This SPIE will analyze the value of bot detection in a security model; the perceived value of such features; the methods used to detect bots, and their respective effectiveness.
The model for threat detection is continually evolving in response to changing tactics utilized by malicious actors. Network-based threats are increasingly deceptive and dubious in nature; and, as a result, security technologies must be able to detect signs of an attack or intrusion attempt, rather than an exact pattern of an outright threat.
One of the trends forcing a shift in threat detection methodologies is the growing importance of the bot as a go-to tactic for hackers and hacker groups. A bot is a computing system tasked with performing a specific Internet function, in an automated fashion. Not all bots are malicious in nature; there are bots that perform legal and useful tasks such as Web indexing, data collection, competitive research, and promotional activities on social networking Web sites.
For hackers, the benefits provided by bots are invaluable. The ability of bots to perform assigned tasks repeatedly, quickly, and in an automated manner enables hackers to control these systems en masse and to great effect. A group of coordinated bots, called a botnet, enables threat actors to perform massive-scale distributed denial-of-service (DDoS) attacks and spam email campaigns. Though DDoS attacks and spam distribution are some of the most visible and well-known uses of bots, the importance of bots is greatly underestimated. Essentially, the bot is the “go-to” tool that enables the command, control, communications, and coordination of covert operations by highly sophisticated threat actors.
Thus, while bot detection is a valuable pursuit in its own right, it may also be leveraged as a means to defend against a range of threats. Security solution vendors hope to be able to protect customer networks from a range of commodity malware, advanced threats, availability attacks, and other undesirable activities by identifying and blocking malicious bots.
The Need for Bot Detection as an Integral Component in a Modern Network Security Model
Too often, bots are overlooked as just another item of concern in a threat landscape characterized by a myriad of threats. However, bot detection is an important capability that can help to solve imminent threats, as well as less visible security issues.
Bot Detection to Mitigate DDoS Attacks and Spam
Bot detection is perhaps most closely associated with DDoS attacks and spam distribution. The first step in these attacks is to infect as many devices as possible. The Zeus trojan and similar malware families are capable of infecting a range of devices and installing the software necessary for hackers to control them. Next, the malware directs the infected device to dial out to a specified IP address belonging to the command and control (C&C) system, to receive instructions. The C&C system can then direct bots to send unsolicited network traffic to targeted IP addresses as part of a DDoS attack.
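The dial-out behaviour described above is one of the signals defenders look for: an infected host contacts the same C&C address at a near-constant interval, which stands out from ordinary, bursty browsing. The following beacon detector is an added example written for this page, not code from the report or from any vendor it names. It runs over a constructed outbound-connection log (the hosts, addresses and timestamps are invented), and the thresholds `min_connections` and `max_jitter_ratio` are illustrative values, not tuned recommendations.

```python
"""Periodic-beacon detection over outbound connection records (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow log: "<ISO timestamp> <source host> <destination IP> <port>".
# 10.0.0.15 dials 203.0.113.7 roughly every 30 seconds (beacon-like);
# 10.0.0.22 browses 198.51.100.20 at irregular intervals (normal);
# 10.0.0.31 makes only three connections, too few to judge.
SAMPLE_FLOWS = """\
2024-03-01T08:00:00 10.0.0.15 203.0.113.7 443
2024-03-01T08:00:05 10.0.0.22 198.51.100.20 443
2024-03-01T08:00:07 10.0.0.22 198.51.100.20 443
2024-03-01T08:00:30 10.0.0.15 203.0.113.7 443
2024-03-01T08:01:01 10.0.0.15 203.0.113.7 443
2024-03-01T08:01:30 10.0.0.15 203.0.113.7 443
2024-03-01T08:02:00 10.0.0.15 203.0.113.7 443
2024-03-01T08:02:31 10.0.0.15 203.0.113.7 443
2024-03-01T08:02:40 10.0.0.22 198.51.100.20 443
2024-03-01T08:03:00 10.0.0.15 203.0.113.7 443
2024-03-01T08:03:30 10.0.0.15 203.0.113.7 443
2024-03-01T08:04:00 10.0.0.31 192.0.2.9 80
2024-03-01T08:04:20 10.0.0.31 192.0.2.9 80
2024-03-01T08:04:40 10.0.0.31 192.0.2.9 80
2024-03-01T08:09:12 10.0.0.22 198.51.100.20 443
2024-03-01T08:09:15 10.0.0.22 198.51.100.20 443
2024-03-01T08:15:00 10.0.0.22 198.51.100.20 443
"""


def parse_flows(text):
    """Parse log lines into (timestamp, src, dst, port) tuples, skipping blanks."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def find_beacons(flows, min_connections=6, max_jitter_ratio=0.1):
    """Return {(src, dst, port): stats} for connection series that look periodic.

    A series is flagged when it has at least ``min_connections`` events and the
    coefficient of variation of its inter-arrival times (stdev / mean) is at or
    below ``max_jitter_ratio``; low jitter means a machine-driven schedule.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    beacons = {}
    for key, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to estimate a period
        stamps.sort()  # log lines may be interleaved across hosts
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        jitter_ratio = pstdev(intervals) / avg
        if jitter_ratio <= max_jitter_ratio:
            beacons[key] = {
                "count": len(stamps),
                "mean_interval_s": avg,
                "jitter_ratio": jitter_ratio,
            }
    return beacons


if __name__ == "__main__":
    for (src, dst, port), stats in find_beacons(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}:{port} every ~{stats['mean_interval_s']:.0f}s "
              f"({stats['count']} connections, jitter {stats['jitter_ratio']:.3f})")
```

In practice the per-pair statistics would be computed over a sliding window of firewall or NetFlow records, and hits would be enriched with destination reputation before anyone acts on them; a fixed-interval pattern alone also catches legitimate software update checks, so the jitter threshold and minimum count are tuning knobs rather than verdicts.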
DDoS attacks can be very costly for businesses, by inhibiting employee access and productivity, blocking sales and new customers, and by hurting the reputation of the targeted organization. As a result, DDoS attacks are increasing in frequency, volume, and potency.
Arbor Networks is the leading provider of DDoS mitigation solutions for service providers and enterprise networks. Bot detection is an important capability for the purpose of identifying and mitigating DDoS attacks reliably. For Arbor Networks, the ability to identify and block bots accurately helps to distinguish its products from entry-level DDoS mitigation capabilities integrated in standard network tools such as firewalls, intrusion prevention systems (IPS), and content distribution network (CDN) services. A complete analysis of the DDoS mitigation global market is provided in the Frost & Sullivan Market Engineering study available at www.Frost.com/ndd2. [2]
The owner of the bots and C&C system, called a bot herder, may also use the botnet to send massive amounts of spam email, as in the case of the Cutwail botnet. Spam email presents a range of threats, from a simple nuisance to a launching point for social engineering attacks, phishing, and distributing malware such as CryptoLocker. Additionally, spam can present a drain on businesses by tying up valuable computing resources involved in threat detection inspections, or by hijacking computing resources for the purpose of sending spam emails.
Bot Detection to Stop Malware and Advanced Threats
A particular trend that has forced a shift in the security model is the emergence of advanced persistent threats (APTs). Frost & Sullivan defines an APT as a cyber-based attack that
- Utilizes a type of advanced malware
- Targets or focuses on specific individuals or organizations (not a mass targeted attack)
- Looks to achieve a monetary or intellectual property gain
- Looks to penetrate and persist, undetected, in an environment (network or endpoint)
The term APT was originally coined to describe dedicated, skilled, and organized hackers and groups that conduct highly successful data theft and network intrusion actions. Often, these actions go unnoticed for several months and even years as APTs are designed to evade commercial threat detection systems, as well as obfuscate evidence of their activities. The first signs of an APT are typically discovered by the victimized organization’s partners and customers rather than the victim organization itself, and are fully uncovered only after a lengthy and exhausting forensics investigation.
Security companies continue to develop and refine multiple methods to detect APTs. Some solutions attempt to identify threats near the network perimeter, with FireEye as a well-known example. FireEye utilizes a sandboxing methodology to detonate malware in a virtualized computing environment, in order to identify APTs that are undetectable by traditional signature matching and behavioral systems. However, there is a pattern of escalation that indicates that future APTs will become resistant to these detection mechanisms. Already, advanced malware is being discovered with sandbox evasion capabilities, such as the ability to detect the presence of emulation or a virtualized environment, and stay dormant during the inspection process. [3] Therefore, the detection of APTs increasingly requires the ability to detect and correlate multiple indicators in an automated and investigative manner.