Chapter 4. The Evolution of the Botnet

This chapter focuses on the ways in which the threat from bots and botnets has continued to evolve. Just as your security team cannot rely on technology from 5 or 10 years ago, threat actors are constantly changing their attack strategies and finding new ways to wreak havoc on unsuspecting networks. This includes changing tactics, such as incorporating ML into their own capabilities. Of course, attackers aren’t afraid to dip back into classic tricks that still work. Defenders need to be able to protect against these new attack methodologies while still ensuring that defenses against older attacks remain in place.

A Thriving Underground Market

Before getting to the actions of sophisticated threat actors, it is important to understand the evolving underground market. This begins with the increase in commoditization and specialization by threat actors, which makes it easier for less-sophisticated threat actors to “get a foot in the door” by purchasing tools or access from other actors that specialize in various areas of cybercrime. Some of these specialties include the following:

  • Launching distributed denial of service (DDoS) attacks

  • Phishing campaigns

  • Managing ransomware campaigns

  • Selling access to organizations

  • Developing malware for rent or sale

This specialization allows attackers that have a specific skill to continue to improve the capabilities of their tool or service. The revenue stream that comes from selling their capability means that they now have the time to work on adding features or improving antidetection mechanisms, making them more effective. For example, an attacker who specializes in selling access can spend time gaining and maintaining access to hundreds of organizations without detection. Another actor who needs a foothold into a specific organization can buy that access for $10 to $50. This is a benefit to both parties: the first actor makes money selling access, whereas the second actor saves time by not having to spend days or weeks finding an initial entry point.

Attackers who provide quality products or services gain a strong reputation on the various underground forums and can charge a premium for their services. Newer attackers often seek them out, especially if they get in over their head during an attack. An example of this came when two novice attackers used acquired point-of-sale (POS) malware and actually deployed it into the POS network of a major retailer. As a result, they accessed and sold 100 million credit cards at the peak of the holiday shopping season.

All of this equated to an underground market that conducts about $6.7 million in business, just from sales of malware and other malicious activity, every year according to Carbon Black.

The Bot Marketplace

A lot of the rise in the underground market can be attributed to the rise in the adoption of Internet of Things (IoT) devices. The internet-connected world has witnessed large numbers of poorly protected technologies being taken over and conscripted into botnets with amazing firepower. Just a few weeks after the 1.3 Terabyte DDoS attack that was reported against GitHub, a 1.7 Terabyte DDoS attack was reported against another, unnamed ISP, according to Arbor Networks. This is something that had never been seen before. So, are DDoS attacks the only attack vector these infected devices are capable of? Unfortunately, they are not.

The recent exponential growth in botnet attacks can be traced back to the release of the Mirai botnet. The Mirai malware was first unleashed on the web in mid-2016. The initial variant of Mirai was rather simple in its infection and takeover technique. The writers of Mirai must have done some research by looking at user manuals for common IoT devices, ultimately selecting IP video cameras. They included a list of factory default usernames and passwords in the malware and used this list in the attack.

The Mirai botnet used Telnet and/or Secure Shell (SSH) plus the long list of usernames and passwords, and, more often than not, successfully logged into a significant number of IP cameras located all over the world. After the malware determined that access was gained, it instructed the camera to download additional code. This code included instructions to maintain command and control in order for the cameras to communicate back to the attackers running the botnet. It also included a large list of DDoS attack tools and code to self-propagate like a worm and infect other similar cameras. Although it was rather simple, it was also ingenious.

In October 2016 the source code for the Mirai botnet was made publicly available on GitHub. Since then, a number of Mirai copycats, including Reaper, Satori, and Okiru, have been released. Figure 4-1 illustrates some of the highlights of the Mirai timeline. These variants keep the underlying source code but have added new capabilities that make them more dangerous. They no longer rely solely on well-known usernames and passwords; instead, they now exploit vulnerabilities in the software that many of the IoT devices are running. The current and future variants of Mirai and their attack methodology are poised to become an important challenge the entire industry will face before the end of this decade.

Figure 4-1. Timeline of Mirai activity

As a result of Mirai and its variants targeting consumer IoT devices, on May 25, 2018 the US Federal Bureau of Investigation (FBI) released a Public Service Announcement titled Foreign Cyber Actors Target Home and Office Routers and Networked Devices Worldwide. The announcement says:

The FBI recommends any owner of small office and home office routers power cycle (reboot) the devices. Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.

The size and scope of the infrastructure impacted by this VPNFilter malware is significant. The malware targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer. The initial infection vector for this malware is currently unknown.1

To further highlight the challenges surrounding consumer IoT devices, which are often developed and deployed with little attention to security, governments all over the world are at a loss as to what to do about the threat they represent. Not only are governments, critical infrastructure, organizations, and consumers being attacked by an onslaught of malicious bots, but no worldwide governing body has any real control over the manufacturers of IoT technologies. Unlike electricity, water, and air quality standards, which are applied in most modern countries, there are no cybersecurity standards for consumer IoT devices.

With no international standards in place for manufacturers of IoT devices, and with adoption rates rising and the cyberthreat real and growing, some governments have started initiatives with other governments to at least open a dialog on cooperation. For example, in early 2016 the EU-China Joint White Paper on the Internet of Things was released. The whitepaper highlights the following:

Formulation of ten action plans for IoT development: the plans cover various perspectives, including top-level design, standard development, technology development, application and promotion, industry support, business models, safety and security, supportive measures, laws and regulations, personal trainings, etc.

This is a move in the right direction.

Beyond the effort just mentioned, the US government has started IoT and botnet-related initiatives as well. For example, in early 2018, A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats was released for public comment. In the draft, the following is discussed:

The opportunities and challenges we face in working toward dramatically reducing threats from automated, distributed attacks can be summarized in six principal themes.

Automated, distributed attacks are a global problem

The majority of the compromised devices in recent botnets have been geographically located outside the United States. Increasing the resilience of the internet and communications ecosystem against these threats will require coordinated action with international partners.

Effective tools exist but are not widely used

The tools, processes, and practices required to significantly enhance the resilience of the internet and communications ecosystem are widely available, if imperfect, and are routinely applied in selected market sectors. However, they are not part of common practices for product development and deployment in many other sectors for a variety of reasons, including (but not limited to) lack of awareness, cost avoidance, insufficient technical expertise, and lack of market incentives.

Products should be secured during all stages of the life cycle

Devices that are vulnerable at time of deployment, lack facilities to patch vulnerabilities after discovery, or remain in service after vendor support ends make assembling automated, distributed threats far too easy.

Education and awareness are needed

Knowledge gaps in home and enterprise customers, product developers, manufacturers, and infrastructure operators impede the deployment of the tools, processes, and practices that would make the ecosystem more resilient. In particular, customer-friendly mechanisms to identify more secure choices analogous to the Energy Star program or National Highway Traffic Safety Administration (NHTSA) 5-Star Safety Ratings are needed to inform buying decisions.

Market incentives are misaligned

Perceived market incentives do not align with the goal of “dramatically reducing threats perpetrated by automated and distributed attacks.” Market incentives motivate product developers, manufacturers, and vendors to minimize cost and time to market, rather than to build in security or offer efficient security updates. There has to be a better balance between security and convenience when developing products.

Automated, distributed attacks are an ecosystem-wide challenge

No single stakeholder community can address the problem in isolation.

In light of the two aforementioned efforts, governments are making strides in the right direction to address the malicious bot issue that the internet ecosystem faces today. However, organizations are still being forced to address the problem on their own by implementing a host of protection mechanisms, as governments try to get their arms around policy that would address the issues without hampering the growth and adoption of consumer IoT.

One word of caution: it is easy to get sucked into all of the hype around the latest threats, and there are a lot of security threats that organizations face. But, there is no need to be in a constant panic mode. It is important for security teams to understand what the latest threats are, how to defend against them, and what the potential exposure of the organization to those threats is. One of the best ways to do that is through threat intelligence.

AI and ML Adoption in Botnets

Some of the most sophisticated threat actors are now incorporating ML into their attacks. This is a dramatic change in the behavior of cybercriminals: they take advantage of ML to launch attacks that imitate nonmalicious behaviors and eliminate the patterns traditionally used to identify malicious behaviors. This section highlights some examples that are affecting organizations today.

One of the earliest adoptions of ML in botnets was in the realm of brute-force password attacks. A brute-force password attack is one in which the attacker tries hundreds, thousands, or even tens of thousands of passwords against a system in an attempt to gain access.

The problem with brute-force password attempts is that they are noisy, with each failed password attempt generating a new log entry, and many systems have timeout security features that will block access to a system if an incorrect password is entered too many times.

To increase their chances of success in brute-force attacks, botnet operators will feed multiple password databases that have been exposed on underground forums into the botnet. The botnet will process the hundreds of millions or billions of entries and identify the most common passwords used. The botnet will then start with those passwords first in an effort to reduce the number of attempts. As more password datasets are added, the botnet continuously adjusts the common passwords that it tries.

Not as common (but a growing trend) is for botnets to look at regional datasets based on the target location. For example, if the IP address of the target host indicates it is in Pennsylvania, the botnet might change the order in which it tries passwords to include variants of the Pittsburgh Steelers or the Philadelphia Eagles.
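The defender's counterpart to the behavior described above is to watch the noise that brute-force attempts generate. The following is an added example, not code from the book: it parses OpenSSH-style "Failed password" log lines (a constructed sample, using documentation IP ranges) and flags two patterns, a single source exceeding the lockout-style threshold and, the botnet case, one account receiving guesses from many sources that each stay under the per-source threshold. The thresholds, window size and log format are assumptions to be tuned for a real environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log in OpenSSH's syslog format (not real data).
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOG = """\
Mar 10 08:00:01 gw sshd[1001]: Failed password for admin from 203.0.113.10 port 50001 ssh2
Mar 10 08:00:03 gw sshd[1002]: Failed password for admin from 203.0.113.10 port 50002 ssh2
Mar 10 08:00:05 gw sshd[1003]: Failed password for admin from 203.0.113.10 port 50003 ssh2
Mar 10 08:00:07 gw sshd[1004]: Failed password for admin from 203.0.113.10 port 50004 ssh2
Mar 10 08:00:09 gw sshd[1005]: Failed password for admin from 203.0.113.10 port 50005 ssh2
Mar 10 08:00:11 gw sshd[1006]: Failed password for admin from 203.0.113.10 port 50006 ssh2
Mar 10 08:01:00 gw sshd[1007]: Failed password for root from 198.51.100.1 port 40001 ssh2
Mar 10 08:01:20 gw sshd[1008]: Failed password for root from 198.51.100.2 port 40002 ssh2
Mar 10 08:01:40 gw sshd[1009]: Failed password for root from 198.51.100.3 port 40003 ssh2
Mar 10 08:02:00 gw sshd[1010]: Failed password for root from 198.51.100.4 port 40004 ssh2
Mar 10 08:02:20 gw sshd[1011]: Failed password for root from 198.51.100.5 port 40005 ssh2
Mar 10 08:02:40 gw sshd[1012]: Failed password for root from 198.51.100.6 port 40006 ssh2
Mar 10 08:03:00 gw sshd[1013]: Failed password for root from 198.51.100.7 port 40007 ssh2
Mar 10 08:03:20 gw sshd[1014]: Failed password for root from 198.51.100.8 port 40008 ssh2
Mar 10 08:05:00 gw sshd[1015]: Accepted publickey for deploy from 192.0.2.7 port 33001 ssh2
Mar 10 08:06:00 gw sshd[1016]: Failed password for alice from 192.0.2.8 port 33002 ssh2
Mar 10 08:06:30 gw sshd[1017]: Accepted password for alice from 192.0.2.8 port 33003 ssh2
"""

# Matches only failed password attempts; "invalid user" lines are covered too.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2018):
    """Return a list of (timestamp, user, source_ip) for each failed attempt.

    Syslog lines carry no year, so one is assumed (a constructed default here).
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def detect_bruteforce(events, window_seconds=300, per_source_threshold=5,
                      distributed_sources=6):
    """Return alert strings for two brute-force patterns (thresholds are assumptions).

    * single-source: one IP produces >= per_source_threshold failures within
      the window, the classic lockout trigger;
    * distributed: one account sees failures from >= distributed_sources
      distinct IPs within the window while every IP stays under the
      per-source threshold, which is what per-IP lockouts alone miss.
    """
    alerts = []
    window = timedelta(seconds=window_seconds)
    events = sorted(events)

    # Sliding window over each source's failure timestamps.
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    flagged_ips = set()
    for ip, stamps in by_ip.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= per_source_threshold:
                flagged_ips.add(ip)
                break
    for ip in sorted(flagged_ips):
        alerts.append(f"single-source brute force from {ip}")

    # Sliding window over each account, counting distinct low-rate sources.
    by_user = defaultdict(list)
    for ts, user, ip in events:
        if ip not in flagged_ips:  # already reported above
            by_user[user].append((ts, ip))
    for user, items in by_user.items():
        start, peak = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            peak = max(peak, len({ip for _, ip in items[start:end + 1]}))
        if peak >= distributed_sources:
            alerts.append(f"distributed brute force against account '{user}' "
                          f"from {peak} sources")
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_failures(SAMPLE_LOG)):
        print(alert)
```

On the sample, the first rule fires for 203.0.113.10 (six failures in ten seconds) and the second fires for the root account, which receives eight guesses from eight different addresses at a rate no per-IP lockout would notice; alice's single failed attempt followed by a success is left alone. The distinct-source rule is the one worth carrying into a real detection pipeline, because it is indifferent to how cleverly the guesses were ordered.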

A second area of marked growth in AI and ML for malicious purposes is defeating CAPTCHA challenges. This will be discussed further in the next chapter, but attackers have become very good at bypassing CAPTCHA challenges, even those involving object recognition (e.g., identify all pictures containing storefronts).

This is an example of hundreds or thousands of humans feeding information to an AI and ML system to make it more effective. Attackers that sell these CAPTCHA bypass systems on the underground market claim up to 98% efficiency at detecting objects in the CAPTCHA photos.

Although AI and ML have not seen widespread adoption by most attackers, there are definitely some more advanced attackers who are building these technologies into their tools.

Staying Ahead of the Next Attack with Threat Intelligence

Most businesses are, at best, only aware of today’s current threats. Even when organizations implement what is believed to be the best security defenses, inadequate security training, staff turnover, and the high volume of threat activity on a daily basis leave most businesses vulnerable to malicious attacks in one respect or another.

Today’s more aggressive attackers understand this, and security analysts, specialists, and executives likewise need to think about what’s next. Imagination is needed to envision the threats that are just around the corner. This is where threat intelligence becomes so important to your organization. Many in security view threat intelligence as simply indicators, such as bad IP addresses, domains, or file hashes. But three different types of threat intelligence should be considered: operational, tactical, and strategic.

Operational threat intelligence is intelligence that you can use immediately to stop an attack such as the aforementioned indicators. Tactical threat intelligence provides information about the person or group behind the indicator, with a focus on the tactics, techniques, and procedures (TTPs) of the adversary.

Strategic intelligence, which is our primary focus here, is really about seeing the big picture. It is an understanding not only of what attacks are happening now, but also what attacks might come in the future.

Moreover, strategic intelligence is about understanding the strengths and weaknesses within your organization and what is needed to better protect it against current and future attacks. When talking about strategic intelligence, many organizations panic because they don’t think they have the proper resources or vision to “predict the future.” But it is not really all that difficult, and many organizations do it without really knowing they are doing it.

Strategic intelligence involves planning for the future based on available information. Very few organizations predicted the Meltdown and Spectre vulnerabilities when they were announced. After they were announced, it was logical to assume more vulnerabilities of this nature would be found and take proactive steps to protect the organization from this new category of attack. Similarly, if every month an Adobe Flash vulnerability is announced, it is safe to assume that more will be announced in the future and to take steps to minimize the installation of Adobe Flash within your organization.

Strategic intelligence is not magic. It means that your organization needs to understand the preferred attack methods of today’s attackers as well as understand where in the organization you are most susceptible to these attacks. After that information is gathered, your organization can then take smart steps to protect itself from current and future attacks.

To be effective, strategic intelligence must involve every part of your organization and must be driven by senior leadership within the organization to get different departments engaged. If there is any secret to success here, this is it. After buy-in from the top down is in place, you can move forward with your strategic intelligence plans. As we discuss in Chapter 5, much of your strategy will center around the increasing need to move beyond familiar security tools and solutions, as you implement newer approaches to cybersecurity.

1 Federal Bureau of Investigation, Public Service Announcement; Internet Crime Complaint Center (IC3); 2018.
