Ransomware is only one possible outcome of advanced persistent threat activities and one that we focus on too much. This leads us to ignore other risks to the organisation prior to the ransom. The delivery of the ransom is not the start of your problem; it is the beginning of the end. With too many of us focused on perception rather than evidence, it is time we assess what occurs before the ransom, as it could be masking other nefarious activities, such as the impacts of Botnet-as-a-Service (BAAS). Read on for three best practices to reduce the risk of a botnet attack on your organisation’s estate.
Hackers are no longer the fundamental risk; cyber attackers have evolved and so must we. The evolution of malware has encouraged sophisticated threat actors to develop new ways of gaining unauthorised access to an organisation’s network system. Let’s look back on the malware evolution to determine the precautions we should consider to futureproof our environments.
The evolution of cybercrimes supported by malware
1st Wave: Test
It all began with the era of the Script Kiddies, otherwise known as “bedroom hackers”. They would work individually, competing to test the defences of organisations. However, their strategy of business interruption was unorganised as they simply utilised technology as a target.
2nd Wave: Access
Then came the Botmasters, who saw the efficiency of harnessing the talents of the individual hackers – and their conquests – to achieve access “at-scale” in organisations. This was the dawn of the “Advanced Persistent Threat.” An underground economy emerged to sell access and Malware-as-a-Service (MAAS) tools to third parties, with value-added services such as the theft of personal banking information, eavesdropping, and ransomware. The Botmasters would gain and maintain access through APT activities and, in some cases, would curate that access and manage the victim’s network security more rigorously than the defenders themselves, as they used technology not only as a target but as a tool.
3rd Wave: Operate
In recent times, we have experienced the impact of the Access Broker (Botmaster or Hacker for Hire). They operate to objectives via subscription services of the underground economy, in jurisdictions friendly to their activities – and with flexible operating structures and technical architectures. They facilitate the interests of competitors of their targets, whether political, social, business, or economic. To maintain a level of anonymity and security in their activities (and for their clients) – and to combat the evolving defences of organisations to cyber-attacks, they also leverage false flag tactics and commonly employ distraction techniques.
4th Wave: Influence
Whereas technology has been a target for gaining access to sensitive business information in the past, the increased reliance by people on technology for interpersonal communications, commerce, and business activities has revealed a vulnerability that cybercriminals have evolved their tactics to exploit. By utilising Coordinated Inauthentic Behaviour (CIB) in social media and networking, cybercriminals can control the narrative and influence decisions. Whether that decision is merely to click on a link to read a website laden with malware that will expand a botnet and related services in the darknet, or to spread misinformation among personal and business colleagues, CIB helps cybercriminals to break down behavioural barriers and cause victims to act in ways they otherwise would not. The net effects are to lower the costs of developing botnets and gaining access into secure networks – and to higher-profile people, in ways that bypass or even actively conflict with cyber defences.
Ultimately, today’s cyber threats boil down to Botnets-as-a-Service. They are constantly expanding through tactics tailored to avoid or combat defences. So how are they used? Botnets-as-a-Service are sold by subscription, and signing up today is as easy as opening a Netflix account. There is a common misconception, still propagated in news articles, that “hackers” are doing everything from:
- Stealing grandma’s life savings
- Conducting complex financial extortion with off-the-shelf malware
- Employing collateral access via supply chains and support vendors
- False flags (language and tools related by ‘intelligence’ to others)
- Distractions such as an outbreak of ransomware in one part of the network whilst banker trojans allow information and financial theft from corporate accounts.
When in fact, Botnets-as-a-Service, Malware-as-a-Service and Ransomware-as-a-Service operators facilitate these actions with their catalogued offerings of access, tools, and technical support.
3 best practices to prevent a botnet attack
A better understanding of the malware evolution allows us to realise that simply putting firewalls and antivirus in place is no longer enough to prevent a cyber-attack. We need to consider social media, identity, and access management protections to evolve from “detect and respond” passive defences into a better “challenge and deter” active defence posture. Here are 3 best practices to prevent a botnet attack:
- User Behaviour Analytics – Monitoring user accesses to services for anomalies
User Behaviour Analytics is a process that analyses patterns of human behaviour, which detects threats of a breach by monitoring for inconsistent use of services and resources. It considers user “conditions” such as what time your employees usually log in and out of the VPN, and from which locations.
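The VPN example above (usual login times and locations per user), as an added illustration that is not from the original post: the log lines, user names and thresholds are constructed, and the baseline is a simple per-user mean and spread of the login hour plus the set of countries seen.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample VPN log lines (not from the original post):
# "<ISO timestamp> <user> <login|logout> <country>"
HISTORY = """\
2024-03-04T08:05:00 alice login GB
2024-03-04T17:40:00 alice logout GB
2024-03-05T08:12:00 alice login GB
2024-03-05T18:01:00 alice logout GB
2024-03-06T07:58:00 alice login GB
2024-03-06T17:30:00 alice logout GB
2024-03-07T08:20:00 alice login GB
2024-03-07T17:55:00 alice logout GB""".splitlines()

MIN_SD_HOURS = 0.5  # floor so a very regular user still gets a tolerance band

def parse(line):
    ts, user, event, country = line.split()
    return datetime.fromisoformat(ts), user, event, country

def build_baseline(lines):
    """Per user: countries seen and the mean/spread of the login hour."""
    hours, countries = defaultdict(list), defaultdict(set)
    for line in lines:
        ts, user, event, country = parse(line)
        countries[user].add(country)
        if event == "login":
            hours[user].append(ts.hour + ts.minute / 60)
    return {
        user: {"mean": mean(h), "sd": max(pstdev(h), MIN_SD_HOURS),
               "countries": countries[user]}
        for user, h in hours.items()
    }

def score_event(line, baseline, z_limit=3.0):
    """Return the reasons an event is anomalous; an empty list means normal.
    Assumption: login hours do not straddle midnight (no wrap-around handling)."""
    ts, user, event, country = parse(line)
    b = baseline.get(user)
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if country not in b["countries"]:
        reasons.append(f"login country {country} never seen for {user}")
    if event == "login":
        z = abs(ts.hour + ts.minute / 60 - b["mean"]) / b["sd"]
        if z > z_limit:
            reasons.append(f"login at {ts:%H:%M} is {z:.1f} sd from usual time")
    return reasons

BASELINE = build_baseline(HISTORY)
```

A 03:10 login from a country never seen for the user produces two reasons; a normal morning login from the usual country produces none.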
- Network Access Control – Control access through segmentation and zero trust
Architecturally, most companies have flat networks. Consider better methods to protect your network from a cyber-attack by implementing network segmentation. To illustrate this, imagine your business as a ship whose departments are separated by bulkheads: if the hull is breached and one section floods, the bulkheads contain the flooding and prevent the ship from sinking. In the same way, if a threat actor gains unauthorised access to a system in one department, they cannot move laterally across the network (without a challenge) to compromise other departments. Check out this blog for practical steps to help you focus your efforts when designing and deploying a zero-trust architecture: Who Do You Trust? Explore the True Realities of Zero Trust
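The bulkhead idea in code, as an added example that is not from the original post: department subnets, the allow-list and the flow records are all constructed, and anything not explicitly allowed between segments is denied, so cross-department flows stand out as lateral-movement candidates to challenge.

```python
import ipaddress

# Constructed segment map: assumed department subnets (not from the post)
SEGMENTS = {
    "finance": ipaddress.ip_network("10.10.0.0/24"),
    "hr": ipaddress.ip_network("10.20.0.0/24"),
    "servers": ipaddress.ip_network("10.50.0.0/24"),
}

# Allow-list of (source segment, destination segment, destination port).
# Anything not listed is denied: this default deny is the "bulkhead".
ALLOWED = {
    ("finance", "servers", 443),
    ("hr", "servers", 443),
}

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def evaluate_flow(src, dst, port):
    """Return (decision, source segment, destination segment)."""
    s, d = segment_of(src), segment_of(dst)
    if s == d and s != "unknown":
        return ("allow", s, d)  # traffic within one bulkhead
    if (s, d, port) in ALLOWED:
        return ("allow", s, d)
    return ("deny", s, d)

# Constructed flow records: "<src ip> <dst ip> <dst port>"
FLOWS = """\
10.10.0.15 10.50.0.5 443
10.10.0.15 10.20.0.7 445
10.20.0.7 10.50.0.5 443
10.20.0.7 10.10.0.9 3389""".splitlines()

def lateral_movement_candidates(lines):
    """Flows crossing a bulkhead without an allow-list entry."""
    out = []
    for line in lines:
        src, dst, port = line.split()
        decision, s, d = evaluate_flow(src, dst, int(port))
        if decision == "deny":
            out.append((src, dst, int(port), f"{s}->{d}"))
    return out
```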
- Multi-Factor Authentication – Challenge authority
An integral practice for any organisation to protect its resources from a cyber incident is to implement essential security defences such as multi-factor authentication. It works by challenging one secret (the password, which is stored and managed by the system) with proof of a second factor that only you hold. Although passwords and security tokens are commonly exploited by cyber-attackers, the use of multi-factor authentication provides an impenetrable defence to endpoints (PAM), networks (PIM), and services (IAM) as it employs a “human in the middle” defence. There are two ways to identify a user on the network:
- Identity management/authentication – proving your identity to the system with something you know (your password) and something you own (a mobile phone) or something you are (biometrics)
- Access management/authorisation – proving your rights to the system with permissions defining what you are allowed to do/see on the system.
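The two factors above (something you know plus something you own), as an added example that is not from the original post: the post names no particular mechanism, so this assumes a salted password hash for the first factor and an RFC 6238 time-based one-time code from a phone authenticator for the second; the enrolment key and password are constructed values.

```python
import hashlib, hmac, secrets, struct, time

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value for this example)

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(key: bytes, at: float, step: int = 30) -> str:
    """Time-based variant (RFC 6238): the counter is the 30-second epoch step."""
    return hotp(key, int(at // step))

def verify_totp(key: bytes, code: str, at: float, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock drift."""
    counter = int(at // 30)
    return any(hmac.compare_digest(hotp(key, counter + d), code)
               for d in range(-window, window + 1))

def make_password_record(password: str):
    """Server-side stored secret: salted PBKDF2 hash, never the password itself."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def authenticate(record, totp_key: bytes, password: str, code: str, at=None) -> bool:
    """Both factors are always evaluated so a failure does not reveal which one failed."""
    salt, digest = record
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    pw_ok = hmac.compare_digest(attempt, digest)
    otp_ok = verify_totp(totp_key, code, time.time() if at is None else at)
    return pw_ok and otp_ok

# Constructed enrolment values: the RFC 6238 reference key and a sample password
TOTP_KEY = b"12345678901234567890"
RECORD = make_password_record("correct horse battery staple")
```

A stolen password alone fails `authenticate`, and a captured code stops working once the 30-second step plus the drift window has passed.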
Information security expert Dr Shane Shook talks further about malware evolution, dark market partnerships and evolving defence, in our latest Emerging Trends Podcast.