What Are Practical Steps to Embrace the Messiness of Public-Private Collaboration in the Fight Against Botnets? (2023)

Since the start of the Russia-Ukraine War, Russia has sponsored several Distributed Denial of Service (DDoS) attacks against Ukrainian targets, including various attacks against government and financial entities. Botnets, which are networks of computers infected with malware that an attacker controls and uses to carry out malicious cyber activities, can be used to launch these DDoS attacks. States and criminals have used botnets to disrupt public and private services and institutions globally—the Mirai botnet, for example, took down major internet services along the East Coast of the United States in 2016. Botnets have also been used to gather valuable intelligence, spread disinformation, and inflict substantial financial losses on businesses throughout the world.

Those who leverage botnets—so-called “botmasters”—possess many advantages over their adversaries that make botnets a constant global challenge. Attribution, or identifying perpetrators, is notoriously difficult, and both states and criminals can develop and deploy botnets with relative technical ease and at low cost. Often, botnets are geographically distributed among many states that have lax security standards. The rapid deployment of internet of things (IoT) devices, such as cellphones and other smart devices, further contributes to creating an environment conducive to the ever-greater proliferation of botnets. The many advantages of botnets suggest we will likely see their increased use in the Russia-Ukraine War, as well as in future conflicts.

Artificial intelligence may make the risk of botnets even more acute. For example, AI can augment a botmaster's ability to infect vulnerable machines more efficiently and effectively. It can do this by creating better malware, as malware installation for botnets is often triggered by embedding or attaching infected code to spam email, compromised URLs, file sharing sites, and social media, to name a few. The development of more-sophisticated, AI-powered malware that is highly evasive and ever-more precise at targeting victims—much like IBM's “DeepLocker” class of malware—could put defenses farther behind. While it is unclear if such malware is “in the wild” at present, other automated approaches to botnet infection already exist, suggesting that the United States and its partners should not ignore such technologies, and ought to continue investing in technical defenses and responses (i.e., detection and mitigation).


There is also a nontechnical element that stands out in the fight against botnets: collaborative organizational networks. As indicated by extant policy and assessments, the entities that comprise the “counter botnet ecosystem”—including governments and private entities within industry and academia—must collaborate efficiently and effectively to address botnet threats. While federal agencies maintain formal roles and responsibilities to counter botnets, as well as other cyber threats, they often rely on organizational networks that include local and state governments, private entities, and international partners to implement and coordinate prevention through education and awareness, engage in detection and mitigation issues such as sharing best practices and technology, and support law enforcement activities. The Conficker Working Group is a commonly referenced example of a public-private collaborative network combating botnets. Another more-recent example is the disruption of the Russian-sponsored “Cyclops Blink” botnet. The United States and its partners must continue to foster and manage such networks; however, little practical guidance exists about how organizations within this ecosystem can better work together to fight this persistent threat.

Both governmental agencies and private industry should invest more time and resources into developing a systematic understanding of their own networks. At a minimum, this approach should include establishing organizational policies and allocating resources toward regularly capturing data about botnet-related interactions with other organizations, such as the development of formal information-sharing agreements, and participation in conferences and working groups. Moreover, agencies and industry must embrace both the complexity, or messiness, and the dynamism of the counter botnet ecosystem.

Public and private entities should collect and analyze, using link and social network analysis (SNA), data about their own networks. One reason is that network data, especially when easily accessible and visualized effectively, can help decisionmakers obtain situational awareness of their networks. This approach can inform planning and coordinating both proactive and reactive activities against botnets. Specifically, such an approach can go beyond just supporting investigations and responses at national and field levels; it can help inform efforts to create new opportunities for collaboration, foster data and information sharing where limited, enhance feedback mechanisms through formalizing collaboration strategies, and empower public-private intermediaries and brokers.

Another reason to collect network data is to promote broader institutional knowledge related to botnets and efforts to counter them. This point is especially important for the federal government, which faces challenges with recruitment and retention of cyber professionals, and often relies heavily on private entities for relevant skill sets, both of which can obfuscate decisionmakers' situational awareness. Collecting and storing network data within ethical and legal boundaries can help preserve institutional knowledge, while also potentially preserving the social capital that would otherwise leave with departing employees.

But capturing and analyzing network data alone is not enough. In practice, network data often reflect a system at a single snapshot in time. One way to address this is for organizations to maintain a broader, more-dynamic view of their ecosystem by drawing from the field of complex adaptive systems (CAS). While no single definition of CAS exists, they are often described as highly interconnected systems in which higher-level patterns or behaviors emerge from interactions among adaptive components (e.g., organizations) rather than from centralized control. In other words, CAS self-organize.


The counter botnet ecosystem exhibits several of these same characteristics. It consists of many interconnected public and private organizations that generally operate in their own interests, without a system-wide centralized “controller”—though there might be a leading agency depending on the type of botnet attack, and its implications for national security. These entities within the counter botnet ecosystem act and react to one another, as well as to botnet threats and other contextual factors like new cyber threats, or changes in laws and norms.

Decisionmakers, especially within leading government agencies, could incorporate a CAS perspective into their planning meetings, workshops, and assessments of their own networks and the larger counter botnet ecosystem. Specifically, they can assess if their organization and immediate network, as well as the overall ecosystem, are adaptable and resilient enough to respond to botnet activities. For instance, is the federal government too reliant on a single entity or a few organizations that specialize in key skills and technologies such as employing AI/ML to detect botnets? Are they too dependent on entities that maintain key connections that enable global counter botnet activities? Are local governments and organizations within key tech sectors adaptable enough to support counter botnet activities? What are the implications of any such vulnerabilities for coordinating proactive and reactive responses if states like Russia, Iran, and China increasingly turn to botnets, including AI-enabled ones, in current and future conflicts? Armed with this perspective and network data, the counter botnet ecosystem will be better positioned to address the threats posed by state and nonstate actors that might leverage botnets during future conflicts.
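To make the network-data approach concrete, the following is an added example (not code from the commentary or from RAND) that builds a small constructed public-private collaboration graph and answers two of the questions above: which organizations are single points of failure, and which act as brokers between otherwise unconnected parts of the ecosystem. The organization names and edges are hypothetical placeholders.

```python
from collections import deque
from itertools import combinations
# Constructed, hypothetical collaboration network: each edge is one recorded
# botnet-related interaction (e.g. an information-sharing agreement). Names are placeholders.
EDGES = [("LeadAgency", "VendorA"), ("LeadAgency", "ISP1"), ("LeadAgency", "StateGov"),
         ("VendorA", "ISP1"), ("VendorA", "UnivLab"), ("UnivLab", "IntlCERT"),
         ("IntlCERT", "ISP2"), ("ISP2", "Registrar")]

def build_graph(edges):
    """Undirected adjacency sets from an edge list."""
    g = {}
    for a, b in edges:
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set()).add(a)
    return g

def bfs_dist(g, src, excluded=frozenset()):
    """Hop distances from src, never entering excluded nodes."""
    dist, queue = {src: 0}, deque([src])
    while queue:
        n = queue.popleft()
        for m in g[n]:
            if m not in dist and m not in excluded:
                dist[m] = dist[n] + 1
                queue.append(m)
    return dist

def single_points_of_failure(g):
    """Organizations whose removal splits the ecosystem (articulation points)."""
    spof = []
    for n in g:
        rest = set(g) - {n}
        if set(bfs_dist(g, next(iter(rest)), excluded={n})) != rest:
            spof.append(n)
    return sorted(spof)

def broker_scores(g):
    """How many other-organization pairs have a shortest path running through each node."""
    dists = {n: bfs_dist(g, n) for n in g}
    score = {n: 0 for n in g}
    for s, t in combinations(sorted(g), 2):
        if t not in dists[s]:
            continue  # different components: nothing to broker
        for v in g:
            if v not in (s, t) and v in dists[t] and dists[s][v] + dists[t][v] == dists[s][t]:
                score[v] += 1
    return score

G = build_graph(EDGES)  # an org that is both a broker and a single point of failure is an over-reliance risk
```

Run on real interaction data, the same two functions flag the dependencies the questions above ask about: an organization with a high broker score whose removal disconnects part of the ecosystem.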

Daniel Cunningham is an information scientist at the nonprofit, nonpartisan RAND Corporation, where his research focuses on data science and the application of social network research to irregular warfare, social media, and competitive contexts.

Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.

How can malicious actors who control botnets make money?

Botnets are created by hackers who want to make money from their creations. They do this in two ways: First, they sell access to other people's computers so that those users' machines become part of the botnet. Second, they create malware programs that infect computers without permission.

When multiple bots work together, what type of attack can they launch?

A Denial of Service (DoS) attack involves a single machine used to either target a software vulnerability or flood a targeted resource with packets, requests or queries. A DDoS attack, however, uses multiple connected devices—often executed by botnets or, on occasion, by individuals who have coordinated their activity.

How are botnets used for DDoS attacks?

The idea behind using botnets for DDoS attacks is to overwhelm a target server with a massive number of requests (from the zombie devices) to crash, or at least significantly slow down, the server.

How is a botnet created?

Bot-herders can create botnets by sending malware to unknowing recipients via file sharing, email, social media application protocols, or by using other bots as intermediaries. Once opened, malicious files infect devices with malicious code that instructs the computer to report back to the bot-herder.

How can a person defend against bots and botnets?

Most botnet attacks can be avoided using basic security practices. For general defense against botnets, invest in a firewalling router and don't click on pop-up ads, suspicious email attachments, or unsolicited software downloads.

What are the ways to avoid botnets?

How to Prevent a Botnet Attack
  • Keep all systems updated. Botnets are designed to exploit vulnerabilities in your network, which includes unpatched security risks in connected devices. ...
  • Provide user awareness training. ...
  • Multi-factor authentication (MFA).

Which type of attack takes control of multiple remote computers and forces them to participate in a coordinated attack against a server?

In a distributed denial-of-service (DDoS) attack, multiple compromised computer systems attack a target and cause a denial of service for users of the targeted resource. The target can be a server, website or other network resource.

In what type of attack are multiple systems used to attack a target server and prevent it from being used by legitimate users?

A distributed denial-of-service (DDoS) attack occurs when multiple machines are operating together to attack one target. DDoS attackers often leverage the use of a botnet—a group of hijacked internet-connected devices to carry out large scale attacks.

What is an attack where a hacker uses a tool to continuously try different combinations until it cracks passwords?

A brute force attack is a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and organizations' systems and networks.

What are the security controls for botnets?

Botnets often use automated attacks, meaning some basic security steps can go a long way in stopping these attempts. Change default passwords on all internet-connected devices, enable 2FA whenever possible, and set up firewalls to prevent unauthorized access to devices on your network.

How are bots in a botnet controlled by hackers?

Bot herders control their botnets through one of two structures: a centralized model with direct communication between the bot herder and each computer, and a decentralized system with multiple links between all the infected botnet devices.

How do firewalls help against botnet attacks?

A network firewall analyzes traffic based on rules. The system only allows connections that it has been configured to accept. The pre-established rules block or allow specific data packets sent over digital networks.

What are the main components of a botnet?

As depicted in Figure 1, a botnet has four main components: the botmaster, the infected hosts or bots (which become zombies), the command and control channel (server), and the attack victim. A botnet initializes its first attack by exploiting vulnerabilities in users' computers. ...

How do hackers create a botnet?

Botnets are created by infecting computer systems with malicious software, which in most cases comes in the form of a trojan horse virus that a user can inadvertently download or the malicious payload hackers install on an already compromised server or website.

What is a botnet and how can you detect it?

A botnet is a network of bots that runs on devices infected with malware, serving the malicious purposes of one or more hackers. A botnet can infect computers, laptops, servers, smartphones, and all kinds of IoT devices with security vulnerabilities.

How do hackers make money with botnets?

So how do botnet owners make money with infected computers? There are several major sources of income: DDoS attacks, theft of confidential information, spam, phishing, SEO spam, click fraud and distribution of adware and malicious programs.

How do malicious hackers make money?

Creating Ransomware and Other Malware

Ransomware is a type of malware that can be used to encrypt files on a victim's computer and then demand payment in exchange for the decryption key. By creating malware and ransomware, black hat hackers can make money by extorting victims for large sums of money.

How do malicious actors gain control of computer systems?

Threat actors use exploits to take advantage of vulnerabilities, and deploy payloads that allow them to access, control, destroy, or enable further malicious activity on a victim's system.

What is the business impact of botnets?

Impact of Botnet Attacks on your Business

For example, a scraping attack can hinder a website's performance, causing high bounce rates and reduced search engine credibility. This can also cause conversion rates to dip or, worse, cause downtime.

Author: Virgilio Hermann JD

Last Updated: 10/20/2023