The year 2016. The Republic of Liberia, a small country of barely 111,000 square kilometers in the east of Africa, has a serious problem: its communications network has just collapsed. The majority of its 4.3 million inhabitants have been left without Internet, and the provider that controls large parts of the country’s network, Lonestar, has no idea what has happened; all that it knows is that its network is down.

Over time, some explanations begin to materialize: the culprit for the incident is Daniel Kaye, a British cybercriminal who was allegedly hired by a director of Cellman (the main competitor of Lonestar in Liberia) to attack the Lonestar’s IT security until he brought it down and provoked an outage in the network across nearly the whole country. Kaye, as it stands, has already been jailed, and has several such incidents in various countries on his rap sheet.

Kaye caused this outage by himself, but didn’t exactly act alone: his comprehensive strategy included a plethora of botnets that attacked the telephone operator continuously and simultaneously until they brought down its cybersecurity.

This is how botnet attacks work

Attacks that make use of botnets are increasingly frequent, as we saw throughout 2018. The aim of the strategy is for the main cybercriminal (bot herder or bot master) to accumulate as many bots – that is, infected devices – as possible. These bots are then used to carry out simultaneous coordinated attacks with a specific goal: breaking through the cybersecurity of one or several systems.

Bots can have several points of entry: illegal software, malware that gets onto devices thanks to poor use of networks, malicious files that get in via email attachments, etc. Essentially, the aim is to have several points from which to attack that, if used in coordination, are able to do huge amounts of damage.

The consequences of this kind of attack

When a company experiences a botnet attack, the possible consequences that it can experience are:

1.- Network outage. Bots can be programmed to massively launch an endless number of requests to a website, making it crash via a distributed denial of service attack (DDoS). This is what happened to Liberia’s network. And we need look no further than the 2018 cyberattack on the University of Edinburgh website to find another example.

2.- Network infections. A botnet attack might not simply target a company’s website; it may go directly for its IT systems. This way, the attack can have several points of entry to the same system, although having more than one isn’t necessary: if it manages to get into just one (the computer of an employee who downloaded a malicious attachment from an email, for example), the bot could begin to automatically infect the rest of the endpoints connected to the same network, fully compromising the company’s corporate cybersecurity.

3.- Theft of information. If a cybercriminal manages to infiltrate a company’s IT system, they may be able to gain access to confidential material and documents. But, worse still, they may also be able to steal this information and distribute it to third parties, thus endangering the company’s business.

4.- Theft of resources. In the last few years, as a direct result of the cryptocurrency boom, there have been more and more cybercriminals who turn to botnets to force a company’s computers to dedicate part of their resources to cryptomining.

How to avoid botnet attacks

In order to protect themselves against this kind of cyberattack, companies must take measures to safeguard their corporate cybersecurity.

1.- Secure browsing policies. An institution’s employees are often the easiest point of entry for a cybercriminal. For this reason, workers must follow a strict browsing policy on their devices, making sure not to visit suspicious websites, certain P2P networks, or any other platform that could potentially infect the device with fileless malware.

2.- Monitoring processes. There are times when, because of how they work, botnet attacks don’t raise suspicions for certain traditional security programs. This means that it is vital to monitor in a way that is more preventative than curative. Panda Adaptive Defense monitors all processes that are running on the company’s IT system so that any anomalous behavior of resources is caught immediately. Having visibility of everything that happens on the organization’s devices contributes to reducing possible attack vectors to the absolute minimum.

3.- Careful with emails. Employees’ emails can been a great entry point when the attacker wants one person to infect all their colleagues. This is why every employee must stay alert to anything suspicious (even an email supposedly from a boss can be dangerous) and not download any attachment if they are even the slightest bit doubtful about its trustworthiness.

If there is one thing that typifies botnet attacks, it is their stealth and their silence… Until all hell breaks loose. This is why prevention and counterattacks must also be proactive, monitoring every process on the company’s IT system in order to protect its corporate cybersecurity.