
What to do when Botnets Go Berserk

The threat posed by large-scale botnet assaults opens a new chapter in enterprise security

A killer botnet commandeers a zombie network of unsecured, everyday devices to bring the Internet to its knees, zapping billions of dollars in commerce and causing disruption to services across the globe.

It might sound like a scene from a bad sci-fi movie, but it’s not. The real-life villain in this real-life story is the Mirai large-scale botnet, which preyed upon unsecured Internet of Things (IoT) devices to set off a massive DDoS assault in late 2016. Mirai ensnared Dyn, a company that controls much of the Internet’s domain name system (DNS) infrastructure, which in turn disrupted service on popular websites like Twitter, PayPal, and Netflix. The mastermind behind Mirai was not a shadowy nation-state or big-time hacker. In this case, the culprits were three young computer geeks who stumbled into creating the most successful botnet to date as part of a scam to gain advantage in the world of Minecraft, a popular online computer game.

The high-profile attack is now in the rear-view mirror, but danger still abounds. With researchers predicting more than 8 billion IoT-connected “things”, a 31% spike over 2016, as we barrel towards 20.4 billion devices by 2020, security experts are girding for the prospect of similar IoT-inspired malware mutants.

It’s difficult to establish exactly how many Mirai-infected devices are in the field, but there are some data points. As detailed in the 2017 Symantec Internet Security Threat Report (ISTR), Incapsula research found close to 50,000 unique IPs hosting Mirai-infected devices attempting to launch attacks on its network, and Level 3 identified 493,000 Mirai zombies on its network. Symantec launched its own honeypot to track attempted attacks on IoT devices. It found strikes had almost doubled, and at the peak of Mirai’s activity, attacks were coming every two minutes.

Mirai mostly targeted consumer IoT devices like unsecured household routers and DVRs, along with CCTV cameras, as part of its botnet brigade. But experts say this kind of threat vector may also have serious ramifications for the enterprise. Without proper security measures, companies could unknowingly get swept up in a Mirai-induced DDoS attack or risk having their own IoT assets, including industrial control systems, attacked.

“Most corporations are not prepared to survive DDoS attacks that come from small devices,” said Vijay Sarvepali, information security architect in the CERT Division at Carnegie Mellon’s Software Engineering Institute. “Those that have done business resiliency planning properly will survive better than those that have not.”

Proactive Defense is the Best Defense

IoT devices are a prime target for botnet attacks like Mirai because, unlike enterprise laptops or desktop computers, which are safeguarded with multiple levels of robust security, there are typically minimal protections on this gear, perhaps a default user name and password at best. This class of IoT devices is also unlikely to receive automatic updates, which leaves the door open to vulnerabilities that don’t get patched.

Infected IoT devices could potentially provide an entrée to stealing personal data like user names and passwords, or become a stepping stone to attacking other devices on a network. As part of a DDoS attempt on DNS providers like Dyn, the botnet gains access to a broad spectrum of corporate servers, increasing disruption and raising the stakes for its targets.

Enterprises are less likely to end up becoming an active participant in a Mirai-inspired IoT botnet and DDoS attack and more likely to end up on the receiving end, at risk for service disruptions, according to Candid Wueest, principal threat researcher at Symantec. If a botnet starts sending garbage data to a web site or ecommerce platform in droves, Wueest noted that the site can be quickly overwhelmed with requests and break down, unable to service customers and partners.

“Attackers don’t need to break into a company in terms of finding a password or unpatched system somewhere—they’ll masquerade as users to get in and take the service down so users can’t make use of it,” Wueest said, adding that the attack puts companies at risk for downtime, lost revenue, and even supply chain disruptions.

Planning for DDoS attacks in advance, not when an attack is underway, is the best line of defense. IT organizations need to beef up architecture resources and map out a robust resiliency plan that includes locating servers in different data centers, and data centers on different networks, so there is no single point of failure, according to Rachel Kartch, analysis team lead at CMU’s SEI CERT Division.

In addition, organizations should have a response plan and recovery drill at the ready. Knowing who to call in the event of a problem is also important. “Have a black book you can follow—for example, limiting the amount of traffic in different countries, which might buy you time and help mitigate damage,” Wueest said.

There are also specialized outsourcing providers offering services that scale infrastructure to respond to DDoS attacks. Many of these providers offer scrubbing or filtering services that function like a firewall, blocking problematic traffic before it hits the network.

Nevertheless, as with most security threats, there is no single, foolproof solution for protecting against this new strain of IoT botnets gone berserk. As Wueest notes: “taking a layered approach to security is always the best defense.”

About the Author

Beth Stackpole

Journalist

Beth is a veteran journalist covering the intersection of business & technology for more than 20 years. She's written for most of the leading IT industry publications and web sites as well as produced custom content for a range of leading technology providers.
