We talk a lot with our clients about the importance of due care and due diligence in compliance and risk management. To perform proper due diligence, it’s important to understand the nature of the attacks directed against your infrastructure, the motivation behind them, and what steps are reasonable to detect and prevent them.
One commonly misunderstood point about the criminal element in cyber-attacks is the actual motivation. Sometimes the point of a coordinated attack on a company isn’t to steal documents or financials; the point may be to borrow or commandeer all of your expensive hardware.
Stealthy worms and trojans that traverse well-traveled ports give attackers the perfect opportunity and backdoor to compromise endpoints and use their processing power and bandwidth to attack another network. I have seen many environments where malware resides on a few key machines and, with careful and coordinated effort, an attacker can gain the ability to execute commands that make the entire infrastructure behave as a botnet. A botnet (robot network) is an automated network of compromised machines whose network addresses and processing capacity are used to execute commands scripted by a malicious hacker.
These are not the Bots you’re Looking for…
Your network, consisting of tens or hundreds of thousands of dollars worth of equipment, may be the perfect tool a hacker needs to carry out a successful attack. A botnet can be commanded to attack and compromise other hosts, and the coordinated attack is dictated by a “botmaster” or “bot herder”. The attacker remotely commands and controls these compromised computers over standards-based network protocols such as SMTP, IRC, and HTTP. Typically the stealthy malware that joins a machine to the botnet encrypts its traffic to the control server, which makes those communications much harder for network intrusion detection systems to flag and much harder for you to see the true nature of the traffic between your compromised machines and the control center. This matters because an infrastructure with many computers and a lot of networking equipment can be devastating to a victim machine in a surprise attack. If a botnet combines the forces of multiple infrastructures and focuses all of their egress traffic on one target address, the victim machine attempts to respond to each and every request until the switch, router, or server is so overloaded that it simply stops working.
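Because the control channel is usually encrypted, the practical place to look for the two behaviours described above is flow metadata rather than packet payload. The script below is an added example, not code from the original post or from any product: it reads constructed NetFlow-style records (epoch time, source IP, destination IP, destination port, bytes), flags external destinations that many internal hosts suddenly push traffic to (the coordinated-flood pattern), and flags source/destination/port triples that connect at near-constant intervals (the check-in, or beaconing, pattern of malware talking to its control server). The internal address range and the sample log lines are assumptions made for the example.

```python
"""Flow-metadata heuristics for botnet behaviour, working without payload inspection.

Added example; input is a constructed NetFlow-like line:
"<epoch_seconds> <src_ip> <dst_ip> <dst_port> <bytes>".
"""
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress

# Assumption: the organisation's own address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample records: one host beaconing to a control server every ~60 s,
# three hosts hitting one external address at the same moment, some normal traffic,
# an internal-only flow, and one malformed line.
SAMPLE_LOG = [
    "1700000000 10.0.0.5 203.0.113.7 443 512",
    "1700000060 10.0.0.5 203.0.113.7 443 498",
    "1700000121 10.0.0.5 203.0.113.7 443 505",
    "1700000180 10.0.0.5 203.0.113.7 443 511",
    "1700000240 10.0.0.5 203.0.113.7 443 500",
    "1700000300 10.0.0.11 198.51.100.9 80 65000",
    "1700000300 10.0.0.12 198.51.100.9 80 64000",
    "1700000301 10.0.0.13 198.51.100.9 80 66000",
    "1700000005 10.0.0.20 192.0.2.10 443 2048",
    "1700000100 10.0.0.20 192.0.2.10 443 4096",
    "1700000900 10.0.0.20 192.0.2.10 443 1024",
    "1700000910 10.0.0.20 192.0.2.10 443 3072",
    "1700000050 10.0.0.11 10.0.0.1 53 90",
    "this line is malformed",
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(lines):
    """Parse flow lines into (ts, src, dst, dport, bytes); skip records that do not fit."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, nbytes = parts
        try:
            flows.append((int(ts), src, dst, int(dport), int(nbytes)))
        except ValueError:
            continue
    return flows


def find_egress_concentration(flows, min_sources=3):
    """External destinations contacted by at least min_sources distinct internal hosts.

    Returns {dst_ip: number_of_internal_sources}; the fan-in of an outbound flood.
    """
    sources = defaultdict(set)
    for _, src, dst, _, _ in flows:
        if is_internal(src) and not is_internal(dst):
            sources[dst].add(src)
    return {dst: len(s) for dst, s in sources.items() if len(s) >= min_sources}


def find_beacons(flows, min_count=4, max_jitter=0.2):
    """(src, dst, port) triples whose connection intervals are nearly constant.

    Jitter is the coefficient of variation of the gaps between connections; a value
    at or below max_jitter with at least min_count connections is reported, with the
    mean interval in seconds. Returns {(src, dst, dport): interval_seconds}.
    """
    times = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst, dport)].append(ts)
    beacons = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_count:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg)
    return beacons


def analyze(lines):
    flows = parse_flows(lines)
    return {
        "egress_concentration": find_egress_concentration(flows),
        "beacons": find_beacons(flows),
    }


if __name__ == "__main__":
    for finding, detail in analyze(SAMPLE_LOG).items():
        print(finding, detail)
```

Both heuristics survive encryption of the control channel because they never look at payload. Thresholds are deliberately conservative here; in a real deployment they are tuned against a baseline of the network's own traffic, and the beacon check should exclude known-periodic services (update checks, monitoring agents) to keep the false-positive rate workable.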
Due diligence is the key to mitigating risk and reducing liability. If there is gross negligence in terms of security measures, the victim may legally be able to seek compensation for loss of equipment and productivity. Mass spam mailing from a compromised network can cause domain blacklisting and lead to delivery failures of legitimate business communications. The repercussions can include not only financial losses but damage to reputation and brand name.