Top U.S. cyber-security strategists are considering a move to adopt an emerging set of best practices aimed at helping ISPs better address the issue of pervasive botnets operating across their customer networks.
This is just the sort of proactive approach that needs to be put into action if infrastructure providers and regulators hope to significantly weaken the hordes of zombie networks currently encircling the globe.
As those who closely follow the world of IT security know all too well, botnets have evolved to become the de facto underground infrastructure that supports cybercriminal activities ranging from DDoS campaigns and malware distribution to so-called hacktivism – another name for politically driven cyber-attacks.
One of the reasons for this ubiquitous use of botnet infrastructure, of course, is that by employing these networks of infected devices – owned by otherwise innocent bystanders – cybercriminals have been able to make it ever harder for lawmakers and law enforcement agencies to find and prosecute assailants for their nefarious actions.
And while ISPs have long recognized the botnet issue in their midst and sought methods for identifying and staving off the attacks before they can proliferate across their networks and infect customers, clearly these efforts have not had any substantial effect in stamping out the problem in the long term.
Consider that leading industry experts have said in recent days that the botnet style of attack remains “remarkably resilient” as an entry point into corporate systems – and that it will likely become even more ubiquitous as enterprises further embrace technologies including cloud-based services, virtualization and social networks.
At Gartner’s annual Security and Risk Management Summit here in Washington two weeks ago, longtime security industry guru John Pescatore told the assembled crowd that for the next two years we’ll continue to see botnets as the primary mechanism used to deliver “the most damaging attacks” we will see.
Meanwhile, researchers at Georgia Tech’s Information Security Center (GTISC) reported this week that the Kraken botnet – a notorious iteration of the breed that once commanded at least 650,000 infected machines, and subsequently became the focus of aggressive anti-botnet efforts across the security community – has once again begun to regroup itself, growing back to over 318,000 machines.
As it stands we’ve known quite a bit about botnets for many years now, and ISPs have been a focal point for intervention based on their view into larger network behavior, but the reality is that we’re still losing this fight.
Addressing the Problem ISP-Up, from Down Under
Australia hasn’t frequently been called out on the global stage as a world-renowned center for IT security innovation, but in the arena of stamping out botnets – and working with the ISP community to do so – our friends down under have recently made some interesting strides.
Namely, the Australian Internet Industry Association (IIA), along with some influential partners, has created an extensive “e-security code of conduct” which lays out a specific set of best practices for ISPs to follow to help themselves, and the broader community, identify and choke off ongoing botnet attacks while they attempt to proliferate.
A more complete summary of the practices is outlined here, but the program is aimed primarily at arming ISPs and end users with a standardized information resource regarding botnet activity, and a method of reporting ongoing attacks, to help speed and lend consistency to information sharing.
As an added benefit for meeting the program’s guidelines, ISPs that comply with the code, which goes into effect in Australia Dec. 1, earn the right to publicly display a “trustmark” that indicates to customers that they are making their best effort to comply with the higher standards.
And while many onlookers will certainly observe that this level of information sharing is merely a band-aid for a problem that actually requires reconstructive surgery, I’d point to the growing use of similar standards – including the adoption of CVE data in the world of vulnerability reporting – as evidence that adoption of such standards can have a very positive effect. In the government sphere we often talk about improving situational awareness to respond to cyber-threats, and this is just the sort of effort that concept applies to.
The long story short is this: targeting botnet command and control nodes is absolutely critical to disrupting the current ecosystem of the cybercrime shadow economy. We must civilize cyberspace. Governments must help influential constituencies such as ISPs help themselves, and must also do more to actively regulate the alternative payment channels that serve as the money laundry for the cybercrime industry.
Ultimately, the current prevalence of truly pervasive botnets and the further commoditization of compromised devices reflect the burgeoning economy of scale that currently exists within the cybercrime community.
ISPs need many new tactics for choking off this problem, but the adoption of Australia’s e-security code of conduct can be a key step in moving U.S. policies in the right direction.
--Tom Kellermann, Vice President of Security Awareness