In this article, MSSP Alert examines the tactics and technologies MSSPs and MSPs use to spot and stop botnets. Read part one of the two-part series: "What are Botnets and Why are MSSPs So Concerned?"
Any time an MSSP or MSP signs up a new customer it’s an expedition into the unknown, an exploration on day one into a potentially under-managed and vulnerable cyberspace environment.
As you begin this journey, you wonder who had been watching the customer’s endpoints (hopefully, but not likely, all points of entry) and what might have already slipped past detection (perhaps years ago) and infected its IT systems, such as a botnet or some other covert malware.
MSSPs and MSPs surely know the potential of a botnet finding its way into their own IT network or devices. Why wouldn’t the bad guys go after those who would prevent them from laying the track to a ransomware attack?
The tools and techniques of the cybercrime trade are not surprising in themselves; what is notable is the evolving sophistication of today’s threat actors and their instruments. For instance, AI is now being used by cybercriminals, typically operating out of China, Russia and North Korea.
Waging the Botnet Battle
Jim Broome, president and chief technology officer at DirectDefense, said his MSSP employs a robust endpoint detection and response (EDR) solution with their customers.
“For us, it's a two-fold answer,” he said. “The more traditional botnet activity that people are associated with is just malware. So we have a managed security services solution built around managed EDR, partnered with CrowdStrike and Cylance BlackBerry (and others). You have to put the two together to look for signs of infection.”
DirectDefense also has a dedicated practice around application security, largely penetration testing, red teaming, software development and lifecycle review. Essentially, these activities are delivered within a professional services package that complements its managed security services.
“This is how we’re helping organizations deal with the struggle of protecting their applications against botnet activity,” Broome said. “Time and time again we’re being called in either for incident response or to help application providers fix their apps. We like to call it, ‘SOC-ifying their app.’ So, we can actually assist them in a managed service perspective around their application.”
Broome recalled work with a particular client experiencing a botnet intrusion:
“Last summer, besides dealing with Scattered Spider on a few occasions, we also dealt with first-time customers operating in the manufacturing space. These were small, medium-sized manufacturers having their assembly lines go down because the threat actor had enough time to poke around until they found the endpoints did not have protection. The threat actor was able to rewrite their ransomware to detonate on protected assets by leveraging the assets that did not have updated EDR solutions installed on them.”
For Broome, the key takeaway is, “Have an EDR platform you believe in and can actually manage. The second part of that is going to be your more traditional security stack. A customer has to have firewalls. We have to have logs. Specifically, we have to have logs for the data leaving the environment, which is commonly overlooked.”
He notes that EDR, firewalls and logs segue into a SIEM, where the EDR data can be applied and the whole picture reviewed comprehensively.
“And then there is going to be some threat intel,” says Broome. “Most MSSPs today provide some form of threat intel back into the customer base. That's kind of like the one, two, three combo.”
Botnets and the Bigger Picture
Aimei Wei, founder and chief technology officer of Open XDR specialist Stellar Cyber, explained that as cyber threats become increasingly sophisticated, botnets are now “key actors in the contemporary attack landscape.” Botnets provide complex command and control structures, deliver ransomware and often serve as conduits for leaking sensitive data.
“It’s essential to have a unified view and detection capabilities to reveal botnets at work,” she said. “By integrating and correlating detections from email security, EDR, network security and other tools, Open XDR platforms can unveil the complete lifecycles of botnet-facilitated attacks and offer faster detections and responses."
Josh Smith, threat intelligence analyst for MSSP Nuspire, believes the biggest threat from botnets is having someone's credentials or banking information harvested. MSSPs are especially wary of these intrusions.
“Those are game killers for an organization,” he said. “Having credentials stolen from an information stealer or something of that nature could then be reused by a different organization if they resell that to give them initial access into a network.”
For that matter, Nuspire is all in on EDR as its threat hunters’ best weapon against botnets.
“We utilize threat intelligence and EDR to be able to identify a lot of these different things that are going on — something that gets past your traditional antivirus that's actually looking at your behavior and the heuristics of a machine.”
Smith adds that monitoring outbound network traffic is critical to botnet defense: pairing it with threat intelligence shows whether devices are connecting to known malicious IP addresses.
“Endpoint detection, in my opinion, is king,” he said. “It's great to have a firewall in place. But if you don't have the granularity to look back on an endpoint to see what's happening on a core machine, it can make it difficult when you have that funneled view of what's happening in a network. Firewall is an important part of security infrastructure. But again, I think endpoint is really the critical aspect there. And then, yes, I'm biased as a threat intelligence analyst, but I feel intelligence is very important as well.”
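Both Broome (logs of data leaving the environment, fed into a SIEM alongside threat intel) and Smith (outbound traffic checked against known malicious IPs) describe the same detection step. The following is an added example written for this article, not code from DirectDefense, Nuspire or any vendor product: it correlates constructed outbound firewall flow records with a constructed indicator list, and, going one step beyond the quoted advice, also flags source/destination pairs whose connection timing is regular enough to look like C2 beaconing even when the destination is not yet on any intel feed. The log format, the indicator list and the thresholds are assumptions chosen for illustration.

```python
"""Correlate outbound flow logs with threat intel and flag beacon-like timing.

Added example (not from the article's sources). Log format, IOC list and
thresholds are constructed assumptions for illustration only.
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed indicator list, as an MSSP might receive from a threat-intel feed.
# Uses RFC 5737 documentation ranges so no real host is named.
KNOWN_BAD_IOCS = ["203.0.113.0/24", "198.51.100.77"]

# Constructed outbound flow records from a perimeter firewall:
# epoch_timestamp source_ip destination_ip dest_port bytes_out
SAMPLE_FLOWS = """\
# ts         src        dst            dport bytes
1700000000 10.0.5.21 198.51.100.77 443 612
1700000060 10.0.5.21 198.51.100.77 443 598
1700000118 10.0.5.21 198.51.100.77 443 605
1700000181 10.0.5.21 198.51.100.77 443 601
1700000240 10.0.5.21 198.51.100.77 443 610
1700000007 10.0.5.40 192.0.2.10 443 18422
1700000300 10.0.5.40 192.0.2.20 443 2110
1700000015 10.0.5.33 203.0.113.9 8080 880
1700000022 10.0.7.8 192.0.2.20 443 5400
1700000900 10.0.7.8 192.0.2.20 443 5300
1700000005 10.0.6.2 192.0.2.55 443 301
1700000305 10.0.6.2 192.0.2.55 443 299
1700000605 10.0.6.2 192.0.2.55 443 304
1700000905 10.0.6.2 192.0.2.55 443 300
1700001205 10.0.6.2 192.0.2.55 443 302
"""


def parse_flows(text):
    """Parse whitespace-separated 'ts src dst dport bytes' lines; skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def load_iocs(iocs):
    """Normalise single IPs and CIDR blocks into ip_network objects for containment tests."""
    return [ipaddress.ip_network(entry, strict=False) for entry in iocs]


def ioc_hits(flows, networks):
    """Return {src: {dst, ...}} for flows whose destination falls inside a known-bad range."""
    hits = defaultdict(set)
    for flow in flows:
        dst = ipaddress.ip_address(flow["dst"])
        if any(dst in net for net in networks):
            hits[flow["src"]].add(flow["dst"])
    return dict(hits)


def beacon_candidates(flows, min_events=4, max_cv=0.2):
    """Return {(src, dst): mean_gap_seconds} for pairs with suspiciously regular timing.

    A pair qualifies when it has at least min_events connections and the
    coefficient of variation (stdev / mean) of the inter-connection gaps is
    at or below max_cv. Real C2 adds jitter, so the threshold is a tunable assumption.
    """
    by_pair = defaultdict(list)
    for flow in flows:
        by_pair[(flow["src"], flow["dst"])].append(flow["ts"])
    candidates = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            candidates[pair] = round(avg)
    return candidates


def triage(text, iocs=KNOWN_BAD_IOCS):
    """Combine both signals into {src: [reason, ...]} for an analyst to review."""
    flows = parse_flows(text)
    reasons = defaultdict(list)
    for src, dsts in ioc_hits(flows, load_iocs(iocs)).items():
        for dst in sorted(dsts):
            reasons[src].append(f"outbound to known-bad {dst}")
    for (src, dst), gap in beacon_candidates(flows).items():
        reasons[src].append(f"beacon-like traffic to {dst} every ~{gap}s")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in sorted(triage(SAMPLE_FLOWS).items()):
        print(host, "->", "; ".join(why))
```

On the constructed sample, 10.0.5.21 is flagged by both signals, 10.0.5.33 only by the indicator match (a single connection is not enough to judge timing), and 10.0.6.2 only by the timing check, which is exactly the case an intel-only lookup misses. The same join works against a SIEM export, provided the firewall actually logs outbound flows, the gap Broome says is commonly overlooked.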
Smith is also a big proponent of network segmentation of IT systems and digital devices. He notes that even a camera is a potential botnet exploit.
“A big target for botnets are these Internet of Things devices,” he said. “They can be very insecure, and they're very easy to plug into and to just forget about. They come with default, hard-coded passwords on them at times, so I would advise our customers to take those super high-risk devices and actually segment them off of their network. If they do get breached, it doesn't give the threat actors very far to roam in your network. They'll be stuck on a very secluded little area and they can't run wild and take over an entire network.”
Bot Bounty Program Offered
DataDome, a provider of AI-powered online fraud and bot management, recently invited the public and greater cybersecurity community to participate in its Bot Bounty Program. Offered in partnership with ethical hacking platform YesWeHack, the initiative incentivizes external researchers to rigorously test DataDome's protection in order to identify any potential vulnerabilities.
In this technical challenge, participants are encouraged to implement a scraping bot to scrape as much content as possible from two dedicated websites without being blocked by DataDome's solution. Rewards are based on various reporting scenarios.
"This expanded program is not just a challenge to external researchers, it is a testament to our belief that collaboration and transparency are key components in the ongoing battle against fraudsters," said Gilles Walbrou, chief technology officer at DataDome. "While our solution is challenged every second by fraudsters targeting our customers worldwide, we look forward to the brightest minds adding their own challenges and collectively raising the bar for online protection."
There are many more bug bounty programs. HackerOne maintains a directory of currently active programs.