers to shunt botnet-enabled DDoS attacks, increasing anti-virus hygiene, and the occasional botnet take-down, we seem to be doing pretty well compared to other threats. Botnets just don’t keep me up at night.

However, my opinion has changed. I now think that a journey to eliminate botnets as a prevalent threat would do a lot to address targeted intrusions and a range of other cybersecurity issues.

If you're a veteran cybersecurity expert, you’ve likely noticed that our strategy for the last 20 years might have been summed up by the motto "just make it secure." Do these N things when designing and deploying technologies and the problems will go away. With each new strategy, we pile on more things, revise a few, and try again with our fingers crossed. Unfortunately, it ain't working. By most reports of actual intrusions and losses, things continue to deteriorate. Our strategy has focused predominantly on the technology side of the problem rather than the whole ecosystem.

To break this cycle, we need a better destination, one that’s hard to reach but clear and achievable—"secure" by itself doesn’t cut it. The destination has to be one the entire ecosystem can agree on, but one where the journey, as much as the outcome, is what counts. It needs to be one that teaches us lessons we’re missing and ingrains the right policies, technologies, and mindsets. Simply put, one that will leave us in a better place. A journey to eliminate botnets as a prevalent threat might be just what we need.

What can we expect to get out of such a journey?

Let’s start by revisiting what is working in the fight against botnets. This gives us some blocks to build on. Even today, major communications carriers have incentives to tackle botnet-originated DDoS attacks—the bandwidth the attacks consume costs money to provide. These carriers have great visibility too: sitting at the top of the internet makes spotting things like botnets a lot easier—detection isn’t really the problem. Last-mile carriers are also pushing household customers to maintain anti-virus software, and some are going so far as to notify customers whose systems are infected—all to reduce help desk calls and ensure bandwidth goes to what the customer wants and the customer stays happy. We’ve even exercised a few court-authorized takedowns, coordinated with vendors and law enforcement, to seize control of botnets and neutralize them.

And, unlike cybersecurity writ-large, we have good measurements of current and past botnets and the effects they create. This lets us articulate our outcomes quantitatively, helping us know if we are on the right path.

These existing efforts mean we’re not starting from scratch, but what more can be done?

For starters, the things that are working are hit-or-miss. Some telecoms and other stakeholders are more diligent than others. The industry has some best practices, but they aren't applied consistently. Takedowns are ad hoc, and the legal basis, processes, and authorities are often either uncertain or applied erratically and inconsistently. There's plenty of room for a more consistent, coordinated effort.

Also, while communications carriers have some incentives to address botnets, the biggest costs are borne by victims least capable of doing anything about the problem. If a carrier is unwilling or unable to shunt a DDoS attack, the targeted victim may be forced to pay a ransom or accept lost revenue until the attack stops. Similarly, financial institutions might just eat the losses of botnet-enabled bank fraud, rather than team up with other parts of the ecosystem to address the botnet or criminal group behind it.

Unfortunately, even working together to catch the criminals may be on shaky legal ground. We haven't sorted out the role of telecoms and other providers in policing this kind of stuff, or even their clear ability or obligation to collaborate with law enforcement—particularly internationally, where investments in capacity and relationships are also sorely needed, both for takedowns and to bring criminals to justice. Raising the cost of crime is key to deterring it.

In addition, despite successful botnet takeovers, it is technically very hard to track down compromised systems to ensure they're cleaned up, or to identify command-and-control (C2) nodes to support forensics and attribution. This requires real-time coordination among communications carriers, hosting providers, and possibly even end users—a capability that is also ad hoc at best, riddled with inconsistent practices regarding data collection and retention, and one that could benefit from policy and legal backing.

Consumers and software vendors could also take on stronger roles. Fortunately, some vendors are starting to take more responsibility for the security of their products, offering a much-needed shift away from a consumer do-it-yourself security model. That's good, but eliminating botnets may need to take things one step further: requiring consumers to follow through with vendor updates and replace unsupported devices, or face sanctions such as being quarantined by their internet service provider. This may be particularly important for the Internet of Things (IoT)—a space that is rapidly expanding, yet far behind the power curve. Technology and policy solutions will be needed to ensure infected devices don't accumulate. Such a clean-up will undoubtedly control other kinds of malware as well, potentially lowering the noise floor and making new activity even easier to detect.

These kinds of challenges are all opportunities for improvement that can pay significant dividends as we address threats other than botnets. It's easy to recognize how some of these extend to other forms of malware or tee up the coordinated responsiveness needed to detect, attribute, or thwart targeted attacks. An environment that encourages response to botnet activity is also more likely to respond to other forms of suspicious activity, even if it's not yet identified as part of a botnet.

These ideas just scratch the surface. I've left out many others, such as possible roles for state and local governments, insurance underwriters, technology retailers, standards organizations, academia, public education, and more. A journey to address botnets could bring these players to the same table. This lets each part of the ecosystem experiment a little and reinforce what seems to work. Hopefully just reading this already has you thinking of some of your own solutions as well.

Turning back to the executive order and national policy: the United States hosts a sizeable portion of the internet's infrastructure. With large pipes and expansive datacenters, it should come as little surprise that the United States also inadvertently hosts a lot of the world's botnet activity. This puts the opportunity for real impact in our hands, both to tackle botnets directly and to demonstrate to the rest of the world how it can be done. That will pave the way for a range of new developments that make the internet a safer space for everyone.