What is a botnet and “command & control”? Why might botnet activity lead to a data breach? Malware-infected systems, inside your network and in other organizations’ networks, form a botnet by connecting to an attacker’s command and control infrastructure.
“My next-generation firewall would block botnets, right?” Not usually.
Firewalls rely on IP reputation and intrusion prevention systems (IPS) to detect suspicious or unusual traffic, which may catch some botnet activity. But attackers use domain names and DNS nameservers to stay ahead of IP reputation systems. And advanced malware uses domain generation algorithms, which produce botnet activity that IPS is blind to. Plus, botnet activity happens over any port or protocol. By delivering security at the DNS and IP layer, Umbrella can best prevent command & control callbacks and contain breaches.
It used to be a question of “if.” Then it was “when.” And now, it is “which.” A sizable business has not one, but many, systems infected with malware even after following best practices. Most security products detect threats at a point in time—visiting a website, receiving an email, downloading or executing a file. But if this action did not trigger an alert, there is little to no ongoing endpoint or network monitoring to detect future botnet activity. Umbrella provides continuous security visibility at the DNS and IP layers for any device, no matter where it’s located. So when malware attempts to call back to the botnet’s command and control infrastructure days or months later, we can identify which device is infected. Even better, we block the botnet callback to stop a possible breach.
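The two points above, that DNS-layer filtering can catch callbacks to both known command-and-control domains and algorithmically generated ones, and that logging every device's lookups lets you name the infected host when a callback happens long after the initial compromise, are illustrated by the following added example. It is not Umbrella's code or the vendor's method; the DNS query log, the blocklist entries, and the DGA heuristic thresholds (label length, Shannon entropy, vowel ratio) are all constructed assumptions for demonstration.

```python
import math
from collections import defaultdict

# Constructed blocklist of known command-and-control domains (placeholder
# values, not real indicators). A DNS-layer resolver consults such a list
# on every query, regardless of which port or protocol the malware uses next.
KNOWN_C2_DOMAINS = {"c2-relay.example.net"}

# Constructed DNS query log, one "<timestamp> <client-ip> <queried-name>"
# record per line. Not real traffic; 10.1.4.90 imitates DGA-style lookups.
SAMPLE_DNS_LOG = """\
2024-03-01T08:00:01Z 10.1.4.22 www.example.com
2024-03-01T08:00:03Z 10.1.4.22 mail.example.com
2024-03-01T08:00:09Z 10.1.4.57 c2-relay.example.net
2024-03-01T08:01:12Z 10.1.4.90 xk3qzv9pbtw1lc.test
2024-03-01T08:01:15Z 10.1.4.90 7hq2mvzxr8tkp.test
2024-03-01T08:01:17Z 10.1.4.90 qp9zlxcvw2bnm.test
2024-03-01T08:02:00Z 10.1.4.22 internationalbusiness.test
"""


def second_level_label(qname):
    """Return the label a DGA typically randomizes: the one left of the TLD."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(label, min_len=10, min_entropy=3.3, max_vowel_ratio=0.25):
    """Heuristic DGA test (assumed thresholds): long, high-entropy, vowel-poor."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def classify_query(qname, blocklist=KNOWN_C2_DOMAINS):
    """Decision a DNS-layer filter makes for one query: (verdict, reason)."""
    name = qname.rstrip(".").lower()
    if name in blocklist or any(name.endswith("." + b) for b in blocklist):
        return "block", "known C2 domain"
    if looks_generated(second_level_label(name)):
        return "block", "DGA-like domain"
    return "allow", ""


def find_infected_clients(log_text, blocklist=KNOWN_C2_DOMAINS):
    """Map each client IP to the callbacks blocked for it, with timestamps.

    Because the log keeps the source address of every lookup, the device can
    be identified whenever the callback finally occurs, not only at infection.
    """
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        verdict, reason = classify_query(qname, blocklist)
        if verdict == "block":
            findings[client].append({"time": ts, "domain": qname, "reason": reason})
    return dict(findings)


if __name__ == "__main__":
    for client, hits in sorted(find_infected_clients(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {len(hits)} blocked callback(s), first at {hits[0]['time']}")
        for hit in hits:
            print(f"    {hit['domain']} ({hit['reason']})")
```

The benign but long name `internationalbusiness.test` is included to show why the heuristic checks vowel ratio and not length alone; in production the thresholds would be tuned against your own resolver's baseline, and the blocklist would come from a threat-intelligence feed rather than a literal in the script.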
Most products alert you to every security event detected, and it’s extremely difficult to distinguish a targeted attack from an opportunistic attack. Umbrella also reports all botnet activity in our real-time dashboard. The big difference is that we compare your botnet activity to what we see across our global network. There is a good chance that your business is being targeted if your activity makes up a sizable portion of what we’ve seen from that botnet across the world. In addition, we will surface details such as the threat type, hosting locations, and in some cases, the attack’s name. Summarizing this intelligence makes it easier to prioritize which systems to remediate first.
The Umbrella Security Research Team takes a predictive approach to security. Our goal is to continually innovate ahead of the pace of technology change and build the best breach protection and security platform possible without sacrificing performance. By analyzing 80 billion or more queries a day, we block more than 80,000,000 malicious requests each day. And we’re always iterating on our algorithms and expanding our visibility to provide predictive security whenever possible.
A large government client of ours recently saw a huge jump in botnet requests from 10 a day to 5,000 in one day. Umbrella effectively contained the malicious traffic, gave us the visibility to isolate the infected machines, and allowed us to eradicate the activity immediately.
Cybersecurity Consultant, State & Local Government