Botnets are inundating inboxes with malware-laden spam, and they show no sign of slowing. One network security professional outlines his company's efforts to stay on top of the threat.

A report released earlier this year by Panda Security reveals just how sophisticated the business of cyber crime has become. Among its findings: botnets are now available as a service for criminals to rent and launch spam attacks, with prices that start as low as $15 for the rental of an SMTP server.

Botnets, networks of infected computers controlled by a master bot to send out spam, spread viruses and launch attacks, are responsible for as much as 85 percent of all email spam, according to many estimates. While efforts by some security groups to stop them have been successful, botnets continue to be the attack vector of choice for criminals, making botnet detection and evasion an increasingly crucial part of the security program in many organizations.

So what does an effective strategy look like? CSO spoke with Todd Ferguson, a network security manager at Raymond James Financial, a financial services holding company with subsidiaries engaged in investment, financial planning, investment banking and asset management. According to Ferguson, fighting botnets is like shooting at a moving target — and there is no clear way to know if you’re winning.

CSO: What would you say the threat landscape is like now in terms of botnets?

Ferguson: In my organization, we have a unique situation in that we have both independent and employee advisor models. In the case of our independent financial advisors, they are responsible for their own computing systems, networks, etc.
The botnet issue is far more prevalent today than just for corporate users and financial advisors. It really transcends all users. It applies to clients, associates and independent contractors alike. Everyone is potentially at risk today. Botnets are not picky about who they target. Any user can be attacked and become a member of a botnet unwillingly. There are challenges to deal with once one of these devices is located, which includes cleaning and assessing the potential damage.

CSO: How do you locate a compromised device?

Ferguson: We are big believers in the layered security methodology. We don’t rely on any one technology or intelligence source. We use a mixture, as well as our own internal monitoring. We are using the Damballa Failsafe component to monitor network traffic to identify potentially compromised machines through network behavior and intelligence applied. We also use conventional antivirus, IDS, IPS and some proprietary monitoring.

It’s a combination of technologies and leveraging intelligence. There is no one silver bullet out there. Everyone has been struggling with the velocity of malware in the past few years. The landscape has changed quite a bit and we’ve been looking at some emerging technologies, such as Damballa. Internally, we refer to it as an alternative malware identification technique. It’s all about finding an indicator of compromise. We know that the antivirus vendors have struggled to keep up with the velocity of the malware, so we’re looking at other services that can give us indicators of possible compromise. Once we see an indicator, we can intervene before it gets too far down the line.

CSO: How have things changed with regard to this threat in recent years?

Ferguson: One of the issues around the malware threat today, and the botnet threat specifically, is that in general creators of malware are no longer seeking notoriety. They’re doing it for financial gain. Malware is centered around profit and it will interact with anyone.
Once it connects to a device it will communicate with someone to either steal data or take other actions. So we’re always concerned around loss of data or credentials that could be used to commit fraud. I can’t give you exact numbers on how much the threat has grown in recent years, but I can tell you it’s exploded. You don’t have to be technically proficient to write malware anymore. You can pay someone to do it as a service. You can easily find kits that will build malware, and you can even choose what you want it to do. We are to the point now where some of these kits and malware authors even offer support for their product.

CSO: Does part of your strategy also include an awareness campaign among employees?

Ferguson: Awareness is critical. One of my colleagues is dedicated to educating our associates and advisors through articles published internally, conferences, educational classes, and our annual attestation for policy review. We offer resources through our e-learning campus, and we initiate awareness campaigns if we see a threat or an emerging threat.

The attackers continue to target the same vectors, such as e-mail campaigns luring users to click on links within e-mails. We still see a lot of that, as do many other organizations.

CSO: How do you measure success?

Ferguson: It’s a constant challenge. Success is a moving target, because the threats are ever changing. The landscape is not what it was a year ago, even two years ago, but we believe we are managing to stay ahead of the curve.