Botnets: The uninvited guests that just won’t leave

Botnets have been in existence for nearly two decades. Yet despite being a longstanding and widely known threat, they still have the power to wreak havoc on an organization’s networks, and often do so successfully while evading detection. 

The majority of contemporary malware families have set up botnets for command and control (C2) connections. It stands to reason that the number of active botnets would grow in sync with the number of malware families and versions. When FortiGuard Labs researchers analyzed botnet activity during the first half of 2023, we saw there are more botnets currently active, inevitably increasing the chances that organizations will be impacted by this threat.

What’s more concerning, though, is that we observed an increase in dwell time: Botnets are lingering on networks longer than ever before being detected. This underscores the fact that reducing response time is critical because the longer organizations allow botnets to remain, the greater the damage and risk to the business.

Botnet activity and dwell time are on the rise

The number of active botnets grew in the first half of 2023, up 27% from the prior six-month period. We also saw a higher rate of botnet activity (+126%) among organizations when comparing those same periods. 

Botnets are like uninvited guests that just won’t leave.

The true eye-opener for botnet trends in the first half of this year is the sharp rise in the overall number of \”active days\”—the period between the start of a botnet\’s activity and the termination of its C2 communications. In comparison to measurements made at the beginning of 2018, this reveals a more than 1,000x rise, demonstrating that botnets have become more tenacious in the last five years.

As botnets are quick to adapt and broaden the variety of devices they can automatically infiltrate and control—including some devices that traditionally haven’t been closely inspected, such as IoT—there are more vulnerabilities and exploits than ever that botnets can leverage.

Take back control from the botnets

Reducing response time is vital. The longer the dwell time, the more likely it is that botnets can impact a business, particularly given that botnets can spread across many devices in a short period. How can security teams improve detection processes and shrink the time it takes to respond to malicious activity?

Security practitioners should have multiple tools and strategies at their disposal to protect their organization’s networks against botnets. An obvious first step is to prevent access to all recognized C2 databases. Next, leverage application control to restrict unauthorized access to your systems. Additionally, use Domain Name System (DNS) filtering to target botnets explicitly, concentrating on each category or website that might expose your system to them. DNS filtering also helps to mitigate the Domain Generation Algorithms that botnets often use.

Monitoring data while it enters and leaves devices is vital as well, as you can spot botnets as they attempt to infiltrate your computers or those connected to them. This is what makes security information and event management technology paired with malicious indicators of compromise detections so critical to protecting against bots. And don’t forget the importance of using strong passwords to prevent hackers from breaking into your system via unprotected devices.

Strengthen your defenses against malicious activity

Taking your safeguards a step further, network detection and response (NDR) technology is ideal for helping to detect sophisticated botnets across your environment, offering ongoing, AI-driven, deep content inspection without the need for installed agents. NDR gives security teams the ability to detect suspicious behavior early, shrinking the time and resources needed to contain the potentially malicious activity.

The need for a security operations solution is paramount for early detection. By using electronic data processing technologies, including endpoint detection and response or extended detection and response, organizations can shorten the time it takes to discover threats from weeks—if they are even noticed at all—to less than an hour and frequently to mere seconds. Choose solutions that use advanced behavioral analytics and AI, preferably those that are designed to work together as part of a broader, comprehensive platform solution. With an integrated strategy and a platform approach to security operations, the time needed to assess and contain is drastically reduced. A platform approach makes it easier to simplify complex networks, secure distributed users, and protect hybrid applications, all of which are critical as the threat landscape (and bot activity) intensifies.

If you don’t have the resources within your organization to consistently monitor and manage these tools and processes, embrace a managed detection and response offering to augment your internal team’s capabilities.

A lesser-discussed but equally important attribute of a strong defense against cyber threats is a comprehensive and ongoing cybersecurity awareness program. Your employees have the potential to be your best defense or your weakest link—but they can only effectively defend your organization if they have the appropriate knowledge and tools to do so. From understanding how to develop good passwords to examining suspicious-looking emails, texts, social media messages, and links, every person in your organization has a role to play in keeping the business safe. 

Say goodbye to lingering guests

Botnet proliferation signals an expanding threat landscape. Our analysis reveals that not only are active botnets on the rise but activity among organizations is also surging. Yet, more alarming is their tenacity—their \”active days\” have increased over 1,000-fold in five years. The urgency lies in reducing response time; as botnets linger, damage and risk escalate. 

Effective detection demands DNS filtering, application control, and an AI-powered platform approach to security. Mitigation entails targeting compromised devices, disabling control centers, and enforcing stronger security measures throughout the entire enterprise. A proactive effort is key to protecting your organization from botnets. Implement these recommendations and say “goodbye” to these unwanted guests. 

Learn how Fortinet can help.