Slow Day? Stop a Bot or Zombie

Dec 27, 2006
Data and Information Security | Physical Security

Back on Election Day, our network security team received a small, but unexpected, early “holiday gift.” Since most people were off on a government holiday, network traffic was slow. Several members of the team were in, monitoring traffic and looking for anything unusual that could disrupt the Michigan election. While the election and its associated computer systems ran without a hitch, our team found over a dozen “suspicious” computers. Without going into the details, I can say that our IDS, IPS, and other security tools were much more effective at finding the “bad actors” that day.

If you want to know more about bots and the potential damage that they can do, you can go to this Computerworld article or Google botnets.

What did we do? Nothing unusual: open an incident, block the IP traffic and/or ports, and have the PCs checked, cleaned and/or rebuilt. Thankfully, no sensitive information was lost.

The interesting thing was that this “one off” situation (in terms of network traffic levels) appeared to be different from normal weekends or other off-hour periods. We suspect that more people simply left their computers on for that day, whereas they turn them off for the weekend.
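The effect the post describes is a signal-to-noise one: with most users away, the steady check-in traffic of an infected PC is no longer buried under ordinary browsing. The script below is an added example, not code from the original post or from Michigan's tooling, and it shows one way a defender can surface that pattern from flow records. It assumes a simple tuple-per-connection record format, and every host name, IP address (from the RFC 5737 documentation ranges) and timestamp in it is constructed for illustration.

```python
"""Find hosts that connect to the same destination at regular intervals
(bot "check-in" beaconing) in connection-log records.

Added example; not part of the original post.  The record format
(epoch_seconds, src_host, dst_ip, dst_port) is an assumption chosen for
the example, and all sample data is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed quiet-day sample.  "pc-17" checks in with one external
# address roughly every 300 seconds; the other hosts show the irregular
# traffic a few logged-in users would generate.
CONSTRUCTED_FLOWS = [
    (0,    "pc-17", "203.0.113.9",   6667),
    (301,  "pc-17", "203.0.113.9",   6667),
    (598,  "pc-17", "203.0.113.9",   6667),
    (902,  "pc-17", "203.0.113.9",   6667),
    (1199, "pc-17", "203.0.113.9",   6667),
    (40,   "pc-03", "198.51.100.5",  443),
    (55,   "pc-03", "198.51.100.7",  443),
    (710,  "pc-03", "198.51.100.5",  443),
    (1150, "pc-03", "198.51.100.22", 80),
    (12,   "pc-08", "198.51.100.5",  443),
    (900,  "pc-08", "198.51.100.40", 443),
]


def find_beacons(flows, min_events=4, max_cv=0.10):
    """Return (src_host, dst_ip, dst_port, period_seconds) for every
    source/destination/port triple whose connection intervals are regular
    enough to look like an automated check-in.

    min_events: how many connections are needed before the timing is judged.
    max_cv:     maximum coefficient of variation (stdev / mean) of the gaps
                between connections; smaller means stricter.  Real bots add
                jitter, so this is a tunable, not a constant.
    """
    timestamps_by_triple = defaultdict(list)
    for ts, src, dst, port in flows:
        timestamps_by_triple[(src, dst, port)].append(ts)

    beacons = []
    for (src, dst, port), stamps in timestamps_by_triple.items():
        if len(stamps) < min_events:
            continue                      # too few samples to call it periodic
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue                      # duplicate timestamps; not a period
        if pstdev(gaps) / avg_gap <= max_cv:
            beacons.append((src, dst, port, round(avg_gap)))
    return beacons


def hosts_to_investigate(flows, **kwargs):
    """Map each beaconing source host to its (dst_ip, dst_port, period)
    findings, which is the list an analyst would open an incident on."""
    findings = defaultdict(list)
    for src, dst, port, period in find_beacons(flows, **kwargs):
        findings[src].append((dst, port, period))
    return dict(findings)


if __name__ == "__main__":
    for host, hits in hosts_to_investigate(CONSTRUCTED_FLOWS).items():
        for dst, port, period in hits:
            print(f"{host}: {len(hits)} beacon(s); {dst}:{port} every ~{period}s")
```

On the constructed data the only periodic triple is pc-17 to 203.0.113.9:6667 with a period of about 300 seconds; the user-driven hosts never accumulate enough evenly spaced connections to qualify. Periodicity is the property worth keying on because, unlike raw volume, it does not shrink when the rest of the network goes quiet, which is why a quiet day is a good time to look for it rather than the only time it is visible.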

Slow days at the office are often the times when I clean up the stacks of papers on my desk or catch up by reading updates on important enterprise projects. Perhaps we should spend more of this holiday time watching for unusual patterns on our networks.

With over 50,000 PCs on Michigan State networks, this may not seem very significant, but stopping each bot or zombie helps. Of course, when you find bots, you should report them to US-CERT or your Information Sharing & Analysis Center (ISAC). We reported our findings to the MS-ISAC.

Obviously, this monitoring activity should be going on all the time, but some days yield more results than others. We all get busy, and many government shops are short-handed. I recommend taking slow days to go fishing (note the spelling) for bots and zombies. 

For more tips on stopping zombies and bots, see this article from IT Business Edge.


Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan State Government. Dan was named: "CSO of the Year," "Public Official of the Year," and a Computerworld "Premier 100 IT Leader." Dan is the co-author of the Wiley book, “Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions.” Dan Lohrmann joined Presidio in November 2021 as an advisory CISO supporting mainly public sector clients. He formerly served as the Chief Strategist and Chief Security Officer for Security Mentor, Inc. Dan started his career at the National Security Agency (NSA). He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US / UK military facility. Lohrmann is on the advisory board for four university information assurance (IA) programs, including Norwich University, University of Detroit Mercy (UDM), Valparaiso University and Walsh College. Earlier in his career he authored two books - Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD For You: The Guide to Bring Your Own Device to Work. Mr. Lohrmann holds a Master's Degree in Computer Science (CS) from Johns Hopkins University in Baltimore, Maryland, and a Bachelor's Degree in CS from Valparaiso University in Indiana.
