London (UK): The StealthWatch Labs Intelligence Center (SLIC), Lancope’s research initiative that tracks emerging threat information from around the world, today revealed that 30% of the world’s active botnet command and control servers are actually based in the US. This is three times higher than the second and third most active countries, China (9%) and Russia (8%) respectively. Yet when it comes to Internet scanning for victims to target with brute force attacks or exploits, it is China (44%) that is the most active, followed by Japan (7%), the USA (6%) and South Korea (5%). When looking at backscatter activity (victims of DDoS attacks), again it is the US that tops the list at 23%, followed by Taiwan (17%), Japan (10%) and South Korea (8%). Interestingly, of all the European countries, only Germany features at the top of these lists, in fifth place for both botnet command and control and backscatter (6% and 5% respectively). The UK’s only appearance in the top 10 lists is for botnet command and control, in sixth place at 4%. That the US and the other countries feature so highly is to be expected, as threats often originate from inside large legitimate networks as a result of systems that have been compromised. Under the remote control of botnet operators or other nefarious external parties, these internal systems spread infections, steal data and wreak havoc on enterprise resources.
Speaking about these trends, Amrit Williams, Lancope’s CTO, said, “Criminals are actively using legitimate IT resources to ply their trade worldwide. In addition, state sponsored computer network intrusion is an increasing trend that demands attention. The reality is any organisation’s expensive IT infrastructure is at risk of being recruited and used as a botnet, users’ email addresses abused by Backscatter (DDoS) attacks or their ports scanned. Organisations need not only to be aware of what is knocking at their gateway, but also what is happening within their walls. Instead of perimeter-centric network security to keep the bad guys out, organizations need to realize that they are already – or will be – compromised by increasingly hostile threats. Internal visibility and security context is the key to preventing cyber-attacks from taking over networks, helping to keep not just themselves but everyone safer.”
Organisations need to look beyond traditional security technologies and techniques if they’re to adequately identify and remove malware, and protect their infrastructure:
· To complement existing security controls, organisations need complete network visibility and security intelligence that covers all internal network communications.
· Elevate the importance of incident response, and empower incident responders to thoroughly investigate each attack and compile comprehensive intelligence surrounding the incident.
· Adopt best practices and technologies, such as NetFlow-based monitoring, that put incident response at the forefront of enterprise security.
· Finally, feed the intelligence uncovered by incident responders back into the overall threat detection strategy to improve detection rates and reduce security breaches going forward.
Amrit Williams, Lancope’s CTO, will be speaking at a seminar titled ‘Targeting the Kill Chain: A multifaceted approach to defence in depth’ in the Technical Theatre at Infosecurity Europe on Wednesday 24 April at 12.40pm.