Botnets' Networks
Zsolt Bederna

Short introduction
• IT security consultant
• CTO of a startup dealing with the human factor of IT security
• Doctoral student at the Doctoral School of Security Sciences, Óbuda University, Hungary
• MBA student at the Institute of Business Economics, Eötvös Loránd University (ELTE)
• ISACA, ISC2 and EC-Council member, regular volunteer
• One of the organisers of the National Cyber Competition series
• Member of the editorial board of the Külügyi Műhely journal
References
• Bederna, Zsolt; Váczi, Dániel; Pollner, Péter; Szádeczky, Tamás (2019). Támadás hálózatba szervezve [Attack organised as a network]. In: Hálózatok a közszolgálatban [Networks in the public service], pp. 223-247. Ludovika Egyetemi Kiadó Nonprofit Kft. ISBN 978-963-531-081-4.
• Bederna, Zsolt; Szádeczky, Tamás (2019). Cyber espionage through Botnets. Security Journal, pp. 1-20. DOI 10.1057/s41284-019-00194-6.
• Bederna, Zsolt; Rajnai, Zoltán (2020). Analysis of static and dynamic parameters of players in cyberspace. TIEES 2020 conference.
• Bederna, Zsolt; Rajnai, Zoltán; Szádeczky, Tamás (2020). Attacks against energy, water and other critical infrastructure in the EU. IEEE CANDO-EPE 2020 (in press).
• Bederna, Zsolt (2015). Fuzzy-based intrusion detection. Hadmérnök, Vol. X, Issue 1, pp. 147-160.
Topics

Where are we now?
Botnets
A botnet is a group of Internet-connected computers whose resources are used by an attacker, or a group of attackers, without the knowledge or permission of their owners, to carry out one or more cyber-attacks.
Directive 2013/40/EU on attacks against information systems distinguishes between:
• Illegal access to information systems (Article 3)
• Illegal system interference (Article 4)
• Illegal data interference (Article 5)
• Illegal interception of computer data (Article 6)
Scenarios
[Figure: two scenarios, Case 1 and Case 2, compared by the resources involved]
Where are we now?
Botnet's components
Botnets vary in structure, capabilities and technical implementation, but they generally include one or more controlling parties (the botmaster or botherder), one or more control servers (Command and Control, C&C or C2) and one or more controlled machines (bots).
Structure of botnets
Type: number and connections of the C&C servers
• Centralised: a fixed number of one or more servers performs the C&C function; with several servers they can also be organised hierarchically. Each additional layer increases the complexity of the botnet and the botmaster's chance of staying hidden, while the number of C&C servers per layer provides load balancing and redundancy.
• Decentralised: there is no dedicated C&C server; any bot can take on this function.
• Hybrid: a mix of the two, where some C&C servers work in peer-to-peer mode.
Advancement of botnets
[Figure]

Network architecture – Mirai
[Figure]

Where are we now?
Botnets' operation cycle
(1) Initial infection: the botmaster starts infecting network nodes through at least one attack vector, exploiting one or more vulnerabilities present on the node.
(2) Secondary injection: after a successful infection, the node downloads the agent (bot) code.
(3) Connection: each agent connects to one of the C&C servers.
(4) Command and control: the C&C servers relay the botmaster's commands to the bots, for example to take part in an attack campaign.
(5) Updates and maintenance: bug fixes and new features are pushed to the bots, which install them. The botmaster may also temporarily put the whole network, or part of it, into sleep mode, or issue a complete switch-off command.
Where are we now?
Characterisation of attackers
The security industry generally distinguishes the following threat actors in cyberspace: (1) script kiddies, (2) malicious insiders, (3) cybercriminals, (4) hacktivists, (5) cyber terrorists and (6) state-sponsored actors.
The actors are listed in increasing order of knowledge and capability, but such an over-simplified categorisation discards a great deal of information.
The parameters I propose for describing a threat are: (1) motivation; (2) capabilities; (3) source of the attack; (4) business model applied; and (5) willingness to cooperate.
Distinguishing capabilities
Capabilities represent the application of the tools in the attacker's portfolio. Social engineering, technical tools and physical capabilities can be distinguished; each has its own effect and usability in the cyber kill chain model.
[Figure: capabilities split into Humans and Technology]
Cooperation within the organisation
According to Dr. Charlie Miller's estimate:
• 592 people
• $45.9 million in annual salaries (average annual salary $77,534)
• $3 million in equipment
Source: Charlie Miller (2010). DEF CON 18 presentation. https://www.defcon.org/images/defcon-18/dc-18-presentations/Miller/DEFCON-18-Miller-Cyberwar.pdf
Cooperation between organisations
[Figures from the two sources below]
Source: MIT Technology Review (2018). Inside the business model for botnets. https://www.technologyreview.com/2018/05/14/142895/inside-the-business-model-for-botnets/
Source: Denis Makrushin (2017). The cost of launching a DDoS attack. SecureList. https://securelist.com/the-cost-of-launching-a-ddos-attack/77784/
Cooperation between organisations
• Crimeware as a Service: identified vulnerabilities and the related exploits are offered either generically or for a specifically targeted scenario. Zero-day vulnerabilities and APT toolkits are on offer, as is malware such as rootkits and ransomware, together with droppers, keyloggers and evasion tools such as cryptors and polymorphic packers.
• Cybercrime Infrastructure as a Service: criminals offer infrastructure elements, specifically clients and servers. Clients that are already part of a botnet are ready to process commands; on the server side, information about the vulnerabilities of scanned servers is put up for sale.
• Hacking as a Service: the complete process, including planning and execution, is outsourced on demand to the "service provider".
Business
[Figure: business-model diagram linking Crimeware as a Service, Cybercrime Infrastructure as a Service and Dr. Charlie Miller's DEF CON presentation]
Source: MIT Technology Review (2018). Inside the business model for botnets. https://www.technologyreview.com/2018/05/14/142895/inside-the-business-model-for-botnets/
Technological capabilities
• Infection, ability to spread
• Connection to the C&C server
• Receiving new commands and updates
• Hiding on the infected device and in the network
• Self-destruction
• Type of attack implemented, depending on the target (spam, ransomware, DDoS, spyware, etc.)
Attacks against essential services (EU)
[Figure: DDoS and ransomware incidents]
APT28 and botnets – example
In May 2018 one of the most extensive campaigns was reported: a botnet of approximately 500,000 devices infected with the VPNFilter malware. Cisco Talos researchers found code overlap between VPNFilter and BlackEnergy, the malware that targeted the Ukrainian power grid in the winter of 2015-2016.
Stage one persisted through reboots and located the next stage by connecting either to one of twelve hardcoded Photobucket URLs or to the Toknowall website.
Stage two was an intelligence-collection platform with file collection, command execution, data exfiltration and device management; some versions also had a self-destruct capability that overwrites a critical portion of the device's firmware and reboots the device, leaving it unusable.
Stage three consisted of several plugin modules for stage two that added functionality, such as a packet sniffer and a communications module allowing communication over Tor.
Where are we now?
Defense capabilities
Limitation
Knowing the relevant characteristics of existing, operational botnets plays an important and decisive role in the design of effective protection methods.
Parameters that can be analysed:
• start and end of the communication,
• protocol used,
• number of TCP flags set during the communication,
• number of packets sent during the communication,
• number of bytes sent during the communication,
• time elapsed during the communication,
• initiator of the communication (server or client),
• average number of bytes sent per packet,
• number of successful C&C contacts,
• number of DNS queries, and
• periodicity of the communication with the C&C server.
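The parameters above can be computed directly from a packet capture. The Python block below is an added example written for this page, not code from the slides or from the author's papers: it derives every listed feature per (local host, remote host, protocol) conversation and uses the periodicity of C&C contacts to flag beaconing. The hosts, ports and timings in `constructed_capture`, the `10.0.0.` prefix standing for the monitored network, and the thresholds in `detect_beacons` are all assumptions made for the demonstration.

```python
"""Flow features for botnet detection, computed over a constructed packet capture.

Added example: implements the parameter list on the slide and uses the periodicity
of C&C contacts to flag beaconing. Hosts, ports, timings, LOCAL_PREFIX and the
thresholds are assumptions made for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional

LOCAL_PREFIX = "10.0.0."   # assumption: the monitored (internal) network


@dataclass
class Packet:
    ts: float          # seconds since capture start
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    dport: int
    size: int          # bytes on the wire
    flags: str = ""    # TCP flag letters, e.g. "S", "SA", "PA"


@dataclass
class FlowFeatures:
    local: str
    remote: str
    proto: str
    start: float
    end: float
    duration: float
    packets: int
    bytes: int
    flag_kinds: int                 # distinct TCP flag bits seen in the flow
    avg_bytes_per_packet: float
    initiator: str                  # "client" if the local host opened it, "server" if the remote did
    dns_queries: int                # UDP/53 packets the local host sent
    cc_contacts: int                # SYNs the local host sent: each one is a separate contact
    periodicity: Optional[float]    # coefficient of variation of the contact intervals


def extract_flows(packets: List[Packet]) -> List[FlowFeatures]:
    """Group packets into (local, remote, proto) conversations and derive the features."""
    groups = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        local, remote = (p.src, p.dst) if p.src.startswith(LOCAL_PREFIX) else (p.dst, p.src)
        groups[(local, remote, p.proto)].append(p)

    flows = []
    for (local, remote, proto), pkts in groups.items():
        first, last = pkts[0], pkts[-1]
        syn_times = [p.ts for p in pkts if p.src == local and "S" in p.flags and "A" not in p.flags]
        intervals = [b - a for a, b in zip(syn_times, syn_times[1:])]
        periodicity = None
        if len(intervals) >= 3 and mean(intervals) > 0:    # a few intervals are needed for a spread
            periodicity = pstdev(intervals) / mean(intervals)
        total = sum(p.size for p in pkts)
        flows.append(FlowFeatures(
            local=local, remote=remote, proto=proto,
            start=first.ts, end=last.ts, duration=last.ts - first.ts,
            packets=len(pkts), bytes=total,
            flag_kinds=len({c for p in pkts for c in p.flags}),
            avg_bytes_per_packet=total / len(pkts),
            initiator="client" if first.src == local else "server",
            dns_queries=sum(1 for p in pkts if p.proto == "udp" and p.dport == 53 and p.src == local),
            cc_contacts=len(syn_times),
            periodicity=periodicity,
        ))
    return flows


def detect_beacons(flows, min_contacts=4, max_cv=0.2):
    """A conversation the local host reopens at near-constant intervals looks like C&C polling."""
    return [f for f in flows
            if f.initiator == "client" and f.cc_contacts >= min_contacts
            and f.periodicity is not None and f.periodicity <= max_cv]


def constructed_capture() -> List[Packet]:
    """Made-up traffic: a bot polling its C&C about every 60 s, a user browsing, an inbound probe."""
    bot, cc, resolver = "10.0.0.5", "203.0.113.10", "10.0.0.53"
    user, web = "10.0.0.7", "198.51.100.20"
    pkts = []
    for i, jitter in enumerate([0.0, 0.8, -0.5, 1.1, 0.3]):
        t = 100.0 + 60 * i + jitter
        pkts.append(Packet(t - 0.2, bot, resolver, "udp", 53, 70))           # resolve the C&C name
        pkts += [Packet(t, bot, cc, "tcp", 443, 60, "S"),
                 Packet(t + 0.05, cc, bot, "tcp", 51000 + i, 60, "SA"),
                 Packet(t + 0.10, bot, cc, "tcp", 443, 120, "PA"),          # small poll
                 Packet(t + 0.30, cc, bot, "tcp", 51000 + i, 300, "PA")]    # command back
    for t in [5.0, 9.0, 40.0, 41.5, 300.0]:                                 # irregular browsing
        pkts += [Packet(t, user, web, "tcp", 443, 60, "S"),
                 Packet(t + 0.02, web, user, "tcp", 40000, 60, "SA"),
                 Packet(t + 0.10, user, web, "tcp", 443, 500, "PA")]
    pkts.append(Packet(50.0, "192.0.2.9", bot, "tcp", 23, 60, "S"))         # inbound telnet probe
    return pkts


if __name__ == "__main__":
    flows = extract_flows(constructed_capture())
    for f in flows:
        print(f"{f.local} -> {f.remote} {f.proto}: contacts={f.cc_contacts} "
              f"periodicity={f.periodicity} initiator={f.initiator} dns={f.dns_queries}")
    print("beaconing:", [(f.local, f.remote) for f in detect_beacons(flows)])
```

Periodicity is measured as the coefficient of variation of the intervals between the local host's SYNs: a bot polling on a fixed timer scores near zero, while the constructed browsing session scores above one. Real bots add jitter or sleep for hours, so the window and the thresholds have to be tuned per network, and the feature is most useful combined with the others in the list, for example few bytes per packet and a DNS lookup preceding every contact.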
Propagation patterns – port scan
[Figure]

Attack patterns – SYN flood
[Figure]
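The two slides above show these patterns only as pictures. As an added example, not code from the slides, the Python block below finds both in TCP packet records: a port scan as one source touching many distinct (host, port) targets with bare SYNs inside a time window, split into horizontal sweeps (one port across many hosts, the way Mirai propagated over TCP/23) and vertical scans (many ports on one host); a SYN flood as a burst of half-open connections, SYNs that the same source never follows with an ACK, against one service from many sources. The traffic in `constructed_events` is made up, and the window sizes and thresholds are assumed values.

```python
"""Propagation (port scan) and attack (SYN flood) patterns found in TCP packet records.

Added example; the traffic, window sizes and thresholds are constructed for the
demonstration and are not taken from the slides.
"""
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "ts src dst dport flags")   # one TCP packet, flags as letters


def is_syn(e):
    """A bare SYN: a connection attempt, not the SYN/ACK reply."""
    return "S" in e.flags and "A" not in e.flags


def detect_port_scans(events, window=10.0, min_targets=20):
    """Per source and time window, count distinct (host, port) pairs probed with a bare SYN.
    Many hosts on one port is a horizontal sweep (how worm-like bots such as Mirai spread);
    many ports on one host is a vertical scan. Returns (src, targets, kind)."""
    targets = defaultdict(set)
    for e in events:
        if is_syn(e):
            targets[(e.src, int(e.ts // window))].add((e.dst, e.dport))
    hits = []
    for (src, _), tset in targets.items():
        if len(tset) >= min_targets:
            hosts = {host for host, _ in tset}
            ports = {port for _, port in tset}
            hits.append((src, len(tset), "horizontal" if len(hosts) >= len(ports) else "vertical"))
    return hits


def detect_syn_floods(events, window=1.0, min_half_open=100):
    """Per destination service and time window, count SYNs the same source never followed with
    an ACK (half-open connections). Returns (dst, port, half_open, distinct_sources)."""
    acked = {(e.src, e.dst, e.dport) for e in events if "A" in e.flags and "S" not in e.flags}
    half_open = defaultdict(list)
    for e in events:
        if is_syn(e) and (e.src, e.dst, e.dport) not in acked:
            half_open[(e.dst, e.dport, int(e.ts // window))].append(e.src)
    return [(dst, port, len(srcs), len(set(srcs)))
            for (dst, port, _), srcs in half_open.items() if len(srcs) >= min_half_open]


def constructed_events():
    """Made-up capture: a telnet sweep, a vertical scan, a spoofed SYN flood and benign browsing."""
    ev = []
    for i in range(40):   # a bot sweeping TCP/23 across 40 neighbouring hosts
        ev.append(Event(1.0 + 0.01 * i, "10.0.0.21", f"10.0.1.{i + 1}", 23, "S"))
    for p in range(1, 31):   # an external host walking ports 1..30 on one target, all closed
        ev.append(Event(5.0 + 0.02 * p, "192.0.2.7", "10.0.0.5", p, "S"))
        ev.append(Event(5.001 + 0.02 * p, "10.0.0.5", "192.0.2.7", 40000 + p, "RA"))
    for i in range(300):   # 300 SYNs in half a second from 50 spoofed sources; nobody completes
        spoofed = f"198.51.100.{i % 50}"
        ev.append(Event(20.0 + i / 600, spoofed, "10.0.0.80", 80, "S"))
        ev.append(Event(20.0 + i / 600 + 0.0005, "10.0.0.80", spoofed, 1024 + i, "SA"))
    for t in (30.0, 31.5, 33.0):   # a user completing three handshakes to the same server
        ev += [Event(t, "10.0.0.7", "10.0.0.80", 80, "S"),
               Event(t + 0.01, "10.0.0.80", "10.0.0.7", 50000, "SA"),
               Event(t + 0.02, "10.0.0.7", "10.0.0.80", 80, "A"),
               Event(t + 0.03, "10.0.0.7", "10.0.0.80", 80, "PA")]
    return ev


if __name__ == "__main__":
    events = constructed_events()
    print("port scans:", detect_port_scans(events))
    print("SYN floods:", detect_syn_floods(events))
```

The two detectors rely on different signals: the scan detector on fan-out per source, the flood detector on handshakes that never complete. Both use fixed time buckets for simplicity; a production sensor would use sliding windows and per-network thresholds, and would treat the server's unanswered SYN/ACKs as the same evidence seen from the other side.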
Fuzzy logic (example)
Predefined parameters:
• ART: average time between received packets,
• NSP: number of sent packets,
• NRP: number of received packets.
Example rule: if (ART is high) and (NSP is med) and (NRP is high) then (output is high).
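A worked implementation of the rule, added here as an example rather than taken from the slides or from the Hadmérnök paper on the references slide: Mamdani-style inference with trapezoidal membership functions, minimum for the fuzzy AND, maximum for aggregation and centroid defuzzification. The breakpoints of the membership functions (ART in seconds, NSP and NRP in packets per observation window, output on a 0 to 1 suspicion scale) and the three extra rules are assumptions made for the demonstration; only the first rule is the one on the slide.

```python
"""Mamdani fuzzy inference for the botnet-detection rule on the slide.

Added example: the membership breakpoints and the three extra rules are assumptions
made for the demonstration; only RULES[0] is the rule stated on the slide.
"""
INF = float("inf")


def trapmf(x, a, b, c, d):
    """Trapezoidal membership: 0 up to a, rising to 1 at b, 1 until c, falling to 0 at d."""
    if x < a or x > d:
        return 0.0
    if x < b:
        return (x - a) / (b - a)
    if x <= c:
        return 1.0
    return (d - x) / (d - c)


# Linguistic terms per variable (assumed breakpoints). ART is seconds between received
# packets, NSP/NRP are packets per observation window, output is a 0..1 suspicion score.
TERMS = {
    "ART": {"low": (0, 0, 0.5, 2), "med": (0.5, 2, 4, 8), "high": (4, 8, INF, INF)},
    "NSP": {"low": (0, 0, 50, 200), "med": (50, 200, 500, 1000), "high": (500, 1000, INF, INF)},
    "NRP": {"low": (0, 0, 50, 200), "med": (50, 200, 500, 1000), "high": (500, 1000, INF, INF)},
    "output": {"low": (0, 0, 0.2, 0.5), "med": (0.2, 0.5, 0.5, 0.8), "high": (0.5, 0.8, 1, 1)},
}

# (antecedent, consequent); antecedent terms are combined with fuzzy AND (minimum).
RULES = [
    ({"ART": "high", "NSP": "med", "NRP": "high"}, "high"),  # the rule on the slide
    ({"ART": "low", "NSP": "low", "NRP": "low"}, "low"),      # assumed: quiet host
    ({"NSP": "high", "NRP": "low"}, "high"),                  # assumed: sends a lot, receives little
    ({"ART": "med", "NSP": "med", "NRP": "med"}, "med"),      # assumed: ordinary activity
]


def membership(var, term, x):
    return trapmf(x, *TERMS[var][term])


def infer(art, nsp, nrp, steps=200):
    """Return (crisp suspicion score, or None if no rule fires; firing strength per rule)."""
    inputs = {"ART": art, "NSP": nsp, "NRP": nrp}
    ys = [i / steps for i in range(steps + 1)]       # discretised output universe
    aggregated = [0.0] * len(ys)
    firing = {}
    for idx, (antecedent, consequent) in enumerate(RULES):
        strength = min(membership(v, t, inputs[v]) for v, t in antecedent.items())
        firing[idx] = strength
        if strength == 0.0:
            continue
        for j, y in enumerate(ys):                   # clip the consequent set, max-aggregate
            aggregated[j] = max(aggregated[j], min(strength, membership("output", consequent, y)))
    area = sum(aggregated)
    if area == 0.0:
        return None, firing
    return sum(y * m for y, m in zip(ys, aggregated)) / area, firing   # centroid


if __name__ == "__main__":
    for sample in [(10, 300, 2000), (0.1, 10, 10), (6, 300, 700)]:
        score, fired = infer(*sample)
        print(f"ART={sample[0]} NSP={sample[1]} NRP={sample[2]} -> score={score:.2f} fired={fired}")
```

The third sample shows why fuzzy rules are attractive for this problem: ART = 6 s is half "med" and half "high", NRP = 700 is 0.6 "med" and 0.4 "high", so the slide's rule and the "ordinary activity" rule both fire partially and the score lands between them instead of flipping at a hard threshold. The firing strengths are returned alongside the score so an analyst can see which rule drove a verdict.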
Network models
[Figure: scale-free versus random network]
Source: Albert-László Barabási & Eric Bonabeau (2003). Scale-free networks. Scientific American. https://barabasi.com/f/124.pdf
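Barabási and Bonabeau's point, applied to a botnet's logical structure, is that a network grown by preferential attachment ends up with a few hubs, is robust against random node loss, but fragments when those hubs are removed, which is what a takedown aimed at the most connected C&C nodes does. The Python block below is an added example, not code from the slides or the article: it grows a graph by preferential attachment (the Barabási–Albert mechanism) and, for contrast, one by uniform attachment whose degrees stay narrowly spread, then measures the share of nodes left in the largest component after removing the highest-degree nodes versus the same number of random nodes. The graph size, the attachment parameter m and the seeds are arbitrary choices.

```python
"""Scale-free versus uniformly grown networks, and how each survives losing its hubs.

Added example: grows one graph by preferential attachment (the Barabási–Albert
mechanism) and one by uniform attachment, then compares the largest connected
component after removing the k highest-degree nodes versus k random nodes.
Graph size, m and the seeds are arbitrary choices.
"""
import random
from collections import deque


def grow(n, m, preferential, seed=7):
    """Start from a complete graph on m+1 nodes; every new node links to m existing ones.
    preferential=True picks targets with probability proportional to degree (hubs emerge);
    preferential=False picks them uniformly (degrees stay narrowly spread)."""
    rng = random.Random(seed)
    adj = {i: set(range(m + 1)) - {i} for i in range(m + 1)}
    stubs = [v for v in adj for _ in adj[v]]   # each node listed once per edge end
    for new in range(m + 1, n):
        pool = stubs if preferential else list(adj)
        targets = set()
        while len(targets) < m:
            targets.add(rng.choice(pool))
        adj[new] = set()
        for t in targets:
            adj[new].add(t)
            adj[t].add(new)
            stubs += [new, t]
    return adj


def max_degree(adj):
    return max(len(neighbours) for neighbours in adj.values())


def largest_component_fraction(adj, removed=()):
    """Share of the surviving nodes that belong to the largest connected component."""
    removed = set(removed)
    alive = [v for v in adj if v not in removed]
    seen, best = set(), 0
    for start in alive:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            v = queue.popleft()
            size += 1
            for w in adj[v]:
                if w not in removed and w not in seen:
                    seen.add(w)
                    queue.append(w)
        best = max(best, size)
    return best / len(alive)


def survival_after_removal(adj, k, targeted, seed=7):
    """Largest-component share after deleting k nodes: the k biggest hubs (a takedown aimed
    at the most connected nodes) or k random nodes (ordinary failures)."""
    if targeted:
        victims = sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:k]
    else:
        victims = random.Random(seed).sample(list(adj), k)
    return largest_component_fraction(adj, victims)


if __name__ == "__main__":
    scale_free = grow(1000, 2, preferential=True)
    uniform = grow(1000, 2, preferential=False)
    print("max degree  scale-free:", max_degree(scale_free), " uniform:", max_degree(uniform))
    for name, g in (("scale-free", scale_free), ("uniform", uniform)):
        print(f"{name:10s} hubs removed: {survival_after_removal(g, 100, True):.2f}  "
              f"random removed: {survival_after_removal(g, 100, False):.2f}")
```

For the scale-free graph, removing the 100 best-connected nodes (10%) shrinks the largest component far more than removing 100 random nodes, which barely dents it; that asymmetry is the argument for mapping a botnet's hubs before a takedown, and, from the attacker's side, for the decentralised and hybrid structures on the earlier slide, which have no hubs to remove.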
Summary

Conclusion: where does the network appear?
• Cooperation within the organisation
• Cooperation (or competition) between organisations
• Logical structure
• Propagation and attack patterns
Thank you for your attention
A Domino Admins Adventures (Engage 2024)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 

Botnets' networks

9. BOTNET'S COMPONENTS
Botnets vary in structure, capabilities and technical implementation, but they generally include one or more controlling parties (botmaster or botherder), one or more control servers (Command and Control, C&C or C2), and one or more controlled machines (bots).

10. STRUCTURE OF BOTNETS
Type: number and connections of C&C servers
• Centralised: a fixed number of one or more servers perform the C&C function; with several servers they can also be organised hierarchically. The number of layers increases the complexity of the botnet and the probability that the botmaster stays hidden, while the number of C&C servers per layer serves load balancing and redundancy.
• Decentralised: there is no dedicated C&C server; each bot can take on this function.
• Hybrid: some C&C servers work in peer-to-peer mode.
11. ADVANCEMENT OF BOTNETS (figure)

12. NETWORK ARCHITECTURE – MIRAI (figure)

13. WHERE ARE WE NOW?
14. BOTNETS' OPERATION CYCLE
(1) Initial infection: the botmaster starts infecting network nodes through at least one attack vector, exploiting one or more vulnerabilities present on the node.
(2) Secondary injection: after a successful infection, the nodes download the bot agent's code.
(3) Connection: each agent connects to one of the C&C servers.
(4) Command and control: the C&C servers relay the botmaster's commands to the bots, for example to take part in an attack campaign.
(5) Updates and maintenance: bug fixes and new features may be developed and pushed to the bots, which install the updates. Sometimes the botmaster temporarily puts the whole network, or part of it, into sleep mode, or issues a complete switch-off command.
15. WHERE ARE WE NOW?
16. CHARACTERISATION OF ATTACKERS
The security industry generally distinguishes the following threat actors in cyberspace: (1) script kiddies, (2) malicious insiders, (3) cybercriminals, (4) hacktivists, (5) cyber terrorists, and (6) state-sponsored actors. The actors are listed in increasing order of knowledge and capability, but this over-simplified categorisation has the drawback that a great deal of information is lost. My suggested parameters of a threat are: (1) motivation; (2) capabilities; (3) source of the attack; (4) business model applied; and (5) willingness to cooperate.

17. DISTINGUISHING CAPABILITIES
Capabilities represent the tools in the attacker's portfolio. Social engineering, technical tools and physical capabilities can be distinguished; each has its own effect and usability in the cyber kill chain model.
(Figure: Capabilities – Humans – Technology)

18. COOPERATION WITHIN THE ORGANISATION
According to Dr. Charlie Miller's estimate:
• 592 people
• $45.9 million in annual salaries (an average annual salary of $77,534)
• $3 million in equipment
Source: Charlie Miller (2010). DEF CON 18 presentation. https://www.defcon.org/images/defcon-18/dc-18-presentations/Miller/DEFCON-18-Miller-Cyberwar.pdf
19. COOPERATION BETWEEN ORGANISATIONS (figures)
Source: MIT Technology Review (2018). Inside the business model for botnets. https://www.technologyreview.com/2018/05/14/142895/inside-the-business-model-for-botnets/
Source: Denis Makrushin (2017). The cost of launching a DDoS attack. SecureList. https://securelist.com/the-cost-of-launching-a-ddos-attack/77784/
20. COOPERATION BETWEEN ORGANISATIONS
• In Crimeware as a Service, identified vulnerabilities and the related exploits are offered either generally or for a specifically targeted scenario. Zero-day vulnerabilities, Advanced Persistent Threat (APT) tooling and malware such as rootkits and ransomware are on offer, as well as droppers, keyloggers and evasion tools such as crypters or polymorphic packers.
• In the Cybercrime Infrastructure as a Service model, criminals offer infrastructure elements, specifically clients and servers. The clients are bots that are ready to process commands; on the server side, information about the vulnerabilities of scanned servers is put up for sale.
• With Hacking as a Service, the complete process, including planning and on-demand execution, is outsourced to the "service provider".
21. BUSINESS
(Figure labels: Crimeware as a Service; Cybercrime Infrastructure as a Service; Dr. Charlie Miller's DefCon presentation)
Source: MIT Technology Review (2018). Inside the business model for botnets. https://www.technologyreview.com/2018/05/14/142895/inside-the-business-model-for-botnets/

22. TECHNOLOGICAL CAPABILITIES
• Infection, ability to spread
• Connection to the C&C server
• Receiving new commands and updates
• Hiding on the infected device and in the network
• Self-destruction
• Type of attack implemented, depending on the target (spam, ransomware, DDoS, spyware, etc.)

23. ATTACKS AGAINST ESSENTIAL SERVICES (EU)
(Chart: DDoS, ransomware)
24. APT28 AND BOTNETS – EXAMPLE
In May 2018, one of the most extensive campaigns reported concerned a botnet of approximately 500,000 devices infected with the VPNFilter malware. Cisco Talos researchers found a link between VPNFilter and BlackEnergy, the malware that targeted the Ukrainian power grid in the winter of 2015-2016.
Stage one relied on connecting either to one of twelve hardcoded Photobucket URLs or to the Toknowall website. The stage two malware had the capabilities of an intelligence-collection platform, such as file collection, command execution, data exfiltration and device management; some versions also had a self-destruct capability that overwrites a critical portion of the device's firmware and reboots the device. There were multiple stage three modules, plugins for the stage two malware with additional functionality, such as a packet sniffer and a communications module allowing communication over Tor.
25. WHERE ARE WE NOW?
26. DEFENSE CAPABILITIES
Limitation: knowing the relevant characteristics of existing, operational botnets plays an important and decisive role in the design of effective protection methodologies.
Parameters that can be analysed:
• start and end of the communication,
• protocol used,
• number of active flags used during TCP communication,
• number of packets sent during the communication,
• number of bytes sent during the communication,
• time elapsed during the communication,
• initiator of the communication (server or client),
• average number of bytes sent per packet,
• number of successful C&C contacts,
• number of DNS queries, and
• periodicity of the communication with the C&C server.
27. PROPAGATION PATTERNS – PORT SCAN (figure)

28. ATTACK PATTERNS – SYN FLOOD (figure)
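The parameters listed on slide 26 and the scan and flood patterns named on slides 27 and 28 can be checked directly over flow records. The following is an added example, not code from the original presentation: it extracts the per-flow parameters (duration, bytes per packet, active TCP flags) from NetFlow-style records and runs three detectors over them: periodic client-initiated contacts with the same server (C&C beaconing, measured as the coefficient of variation of the gaps between contacts), SYN-only probes from one source to many host:port targets (port scan), and SYN-only half-open flows from many sources against one service (SYN flood). The Flow record layout, the thresholds and the sample traffic are assumptions constructed for the example, using addresses from the documentation ranges.

```python
"""Flow parameters from slide 26 plus beacon, port-scan and SYN-flood detectors.
Added example; the Flow layout, thresholds and sample traffic are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    start: float      # seconds since capture start
    end: float
    src: str
    dst: str
    dport: int
    proto: str        # "tcp" or "udp"
    flags: str        # TCP flags seen in the flow: "S" = SYN only, "SPA" = SYN+PSH+ACK
    packets: int
    nbytes: int
    initiator: str    # "client" or "server"


def flow_features(f: Flow) -> dict:
    """Per-flow parameters: duration, average bytes per packet, active flags."""
    return {
        "duration": f.end - f.start,
        "bytes_per_packet": f.nbytes / f.packets if f.packets else 0.0,
        "active_flags": len(set(f.flags)),
    }


def gap_cv(gaps):
    """Coefficient of variation of the gaps between contacts; near 0 = periodic."""
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def find_beacons(flows, min_contacts=4, max_cv=0.1):
    """Client-initiated (src, dst, dport) triples contacted at regular intervals."""
    by_key = defaultdict(list)
    for f in flows:
        if f.initiator == "client":
            by_key[(f.src, f.dst, f.dport)].append(f.start)
    hits = {}
    for key, starts in by_key.items():
        if len(starts) < min_contacts:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        cv = gap_cv(gaps)
        if cv is not None and cv <= max_cv:
            hits[key] = {"contacts": len(starts), "cv": round(cv, 3),
                         "period_s": round(mean(gaps))}
    return hits


def find_port_scans(flows, min_targets=10):
    """Sources that sent SYN-only probes to many distinct (host, port) targets."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.flags == "S":
            targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def find_syn_floods(flows, min_sources=40):
    """Services hit by SYN-only (half-open) flows from many distinct sources."""
    syn_sources = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.flags == "S":
            syn_sources[(f.dst, f.dport)].add(f.src)
    return {k: len(s) for k, s in syn_sources.items() if len(s) >= min_sources}


def _tcp(start, src, dst, dport, flags, packets, nbytes, dur=0.0):
    return Flow(start, start + dur, src, dst, dport, "tcp", flags, packets, nbytes, "client")


# Constructed sample traffic (hypothetical; documentation address ranges).
SAMPLE_FLOWS = (
    # bot 10.0.0.5 checking in with its C&C roughly every 300 s
    [_tcp(t, "10.0.0.5", "203.0.113.7", 443, "SPA", 12, 1800, dur=1.5)
     for t in (0, 301, 599, 900, 1202, 1499)]
    # a user's browsing from 10.0.0.9: irregular gaps, not a beacon
    + [_tcp(t, "10.0.0.9", "198.51.100.20", 443, "SPA", 40, 52000, dur=4.0)
       for t in (10, 15, 200, 210, 900)]
    # the same bot vertically scanning 192.0.2.1, one SYN per port
    + [_tcp(1600 + p * 0.05, "10.0.0.5", "192.0.2.1", p, "S", 1, 60) for p in range(1, 21)]
    # 50 spoofed sources SYN-flooding the web server 192.0.2.80:80
    + [_tcp(2000 + i * 0.01, f"198.18.0.{i + 1}", "192.0.2.80", 80, "S", 1, 60)
       for i in range(50)]
)


def analyse(flows=SAMPLE_FLOWS):
    return {
        "beacons": find_beacons(flows),
        "port_scans": find_port_scans(flows),
        "syn_floods": find_syn_floods(flows),
    }


if __name__ == "__main__":
    for name, result in analyse().items():
        print(name, result)
```

Only the bot's check-ins are reported as a beacon; the user's browsing has the same destination port and more contacts but a coefficient of variation above 1. The thresholds are deliberately simple; in production the beacon test would run per time window, and the scan and flood detectors would also count flows per second, otherwise a slow scan or a long-lived flood is missed.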
29. FUZZY LOGIC (EXAMPLE)
Predefined parameters are:
• ART: average time between received packets,
• NSP: number of sent packets,
• NRP: number of received packets.
Rule: If (ART is high) and (NSP is med) and (NRP is high) then (output is high)
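As an added example (not the original's implementation), the rule above is implemented as a small Mamdani-style fuzzy system: triangular and trapezoidal membership functions for low, med and high, AND as the min t-norm, max aggregation of rules with the same consequent, and centroid defuzzification. The input universes (0 to 1000 for all three parameters), the membership shapes, the output scale 0 to 1 and the two complementary rules that let the system also conclude "low" are assumptions, since the slide gives only the single rule.

```python
"""Mamdani fuzzy inference for the slide's rule. Added example; universes,
membership shapes and rules R2/R3 are assumptions, not the original's."""


def tri(x, a, b, c):
    """Triangular membership: 0 at a, 1 at b, 0 at c."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


def trap(x, a, b, c, d):
    """Trapezoidal membership: rises a->b, flat b->c, falls c->d (a==b or c==d allowed)."""
    if x < a or x > d:
        return 0.0
    if x < b:
        return (x - a) / (b - a)
    if x <= c:
        return 1.0
    if x < d:
        return (d - x) / (d - c)
    return 0.0


# Assumed: ART in ms, NSP and NRP in packets per minute, all on 0..1000.
INPUT_SETS = {
    "low": lambda x: trap(x, 0, 0, 200, 400),
    "med": lambda x: tri(x, 200, 500, 800),
    "high": lambda x: trap(x, 600, 800, 1000, 1000),
}
# Assumed output universe: 0 (benign) .. 1 (bot-like).
OUTPUT_SETS = {
    "low": lambda y: trap(y, 0.0, 0.0, 0.3, 0.5),
    "high": lambda y: trap(y, 0.5, 0.7, 1.0, 1.0),
}

RULES = [
    ({"ART": "high", "NSP": "med", "NRP": "high"}, "high"),   # R1: the rule from the slide
    ({"ART": "low"}, "low"),                                  # R2: assumed
    ({"NSP": "low", "NRP": "low"}, "low"),                    # R3: assumed
]


def rule_strengths(art, nsp, nrp):
    """Firing strength of every rule; AND is the min t-norm."""
    inputs = {"ART": art, "NSP": nsp, "NRP": nrp}
    return {f"R{i}": min(INPUT_SETS[s](inputs[v]) for v, s in ante.items())
            for i, (ante, _) in enumerate(RULES, 1)}


def infer(art, nsp, nrp, steps=100):
    """Crisp output in [0, 1] by centroid of the clipped, max-aggregated output sets.
    Returns None when no rule fires at all."""
    strengths = list(rule_strengths(art, nsp, nrp).values())
    clip = {"low": 0.0, "high": 0.0}
    for (_, consequent), w in zip(RULES, strengths):
        clip[consequent] = max(clip[consequent], w)
    num = den = 0.0
    for i in range(steps + 1):
        y = i / steps
        mu = max(min(clip[s], OUTPUT_SETS[s](y)) for s in clip)
        num += y * mu
        den += mu
    return num / den if den else None


if __name__ == "__main__":
    for sample in ((850, 500, 900), (700, 650, 750), (50, 20, 30), (450, 450, 450)):
        print(sample, rule_strengths(*sample), infer(*sample))
```

A host with a high inter-packet time, a medium send count and a high receive count fires R1 fully and lands well above 0.5; a host that only partially matches each set fires R1 at 0.5 and scores lower; the benign profile is pulled to the low end by R2 and R3. Returning None for an input that fires no rule is the edge case to handle explicitly, otherwise the centroid divides by zero.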
30. NETWORK MODELS
Source: Albert-László Barabási & Eric Bonabeau (2003). Scale-free networks. Scientific American. https://barabasi.com/f/124.pdf
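The cited scale-free model bears directly on the botnet structures of slide 10: in a network grown by preferential attachment a few hubs carry most of the connections, so taking down the hubs (the C&C layer of a centralised botnet) fragments the network far more than the random loss of the same number of bots. The following added example, not from the cited paper or the original slides, grows a Barabási-Albert graph by preferential attachment and compares the largest remaining component after removing the k highest-degree nodes with the result of removing k random nodes. The graph size, m, k and the seeds are assumptions.

```python
"""Barabási-Albert growth and hub-takedown versus random-failure comparison.
Added example; n, m, k and the seeds are assumptions."""
import random
from collections import deque


def barabasi_albert(n, m, seed=1):
    """Start from a complete graph on m+1 nodes; each new node attaches m edges
    to existing nodes with probability proportional to their degree."""
    rng = random.Random(seed)
    adj = {v: set() for v in range(m + 1)}
    for i in range(m + 1):
        for j in range(i + 1, m + 1):
            adj[i].add(j)
            adj[j].add(i)
    # every node appears once per incident edge, so a uniform pick from this
    # list is a degree-proportional (preferential) pick of a node
    targets = [v for v, nb in adj.items() for _ in nb]
    for new in range(m + 1, n):
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(targets))
        adj[new] = set()
        for t in chosen:
            adj[new].add(t)
            adj[t].add(new)
            targets.extend((new, t))
    return adj


def degrees(adj):
    return {v: len(nb) for v, nb in adj.items()}


def largest_component(adj, removed=()):
    """Size of the largest connected component once the `removed` nodes are gone."""
    seen = set(removed)
    best = 0
    for start in adj:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            v = queue.popleft()
            size += 1
            for w in adj[v]:
                if w not in seen:
                    seen.add(w)
                    queue.append(w)
        best = max(best, size)
    return best


def hubs(adj, k):
    """The k highest-degree nodes: the targets of a C&C takedown."""
    return sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:k]


def takedown_comparison(n=2000, m=2, k=40, seed=1):
    """Fraction of surviving nodes still in the giant component after
    (a) k random bots drop out and (b) the k hubs are taken down."""
    adj = barabasi_albert(n, m, seed)
    rng = random.Random(seed + 1)
    random_nodes = rng.sample(sorted(adj), k)
    deg = degrees(adj)
    return {
        "nodes": n,
        "edges": sum(deg.values()) // 2,
        "max_degree": max(deg.values()),
        "mean_degree": sum(deg.values()) / n,
        "giant_after_random_failure": largest_component(adj, random_nodes) / (n - k),
        "giant_after_hub_takedown": largest_component(adj, hubs(adj, k)) / (n - k),
    }


if __name__ == "__main__":
    for key, value in takedown_comparison().items():
        print(f"{key}: {value}")
```

The maximum degree comes out many times the mean degree, the heavy tail that marks a scale-free network, and the giant component shrinks much more after removing the 40 hubs than after 40 random failures. A decentralised (peer-to-peer) botnet, by contrast, has no such hubs, which is exactly why it resists the takedown strategy that works against a centralised one.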
31. SUMMARY

32. CONCLUSION: WHERE DOES THE NETWORK APPEAR?
• Cooperation within the organisation
• Cooperation (or competition) between organisations

33. CONCLUSION: WHERE DOES THE NETWORK APPEAR?
• Logical structure
• Propagation and attack patterns

34. THANK YOU FOR YOUR ATTENTION