Winning the war against bots


Once regarded as a benevolent agent that gathered information for search engines, the lowly "bot" has evolved into something that can be an agent of malicious intent. Today, bots come in many different forms, sometimes harmless, sometimes beneficial, but more often than not festering with malicious intent and backed by sophisticated botnets.

The harm caused by bots can range from the mildly annoying (email harvesting for spam distribution) to the seriously concerning (website scrapers that steal website content) to the downright alarming (distributed denial of service attacks), meaning that the threats posed by unmanaged bots far outweigh any benefits.

With that in mind, it is easy to see why organizations need a plan for dealing with bots: a methodology that lets harmless bots perform their master's bidding while keeping malicious bots from achieving their nefarious goals. In theory that sounds like an easy task, but the truth is much more insidious: malicious bots can mask themselves and hide within normal internet traffic, making detection difficult, if not impossible, before the damage is done.

Nonetheless, IT professionals should never throw their hands up in despair and yield victory to ever more sophisticated bot-based attacks. There are methods, technologies and best practices that can take the teeth out of a bot and send those bots scampering for the hills.

From a best-practices standpoint, dealing with bots is relatively straightforward, consisting of three primary goals:

  • Prevent bot infections: Arguably, the most important security control for preventing bots from infecting systems is deploying anti-malware software. While many consider this the first line of defense, relying on anti-malware alone often proves too little, too late. Prevention takes more than anti-malware controls; it also means taking the prophylactic approach of keeping systems and applications patched and keeping the appropriate security policies enforced. What's more, other preventive technologies should be leveraged, such as intrusion prevention systems, firewalls, content filtering and inspection technologies (spam filtering and web content filtering, for example), and application whitelisting.

  • Identify bot infections: If a bot gets through the prevention systems, and odds are some will, finding compromised systems becomes a critical practice. Many of the tools used for stopping malware can help determine which systems are infected. However, most anti-malware packages are designed to deal with known attacks, meaning that additional technology may be needed, specifically network behavior analysis (NBA) systems that can identify unusual network traffic patterns, such as those produced by bots attacking other computers. If some computers have been turned into bots, an NBA system may be quite effective at identifying the activity on the network and, in turn, identifying which systems are affected.

  • Remediate: Infected systems must be isolated immediately, which may mean physically removing those systems from the network to prevent the spread of the botnet infection. Once isolated, the next logical step is to clean the infected system using anti-malware tools. However, it is increasingly common that such tools are unable to uninstall or otherwise remove malware from computers. For example, if the bot gained administrator-level access, it may be almost impossible to "cure" the infection, meaning that the system should be restored from the latest "clean" backup. If a computer is not properly cleaned up after an infection, it is very likely to be re-infected and become part of another botnet.
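The "identify" step above leans on network behavior analysis: spotting hosts whose traffic pattern looks like a bot rather than a user. The following is an added example, not code from the article or from any NBA product, of two such checks run over constructed flow records: a fan-out check (one host reaching many distinct destinations on one port within a short window, the shape of a bot scanning or attacking other machines) and a beaconing check (evenly spaced connections to a single destination, the shape of command-and-control check-ins). The flow records, IP addresses and thresholds are all constructed for illustration.

```python
"""Toy network-behaviour-analysis pass over outbound flow records.

Added example; the thresholds below are illustrative, not tuned values.
A real NBA system baselines each host first and alerts on deviation, but
the two detectors here show the core idea.
"""
from collections import defaultdict
from statistics import mean, pstdev

FANOUT_THRESHOLD = 20      # distinct destinations on one port inside one window
WINDOW = 60                # seconds
BEACON_MIN_SAMPLES = 5     # connections needed before judging regularity
BEACON_MAX_JITTER = 0.1    # pstdev / mean of inter-connection gaps

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port)
FLOWS = [
    # 10.0.0.5: ordinary browsing, a few destinations at irregular times
    (0, "10.0.0.5", "93.184.216.34", 443),
    (37, "10.0.0.5", "151.101.1.69", 443),
    (120, "10.0.0.5", "93.184.216.34", 443),
    (410, "10.0.0.5", "104.16.0.1", 80),
]
# 10.0.0.7: forty different hosts on port 445 within forty seconds
FLOWS += [(i, "10.0.0.7", f"192.0.2.{i}", 445) for i in range(1, 41)]
# 10.0.0.9: the same destination every 60 seconds, on the dot
FLOWS += [(t, "10.0.0.9", "198.51.100.20", 8080) for t in range(0, 600, 60)]


def fan_out_offenders(flows, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src_ip: max distinct destinations seen on one port in a window}."""
    by_src_port = defaultdict(list)
    for ts, src, dst, port in flows:
        by_src_port[(src, port)].append((ts, dst))
    offenders = {}
    for (src, _port), events in by_src_port.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):           # sliding window over time
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = {dst for _, dst in events[lo:hi + 1]}
            if len(distinct) >= threshold:
                offenders[src] = max(offenders.get(src, 0), len(distinct))
    return offenders


def beacon_offenders(flows, min_samples=BEACON_MIN_SAMPLES,
                     max_jitter=BEACON_MAX_JITTER):
    """Return {src_ip: (dst_ip, port, mean_gap)} for evenly spaced connections."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    offenders = {}
    for (src, dst, port), stamps in by_pair.items():
        if len(stamps) < min_samples:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = float(mean(gaps))
        if avg == 0:                             # bursts are not beacons
            continue
        if pstdev(gaps) / avg <= max_jitter:
            offenders[src] = (dst, port, avg)
    return offenders


def analyze(flows):
    """Combine both detectors into {src_ip: [reason, ...]}."""
    findings = defaultdict(list)
    for src, n in fan_out_offenders(flows).items():
        findings[src].append(f"fan-out: {n} distinct destinations within {WINDOW}s")
    for src, (dst, port, gap) in beacon_offenders(flows).items():
        findings[src].append(f"beaconing: {dst}:{port} every {gap:.0f}s")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in analyze(FLOWS).items():
        print(host, "->", "; ".join(reasons))
```

Running it reports 10.0.0.7 for fan-out and 10.0.0.9 for beaconing, while the browsing host 10.0.0.5 stays quiet. Fan-out and beaconing are only two of many signals; the point is that they come from traffic shape, not from a malware signature, which is why an NBA system can catch a bot the anti-malware package has never seen.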

Leveraging the power of the cloud

Interestingly, the very element that gave birth to the botnet and its bots can also be the primary tool for stopping them. That element, commonly called the cloud, has given rise to a multitude of cloud-based solutions that can secure systems from attack beyond what any premises-based device or technology can, or at least that is what the latest crop of SaaS purveyors are starting to claim.

In the war against bots, one startup in particular is taking on the challenge of bot protection from a SaaS point of view. Arlington, VA-based Distil Networks offers a service geared towards preventing bots from ever entering an organization's network.

Simply put, Distil uses a constantly updated bot-tracking database that identifies bots based on fingerprinting and other tell-tale indicators. In essence, Distil's SaaS offering can identify bots and prevent them from entering a client's network.

In a nutshell, Distil's service monitors and filters traffic at the network level by acting as a proxy between an organization's network edge and the internet. The company also offers a solution that can be installed on site behind the corporate firewall.
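To make the proxy-and-fingerprint idea concrete, here is an added example that is not Distil's code and does not reproduce its database; it only shows the kind of per-request checks an edge proxy can apply before a request reaches the origin. It combines a small signature list of user-agent strings (constructed), a check for headers that real browsers always send, a honeypot path that only crawlers following hidden links would request (an assumed site convention), and a per-client request-rate limit, then turns the score into an allow, challenge or block verdict. All requests, addresses and thresholds are constructed for illustration.

```python
"""Toy proxy-side bot classifier.

Added example. A production service would back the signature list with a
continuously updated database and add client-side fingerprinting; this
version keeps everything in memory so it runs offline.
"""
from collections import defaultdict, deque

BAD_UA_SUBSTRINGS = ("python-requests", "curl/", "scrapy", "masscan")  # constructed
HONEYPOT_PATHS = {"/trap/do-not-follow"}   # assumed: linked only from hidden HTML
RATE_WINDOW = 10                            # seconds
RATE_LIMIT = 30                             # requests per client per window
BLOCK_SCORE = 3
CHALLENGE_SCORE = 2


class BotFilter:
    def __init__(self):
        self._recent = defaultdict(deque)   # client ip -> timestamps in window

    def _rate(self, ip, ts):
        """Record one request and return this client's count in the window."""
        q = self._recent[ip]
        q.append(ts)
        while q and ts - q[0] > RATE_WINDOW:
            q.popleft()
        return len(q)

    def classify(self, req):
        """req: dict with ts, ip, method, path, headers (lower-case keys).

        Returns (verdict, reasons); verdict is 'allow', 'challenge' or 'block'.
        """
        h = req["headers"]
        ua = h.get("user-agent", "")
        score, reasons = 0, []
        if not ua:
            score += 2
            reasons.append("empty user-agent")
        elif any(s in ua.lower() for s in BAD_UA_SUBSTRINGS):
            score += 3
            reasons.append("user-agent matches bot signature")
        if "accept" not in h or "accept-language" not in h:
            score += 1
            reasons.append("browser headers missing")
        if req["path"] in HONEYPOT_PATHS:
            score += 3
            reasons.append("honeypot path requested")
        rate = self._rate(req["ip"], req["ts"])
        if rate > RATE_LIMIT:
            score += 2
            reasons.append(f"rate {rate} per {RATE_WINDOW}s exceeds limit")
        if score >= BLOCK_SCORE:
            verdict = "block"
        elif score >= CHALLENGE_SCORE:
            verdict = "challenge"
        else:
            verdict = "allow"
        return verdict, reasons


def demo():
    """Classify three constructed clients and return their verdicts."""
    f = BotFilter()
    browser = {"ts": 0, "ip": "203.0.113.10", "method": "GET", "path": "/",
               "headers": {"user-agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0",
                           "accept": "text/html", "accept-language": "en-US"}}
    scraper = {"ts": 0, "ip": "203.0.113.20", "method": "GET", "path": "/products",
               "headers": {"user-agent": "python-requests/2.4.0"}}
    results = {"browser": f.classify(browser)[0],
               "scraper": f.classify(scraper)[0]}
    # A client with perfect browser headers that hammers the site still
    # trips the rate check and is sent a challenge rather than a hard block.
    verdict = "allow"
    for i in range(RATE_LIMIT + 1):
        verdict, _ = f.classify({**browser, "ip": "203.0.113.30", "ts": i * 0.1})
    results["flood"] = verdict
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The scoring is deliberately layered: a single weak signal (one missing header) only raises suspicion, while a strong one (a honeypot hit) is decisive on its own, and the challenge tier gives a legitimate but aggressive client a way to prove itself rather than being dropped outright. That is the same allow-the-harmless, stop-the-malicious balance the article sets as the goal.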

Nevertheless, the SaaS model offers some interesting capabilities, such as instant deployment, constant updating and extended features, including click-fraud prevention, website-scraping prevention and DDoS mitigation.