Saturday, January 14, 2017

Botnets, swarms, operating at scale, sharing notes

"Imagine ubiquitous, intelligent robots collectively performing complex tasks. By combining intricate algorithms, defined rules, and continuous sensor data, swarm behavior can emerge. Entrepreneurs are using this collaborative intelligence to develop applications for drone swarms in the air, on land, and by sea. Watch out, Drone Swarms are coming!" (vlab.org) 

Last week we held our first "Big Broadcast", a live audio event in which we talked about our thinking on futures, and swarms are one of those things I think about 3-5 years out. Not swarms of bees or drones or swarms of strike fighters or humanoids, but swarms of computers, and I'm not sure we have the ability to protect against what's to come. Let me explain...

If you are a security organization, what’s the most significant thing you can do to combat threats from cyberspace? Work at scale. Are we there yet? Not yet.

Late last month, the cybercrime platform “Avalanche” was taken down by an international consortium of law enforcement agencies. It was an investigation that took four years to come to fruition, and it would not have been possible without cooperation from and collaboration with 30 different countries. If you’re familiar with cybercrime history you know this sort of action isn’t new, but the scale of it is impressive.

A total of five people were arrested. Over its eight-year lifetime, Avalanche is believed to have caused losses well into the hundreds of millions of dollars. Campaigns run through Avalanche impacted systems in over 180 countries. Avalanche had control over as many as 500,000 systems, every day, across the world. Five people!

Reports don’t reveal how many law enforcement agents, attorneys, technicians and participants from the private sector were involved, but it’s a safe bet that we’re talking about at least mid-to-high hundreds. From the perspective of scale, the bad guys still have us beat hands-down.

Avalanche was a semi-automated, semi-manual operation, relying heavily on money mules, but it was the favored means for delivering Zeus and SpyEye malware, the tools used to clean out accounts. The manual link of requiring money mules limited the amount of damage that could be done at any given time.

Now consider this: what if Avalanche were fully automated and autonomous, using peer-to-peer communications and coordination among those 500,000+ drone computers? What if a user simply entered the name of a target into a point-and-click interface and those 500,000 computers set about attacking one victim organization at every vulnerable point, using a range of poisons that allow the attacker to use the compromised systems for whatever they choose in future operations?

Our folks have participated in a number of botnet takedowns. No, the results didn’t last long, but such efforts are merely the initial steps in our ability to skew the economics of this sort of malicious activity. Right now it takes a lot of time and effort to take down a Zeus botnet or a cybercrime platform like Avalanche, but that won’t always be the case. At the same time, the idea of automated, targeted botnet swarm attacks will continue to inch toward reality.


Takedowns are rare today, but as the negative impact of cybercrime grows, and once the good guys begin to promulgate lessons learned, such efforts will become more common. We hope that the efforts of the good guys outpace the efforts of the bad guys, but to date this has not been the case. Momentum is building, but responsibility for protecting your networks (and liability for failing to) still rests solely with the owner.

How do you do this? How do you protect yourself against botnets and future potential swarms (or at least higher-velocity, higher-frequency attacks) that outpace the authorities' ability to keep up?

Work on your technology. Develop your methodology and processes. Perfect your as-a-Service offering. Learn to operate at scale. When given the chance, don’t hesitate to participate in a collaborative effort to fight cybercrime. All boats rise on the tide, and security is no different. If you can think of a new way for groups of us to band together in efficient and cost-effective ways, you’re making a greater contribution to the good fight than you will likely make on your own.


Red Sky Alliance is one of those places, with intelligence, collaboration, sources and tools. If you'd like to see some of the kinds of reporting that we push to our Red Sky members, have a look at our readboard or the Wapack Labs blog. This is where we announce products that get pushed to our members. When members have questions, they ask through Red Sky; when they need hands-on help, we refer them to trusted partners for strategy, consulting and/or incident response. For more information, contact us.

Until next week,
Stay safe in the ice storm!
Jeff