Botnets in the Age of Remote Work

Cyberattacks launched or controlled via botnet are nothing new, but they are on the rise and pose an ever-growing threat.

A recent Russian botnet masquerading as a proxy service compromised millions of devices across the globe, giving cybercriminals access to stolen online accounts until the Feds shut it down. Attacks that happen at a large scale in this manner can have devastating effects. Indeed, botnets represent one of the top techniques attackers use to gain access to networks and systems, which is why it's vital to take steps to mitigate botnet attacks from wherever your employees are working.

The economics of botnets have greatly affected the volume of attacks, as well. Large networks of compromised computers and devices across the Internet can be used to carry out multiple attacks against a broad range of targets. Our research shows that DDoS botnet attacks are on the rise, with a 14% increase in attacks since 2019. Overall, 69% of Comcast Business DDoS customers experienced attacks, a 41% increase over 2020, while 99% experienced repeat attacks.

Botnet attacks are a major threat because they deploy in large numbers and are constantly evolving. The underlying host computing systems are spread across thousands of different owners, and shutting down botnets requires careful coordination across law enforcement, hosting providers, and network carriers.

In addition, botnet resources can be repurposed, which has led to the creation of an indirect black marketplace. Cybercriminals trade botnet assets and use them for different cyberattack types based on where they can make the most money. Essentially, botnets have become a fungible asset for organized crime.

Botnet DDoS Attacks Present a Challenge for Security Teams

The rapid shift to remote work provided convenience and efficiency, but it also created new opportunities for threat actors to exploit. Corporate networks are more vulnerable when accessed using unsecured work-from-home environments; personal computing devices are not always protected; and the use of video-conferencing software by remote workers makes an easy target, according to the FBI's "Internet Crime Report 2021."

DDoS attacks are sudden and can penetrate business systems even when protected by firewalls. Endpoint defenses like antivirus cannot protect against DDoS attacks, which are tricky for security experts to identify even after a complete outage. On-premises DDoS prevention equipment is expensive and still leaves upstream connectivity vulnerable to network saturation.

Once these attacks happen, consequences include server crashes, unresponsive applications, and network outages that take businesses offline for legitimate users. Simply put, DDoS attacks cost victims significant time, money, and brand reputation.

Mitigating and Defending Against Botnet Attacks

Protecting against botnets requires a layered, defense-in-depth approach. The first line of defense involves network security controls that maintain a global IP reputation database of known malicious IPs and domains, as well as compromised systems belonging to botnets.

Ask your security vendors how they block network connections using IP reputation. On average, 10% to 15% of global malicious IPs change daily, so confirming that your vendor provides frequent updates is critical to ensuring effective botnet protection. Assess the size and reputation of your security vendors' threat intelligence research team, as well as the sources and size of their IP and domain reputation databases.

The second line of defense requires the detection of network traffic based on protocol behavior and session flow. Modern detection techniques use a combination of machine learning algorithms and threshold-based countermeasures.

The challenge for defenders is that botnets can launch multiple types of attacks. The network behavior shown by ransomware exploits is different from brute-force credential stuffing or the click fraud perpetuated against e-commerce Web servers. So, the layered defense required to prevent botnet attacks will vary based on the risks for each individual business.

For example, modern DDoS botnet attack patterns have multiple vectors, are short in duration, and high in intensity, as highlighted by the 2021 Comcast DDoS Threat Report. This makes DDoS extremely challenging to detect for security personnel who must identify issues in minutes but have only seconds to react before an outage occurs.

Building a Layered Cybersecurity Plan

Basic cybersecurity hygiene is critical to defending against the threat of botnets. Frequent and continuous vulnerability scanning, configuration hardening, and an organized patch management policy are basic steps in preventing your host systems from becoming botnet victims.

Next, organizations should implement network access controls, multifactor authentication, and a zero-trust policy for users, all of which make it harder for bad actors to access your network or host computers. Lastly, continually training employees on how to identify suspicious activity such as phishing attempts and what steps to take when compromised can mitigate botnet attacks.

Botnet attacks are here to stay, so it is important that users and businesses evaluate their systems, partner with the right vendors and service providers, and implement a cybersecurity program with executive sponsorship to protect themselves against attacks.