The United States’ Department of Homeland Security and Department of Commerce have released a joint report aimed at identifying actions to reduce threats posed by botnets.

Called A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats, the 51-page-long material notes the range of threats for which botnets can be created and used, including distributed denial of service (DDoS) attacks, spewing out spam, and spreading malware. It goes on to spell out several themes that underlie the problem and help explain its magnitude:

  • Botnets and concomitant automated, distributed threats are a global problem that involves the entire internet and communications ecosystem. This underscores the need for cooperation that involves various nations and all relevant stakeholders.
  • While effective tools to improve the resilience against the botnet menace exist, they are not routinely used in product development and deployment. This is because of a number of reasons, including lack of awareness and cybersecurity-specific expertise, as well as due to cost avoidance and insufficient market incentives.
  • Another factor that greases the wheels of botnets and associated threats is that devices are vulnerable throughout their lifecycles. Devices are shipped with known security flaws, newfound vulnerabilities are never patched, and devices remain in service after their vendor ends support for them.
  • There is also a lack of awareness of the threats on the part of many home users and some enterprise customers, since they may be oblivious to the role that their devices can play in a botnet-enabled or botnet-supported attack and may not fully understand the merits of available countermeasures.
  • The problem is also exacerbated by the fact that market conditions are not naturally conducive to prioritizing security over swift output. Rather than building in security or offering patches efficiently, product developers, manufacturers, and vendors are motivated to minimize cost and time to market.

Based on the various facets of the botnet menace, the report identifies five goals that are intended to help mitigate the risk of attacks unleashed by botnets and to make the internet ecosystem more resilient. The objectives involve determining a clear pathway toward a secure technology marketplace, promoting innovation both in the infrastructure that underlies the digital ecosystem and in the networking industry, promoting cooperation between various stakeholders, and boosting awareness of the threats.

ESET Senior Malware Researcher Jean-Ian Boutin highlighted the importance of coordinated global actions for disrupting botnet operations: “We wholeheartedly agree with the report on the necessity of collaboration between law enforcement bodies around the world and the private sector as a necessary step to tackle this global cyber threat. Operations such as the Andromeda/Gamarue and the Dorkbot disruption efforts would not have been possible without the close collaboration of the private and public sector in different jurisdictions”.

Meanwhile, the report also dispenses guidance for providers at the infrastructure level, which includes “the hardware, software, tools, standards, and practices on which the ecosystem depends – for example, routers, switches, Internet service providers, DNS providers, content delivery networks, hosting and cloud-service providers”. Organizations operating in this space should work towards understanding the benefits of shared-defense approaches and work towards driving best-practice adoption.

What have devices got to do with it?

A large portion of the report deals with edge devices, which it defines as “personal computers, mobile devices, edge servers, and IoT and other connected devices” and which can act as both the sources and victims of attacks.

Security is often an afterthought in design, especially for Internet-of-Things (IoT) devices. Regardless of whether it’s because of a lack of awareness, mistaken assumptions on the part of software developers, desire for convenience, cost avoidance or any other reason, devices are often inherently insecure or their configurations leave much to be desired in terms of security. According to the report, vulnerabilities that are discovered in software in use are often easier to exploit than to patch.

“Over the years, the targets have evolved, ranging from business machines, to poorly secured home devices, to vulnerable systems run by hosting providers and cloud service providers, and, more recently, to IoT devices,” reads the report. Insecure IoT devices offer “the most attractive target to malicious actors” and have had the pernicious side effect of enabling the development of widely distributed botnets.

With that in mind, the report advocates establishing internationally applicable baselines both for home and industrial IoT applications. It calls for global advances in the domain of edge devices that will be underpinned by robust and universally accepted and deployed standards, specifications, and security practices, such as secure default configurations and effective software update mechanisms. By elevating security to a primary design requirement, the devices would be less vulnerable to compromise at any point throughout their lifecycles.

However, a risk also emanates from systems that are no longer supported by their manufacturers and so their vulnerabilities are difficult to address. The threat involving legacy systems is further compounded by the heavy use of pirated software by many enterprises in many countries, as security holes in the software are never patched and the systems using them remain vulnerable to compromise.

The report came out at a time when it emerged that hundreds of thousands of routers had been compromised with malware dubbed VPNFilter, which prompted the Federal Bureau of Investigation (FBI) to recommend that the owners of small office and home office routers should reboot the devices.