Insight from DEF CON: Are You Prepared for the Next Generation of Botnets?

Written by: Michael Unsworth, CISSP, CISA, QSA, PCIP

The focus of multiple presentations at this year’s DEF CON hacking conference was that nothing with a microprocessor is safe from attackers. As more devices become reachable from the Internet, they become a bigger target for attackers. One DEF CON session in particular highlighted this growing risk. More and more devices such as internet protocol (“IP”) cameras and digital video recording (“DVR”) tools are being connected to the internet. These devices can be used by botnets such as Mirai to carry out distributed denial of service (“DDoS”) attacks against your organization with devastating results. These DDoS attacks can bring down your network, prevent customers from accessing your websites or potentially shut down your IP phone system.

Additionally, botnets like Mirai spread by commanding an infected device to scan until it finds other devices that are unsecured or using default credentials. Once the infected device gains access to another device, it infects that device, which in turn continues the cycle of scanning for others to compromise. Your organization can quickly become both a victim and a resource for attacking other organizations.

Though many organizations typically have sufficient defenses on their perimeter to prevent rudimentary attacks such as these from reaching their internal network, hackers are using phishing attacks and malicious webpages to break through these perimeters and infect employee workstations, laptops and smartphones. Once the internal network is infiltrated, the already-infected devices continue searching for weaknesses in other devices on the network to compromise. This is significant because attackers are changing how they carry out attacks on internal networks, relying on far fewer resources while causing more damage.

The malware currently used to target cameras and DVR systems could, with some slight modifications, also be used by attackers against common business hardware such as printers and scanners. With the ability to target a large share of an organization’s networked devices, attackers are then able to build much larger botnets than they have before. This allows them to carry out more impactful attacks against external targets, and also allows hackers to hold hostage any organization they have infected.

Not only does the scanning performed by infected devices serve to continue spreading malware, it also consumes valuable network bandwidth. When these devices are performing an attack on a target, they consume even more, leaving the infected organization’s network significantly slowed or even unusable. Even worse is if the devices are directed at a target on the organization’s own network: using the same attacks currently performed against perimeter devices, a hacker could very quickly crash an entire network. Researchers expect hackers to use this approach in a manner similar to ransomware, holding the bandwidth of an organization’s internal network hostage until their desired ransom is paid.

What can you do to mitigate the risk of your institution becoming a victim of these new threats? Harden your internal networks. Your goals should be to prevent botnets from spreading, to restrict the flow of traffic, and to prevent malware from communicating back to the command and control server from which it receives instructions. One method of doing this is network segmentation, which isolates devices on the internal network so that each communicates with as few other devices as necessary. Storm control or other similar measures should also be considered. These restrict the bandwidth that can be consumed during an attack and help keep the network up and running. You should also restrict the protocols that are allowed to communicate out to the internet, because this prevents malware from receiving instructions from the command and control server, so that attacks can’t be initiated.
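The two behaviours described above, an infected device fanning out to many internal neighbours and malware reaching out to a command and control server on a protocol the business does not need, both leave a footprint in flow or firewall logs. The script below is an added example, not part of the original article: it reads constructed flow records and flags internal hosts that contact many distinct internal targets (scanning) and internal hosts that reach the internet on ports outside an assumed egress allowlist. The log format, the 10.0.0.0/8 internal range, the allowlist and the threshold are all assumptions chosen for illustration.

```python
# Added example (not from the article): flag Mirai-style lateral scanning and
# disallowed egress in flow records. Log format, ranges and the allowlist are
# constructed assumptions.
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")      # assumed internal range
EGRESS_ALLOWED_PORTS = {80, 443, 53}    # assumed egress allowlist
FANOUT_THRESHOLD = 5                    # distinct internal targets per source

# Constructed flow records: "src dst dport"
SAMPLE_FLOWS = """\
10.0.1.20 10.0.1.21 23
10.0.1.20 10.0.1.22 23
10.0.1.20 10.0.1.23 23
10.0.1.20 10.0.1.24 23
10.0.1.20 10.0.1.25 23
10.0.1.20 198.51.100.7 9999
10.0.2.5 10.0.2.6 445
10.0.2.5 203.0.113.9 443
""".splitlines()

def parse_flows(lines):
    """Turn 'src dst dport' lines into (ip, ip, int) tuples."""
    return [(ip_address(s), ip_address(d), int(p))
            for s, d, p in (line.split() for line in lines)]

def detect_scanners(flows, threshold=FANOUT_THRESHOLD):
    """Internal sources touching many distinct internal hosts: lateral scanning."""
    targets = defaultdict(set)
    for src, dst, _ in flows:
        if src in INTERNAL and dst in INTERNAL:
            targets[src].add(dst)
    return sorted(str(s) for s, t in targets.items() if len(t) >= threshold)

def detect_disallowed_egress(flows, allowed=EGRESS_ALLOWED_PORTS):
    """Internal hosts reaching the internet on non-allowlisted ports: possible C2."""
    return sorted({(str(s), str(d), p) for s, d, p in flows
                   if s in INTERNAL and d not in INTERNAL and p not in allowed})

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("scanning hosts:", detect_scanners(flows))
    print("disallowed egress:", detect_disallowed_egress(flows))
```

The same two checks, phrased as firewall policy rather than detection, are the segmentation and egress-protocol restrictions the paragraph recommends; running them against logs shows where those controls are missing or being tested.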

If you have questions on your institution’s security posture and would like an evaluation, contact Michael Unsworth, CISSP, CISA, QSA, PCIP, IT Assurance Senior Consultant, at 617-933-3372 or munsworth@wolfandco.com

For more insight from DEF CON, check out our article How Safe is Your Active Directory?