Cyren Security Blog

Self defense: Detecting a bot inside your network

by John Callon

Anti-MalwareMalware AnalysisWeb Security

The ratio expressed in the saying “an ounce of prevention is worth a pound of cure” is off by several magnitudes when applied to Internet security. While avoiding getting infected in the first place is obviously ideal, evasive tactics invariably fool many (many!) security systems—or simple carelessness does the job. 

To find the bot within, follow the chatter—to detect a bot you should search for the two-way communications that the bot conducts with its command and control (C&C) server. There are several warning signs and methods that an organization can use to uncover the presence of bots: 

 

  • Check email traffic. If your organization’s emails are being rejected by recipient organizations or ISPs, this may indicate that at some point emails from your company were blacklisted, probably as a result of spam activity originating on your network.
  • Utilize corporate firewalls. They may have rule sets for detecting suspicious port use or unknown transactions.
  • Install an intrusion prevention system. This type of system comes with built-in open source or vendor-defined rules for detecting bot traffic.
  • Use Web security/URL filtering systems. These types of systems, like WebSecurity offered by Cyren, block outbound bot communications to C&C’s, and help admins identify where the bots are in order to remove them.
  • Consider creating a “darknet” on your network. By creating a subnet on your LAN that shouldn’t normally have traffic routed to it, with logging machines in it, you can detect which computers aren’t obeying your normal network setup; for example, these computers may be scanning for nodes on the network they intend to infect.
  • Use security solutions from vendors who specialize in bot detection. There are vendors who specialize in bot detection and rely on behavioral analysis using the combined approach of log analytics and traffic analysis. 

 

Once unwanted traffic has been detected, the next step is tracking down the source. Cybersecurity solutions offer the best chance to discover who has compromised your network. Preference should be given to solutions that can provide user identification to simplify the process, especially where users are behind network address translation (NAT) devices. Cyren blocks outbound bot communications to C&C’s, and helps admins identify where the bots are in order to remove them.

To go deeper on botnets, download Cyren's special threat report on botnets.


 Want to learn more about cloud-based email & web security? Contact us here!

Go back