Today, enterprise networks can be attacked in a number of ways. None are more daunting than the Internet robot, or simply the bot. Bots are malicious programs that are automated to infect a computer network. They can strike in so many different ways that traditional network security is often ineffective in blocking their destructive payloads. Bot infection methods include downloading a virus-infected program, infection via a worm, or more sophisticated methods such as a "drive-by" infection, in which users infect their own system simply by visiting a website. Because bots are self-propagating, they spread exponentially: each bot, in turn, attempts to infect and compromise more systems. As the collection of infected systems grows, it forms a network of bots, or a botnet.
How a botnet works
Botnets are controlled by a master who has remote access to, and control of, all the bots in the botnet. The botnet controller creates a command and control (C&C) site, or uses Internet Relay Chat (IRC), an instant messaging protocol, to issue commands to the bots in the net.
The botnet controller can either use the botnet for malicious purposes directly or sell that control to others who wish to do harm to chosen targets. Examples of malicious actions carried out by botnets include distributed denial of service (DDoS) attacks, malware and spyware distribution, spam, and data theft.
Protecting against bots/botnets
Both the automated nature of bots and their varied infection methods make network protection a difficult task. Bots are becoming more sophisticated, tricking users into seemingly benign actions, such as clicking a link, while the bot downloads malicious code in the background. Yet the most common method of exploit is also the oldest used by hackers—exploitation of an unpatched system. Protection from bots must therefore be managed across multiple vectors, using devices and processes that act together in unison.
In order to fully protect the network from attacks generated by botnets, security professionals must first understand the dynamics of the threat. A strategic approach to protection starts by defining the methods of infection, and then implements protections through risk mitigation strategies. In defining the methods of infection, there are key elements common to all bots:
- First, bots exploit client-side vulnerabilities to compromise systems (that is, by deploying a binary on the victim).
- Second, bots rely heavily on control and communication with their master (via various command and control configurations).
- Third, bots carry variable payloads (malicious code and content, tools, and other means).
- And fourth, bots act on the motives and drivers of the bot master: either a directed attack as part of an Advanced Persistent Threat (a consistent, ongoing set of attacks targeted at one organization), or a random attack whose results are meant for sale or profit.
Botnets use a wide range of attack vectors
Once those four bot commonalities are understood, organizations can create a strategic and focused plan of action for protecting their network. The most fundamental element is an effective security policy, with processes in place to ensure that the network is protected through a system of checks and balances. To ensure the successful ongoing implementation of any security program, it is imperative to first determine the current state of security in the organization's network.
After an assessment of the current security posture, organizations can then devise a step-by-step approach to patching and protecting vulnerable assets before they can be exploited. In addition to securing the physical network, organizations can further mitigate attacks through an educational campaign, promoting recommended procedures to help ensure security for the day-to-day network users.
[Figure: Number of drones in several well-known botnets. Source: HP 2010 Full Year Cyber Security Risks Report, April 2011]
Adopting the right security strategies and solutions
The key to addressing threats posed by botnets and their underlying attacks is a defense-in-depth security strategy where multiple layers of defense are used to effectively prevent direct attacks against critical systems. A well-designed strategy can block and delay attacks so various security measures have time to mitigate the consequences of a breach.
HP Enterprise Security Products (HP ESP) has invested considerable amounts of time, effort, and resources into formulating solutions for identifying and mitigating the risks posed by botnets and other malicious code attacks.
HP TippingPoint customers can protect their networks from infection using network security tools such as HP TippingPoint Next Generation Intrusion Prevention System (NGIPS) and Reputation Digital Vaccine (RepDV) service.
The HP TippingPoint NGIPS is a purpose-built appliance for evaluating network traffic and blocking malicious content before it breaches the network. HP TippingPoint RepDV is a database of IP addresses and DNS entries that are known to be delivering malicious content.
Working in tandem with HP, NGIPS customers can set policy based on the RepDV data to block users from visiting sites that could compromise their systems.
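The reputation-based policy described above (block connections to destinations on a list of known-bad IP addresses and DNS names) and the IRC-based command and control described earlier can both be checked against ordinary connection logs. The following is an added example, not HP or TippingPoint code and not the RepDV data format: it assumes a constructed reputation feed with made-up addresses and names, a constructed log format of `timestamp src_ip dst_ip dst_port [hostname]`, and a simple heuristic that flags connections on the standard IRC ports for review rather than blocking them outright, since legitimate IRC traffic exists.

```python
"""Reputation-list matching and IRC C&C heuristic over constructed connection-log lines."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed reputation feed standing in for a RepDV-style list of IPs and DNS names.
# All values are documentation/example ranges, not real indicators.
BAD_IPS = {"203.0.113.7", "198.51.100.23"}
BAD_NETS = [ipaddress.ip_network("192.0.2.0/24")]
BAD_DOMAINS = {"update-check.example", "cdn.bad-example.net"}

# Standard IRC ports; a hit here is a review signal, not proof of a botnet.
IRC_PORTS = {6667, 6697}

# Constructed sample log: ts src_ip dst_ip dst_port hostname ("-" when unknown)
SAMPLE_LOG = [
    "2011-04-12T10:01:03Z 10.0.0.15 93.184.216.34 443 www.example.com",
    "2011-04-12T10:01:09Z 10.0.0.15 203.0.113.7 80 update-check.example",
    "2011-04-12T10:02:44Z 10.0.0.22 198.51.100.200 6667 -",
    "2011-04-12T10:03:01Z 10.0.0.22 192.0.2.55 8080 -",
    "2011-04-12T10:03:30Z 10.0.0.9 93.184.216.34 80 mail.cdn.bad-example.net",
]


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    reason: str
    action: str  # "block" for reputation hits, "alert" for heuristics


def domain_listed(host: str) -> bool:
    """True if the host, or any parent domain of it, is on the block list.

    Suffix matching means mail.cdn.bad-example.net matches cdn.bad-example.net,
    but bad-example.net alone does not (the listing is narrower than that).
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BAD_DOMAINS for i in range(len(labels) - 1))


def ip_listed(ip: str) -> bool:
    """True if the address is listed individually or falls in a listed network."""
    if ip in BAD_IPS:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BAD_NETS)


def evaluate(line: str) -> Optional[Finding]:
    """Apply reputation checks first (block), then the IRC-port heuristic (alert)."""
    ts, src, dst, port, host = line.split()
    if domain_listed(host):
        return Finding(ts, src, dst, f"listed domain {host}", "block")
    if ip_listed(dst):
        return Finding(ts, src, dst, f"listed address {dst}", "block")
    if int(port) in IRC_PORTS:
        return Finding(ts, src, dst, f"IRC port {port} to unlisted host", "alert")
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Return one finding per log line that matched a rule, in log order."""
    return [f for f in (evaluate(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}: {f.reason} [{f.action}]")
```

On the constructed sample, four of the five lines produce findings: the listed domain, the listed /24, and a suffix match on a listed domain are block actions, while the connection to an unlisted host on port 6667 is only an alert. In a real deployment the feed would be refreshed on the vendor's schedule and the heuristic tuned to the organization's own baseline of legitimate IRC use.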
As a respected solution leader in the security industry, HP TippingPoint discovers four times as many critical vulnerabilities as the rest of the market combined. Through an ongoing, diligent security practice, education of users, partnership with the most admired and respected Intrusion Prevention System product company—HP TippingPoint and its DVLabs—and a proactive and pre-emptive service such as RepDV, enterprise organizations can be assured that they will minimize the risk of botnet infection in their network while they protect both their critical assets and their reputation.
HP Enterprise Security is a leading provider of security and compliance solutions for modern enterprises that want to mitigate risk in their hybrid environments and defend against advanced threats. Based on market-leading products from ArcSight, Fortify, and TippingPoint, the HP Security Intelligence and Risk Management (SIRM) Platform uniquely delivers the advanced correlation, application protection, and network defense technology to protect today's applications and IT infrastructures from sophisticated
Find out more
For more information about network security, HP TippingPoint NGIPS, HP TippingPoint RepDV, and other industry-leading enterprise security products from HP, please visit the HP Enterprise Security website at:
"Come out from man foul spirit. What is thy name?" And he said unto him, "Our name is legion, for we are many." (Gospel of Mark, 5 - 8)

"Patriotism is your conviction that your country is superior to all others because you were born in it." (George Bernard Shaw)