Botnets and automated distributed threats have been a growing problem in recent years. In a report to the president that was publicly released on May 30, the U.S. Department of Commerce and the Department of Homeland Security detailed the status of botnet threats and provided direction on how to improve resiliency.
The 51-page report comes a year after President Trump issued an executive order on strengthening the cyber-security of federal networks and critical infrastructure. As part of that order, there was a mandate to determine the risk and resiliency to U.S. infrastructure from botnets and automated distributed attacks. Among the key findings in the report is that existing tools to help improve defenses are not being used.
“While there remains room for improvement, the tools, processes, and practices required to significantly enhance the resilience of the Internet and communications ecosystem are widely available, and are routinely applied in selected market sectors,” the report stated. “However, they are not part of common practices for product development and deployment in many other sectors for a variety of reasons, including (but not limited to) lack of awareness, cost avoidance, insufficient technical expertise, and lack of market incentives.”
The report also determined that market incentives for product manufacturers are not aligned with the goal of reducing automated threats. According to the report, the goal of many vendors is to minimize cost and time to market, rather than to build in security.
Industry Reaction
Akamai Chief Security Officer Andy Ellis said he wasn’t surprised by the findings in the report, though he did call out a few of the conclusions.
“The most notable is that the report acknowledges a lack of standards for safety and security in the IoT [internet of things] world,” Ellis told eWEEK.
While the report noted that tools do exist to help mitigate some of the risks associated with botnets and automated distributed attacks, it also states that there are some gaps in the landscape. Ellis said that the cyber-security landscape can be confusing, which could be a cause for the perceived gaps in the marketplace.
“For enterprises, it isn’t always clear what your best moves are, both from using vendors, as well as the parts of defense that an enterprise needs to own in their own right,” Ellis said. “I think the call for a framework is likely helpful here, although we should all be wary about proposing a one-size-fits-all model for DDoS defense.”
Reid Tatoris, vice president of product marketing and outreach at Distil Networks, agrees with the report’s finding that tools exist that aren’t being utilized. He added, however, that there is also a gap in the way that some organizations think about the problem of automated distributed attacks.
“Most people think about putting a solution in place to stop bot attacks, but advanced attackers constantly shift their attack vectors and methods,” Tatoris told eWEEK. “The mindset should be more focused on how to respond to ongoing threats, which means putting a flexible system in place that can stop current attacks and also detect and respond to new threats that evolve over time.”
Srinivas Kumar, vice president of engineering at Mocana, calls the report is timely, particularly on the heels of the recent disclosure of the VPNFilter malware in networking equipment. Kumar noted that botnets present very real threats in IoT across a variety of domains, as detailed in the report.
“While this report offers a variety of policy recommendations for action, perhaps the most important recommendations are those focused on promoting and incentivizing innovation,” Kumar told eWEEK. “The botnet threat landscape is one where hackers are proven to think and adapt faster than bureaucrats.”
Kumar added that implementing effective countermeasures against blind spots and addressing the threat of botnets require a paradigm shift in policy, process and technology that focuses on protection and prevention within the devices and systems of devices themselves.
Georgia Weidman, founder and CTO of Shevirah, commented that while cyber-security awareness is part of the problem, there are technical limitations as well. She noted that for years much of security technology was focused on the network perimeter, which is no longer where all attacks come from.
“With most of our budget sitting at the traditional perimeter, we are of course going to miss compromises originating from and DDoS traffic using these myriad alternative communication methods, such as a mobile modem that bypasses the perimeter or even close range communication methods such as Bluetooth or near-field communication if an attacker or his hardware is nearby, Weidman said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.